Chinese payment-terminal company searched by FBI


The FBI and other US agencies have searched Florida premises used by Chinese payment-terminal provider Pax Technology.

The search had been “in furtherance of a federal investigation”, the FBI said.

US media reports suggest it was prompted by concerns about the security of Pax Technology products.

The company said no allegation of wrongdoing had been made. “Pax Technology takes security very seriously,” it said.

“As always, Pax Technology is actively monitoring its environment for possible threats.

“We remain committed to providing secure and quality software systems and solutions.”

“Pax Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.”

Widely used

Founded in 2001, Pax says it has delivered over 57 million terminals to more than 120 countries around the world.

Pax technology is widely used in the UK – on its blog, the company notes Prime Minister Boris Johnson used one of its terminals to make a donation to charity.

[Image: Boris Johnson using a PAX payment terminal]

An FBI official told BBC News it had searched three facilities in Jacksonville, Florida.

“The FBI Jacksonville division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, executed a court-authorised search in furtherance of a federal investigation,” it said.

“The investigation remains active and ongoing and no additional information can be confirmed at this time.”

The news hit the company’s shares hard – Pax Global Technology fell over 43% on Wednesday, in trading in Hong Kong.

In a letter to UK customers, obtained by BBC News, the company’s British office said: “In summary, there are no security issues.

“Pax UK can confirm there have been no security breaches, no data compromises and there is no risk of a compromise.

“No confidential customer information or transaction data was sent from any Pax device sold in the US or UK”.

Pax Technology Corporate in Hong Kong would be releasing a “global response by the end of this week”, it said.

‘Working closely’

Technology journalist Brian Krebs said a trusted source of his had alleged a major US payment processor had claimed “that the Pax terminals were being used both as a malware ‘dropper’ – a repository for malicious files – and as ‘command-and-control’ locations for staging attacks and collecting information”.

The source further alleged UK security service MI5 was also involved in the investigation.

BBC News has been unable to verify these claims.

The letter to UK customers said: “MI5 have not been in contact with anyone at Pax”.

In a “frequently-asked-questions” (FAQ) document accompanying the letter, the company added: “There are no known or reported vulnerabilities in Pax terminals.”

The National Cyber Security Centre told BBC News it was aware of the reports “and have been working closely with relevant partners in relation to them”.

‘No evidence’

Worldpay from FIS, a major payments-processing company, began removing Pax Terminals, earlier this month, in a move first reported by Bloomberg News.

It no longer deployed Pax point-of-sale (POS) devices, “because it did not receive satisfactory answers from Pax regarding its POS devices connecting to websites not listed in their supplied documentation”, FIS said.

But it had “no evidence that data running through Pax POS devices has been compromised”.

The company declined to give further information.

‘More networks’

And it is unclear if the FBI investigation is connected to the issues that led Worldpay to withdraw the terminals.

But the Pax UK letter to customers said: “This has to do with FIS/Worldpay.”

And the FAQ document said: “Concerns about the security of our devices appear to be rooted in a misunderstanding of our Android-based technology.

“Enhanced features require connectivity with more networks, which can lead to the misimpression that an Android-based device is less secure”.

