Sign up to our newsletter
When ‘several thousand’ Hypercom payment terminals across the country simultaneously stopped working last week, it would be easy to jump to the conclusion that some malicious malware was on the loose, but the truth had nothing to do with cybercriminals, Brian Krebs of Krebs on Security explains.
With point of sale malware having successfully targeted many high-street businesses this year, including Kmart, Home Depot and Dairy Queen, cybercriminals would seem to be a likely source at first glance, but actually it seems that the terminals crashed due to the expiry of a cryptographic certificate used in the devices.
In short, the certificates that the Hypercom payment terminals required to function had a 10 year certificate, and affected models all expired simultaneously. Or as Stuart Taylor, vice president of Equinox, owner of the Hypercom brand puts it, “The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal. The certificate was created in 2004 with a 10 year expiry date.”
“Many of these terminals have been successfully updated in the field. Unfortunately, a subset of them can’t be fixed in the field which means they’ll need to be sent to our repair facility. We are working with our customers and distribution partners to track down where these terminals are and will provide whatever assistance we can to minimize any disruption as a result of this matter.”
According to those affected, symptoms of the device breaking would only manifest themselves once the payment terminals were power-cycled or rebooted – a step that many merchants make on a daily basis. Those that did were met by a ‘blank and inoperative’ terminal.
“While designing your products so that they fail after 10 years seems like a less than brilliant idea, this incident is a reminder of just how much of the payments infrastructure in the United States relies on rapidly aging technology,” concludes Krebs.
If your Hypercom payment terminals’ certificates have expired, the company advises you head to the certificate expiry help page.
Author Alan Martin, ESET