A report released on Tuesday detailing a raid by federal investigators at a Florida warehouse linked to Pax Technology Inc. has stunned the payments industry and left some observers concerned about the big point-of-sale device maker’s reported reaction to allegations its technology was involved in cyber attacks against organizations both in the United States and overseas.
An article posted on Tuesday in the online newsletter “Krebs on Security” said investigators had told a local radio station they were executing a “court-authorized search” at a Jacksonville, Fla., warehouse belonging to Pax. They indicated the search involved agents with the U.S. Department of Homeland Security’s Customs and Border Protection service and the Naval Criminal Investigative Services (NCIS). Krebs on Security is reported and written by former Washington Post journalist Brian Krebs.
Citing a “trusted source,” Krebs said the Federal Bureau of Investigation had launched an investigation after a “major” U.S. processor began inquiring about “unusual” network packets flowing from Pax terminals. The processor discovered the terminals were serving as “a repository of malicious files” and as a “command and control” for attacks and information gathering, according to the source. Krebs adds, however, that the source could not pass along specifics about the “strange network activity” that drew the attention of the FBI.
Late Wednesday afternoon, a Pax spokesperson submitted the following statement to Digital Transactions News: “On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation. PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.
Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.”
Krebs reported the company did not respond to his request for comment. However, the company has claimed the investigation is “racially and politically motivated,” according to Krebs’s source.
Headquartered in Shenzen, China, and with its U.S. base in Jacksonville, Pax says it has shipped more than 57 million terminals to 120 countries since its founding in 2001. Using either the Android or Linux operating system, the devices use third-party apps to provide services like loyalty marketing on top of payment processing.
Payments experts point out that criminals have a long history of targeting POS technology to steal payments data. “So, it would be no surprise if Pax was targeted and penetrated by criminal enterprises for profit,” notes Eric Grover, principal at payments consultancy Intrepid Ventures.
Grover says he is troubled, though, by Pax’s alleged contention that the investigation is motivated by racial or political factors. “Pax’s reaction can’t help them,” he notes. “If Pax was compromised, it will hurt them. If Pax was in any way complicit with private criminal actors or the government, it will cripple them.”