
Verifone CC Processing Software


24 replies to this topic

#1 VeriPhony

Posted 13 March 2010 - 05:03 AM

So the most interesting flash drive fell into my lap the other day (or out of someone's pocket maybe? not sure, it was on the floor) and like any good citizen I plugged it into a laptop that I didn't care about running off a BT4 liveCD with no hard drives mounted (I'm not dumb) with the intent of perhaps identifying the owner and returning it. I didn't find any identifying information on the drive, which was odd since it had transcripts of emails etc with names redacted, like it was intentionally anonymized or something... Anyway once I started reading this stuff I couldn't stop. Long story short it appears to be the property of some Verifone employee who has gone to great lengths to let people know how broken their software is and keeps getting shot down.

Maybe I'm interpreting a lot of this the wrong way but it's almost like this person wanted this stuff to make it out. Whether that was the intent or not, it's happening :)

Here's the thing though, I'm guessing about 80% of what's on this drive is Verifone's intellectual property and the other 20% they probably wouldn't be too happy about seeing on the internets. I don't want to violate any of BR's policies either and I'm not sure what the stance is on stuff like this. I'll post, in my own words, what appears to be the original research of this drive's owner and I'll gladly send anything on this drive to anyone who wants copies assuming you have a safe anonymous way to get them to you. I might just start an eepsite or something with all this stuff on it, let me know what you all think I should do and I'll respect your opinions and policies.

Anyway, on with the stuff I think I'm safe to post here.

The docs in here seem to be about 3 products: pc charge, ip charge, and payware pc. They're all credit card processing apps sold by verifone (ip charge seems to be more of a service, very paypal-esque). There's some good stuff that looks like internal documents, training and such, for ip charge and payware, but the majority of this stuff seems to be about pc charge. There are docs labeled "capture spec" and "auth spec" for a couple dozen companies which google tells me are credit card processing companies and various documents outlining how point of sale systems communicate with verifone's stuff. It's all quite fascinating and I'm sure it could've been RE'd anyway so it's probably safe to post here, but this is me asking nicely before pissing people off.

The cool stuff though was in its own separate folder, this is where our tech outlines all the security problems found in several versions of the software (there's installers on the drive too for like 4 versions and a zip file that's got what I hope are test accounts - haven't checked if they work, too scared). Here's what was documented:


* The software apparently has open SQL injection bugs, and apparently that's enough to get the app's certification yanked on the spot - at least according to the tech... Management seems to disagree in some of the emails...

* The software encrypts most of the data it stores, and everything it encrypts is using the same algorithm and key and the data is never hashed, and the key never changes, ever, it's always the same for every installation of the software. There's a spreadsheet in here that appears to be a rainbow table of expiration dates. It's referenced in one of the emails as a proof of concept that threatens the possibility of such a table being made for card numbers too.

* The software, apparently, stores its password data encrypted rather than hashed, and uses the same algorithm as it does for everything else. One of the docs shows how you can copy and paste the password field into other database fields and use various menu options and reports to decrypt the password for the root user, who is apparently always named "System"

* The software stores absolutely everything in an unlocked unencrypted unpassworded access database. The only protection on this thing is that the version of access they use is so damned old you can't actually do anything with the file in new versions without converting it and making it inaccessible to the app. Of course they circumvent this one and only layer of security by including an old copy of M$ VisData with the app so you can SQL your heart out.

* Apparently compliance only requires CC data to be encrypted once it reaches a "public" network like the internet, so nothing between this app and a point of sale system is ever encrypted. Everything is sent either via everyday TCP to an arbitrary port or by a method called "file drop" which according to the docs is more common. "File drop" consists of putting all the CC and transaction info into an XML file, copying that file into a shared folder over the network, and then watching for a file that contains the response. Real secure guys, real secure. Technically speaking I think this is supposed to happen on a separate network segment than the free WiFi you give your customers but who wants to place bets on how many small business owners know a subnet from a fishnet?

* The emails seem to indicate that a lot of large chains use this broken app and does list several scarily big names. Not sure if this forum is the appropriate place to drop such a bombshell so I'll await your response on yet another item.

There's lots more here. Again please advise on what would be the best method to send this stuff around, assuming you're all even interested.

I'm still digging through a lot of this stuff, and some of it is honestly a bit over my head. Until I can get this stuff spreading ask questions and I'll see if there's an answer in here for you. I've spent probably two weeks combing this stuff and playing with the software on VMs that are intentionally disconnected from the 'net, there's a ton of stuff here and I'm just beginning to comprehend it all...
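
The two weakest points in that list, deterministic encryption of a small-domain field and reversible password storage, are easy to see in code. What follows is an added illustration, not code from this thread or from any Verifone product: the cipher (a toy HMAC-SHA256 counter-mode keystream), the fixed key, the nonce layout and the MM/YY field format are all constructed stand-ins. It shows why a fixed key with no per-record randomness turns expiry dates into a complete 120-entry lookup table (the "rainbow table" spreadsheet described above is, in effect, just this), why an encrypted password can always be recovered by anyone holding the application's key, and what the usual fixes look like: a fresh nonce per record for data that must be decryptable, and a salted PBKDF2 hash for passwords that only ever need verifying.

```python
"""Added illustration (not from the thread or any Verifone code): deterministic
encryption of a small-domain field, reversible password storage, and the fixes.
The cipher is a toy HMAC-SHA256 counter-mode keystream; the key, nonce layout
and field formats are constructed stand-ins."""
import hashlib
import hmac
import os

FIXED_KEY = b"constructed-key-baked-into-every-install"  # stand-in, not a real key
NONCE_LEN = 16
FIXED_NONCE = bytes(NONCE_LEN)  # reusing one nonce is what makes the scheme deterministic
PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR mode: keystream block i = HMAC-SHA256(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Returns nonce || (plaintext XOR keystream)."""
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); the nonce travels with the ciphertext."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# --- Expiry dates: same key, same nonce, every installation ------------------

def store_expiry_deterministic(expiry: str) -> bytes:
    """Same plaintext always yields the same ciphertext."""
    return encrypt(FIXED_KEY, expiry.encode(), FIXED_NONCE)


def store_expiry_randomized(expiry: str) -> bytes:
    """Fresh nonce per record: equal plaintexts no longer look alike."""
    return encrypt(FIXED_KEY, expiry.encode(), os.urandom(NONCE_LEN))


def build_expiry_table(first_year: int, last_year: int) -> dict:
    """Ciphertext -> MM/YY for every month in range under the deterministic
    scheme. The domain is 12 entries per year, so the table is complete and
    tiny; the same construction applies to any field encrypted this way."""
    table = {}
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            expiry = f"{month:02d}/{year % 100:02d}"
            table[store_expiry_deterministic(expiry)] = expiry
    return table


def lookup_expiry(table: dict, blob: bytes):
    """Recovers the plaintext with no key at all when the blob is deterministic;
    returns None for a randomized blob, which is not in the table."""
    return table.get(blob)


# --- Passwords: encrypted (reversible) versus hashed (verify-only) -----------

def store_password_encrypted(password: str) -> bytes:
    return encrypt(FIXED_KEY, password.encode(), FIXED_NONCE)


def recover_password_encrypted(blob: bytes) -> str:
    """Anyone holding the application, and therefore its key, reverses this."""
    return decrypt(FIXED_KEY, blob).decode()


def store_password_hashed(password: str) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; nothing here decrypts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_expiry_table(2010, 2019)
    print("deterministic:", lookup_expiry(table, store_expiry_deterministic("03/14")))
    print("randomized:   ", lookup_expiry(table, store_expiry_randomized("03/14")))
    print("encrypted pw: ", recover_password_encrypted(store_password_encrypted("example-password")))
    salt, digest = store_password_hashed("example-password")
    print("hashed pw verifies:", verify_password("example-password", salt, digest))
```

Two things worth noticing when running it: the randomized expiry blob still decrypts with the key, so the fix costs nothing in functionality, only sixteen extra bytes per record; and the fixed-nonce variant has a second, general weakness the table does not even need, namely that every record shares one keystream, so any two ciphertexts XOR to the XOR of their plaintexts (the standard nonce-reuse failure of any stream or CTR mode, shown here for the toy cipher, not reported on the page about the product).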

#2 PurpleJesus

Posted 13 March 2010 - 09:58 AM

Awesome find. You have my attention.

#3 tekio

Posted 13 March 2010 - 10:26 AM

Great post. I had to lol at the fact this employee rips the company's security and puts all this info on unencrypted media, then loses it. I guess he fits right in there.

#4 VeriPhony

Posted 14 March 2010 - 03:14 AM

I'm working on uploading the file to freenet, it's over 300MB zipped with all the installers and such included. I'll post the key when it finishes. If you don't want to wait I've set up an eepsite serving the file also: http://veriphony.i2p

I'm hoping someone here uses one or both networks and will help distribute if enough people find it interesting, I just don't want to be the known point of origin. Verifone is a big company with lots of lawyers, and you'd have to be an idiot not to at least fear them a little...

#5 Belenos

Posted 14 March 2010 - 05:59 AM

Link to i2p site seems broken, and the freenet is thin here.

I have to wonder if this is legit. A security employee carefully organizes and redacts this information, and then drops it in a public place. There are a few situations that could have ensued. One, it falls into the hands of someone like my father, whose connection to computers is tenuous at best. He would have either opened the files and turned it into the police as lost property, or to someone more tech-savvy to identify. It could have fallen into the hands of some skiddie or other unscrupulous individual or, as it did, those of someone like VeriPhony. The skiddie would have tried to turn the information to his advantage, possibly dropped hints to his friends, and gotten nailed somehow. A more experienced cracker might not have made those rookie mistakes, but I'm not sure I believe this.

I'm not sure I believe this because it's too juicy: first, let us assume that this is real. If that is so, then this is an attempt by a lone security programmer to prevent the release of flawed code systems from being released into the wild, despite the actions of his superiors, coworkers, and other people high in the company organization. Sounds nice, doesn't it? Like something you or I would do? I call bullshit, because even idealistic security programmers (we'll call him Heinrich) need to eat. Now, working on the assumption that this is the case, and Heinrich is acting in our best interests, he will be fired, and never work in his current profession again. Why? Because once these files are public, they are *public*, which is to say that internal security at Verifone will be able to locate Heinrich and proceed to blackball him from here 'til judgement day. QED, these files were not dropped by someone who has any intention of eating on Heinrich's dime ever, ever again.

That presents a few alternatives: one, Verifone *does* have lousy security, and someone compromised their systems sufficiently to gain access to this data. Two, Heinrich has already been fired over this (or another) issue, and is looking to create, either legitimately (these files are real) or not (they aren't), some kind of furor. Three, Heinrich is an idiot capable of putting together a totally damning battery of evidence, but not able to muster the forethought to make the leap to "I'm going to be totally fucked when this gets out." Four, Heinrich doesn't care about eating, and is willing to sacrifice his career for the truth. Somehow, I find my faith less than full for that last one.

None of these make for really compelling scenarios, do they? Let's try again, only now we assume not P. Here, the documents are false.

If the documents are false, let's first also assume that VeriPhony is a sock puppet (sorry, man). Now we have some entity undermining the confidence of consumers of Verifone devices. Rule one of making money for your company is making it easy to *spend* money on your product. So if Verifone cannot be trusted, then there is a concomitant loss of trust in every establishment that uses Verifone product. As a result, Verifone loses money, and so does Wal-Mart, Hannaford Brothers, Irving, Shell, Sears, Macy's, and the list goes on. This sort of revelation might, in fact, cause some sort of mass migration to, say, other providers of POS devices. I don't suppose that Ingenico, the largest terminal provider by units shipped, would benefit in any way by a sudden drop in the trust of its rival?

Okay, next idea: VeriPhony is genuine, and this document set is some kind of honeypot. I don't think there's too much to this idea, really, because this kind of security risk is a PR disaster, even if it only exists in the minds of consumers. Scare them, and they stop giving you money.

Final idea: VeriPhony isn't genuine (sorry again), and he's just trolling us. And winning.

I realize that I might have started an epic flame war, here, but these all seem like valid points that have to be addressed and verified.

More succinctly: pics or it never happened.

#6 VeriPhony

Posted 14 March 2010 - 10:52 PM

Well, good job calling BS on the story because that's what it is. Problem is I can't tell how I got this data because it would get quite a few people in trouble, myself among them - hence all the I2P, Freenet etc. As for "Heinrich" I rather like that name, maybe I'll keep it :)

Anyway I understand the skepticism, the only reason I haven't attached files here yet is because 1) I2P makes it slow as hell and I was hoping it would be unnecessary and 2) I'm not sure what the forum's policies are for something like that. Since this is a throwaway account anyway, what the hell, here are some files.

Attached are 2 pdfs outlining the capture and auth specs for TSYS, a rather large CC processing company. You should also find a sample database and log files from an installation of PC Charge 5.7.1 isp8c which I'm assured is the most popular distribution, used by companies like Meineke and Burger King. Dominos uses it too, but they use a custom build that is available in the full sized zip.

Enjoy.

Oh, btw, those having trouble with the eepsite should add a subscription to http://www.i2p2.i2p/hosts.txt and the file is now available on FreeNet with the key CHK@tLrgMuUaGXK0CjULoDiRdG73poaCjFxroXfyOZncH2o,w4xDL56TzI~rZBbX9MVqni0g9tRFJD59vn5JxSip0uo,AAIC--8/Leaked%20Verifone%20Files.zip


#7 Enmaku

Posted 15 March 2010 - 12:48 AM

well I haven't finished downloading the big bundle yet, so I can't speak to it, freenet moving slowly as usual :p

-BUT-

I did use to work for VFI a few years ago so I can verify that the logs and database look genuine. I can't verify the pdfs because I wasn't privy to that stuff - whoever leaked this stuff has to be at least a T3 support rep because I was T2 and we never got to see this much detail and especially not from official horses-mouth documents, our stuff was all dumbed down and rebranded as "Verifone Training Materials". That said, it certainly *looks* genuine and the specs seem to match the log files I worked with every day.

I *can* say that the SW was a giant steaming pile of crap that was pieced together in VB6 years ago and that our craptastic devs had whole chunks of code that they had literally no idea what they did and were afraid to touch. I *can't* say too much else because unlike some others I actually worry about the consequences of breaking the NDA that we all signed.

not surprised the place finally sprung a leak though, every little thing resulted in a bulk email there so everyone knew too much and their turnover rate was absurd, mostly because they treat the intelligent employees like crap while promoting the ones too dumb to see the corporate stupidity or too jaded to care.

well, if you don't mind I'm going to go prepare for the inevitable phone call from my former employer now by trying very hard to forget the names of everyone I ever showed this web site to...

#8 Follygator

Posted 15 March 2010 - 02:07 PM

> well I haven't finished downloading the big bundle yet, so I can't speak to it, freenet moving slowly as usual :p
>
> -BUT-
>
> I did use to work for VFI a few years ago so I can verify that the logs and database look genuine. I can't verify the pdfs because I wasn't privy to that stuff - whoever leaked this stuff has to be at least a T3 support rep because I was T2 and we never got to see this much detail and especially not from official horses-mouth documents, our stuff was all dumbed down and rebranded as "Verifone Training Materials". That said, it certainly *looks* genuine and the specs seem to match the log files I worked with every day.
>
> I *can* say that the SW was a giant steaming pile of crap that was pieced together in VB6 years ago and that our craptastic devs had whole chunks of code that they had literally no idea what they did and were afraid to touch. I *can't* say too much else because unlike some others I actually worry about the consequences of breaking the NDA that we all signed.
>
> not surprised the place finally sprung a leak though, every little thing resulted in a bulk email there so everyone knew too much and their turnover rate was absurd, mostly because they treat the intelligent employees like crap while promoting the ones too dumb to see the corporate stupidity or too jaded to care.
>
> well, if you don't mind I'm going to go prepare for the inevitable phone call from my former employer now by trying very hard to forget the names of everyone I ever showed this web site to...

This is my first post here, hope it's right.

I bought a Verifone omni 3750 credit card machine. The master password has been changed from the factory default.

Does anyone know the key sequence that does a hard reset on this machine to restore the factory password? Verifone wants $155 plus shipping and tax. What a rip.

Thanks

#9 Enmaku

Posted 15 March 2010 - 05:12 PM

Sorry, I was a software guy, I got to play with the occasional pinpad but not anything that cool :p

#10 ozlo

Posted 16 March 2010 - 08:19 AM

I've known a few people who worked at Verifone, and from what they tell me nearly all technical docs were available to anyone there who wanted to grab it and make heads or tails out of it. I heard they were running their software/hardware as cheaply as they could then charging the end user ridiculous amounts for their junk. It wouldn't surprise me to find many vulnerabilities and unencrypted, weak points in their systems!

Also, I believe a couple years ago they did some restructuring in the support dept. which upset a lot of old timers who knew their stuff. By "old timers", this means anyone there for more than a few years due to such high turnover! So I'm surprised it's taken this long to get the info out there.

#11 Enmaku

Posted 16 March 2010 - 05:12 PM

> I've known a few people who worked at Verifone

Yeah if you know anyone who can read/write XML who also lives in or around southwestern Florida they've probably worked at Verifone at some point lol.

If the stuff was available maybe it was my fault for failing to ask. I tried real hard to just do my job, come home, and leave work at work. The place drove me so nuts that I think if I actually dwelled on it after I got home I would've fire-bombed the building lol.

#12 Follygator

Posted 16 March 2010 - 09:09 PM


> > I've known a few people who worked at Verifone
>
> Yeah if you know anyone who can read/write XML who also lives in or around southwestern Florida they've probably worked at Verifone at some point lol.
>
> If the stuff was available maybe it was my fault for failing to ask. I tried real hard to just do my job, come home, and leave work at work. The place drove me so nuts that I think if I actually dwelled on it after I got home I would've fire-bombed the building lol.

Exactly what city in SW Florida would that be?

#13 Enmaku

Posted 16 March 2010 - 10:22 PM

Well I lived in St. Petersburg and worked in Clearwater, but now I'm back in southern CA, as far away from the "God's Waiting Room" state as possible - without leaving the country anyway...

#14 Enmaku

Posted 20 March 2010 - 02:12 AM

Just finished the big download (jeebus FreeNet is slow sometimes) and all I can say is wow. I'd love to break this into smaller bits for people who are just interested in the docs or just want the software or whatever, maybe even put them somewhere more accessible, but can anyone tell me how much shit I'd be in for that? I'm sure for posting the software I'd be in deep shit for piracy but what about the docs? Once internal docs like that get leaked is it still a new offense to mirror them? Of course attaching files to PMs is another issue entirely if anyone wants something ;)

#15 zandi

Posted 20 March 2010 - 10:49 PM

Just as an FYI, the first place I'd go in an attempt to anonymously disseminate info would have to be wikileaks or 4chan. If enough care is taken to make it unclear where the leak originated, it may be difficult to find it and you. I haven't done this kind of thing before so this is mostly speculation, but those are my thoughts anyways.

#16 VeriPhony

Posted 21 March 2010 - 12:32 PM

I2P + RapidShare = we all win.

It also = I spend FOREVER uploading stuff.

http://rapidshare.com/users/Z2ACRR

#17 VeriPhony

Posted 21 March 2010 - 12:44 PM

In case the list breaks:


http://rapidshare.co...3/docs.zip.html
All documents from the big package, zipped. This is probably the part you'll all find most interesting.

http://rapidshare.co...build_.zip.html
Custom 5.7 build used by Dominos Pizza

http://rapidshare.co...taller.zip.html
Client for 5.7.1 isp8c (client speaks to pro or server install over network)

http://rapidshare.co...g_disk.zip.html
Config disk with numerous test accounts, works in all versions posted. Just extract files into the install folder, overwriting files as necessary.

http://rapidshare.co..._5.8.0.exe.html
Client for 5.8.0

http://rapidshare.co...taller.zip.html
Pro 5.7.1 isp9a, minor bugfixes from isp8c

http://rapidshare.co...Tarja2.exe.html
Internal use keygen for pre-5.8 versions. Apparently one of the devs has a hardon for Finnish symphonic rock singers.

http://rapidshare.co...0_Installer.zip
Pro 5.8.0 Installer

http://rapidshare.co...5.8.0_Setup.exe
Payment Server 5.8.0 Installer

http://rapidshare.co...c_Installer.zip
Payment Server 5.7.1 isp8c installer

#18 Enmaku

Posted 21 March 2010 - 12:48 PM

Thanks for the advice Zandi. Looks like I won't need it though :)

I'll still gladly send anyone whatever they want privately, in case RS pulls those files. I should -1 rep you just for using RapidShare VeriPhony... I mean seriously, wtf...

#19 phr34kc0der

Posted 21 March 2010 - 01:13 PM

Anyone feel like creating a torrent?

#20 Enmaku

Posted 21 March 2010 - 01:49 PM

Done.

http://thepiratebay....torrent/5451545

Edit: And now that I've actually set up port forwarding it should even work!

Edit #2: 3 seeds now. GIANT thank you to the folks who stuck around to seed after their downloads finished :)

Edited by Enmaku, 21 March 2010 - 08:32 PM.
