lolhaxorlol

Verifone CC Processing Software

25 posts in this topic

So the most interesting flash drive fell into my lap the other day (or out of someone's pocket maybe? not sure, it was on the floor) and like any good citizen I plugged it into a laptop that I didn't care about, running off a BT4 liveCD with no hard drives mounted (I'm not dumb), with the intent of perhaps identifying the owner and returning it. I didn't find any identifying information on the drive, which was odd since it had transcripts of emails etc. with names redacted, like it was intentionally anonymized or something... Anyway once I started reading this stuff I couldn't stop. Long story short, it appears to be the property of some Verifone employee who has gone to great lengths to let people know how broken their software is and keeps getting shot down.

Maybe I'm interpreting a lot of this the wrong way but it's almost like this person wanted this stuff to make it out. Whether that was the intent or not, it's happening :)

Here's the thing though, I'm guessing about 80% of what's on this drive is Verifone's intellectual property and the other 20% they probably wouldn't be too happy about seeing on the internets. I don't want to violate any of BR's policies either and I'm not sure what the stance is on stuff like this. I'll post, in my own words, what appears to be the original research of this drive's owner and I'll gladly send anything on this drive to anyone who wants copies assuming you have a safe anonymous way to get them to you. I might just start an eepsite or something with all this stuff on it, let me know what you all think I should do and I'll respect your opinions and policies.

Anyway, on with the stuff I think I'm safe to post here.

The docs in here seem to be about 3 products: PC Charge, IP Charge, and PAYware PC. They're all credit card processing apps sold by Verifone (IP Charge seems to be more of a service, very PayPal-esque). There's some good stuff that looks like internal documents, training and such, for IP Charge and PAYware, but the majority of this stuff seems to be about PC Charge. There are docs labeled "capture spec" and "auth spec" for a couple dozen companies which Google tells me are credit card processing companies, and various documents outlining how point of sale systems communicate with Verifone's stuff. It's all quite fascinating and I'm sure it could've been RE'd anyway so it's probably safe to post here, but this is me asking nicely before pissing people off.

The cool stuff though was in its own separate folder; this is where our tech outlines all the security problems found in several versions of the software (there are installers on the drive too for like 4 versions, and a zip file that's got what I hope are test accounts - haven't checked if they work, too scared). Here's what was documented:

* The software apparently has open SQL injection bugs, and apparently that's enough to get the app's certification yanked on the spot - at least according to the tech... Management seems to disagree in some of the emails...

* The software encrypts most of the data it stores, and everything it encrypts uses the same algorithm and key; the data is never hashed, and the key never changes, ever, it's always the same for every installation of the software. There's a spreadsheet in here that appears to be a rainbow table of expiration dates. It's referenced in one of the emails as a proof of concept that threatens the possibility of such a table being made for card numbers too.

* The software, apparently, stores its password data encrypted rather than hashed, and uses the same algorithm as it does for everything else. One of the docs shows how you can copy and paste the password field into other database fields and use various menu options and reports to decrypt the password for the root user, who is apparently always named "System".

* The software stores absolutely everything in an unlocked, unencrypted, unpassworded Access database. The only protection on this thing is that the version of Access they use is so damned old you can't actually do anything with the file in new versions without converting it and making it inaccessible to the app. Of course they circumvent this one and only layer of security by including an old copy of M$ VisData with the app so you can SQL your heart out.

* Apparently compliance only requires CC data to be encrypted once it reaches a "public" network like the internet, so nothing between this app and a point of sale system is ever encrypted. Everything is sent either via everyday TCP to an arbitrary port or by a method called "file drop" which according to the docs is more common. "File drop" consists of putting all the CC and transaction info into an XML file, copying that file into a shared folder over the network, and then watching for a file that contains the response. Real secure guys, real secure. Technically speaking I think this is supposed to happen on a separate network segment than the free WiFi you give your customers but who wants to place bets on how many small business owners know a subnet from a fishnet?

* The emails seem to indicate that a lot of large chains use this broken app and do list several scarily big names. Not sure if this forum is the appropriate place to drop such a bombshell so I'll await your response on yet another item.

There's lots more here. Again please advise on what would be the best method to send this stuff around, assuming you're all even interested.

I'm still digging through a lot of this stuff, and some of it is honestly a bit over my head. Until I can get this stuff spreading ask questions and I'll see if there's an answer in here for you. I've spent probably two weeks combing this stuff and playing with the software on VMs that are intentionally disconnected from the 'net, there's a ton of stuff here and I'm just beginning to comprehend it all...

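The "same algorithm and key for every installation, never hashed" point from the first post, worked through as an added example that is not the poster's material and not Verifone's code: HMAC stands in for the proprietary cipher, the key and the stored dates are constructed, and the audit check needs only the stored ciphertexts.

```python
"""
Audit check for the "same key, same algorithm, never hashed" failure
described in the post above.  Added example with stand-in primitives, not
Verifone code.  Deterministic fixed-key encryption maps equal plaintexts to
equal ciphertexts, so a small-domain field (an expiration date has 12 * N
values for N years) can be inverted with a table built once, without ever
recovering the key.  Repeated ciphertexts across rows reveal the property.
"""
import hashlib
import hmac
import os

# Stand-in for a global key compiled into every installation (constructed).
GLOBAL_KEY = b"constructed-key-shared-by-every-install"


def deterministic_encrypt(value: str) -> bytes:
    """Stand-in for a fixed-key deterministic cipher: HMAC-SHA256 under the
    global key.  The weakness shown is determinism, not the primitive."""
    return hmac.new(GLOBAL_KEY, value.encode(), hashlib.sha256).digest()


def randomized_encrypt(value: str) -> bytes:
    """Hardened form: a fresh 16-byte nonce is stored with the ciphertext and
    mixed into the keyed transform, so equal values no longer collide."""
    nonce = os.urandom(16)
    tag = hmac.new(GLOBAL_KEY, nonce + value.encode(), hashlib.sha256).digest()
    return nonce + tag


def has_repeated_ciphertext(column) -> bool:
    """Audit heuristic over an 'encrypted' column: any repeat means the scheme
    is deterministic (with a 128-bit nonce, repeats are negligible)."""
    return len(set(column)) < len(column)


def expiration_lookup_table(first_year: int, last_year: int) -> dict:
    """The expiration-date table the post mentions, for the stand-in cipher:
    one entry per MMYY the software could have encrypted."""
    table = {}
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            plain = f"{month:02d}{year % 100:02d}"
            table[deterministic_encrypt(plain)] = plain
    return table


def recover_column(column, table) -> list:
    """Invert every row the table covers; None where it does not."""
    return [table.get(ct) for ct in column]


# Constructed sample of stored expiration dates (MMYY) with repeats.
SAMPLE_DATES = ["1012", "0311", "1012", "0713", "0311", "1012"]


def demo() -> dict:
    det_column = [deterministic_encrypt(d) for d in SAMPLE_DATES]
    rnd_column = [randomized_encrypt(d) for d in SAMPLE_DATES]
    table = expiration_lookup_table(2010, 2019)  # 120 entries
    return {
        "deterministic_flagged": has_repeated_ciphertext(det_column),
        "randomized_flagged": has_repeated_ciphertext(rnd_column),
        "table_size": len(table),
        "recovered": recover_column(det_column, table),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The same repeat check applies to any column an application claims to encrypt; a column whose distinct count never exceeds the plaintext domain is the signal to look for.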

Great post. I had to lol at the fact this employee rips the company's security and puts all this info on unencrypted media then loses it. I guess he fits right in there.


I'm working on uploading the file to freenet, it's over 300MB zipped with all the installers and such included. I'll post the key when it finishes. If you don't want to wait I've set up an eepsite serving the file also: http://veriphony.i2p

I'm hoping someone here uses one or both networks and will help distribute if enough people find it interesting, I just don't want to be the known point of origin. Verifone is a big company with lots of lawyers, and you'd have to be an idiot not to at least fear them a little...


Link to i2p site seems broken, and the freenet is thin here.

I have to wonder if this is legit. A security employee carefully organizes and redacts this information, and then drops it in a public place. There are a few situations that could have ensued. One, it falls into the hands of someone like my father, whose connection to computers is tenuous at best. He would have either opened the files and turned it into the police as lost property, or to someone more tech-savvy to identify. It could have fallen into the hands of some skiddie or other unscrupulous individual or, as it did, those of someone like VeriPhony. The skiddie would have tried to turn the information to his advantage, possibly dropped hints to his friends, and gotten nailed somehow. A more experienced cracker might not have made those rookie mistakes, but I'm not sure I believe this.

I'm not sure I believe this because it's too juicy: first, let us assume that this is real. If that is so, then this is an attempt by a lone security programmer to prevent the release of flawed code systems from being released into the wild, despite the actions of his superiors, coworkers, and other people high in the company organization. Sounds nice, doesn't it? Like something you or I would do? I call bullshit, because even idealistic security programmers (we'll call him Heinrich) need to eat. Now, working on the assumption that this is the case, and Heinrich is acting in our best interests, he will be fired, and never work in his current profession again. Why? Because once these files are public, they are *public*, which is to say that internal security at Verifone will be able to locate Heinrich and proceed to blackball him from here 'til judgement day. QED, these files were not dropped by someone who has any intention of eating on Heinrich's dime ever, ever again.

That presents a few alternatives: one, Verifone *does* have lousy security, and someone compromised their systems sufficiently to gain access to this data. Two, Heinrich has already been fired over this (or another) issue, and is looking to create, either legitimately (these files are real) or not (they aren't), some kind of furor. Three, Heinrich is an idiot capable of putting together a totally damning battery of evidence, but not able to muster the forethought to make the leap to "I'm going to be totally fucked when this gets out." Four, Heinrich doesn't care about eating, and is willing to sacrifice his career for the truth. Somehow, I find my faith less than full for that last one.

None of these make for really compelling scenarios, do they? Let's try again, only now we assume not P. Here, the documents are false.

If the documents are false, let's first also assume that VeriPhony is a sock puppet (sorry, man). Now we have some entity undermining the confidence of consumers of Verifone devices. Rule one of making money for your company is making it easy to *spend* money on your product. So if Verifone cannot be trusted, then there is a concomitant loss of trust in every establishment that uses Verifone product. As a result, Verifone loses money, and so does Wal-Mart, Hannaford Brothers, Irving, Shell, Sears, Macy's, and the list goes on. This sort of revelation might, in fact, cause some sort of mass migration to, say, other providers of POS devices. I don't suppose that Ingenico, the largest terminal provider by units shipped, would benefit in any way by a sudden drop in the trust of its rival?

Okay, next idea: VeriPhony is genuine, and this document set is some kind of honeypot. I don't think there's too much to this idea, really, because this kind of security risk is a PR disaster, even if it only exists in the minds of consumers. Scare them, and they stop giving you money.

Final idea: VeriPhony isn't genuine (sorry again), and he's just trolling us. And winning.

I realize that I might have started an epic flame war, here, but these all seem like valid points that have to be addressed and verified.

More succinctly: pics or it never happened.


Well, good job calling BS on the story because that's what it is. Problem is I can't tell how I got this data because it would get quite a few people in trouble, myself among them - hence all the I2P, Freenet etc. As for "Heinrich" I rather like that name, maybe I'll keep it :)

Anyway I understand the skepticism, the only reason I haven't attached files here yet is because 1) I2P makes it slow as hell and I was hoping it would be unnecessary and 2) I'm not sure what the forum's policies are for something like that. Since this is a throwaway account anyway, what the hell, here are some files.

Attached are 2 PDFs outlining the capture and auth specs for TSYS, a rather large CC processing company. You should also find a sample database and log files from an installation of PC Charge 5.7.1 isp8c which I'm assured is the most popular distribution, used by companies like Meineke and Burger King. Domino's uses it too, but they use a custom build that is available in the full sized zip.

Enjoy.

Oh, btw, those having trouble with the eepsite should add a subscription to http://www.i2p2.i2p/hosts.txt and the file is now available on FreeNet with the key CHK@tLrgMuUaGXK0CjULoDiRdG73poaCjFxroXfyOZncH2o,w4xDL56TzI~rZBbX9MVqni0g9tRFJD59vn5JxSip0uo,AAIC--8/Leaked%20Verifone%20Files.zip

TSYS Specs.zip

db & logs.zip


well I haven't finished downloading the big bundle yet, so I can't speak to it, freenet moving slowly as usual :P

-BUT-

I did work for VFI a few years ago, so I can verify that the logs and database look genuine. I can't verify the PDFs because I wasn't privy to that stuff - whoever leaked this stuff has to be at least a T3 support rep because I was T2 and we never got to see this much detail, and especially not from official horse's-mouth documents; our stuff was all dumbed down and rebranded as "Verifone Training Materials". That said, it certainly *looks* genuine and the specs seem to match the log files I worked with every day.

I *can* say that the SW was a giant steaming pile of crap that was pieced together in VB6 years ago and that our craptastic devs had whole chunks of code that they had literally no idea what they did and were afraid to touch. I *can't* say too much else because unlike some others I actually worry about the consequences of breaking the NDA that we all signed.

Not surprised the place finally sprung a leak though, every little thing resulted in a bulk email there so everyone knew too much and their turnover rate was absurd, mostly because they treat the intelligent employees like crap while promoting the ones too dumb to see the corporate stupidity or too jaded to care.

Well, if you don't mind I'm going to go prepare for the inevitable phone call from my former employer now by trying very hard to forget the names of everyone I ever showed this web site to...


This is my first post here, hope it's right.

I bought a Verifone Omni 3750 credit card machine. The master password has been changed from the factory default.

Does anyone know the key sequence that does a hard reset on this machine to restore the factory password? Verifone wants $155 plus shipping and tax. What a rip.

Thanks


Sorry, I was a software guy, I got to play with the occasional pinpad but not anything that cool :P


I've known a few people who worked at Verifone, and from what they tell me nearly all technical docs were available to anyone there who wanted to grab it and make heads or tails out of it. I heard they were running their software/hardware as cheaply as they could then charging the end user ridiculous amounts for their junk. It wouldn't surprise me to find many vulnerabilities and unencrypted, weak points in their systems!

Also, I believe a couple years ago they did some restructuring in the support dept. which upset a lot of old timers who knew their stuff. By "old timers", this means anyone there for more than a few years due to such high turnover! So I'm surprised it's taken this long to get the info out there.


I've known a few people who worked at Verifone

Yeah if you know anyone who can read/write XML who also lives in or around southwestern Florida they've probably worked at Verifone at some point lol.

If the stuff was available maybe it was my fault for failing to ask. I tried real hard to just do my job, come home, and leave work at work. The place drove me so nuts that I think if I actually dwelled on it after I got home I would've fire-bombed the building lol.


Exactly what city in SW Florida would that be?


Well I lived in St. Petersburg and worked in Clearwater, but now I'm back in southern CA, as far away from the "God's Waiting Room" state as possible - without leaving the country anyway...


Just finished the big download (jeebus FreeNet is slow sometimes) and all I can say is wow. I'd love to break this into smaller bits for people who are just interested in the docs or just want the software or whatever, maybe even put them somewhere more accessible, but can anyone tell me how much shit I'd be in for that? I'm sure for posting the software I'd be in deep shit for piracy but what about the docs? Once internal docs like that get leaked is it still a new offense to mirror them? Of course attaching files to PMs is another issue entirely if anyone wants something ;)


Just as an FYI, the first place I'd go in an attempt to anonymously disseminate info would have to be WikiLeaks or 4chan. If enough care is taken to make it unclear where the leak originated, it may be difficult to find it and you. I haven't done this kind of thing before so this is mostly speculation, but those are my thoughts anyway.


In case the list breaks:

http://rapidshare.com/files/366334463/docs.zip.html

All documents from the big package, zipped. This is probably the part you'll all find most interesting.

http://rapidshare.com/files/366341857/5.7.8.1.44__dominos_build_.zip.html

Custom 5.7 build used by Domino's Pizza

http://rapidshare.com/files/366341861/Client_5.7.1I_SP8c_Installer.zip.html

Client for 5.7.1 isp8c (client speaks to pro or server install over network)

http://rapidshare.com/files/366341862/config_disk.zip.html

Config disk with numerous test accounts, works in all versions posted. Just extract files into the install folder, overwriting files as necessary.

http://rapidshare.com/files/366341863/PCCWClient_5.8.0.exe.html

Client for 5.8.0

http://rapidshare.com/files/366341866/Pro_5.7.1I_SP9a_Installer.zip.html

Pro 5.7.1 isp9a, minor bugfixes from isp8c

http://rapidshare.com/files/366345809/Tarja2.exe.html

Internal use keygen for pre-5.8 versions. Apparently one of the devs has a hardon for Finnish symphonic rock singers.

http://rapidshare.com/files/366350414/Pro_5.8.0_Installer.zip

Pro 5.8.0 Installer

http://rapidshare.com/files/366350418/PS_5.8.0_Setup.exe

Payment Server 5.8.0 Installer

http://rapidshare.com/files/366350420/Server_5.7.1I_SP8c_Installer.zip

Payment Server 5.7.1 isp8c installer


Thanks for the advice Zandi. Looks like I won't need it though :)

I'll still gladly send anyone whatever they want privately, in case RS pulls those files. I should -1 rep you just for using RapidShare VeriPhony... I mean seriously, wtf...


Done.

http://thepiratebay.org/torrent/5451545

Edit: And now that I've actually set up port forwarding it should even work!

Edit #2: 3 seeds now. GIANT thank you to the folks who stuck around to seed after their downloads finished :)

Edited by Enmaku

OK, so hopefully this post isn't so old that this would be considered necromancy, but I've come to a conclusion. Counsel advises me that my NDA only covers stuff I learned or knew when I worked for VFI, anything I learn after the fact is fair game so here goes.

I never got to support integration, we always referred them to their point-of-sale manufacturer for that stuff, so I've been playing with it a bit since this hit the open market and here's what I've got:

Integration in any version before 5.8 appears to be either TCP or SMB based, no encryption anywhere. 5.8 appears to offer SSL but it's clunky and definitely not the default. I've sniffed my own traffic and sure enough there's the whole transaction unencrypted on the local wire for anyone with access to see. I'm pretty sure PCI compliance requires that merchants secure their own networks but it seems like kind of a douche move to dump that kind of a vulnerability on end-users who are probably as technically competent as a garden slug. Talk about enforcing the letter of the law rather than its spirit.

Transactions are sent from client to server as unencrypted XML regardless of the method chosen. TCP just connects on the specified port (default 31419) and dumps the XML, then waits for an XML-formatted response before closing the connection. SMB puts the data in a file which is copied into a shared folder over the network, the transaction is run and then the file deleted and another file created with a similar name but different extension. The incoming transaction is a .INX file, the outgoing is a .OUX file, both containing unencrypted plain XML with every detail perfectly human-readable.

These are the results of sniffing network traffic between a node running payment server and one running client, I can only assume that integration with third-party software works in much the same way. Based on sniffing I've done at places like Starbucks and McDonalds I'm pretty sure the big name stores hire someone to handle their networks, I've never seen a card number go over the wire there, but this does look similar to something I've seen at a smaller local coffee house, and I'll bet there's a lot of small businesses who could get screwed by this badly.

More to come when there's more to tell :)

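The .INX/.OUX file-drop exchange described in the post above, audited from the defender's side as an added example (not the poster's code and not Verifone's): a scan of a mounted drop share for cleartext Luhn-valid card numbers. The element names and folder layout are assumptions for the constructed sample; the real schema is not on the page.

```python
"""
Scan a "file drop" share for cleartext card numbers.  Added example, not code
from the thread or from Verifone.  The post above describes a point of sale
writing each transaction as plain XML to a .INX file on a shared folder and
the payment server replying with a .OUX file, neither encrypted.  A defender
can audit such a share the way a DLP scanner would: parse every drop file and
flag each element text or attribute holding 13-19 digits that pass the Luhn
(MOD 10) check.  Element names such as <Account> are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

DROP_EXTENSIONS = {".inx", ".oux"}
# 13-19 digits, optionally separated by single spaces/dashes, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """MOD 10: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid digit strings in text, separators stripped."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Report first six and last four only; the scanner never logs a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_xml(xml_text: str) -> list:
    """(location, masked_pan) for every element text and attribute that leaks."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for pan in find_pans(elem.text or ""):
            findings.append((elem.tag, mask(pan)))
        for name, value in elem.attrib.items():
            for pan in find_pans(value):
                findings.append((f"{elem.tag}@{name}", mask(pan)))
    return findings


def scan_share(root_dir: str) -> dict:
    """Walk a mounted drop share; map each offending .INX/.OUX path to its
    findings.  Files that are not well-formed XML are scanned as raw text."""
    results = {}
    for path in Path(root_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DROP_EXTENSIONS:
            continue
        text = path.read_text(errors="replace")
        try:
            findings = scan_xml(text)
        except ET.ParseError:
            findings = [("(raw text)", mask(p)) for p in find_pans(text)]
        if findings:
            results[str(path)] = findings
    return results


# Constructed .INX-style request.  4111... and 5500... are published test
# PANs and pass Luhn; the 16-digit invoice number fails Luhn: not a finding.
SAMPLE_INX = """<?xml version="1.0"?>
<Transaction>
  <Account>4111111111111111</Account>
  <ExpDate>1012</ExpDate>
  <Amount>12.34</Amount>
  <Invoice>4111111111111112</Invoice>
  <Track2>;5500000000000004=1012101?</Track2>
</Transaction>
"""

if __name__ == "__main__":
    for location, masked in scan_xml(SAMPLE_INX):
        print(f"cleartext PAN in <{location}>: {masked}")
```

Run `scan_share("/mnt/pos-drop")` against a mounted copy of the share; any non-empty result is cardholder data at rest in cleartext, which is what the encrypt-only-on-public-networks reading of the standard leaves unprotected.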

That is quite frightening.


Just tested the Excel "rainbow table" of expiration dates that was in the package, it's accurate but incomplete. BTW if you start the program with a /D flag (case sensitive) it runs in "demo mode" and doesn't appear to communicate with the outside world. Any MOD10 valid card number is authorized. I made an import file with the Excel tool included and it ran 20 transactions in a couple seconds so generating one of these tables for all card numbers seems like a very real possibility. I'm thinking I might actually write a program to generate the appropriate import files for, say, all possible Visa and MC numbers as well as a more complete list of expiration dates and dedicate some CPU time to running it if anyone is interested. Not sure what format I would store the results in either, any suggestions?


Please help me.

All links for the torrent "Leaked Verifone Files" are not active now.

I need documentation about Verifone cryptography.

Who can upload it and post a download link?

Contact me at Jabber: dreamseller@xmpp.jp


Hi brother, I just read this now, almost 4 years later, and the links are not working; all files have been removed from rapidshare.com.

Can I get all these files in any way? Kindly reply to me... or is there anyone who can send me these files?

Thanks... waiting...
