'5 Billion Fraud' Triggered by Financial Sector POS... Financial Authorities Fail to Find Security Measures

Caught Embezzling 5 Billion Won Over 10 Years Through POS Device Vulnerability
Financial Authorities, Card Companies, and Value-Added Telecom Operators All Unaware
FSS Formed TF for Discussion but Could Not Fully Fix the Flaw
Court: "Vulnerability Exploited in Crime Not Completely Addressed"

[Asia Economy Reporter Song Seung-seop] It has been revealed that POS (Point of Sale) terminals distributed in the financial sector for card payments had serious security vulnerabilities. A person who exploited them to buy goods and then fraudulently cancel the card payments, pocketing some 5 billion KRW, has also been caught. The value-added telecommunications service providers (VANs) and card companies failed to notice for 10 years. Although the financial authorities have taken steps to address the vulnerabilities, a complete fix has yet to be found.


According to the financial sector and the Seoul Central District Court on the 22nd, Mr. A, who installed and repaired POS terminals, discovered in 2010 that credit card payments made through a POS device could be cancelled at will. He then began buying items at a stationery store, cancelling the payment approval, and reselling the goods on internet sites. Until February 2020, Mr. A sold stationery worth approximately 5.04 billion KRW (5,044.6 million KRW) through about 1,400 transactions.


This crime was possible because of the unusually weak security of POS terminals in the financial sector. Domestic merchants accept credit card payments on terminals called CAT or POS. The difference between them is the serial number: a CAT terminal carries its own serial number, while a POS terminal does not. Because a POS terminal has no serial number, a payment approved on one device and cancelled on a different one cannot be distinguished from an ordinary cancellation.


Accordingly, the VANs, which handle payment processing, checked a payment-cancellation request against the 'terminal ID': the ID the POS program displayed when the cancellation was requested was compared with the ID recorded at the time of approval. Because that ID is shown by the program rather than bound to the hardware, anyone who knew it and a few pieces of information printed on the card slip could cancel a payment from any machine by the same method. That is what Mr. A did: he installed a POS program called AnsiPOS on his laptop, attached a card reader, and repeatedly approved and cancelled payments.


TF Operated for Several Months... Court: "Still Not Fully Remedied"

The financial authorities, on discovering the security vulnerability, began addressing it in May 2020. The Financial Supervisory Service (FSS), the Credit Finance Association's Card Operations Department, four credit card companies, and six VANs formed a task force (TF). The TF identified problems such as cancellations being accepted from a terminal different from the one that took the payment and the card companies' abnormal transaction detection systems (FDS) failing to catch them.


Accordingly, the FSS proposed measures such as assigning serial numbers to POS devices and credit cards and partially masking terminal numbers with '*'. The VANs, however, argued that new programs would have to be developed, which would take nine months, and insisted, "Let's apply this only to the top six or seven POS companies first." The TF subsequently announced a policy of assigning a unique 15-digit number to each terminal to prevent fraudulent card payment cancellations.


The problem is that this policy was applied only to some companies, leaving the vulnerability in place. Small and medium-sized POS companies, which the financial authorities cannot supervise and which the VANs do not cooperate with, found it difficult to apply the improvement. The TF explored various alternatives at the time but found no clear solution. In the end, citing reasons such as 'preventing merchant confusion', it decided that cancellation requests would be processed even when the unique numbers differed, until an improved measure was in place. In other words, a 15-digit unique number was introduced as the solution, yet a mismatch in that number is tolerated. Such merchants are estimated to account for 30% of the total.
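The legacy terminal-ID check described earlier, the TF's 15-digit unique-number fix and the interim "tolerate mismatch" policy, as an added example that is not part of the article and not any VAN's or card company's code. The record layout, field names and sample transactions are assumptions made for the illustration. What it shows is that the legacy check matches only values an attacker can reproduce from a card slip and a POS program, that binding the cancellation to a unique terminal number stops a cross-device cancel, and that the interim policy keeps honest cancellations from un-upgraded terminals working only at the cost of also letting the fraud through, so such cancels must at least be flagged for the FDS.

```python
"""Toy model of the POS payment-cancellation check discussed in the article.

Added example, not code from the article, the VANs or any card company.
Assumptions (hypothetical): the VAN stores one record per approval; a cancel
request carries the fields printed on the card slip (approval number, amount,
date, masked card number) plus the terminal ID typed into the POS program;
after the TF fix, terminals also send a 15-digit unique number that the POS
software cannot choose. Un-upgraded POS terminals send none (unique_no=None).
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Policy(Enum):
    LEGACY = "legacy"    # pre-2020: compare only the program's terminal ID
    STRICT = "strict"    # require the unique terminal number to match
    INTERIM = "interim"  # TF compromise: tolerate a mismatch, but flag it


@dataclass(frozen=True)
class Txn:
    """Fields an approval record and a cancel request have in common."""
    approval_no: str
    amount: int
    date: str
    card_masked: str
    terminal_id: str            # displayed by the POS program; re-typable anywhere
    unique_no: Optional[str]    # 15-digit number from the TF fix, or None


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    flagged: bool = False       # True when the FDS should review this cancel


def slip_fields_match(approval: Txn, req: Txn) -> bool:
    """Everything compared here is obtainable from the card slip plus a POS
    program, which is why matching on it alone does not prove the same device."""
    return (approval.approval_no == req.approval_no
            and approval.amount == req.amount
            and approval.date == req.date
            and approval.card_masked == req.card_masked
            and approval.terminal_id == req.terminal_id)


def decide_cancel(approvals: dict[str, Txn], req: Txn, policy: Policy) -> Decision:
    approval = approvals.get(req.approval_no)
    if approval is None:
        return Decision(False, "unknown approval number")
    if not slip_fields_match(approval, req):
        return Decision(False, "slip fields do not match the approval")
    if policy is Policy.LEGACY:
        # Nothing binds the cancel to the device that took the payment.
        return Decision(True, "legacy: terminal ID matched")
    same_device = (approval.unique_no is not None
                   and approval.unique_no == req.unique_no)
    if same_device:
        return Decision(True, "unique terminal number matched")
    if policy is Policy.STRICT:
        return Decision(False, "unique terminal number missing or mismatched")
    # INTERIM: processed anyway, which is exactly why it must reach the FDS.
    return Decision(True, "interim: unique number mismatch tolerated", flagged=True)


def demo() -> dict[str, Decision]:
    """Constructed sample transactions; all values are made up for this example."""
    shop_sale = Txn("A0001", 48000, "2019-11-05", "1234-****-****-5678",
                    terminal_id="T12345678", unique_no="100000000000001")
    old_pos_sale = Txn("A0002", 12000, "2019-11-05", "1234-****-****-5678",
                       terminal_id="T87654321", unique_no=None)  # un-upgraded POS
    approvals = {t.approval_no: t for t in (shop_sale, old_pos_sale)}

    # The article's scenario: slip fields re-entered on a laptop running a POS
    # program, so the unique number (if it sends one at all) is not the shop's.
    laptop_cancel = replace(shop_sale, unique_no="100000000000099")
    shop_cancel = shop_sale          # honest cancel on the same terminal
    old_pos_cancel = old_pos_sale    # honest cancel from a terminal with no unique number

    return {
        "legacy_laptop": decide_cancel(approvals, laptop_cancel, Policy.LEGACY),
        "strict_laptop": decide_cancel(approvals, laptop_cancel, Policy.STRICT),
        "interim_laptop": decide_cancel(approvals, laptop_cancel, Policy.INTERIM),
        "strict_shop": decide_cancel(approvals, shop_cancel, Policy.STRICT),
        "strict_old_pos": decide_cancel(approvals, old_pos_cancel, Policy.STRICT),
        "interim_old_pos": decide_cancel(approvals, old_pos_cancel, Policy.INTERIM),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:16} accepted={d.accepted!s:5} flagged={d.flagged!s:5} {d.reason}")
```

Running it shows the trade-off the TF faced: under STRICT the laptop cancel is refused, but so is the honest cancel from the un-upgraded terminal (the 30% of merchants in the article); under INTERIM both go through, and the only thing separating the fraud from the honest case is the flag handed to the FDS.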


The Seoul Central District Court, which handled the civil case, pointed out, "The TF has not yet fully remedied the vulnerabilities of the POS devices used in this fraud case as of February."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
