Default Passcode Can Hack Many Credit Card Readers
If you get in by the default password, can it be considered hacking? In most cases, the law will say yes, but by hacker standards, that seems nonsensical. Low hanging fruit is the bitterest.
In any case, the same default code has been left in place on the overwhelming majority of point-of-sale credit card readers for more than two decades. The code is Z66816 or 166816, depending on the Verifone terminal. A person with access to the machine has a 9 in 10 chance of successfully gaining root access with one of these codes, according to research revealed at the 2015 RSA Conference.
The truth of this was discovered in a recent report by Trustwave and Bishop Fox, two security firms, representatives of which gave a presentation at the recent RSA Conference in San Francisco. Using the right code, a person has access to do whatever the terminal allows him or her to do. In this writer’s experience, that at the very least means being able to print out a report of the day’s sales, which includes all card data in plain text.
In his speech to go with the presentation, Chris Henderson of Trustwave, said:
No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility.
This can be likened to default passwords on Wi-Fi routers. In some cases, cable providers have begun instituting auto-generated, secure passwords by default. But there will always be the corner cutters who don’t bother. The question is who is at fault, the vendor or the customer? In the case of credit card terminals, it’s the customer, who is the party responsible for the credit card data being passed to them. It is important to note that that the majority of the major point-of-sale breaches in the last decade haven’t been due to these codes. Rather, they’ve had to do with larger network weaknesses in the implementation of security at the store level, which can sometimes lead to greater access by the attackers.
Also read: Cisco Discovers “PoSeidon” POS Malware
Looking at other services where a default password is enabled, the customer is usually required to change it the first time they need to use that password. It just makes sense. A default password is all but public knowledge.
In a similar fashion, Triton ATMs were famously compromised for years (and still probably are being compromised) because the ATM owners don’t bother to change the administrator passcode sequence. Thus, anyone who knows what they’re doing can get on the machine and change the denomination to 1s, even though the machine is still dispensing 20s. Then if they make a withdrawal for $20, they’re actually withdrawing $400, and so on.
Simple security practices seem lost on many people who have the responsibility of a lot of money. The current system provides stiff penalties to those who are brazen enough to exploit these weaknesses, but the point is that they are often preventable with simple, best practices that make sense with even a passing glance at them.
“We’re making it pretty easy for criminals,” Henderson told the conference. Indeed.
Images from Shutterstock.