Poor password management put millions of cash registers at risk for decades – report

Reuters/Alexander Demianchuk
As major security breaches surface on a routine basis, researchers say millions of point-of-sale systems used around the world are vulnerable because they are protected by a well-documented password that hasn't been changed since 1990.

At the RSA conference in San Francisco this week, those conducting the report, said the global vendor of payment terminals has been using the same default passwords on the PoS machines it’s been shipping for two decades.

Researchers with Trustwave and Bishop Fox said the password, “166816,” is used on nine-out-of-ten terminals they’ve tested that come from the same major retailer. They declined to explicitly identify the seller responsible for the lax security practice, but a cursory Google search points to Verifone — a California-based corporation with a presence in more than 150 countries worldwide.

READ MORE: New security flaw detected in Microsoft Windows

The company started shipping products with that password 25 years ago, the report says, but neither the vendor nor the majority of its customers has bothered to change it. The credentials were even widely circulated among a hacker newsgroup in 1994, according to their RSA presentation.

“Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password,” researcher Charles Henderson said at RSA convention, according to The Register. In all, Verifone has reportedly shipped approximately 27 million machines around the world.

Verifone responded to the report with a statement downplaying the security concerns.

"The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured," Verifone said. "What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords."

Nevertheless, Verifone said it tells it encourages its customers to change the password on the PoS systems it ships.

Last year, security firm Trend Micro warned that hackers may be able to compromise potentially critical systems by gaining access to a PoS terminal and traversing to connected networks.

“Sufficiently skilled and determined attackers can thus go after a business’s PoS terminals on a large scale and compromise the credit cards of thousands of users at a time. The same network connectivity can also be leveraged to help exfiltrate any stolen information. This is not just a theoretical risk, as we have observed multiple PoS malware families in the wild,” they said.

READ MORE: Lawyer finds surveillance software baked into hard drive supplied by police

According to The Register, the presentation at RSA convention this week also revealed that criminals still resort to more traditional means to take down PoS systems.

In one instance cited, two individuals reportedly walked into a major American retail store, acknowledged the staff and then unscrewed a server rack and walked out with it. After taking the server, the store was unable to process credit card payments.

“Bad passwords are one of the easiest ways to compromise a system,” Edward Snowden, the former national security contractor-turned-leaver, told TV host John Oliver earlier this month. “For someone who has a very common, eight-character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out.”