Slashdot Mirror


Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.

13 of 68 comments

  1. I hope this surprises no one,.. by Selur · · Score: 4, Interesting

    I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

    1. Re:I hope this surprises no one,.. by Anonymous Coward · · Score: 4, Insightful

      When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

    2. Re:I hope this surprises no one,.. by mythosaz · · Score: 4, Informative

      Restaurant fails to pay the lease.

      Landlord slaps a new lock on the door.

      Equipment is sold to a restaurant supply reclamation company, which any city of any size has.

      Supply company puts their crap on eBay.

    3. Re:I hope this surprises no one,.. by Jiro · · Score: 4, Interesting

      By that reasoning if the restaurant supply reclamation company instead found equipment contaminated with bacteria, and sold the equipment, and people got sick and died from it, they likewise wouldn't have any responsibility. Equipment that poses a threat to people because it spreads private data is not really all that different from equipment that poses a threat because it spreads disease.

      (Which is not to say that it's legally the same, of course.)

  2. Default Passwords? by mythosaz · · Score: 4, Funny

    It's hard to imagine that used equipment was sold with the default password...

    I always include employee data, but I make the new purchaser guess my password.

  3. Re:meh, they're retail workers by jehan60188 · · Score: 2

    Since I like to use sarcasm to drive home a point.
    The point being: big or small, not enough people care enough about security.

  4. Re:meh, they're retail workers by idontgno · · Score: 2

    I think his point is that you don't understand sarcasm.

    Or, in the vernacular, "Whoosh!"

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  5. Small business owners by sjbe · · Score: 4, Insightful

    I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

    As someone who has spent many years consulting to small businesses I can tell you that you are being too conservative. 99% is probably closer to the mark. Nearly all small business owners are clueless regarding data security and frankly don't really have the time to worry about it either. Running a small business is a hugely time consuming endeavor and dealing with the nuances of data security is a luxury most do not have time for. Shoot, you'd be terrified at how many of them don't even bother to back up key data like their accounting software.

    I run a small business myself and while I'm more aware than most about our security I don't really have time to deal with all of it. At some point you sometimes simply have to live with a certain level of risk until you have the resources to address things properly.

    1. Re:Small business owners by sjbe · · Score: 2

      That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.

      You will find that the majority of small businesses fit that description. The company I work at right now has about a dozen computers. Before I got there ALL of them hadn't seen a security update in at least 5 years, the server wasn't being backed up, there was no firewall or antivirus to be found, the company books were done on a spreadsheet, etc. And they were better than many. I've consulted with probably 20-30 small businesses in the last 10 years and maybe 3 or 4 handled their computer security and data in even a moderately safe manner. Some I'm amazed they are still in business at all. Remember that the next time you say you want to support small business. (and then do it anyway!)

  6. Re:SSN on POS? by GameboyRMH · · Score: 4, Informative

    An excellent question.

    I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

    A hardware store and a couple car parts stores near my house have this setup. The car parts stores use them for parts info lookup as well. Maybe this machine was also holding the HR files.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  7. Re:SSN on POS? by aviators99 · · Score: 2

    Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

  8. Re:SSN on POS? by Fnord666 · · Score: 3, Informative

    Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

    Yep. They're called Integrated Payment Platforms or Integrated Payment Systems and they're all the rage right now.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  9. Re:SSN on POS? by tlhIngan · · Score: 2

    I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

    No, cash registers (the dumb kind) are fairly cheap things - a few hundred bucks tops.

    The problem is, the dumb registers don't do more than record sales and all that.

    The fancy PC based ones do tons more - they integrate with a backend inventory system to update real-time inventory counts, integrate with ticketing systems so customer orders can be entered in and it gets kicked out to the kitchen with no fuss (handy for restaurants - they key in the order at the front, and the kitchen gets it automatically), etc.

    I'm guessing they also can handle time card and time tracking for the cashier currently logged in.

    Auto parts stores also integrate into it a vendor inventory query system so they can place orders for parts with vendors right when the customer orders the product, and it'll keep track of customer details so when the part is scanned in, it can be linked back to who ordered it and all that.

    And then there's the POS terminal that often is used to scan in parts that arrive - e.g., a bunch of new inventory comes in, anyone can go and scan it into the system and update the transit and on hand counts.