Slashdot Mirror


Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.


  1. I hope this surprises no one,.. by Selur · · Score: 4, Interesting

    I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

    1. Re:I hope this surprises no one,.. by Anonymous Coward · · Score: 4, Insightful

      When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

    2. Re:I hope this surprises no one,.. by mythosaz · · Score: 4, Informative

      Restaurant fails to pay the lease.

      Landlord slaps a new lock on the door.

      Equipment is sold to a restaurant supply reclamation company, of which any city of any size has.

      Supply company puts their crap on eBay.

    3. Re:I hope this surprises no one,.. by Jiro · · Score: 4, Interesting

      By that reasoning if the restaurant supply reclamation company instead found equipment contaminated with bacteria, and sold the equipment, and people got sick and died from it, they likewise wouldn't have any responsibility. Equipment that poses a threat to people because it spreads private data is not really all that different from equipment that poses a threat because it spreads disease.

      (Which is not to say that it's legally the same, of course.)

  2. Default Passwords? by mythosaz · · Score: 4, Funny

    It's hard to imagine that used equipment was sold with the default password...

    I always include employee data, but I make the new purchaser guess my password.

  3. Small business owners by sjbe · · Score: 4, Insightful

    I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

    As someone who has spent many years consulting to small businesses I can tell you that you are being too conservative. 99% is probably closer to the mark. Nearly all small business owners are clueless regarding data security and frankly don't really have the time to worry about it either. Running a small business is a hugely time-consuming endeavor and dealing with the nuances of data security is a luxury most do not have time for. Shoot, you'd be terrified at how many of them don't even bother to back up key data like their accounting software.

    I run a small business myself and while I'm more aware than most about our security I don't really have time to deal with all of it. At some point you sometimes simply have to live with a certain level of risk until you have the resources to address things properly.

  4. Re:SSN on POS? by GameboyRMH · · Score: 4, Informative

    An excellent question.

    I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

    A hardware store and a couple car parts stores near my house have this setup. The car parts stores use them for parts info lookup as well. Maybe this machine was also holding the HR files.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel