Slashdot Mirror


POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.

128 comments

  1. It's in the name by Anonymous Coward · · Score: 0

    POS means Piece Of Shit, doesn't it? What would you expect from a POS vendor?

  2. Not a Piece of Shit by EmagGeek · · Score: 5, Insightful

    The fact that the vendor did not use a strong password does not make the system a "piece of shit." It just means that the vendor did not use a strong default password.

    1. Re:Not a Piece of Shit by rmdingler · · Score: 4, Insightful

      Indeed, and any retailer who entrusts all their monetary transactions to a manufacturer's default password is probably going to slip up somewhere anyway.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Not a Piece of Shit by RickOShey · · Score: 1

      POS = Point of Sale (Like a cash register)

    3. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      no, the company is RealPOS, and it really is POS.
      I have used it and they SUCK big time. The equipment is pure junk. It is Windows based and locks up every so often.
      In addition, it is in various companies that have already been cracked.

    4. Re:Not a Piece of Shit by AmiMoJo · · Score: 4, Insightful

      It was probably the customers who demanded the weak default password too. Anyone who has ever developed a system like this knows that the users are basically morons and won't be able to look up the default password in the manual (which they lost years ago) and will call your tech support line instead.

      I used to write software for fire alarms and the customers demanded the default password on everything (which was the first four digits of the manufacturer's phone number, back in the late 80s before the great re-numbering). Often they wanted a sticker on the damn alarm panel with the password printed on it, preferring instead to rely on locking the cabinet with a key. The fire alarm panel could control various vents and fans that were designed to extract smoke from a burning building, but people liked to use them for day-to-day climate control as well.

      Most people don't care about security. If they get hacked it's someone else's fault, they are the victim. They just want an easy life and cool breeze in the summer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      I know this is Slashdot, so I understand that you are unable to read TFA. But try reading the full summary at least...

    6. Re:Not a Piece of Shit by SCPaPaJoe · · Score: 4, Informative

      One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.

    7. Re:Not a Piece of Shit by bondsbw · · Score: 1

      Does that mean the company using the POS would be held liable in the case of a direct breach of their system?

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:Not a Piece of Shit by Anonymous Coward · · Score: 1

      While it is the POS implementor's responsibility to properly set the password, the vendor can do things to enable the vendor to act securely.

      * Don't ship a default password
      * ship a default password, but force it to change on first login, and don't ever allow it to be set back to the default
      * offer stronger authentication options (smart card, OTP, etc)
      * provide a secure configuration guide so that customers are aware of everything they need to do in order to properly configure their stuff

    9. Re:Not a Piece of Shit by Penguinisto · · Score: 1

      One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.

      True, but...

      1) Does PCI compliance/certification even go near individual retailers/businesses, or does it stop cold at the merchant card processor that the retailer/PoS dials into with each transaction? I'm not quite seeing a small Mom-n-Pop store undergoing a PCI audit anytime soon...

      2) For folks who do their own in-house processing, how many auditors do you know of that painstakingly test each and every PoS machine in every store (e.g. Wal-Mart, whenever they recertify)? Hell - they barely sample servers, which you tell them the hostnames for...

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    10. Re:Not a Piece of Shit by dbIII · · Score: 1

      It also makes it more likely that since they put so little thought and care into one thing that there are other things that add up to a pile of shit, not just a piece of shit.
      I've actually seen even worse passwords on POS systems and remote access requirements meant they could not be changed away from the default - which was printed on the side of the devices!

    11. Re:Not a Piece of Shit by cdrudge · · Score: 1

      He knows what POS means. But calling it a piece of shit isn't entirely the fault of the manufacturer. It's also the fault of the retailer or installer for not changing it to something that is unique to that location or company.

      I own a padlock that allows me to set the combination by removing and rotating 4 dials to the letters or numbers that I want. It ships with a default combination of 0000. If I used it straight out of the package, does that make the lock a piece of shit just because it has an easy to guess default password? Or does it make me an idiot for using the lock without changing the password?

    12. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      It was probably the customers who demanded the weak default password too. Anyone who has ever developed a system like this knows that the users are basically morons and won't be able to look up the default password in the manual (which they lost years ago) and will call your tech support line instead.

      I used to write software for fire alarms and the customers demanded the default password on everything (which was the first four digits of the manufacturer's phone number, back in the late 80s before the great re-numbering). Often they wanted a sticker on the damn alarm panel with the password printed on it, preferring instead to rely on locking the cabinet with a key. The fire alarm panel could control various vents and fans that were designed to extract smoke from a burning building, but people liked to use them for day-to-day climate control as well.

      Most people don't care about security. If they get hacked it's someone else's fault, they are the victim. They just want an easy life and cool breeze in the summer.

      My first programming job was working on the development of a point of sale system and everything you've said was true even as late as 2007.

    13. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 4, Insightful

      provide a secure configuration guide so that customers are aware of everything they need to do in order to properly configure their stuff

      So much this. In the Slashdot echo chamber we presume that everyone in the world should be the security experts we are. No one outside forums like this thinks the way we do. Your average mom & pop grocer doesn't know about security, can't imagine what a "default password" is or why it would be bad, and sees a POS as an appliance much like a refrigerator or stove.

      Tell a restaurateur that they're stupid for not changing the default password, and they're likely to tell you how your stupid home food storage and cooking methods are likely to give you listeriosis. We are experts in our domain, and expecting everyone else to care about it (especially while remaining ignorant of their specialties) is a major failing on our part, not theirs.

      --
      Dewey, what part of this looks like authorities should be involved?
    14. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      I think the FD wants to have the passwords in an easy to find place and in a place that does not need a network / power to look up.

    15. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      No kidding -- why would you have a password on such a thing in the first place? I don't need a password to turn on my stove -- my stove is secure because it is on my premises.

    16. Re:Not a Piece of Shit by tlhIngan · · Score: 4, Informative

      Indeed, and any retailer who entrusts all their monetary transactions to a manufacturer's default password is probably going to slip up somewhere anyway.

      Except it's likely the retailer doesn't know about it period. They buy a POS system, and it's actually installed, programmed and setup by the company they purchased it from. A lot of POS systems (excepting custom designed ones or franchisees who often have to purchase a specific unit from the franchiser) are purchased, set up, and installed by companies who do this. In fact, a lot of it is blocked out for customers (i.e., the retailer) by the manufacturer. The programming information and interface setup is often provided only to installers who are under orders to never reveal it to the retailer.

      Sure, the retailer has a few "controls" (they could add/remove products from inventory, do inventory and other day-to-day operations) but other ones including setting it up with a server, or even setting tax rates or categories (non taxable, partially taxable, fully taxable, etc) require an installer to do it.

      The retailer might not know of the password's existence or it could even be locked away under an anti-tamper seal put in by the installer so the retailer doesn't try to ... experiment.

    17. Re:Not a Piece of Shit by dgatwood · · Score: 1

      Better choice is #5. Ship a different, randomly-generated password on each device. Print it along with the serial number on a slip of paper that comes with the device. That way, there's a strong default passcode for people who won't bother to set a good one, and it isn't shared across devices.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    18. Re:Not a Piece of Shit by Jawnn · · Score: 1

      With apologies to Momma, shitty is as shitty does.

    19. Re:Not a Piece of Shit by DutchUncle · · Score: 3, Interesting

      ... And every single customer will wind up calling customer service asking why they can't get into their system. The papers got filed in shipping, or in finance, or tossed with the packaging. Maybe you could print it on a sticker, just like the serial number; then you have the physical security issue, but at least there's no global exposure.

    20. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      Whenever I see 'POS Vendor', despite my knowing it means Point-Of-Sale, I always juvenilely default to thinking it's 'Piece-Of-Shit'. I guess in some cases, that's true.

    21. Re:Not a Piece of Shit by ldconfig · · Score: 1

      The problem is not the passwords they use. It's that all these POS systems ARE RUNNING WINDOWS! An OS that has been proven time and again to have ZERO security.

      --
      The spelling and grammar police can kiss my ass
    22. Re:Not a Piece of Shit by EmagGeek · · Score: 1

      Whether or not it is a "piece of shit" does not depend on what O/S it is running. It depends on whether it meets all of the customer requirements.

    23. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      PCI Compliance does not apply to individual retail installations - it only applies to merchant card processors.

    24. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      The default password has been 166816, not 123456 or 111111. One random number per customer is the same as one random number for every customer.

    25. Re:Not a Piece of Shit by TomGreenhaw · · Score: 1

      That's why the payment card brands require PCI certification. Now that the rules are finally getting enforced with third party auditors checking such things, this crap is getting fixed.

      The system works if the rules are followed. Take a look at the 30 page+ PCI assessment (https://www.pcisecuritystandards.org/security_standards/documents.php) and ask yourself - if all these measures were *really* in place, how could a breach possibly happen?

      --
      Greed is the root of all evil.
    26. Re:Not a Piece of Shit by Darinbob · · Score: 1

      Using it since 1990 though is pretty standard. It's harder to change the code for this than it is to design a brand new system from scratch. Half the departments will start screaming at you for making unnecessary changes, and the other half of the departments will scream at you because they fear thousands of customers being locked out of their systems.

    27. Re:Not a Piece of Shit by markxz · · Score: 1

      Setting the default combination to 0000 would make users know that it is a default password (and make them dumb for not changing it). Using a more complex default combination would make it less likely that people will change it thinking they were allocated a secure code, not the default for that manufacturer.

    28. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      People are stupid if they don't realize a password is like a key. Would they put a lock on their front door that has a default key every other lock comes with and not change that? Quit coddling users and call them out on their dumb practices of not changing default passwords.

    29. Re: Not a Piece of Shit by Anonymous Coward · · Score: 0

      When we had a company audit for compliance, they ran a port scan. That's it.

    30. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      Back in 1990, 6 digits wasn't all that bad. It's still considered good enough now for most combination locks (mechanical as well as electronic) and the contents of your bank account (PIN code).

    31. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 3, Insightful

      People are stupid if they don't realize a password is like a key.

      They do, and the problem is that they treat it exactly like one. When you buy a lock, do you immediately re-key it? No: you use it as-is. Now maybe if the key looked very suspicious, like say it was a perfect sine or square wave or it was completely smooth, then you might ask the blacksmith whether that's normal. I bet those shopkeepers would be asking the same of their POS installer if the password was "123456" or "111111".

      But to their (and my) untrained eye, "166816" looks reasonably random. It looks as random as my Schlage house key does. Maybe there's a locksmith forum where experts are making fun of me for not changing my obviously default lock. After all, they can tell at a glance that I have the standard factory issue! How stupid am I for using it without making my own pattern!

      No, I think you're exactly wrong. People think of these passwords as keys. They use the ones manufacturers give them. They hand them out to the same staff that have keys to the front door and cash drawers. They don't routinely change them when people quit. They don't audit their usage. They treat them just like the little medal danglies on the ring in their pocket, no more, no less. We've done a very poor job of telling them why they should think otherwise.

      --
      Dewey, what part of this looks like authorities should be involved?
    32. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      The fact that the vendor did not use a strong password does not make the system a "piece of shit." It just means that the vendor did not use a strong default password.

      And that, in turn, means their system is a piece of shit. You are a stupid motherfucker for not understanding this simple fact.

    33. Re:Not a Piece of Shit by The+Snowman · · Score: 2

      One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.

      Which makes this even more interesting. Based on the password and the fact that a paperclip is required I know the specific vendor and equipment to which the article refers, despite the authors going to great lengths to omit that information. The vendor is a big one and their equipment is involved in millions of electronic payments made every day. You could even say they are "the way to pay." In fact, they are involved in PCI certification for most production deployments involving their hardware: most, but not all, because certain deployments using default configurations do not need additional certification, just a quick verification that IP addresses and the like are properly configured.

      I understand the need for a default password, but it really should be changed. That being said, the encryption keys are not accessible using that password. They are stored in a hardware module that self-destructs if you tamper with it. They can only be set in one of two secure locations both controlled by the vendor: if you attempt to use any other means to mess with the keys, bye-bye memory card that stores them. This is bad, but not as bad as it sounds at first.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    34. Re:Not a Piece of Shit by rmdingler · · Score: 1

      Your thoughts smell like truth. It just seems as if the number of well-publicized breaches has reached a threshold where even the Muggles are aware of the ubiquitous flaws in security.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    35. Re:Not a Piece of Shit by Anonymous Coward · · Score: 0

      I'd say the password is a bad default password, because it "looks" strong. Nobody would guess 166816 at random on the first try, so the tendency to just leave it at that may be higher than if "000000" was the default password. The latter happened to be the password for the Card payment system at the Burger King across the road from my office, and I was always kind of tempted to change the message on the receipt to "I'm loving it."

    36. Re:Not a Piece of Shit by SCPaPaJoe · · Score: 1

      We have four retail clothing stores. Each store is scanned by the card processor once a quarter. Once a year I have to fill out a Self Assessment Questionnaire which addresses the default password issue among other things. It's a royal pain in the ass. I failed scans in the past for having our systems locked down so tight that the scans were blocked. That seemed ideal to me, but the processor saw it differently. I had to white-list their ip range.

  3. Unfortunately... by Anonymous Coward · · Score: 5, Funny

    the 10% who managed to change the default password replaced it by 12345

    1. Re:Unfortunately... by Anonymous Coward · · Score: 0

      Are you sure it wasn't abcde? :rolleyes:

    2. Re:Unfortunately... by Anonymous Coward · · Score: 0

      I'm pretty sure it wasn't, because qwerty is easier to type.

    3. Re:Unfortunately... by Anonymous Coward · · Score: 0

      That's amazing! I've got the same combination on my luggage!

    4. Re:Unfortunately... by Anonymous Coward · · Score: 0

      That's the same combination I have on my luggage!

    5. Re:Unfortunately... by ebvwfbw · · Score: 1

      That's stupid. Of course they replaced it with 54321. That's really secure. Nobody would think of that.

      Of course I've found plenty that were set to 00001.

  4. Same as it ever was... by jeffb+(2.718) · · Score: 1

    Everybody jumps on the three-letter acronym, but no love for the researcher's name?

    1. Re:Same as it ever was... by Darinbob · · Score: 1

      This is not my beautiful POS!

  5. So? I do that. by Anonymous Coward · · Score: 0

    That way the password matches that of my luggage.

  6. But it does by Anonymous Coward · · Score: 0

    But it does make the vendor a piece of shit

    1. Re:But it does by Anonymous Coward · · Score: 0, Informative

      But it does make the vendor a piece of shit

      No, it makes the user a piece of shit. For one thing, you can use the toughest most complex word you can think of as your system default password, but if the customer doesn't change it when in production, it won't matter. Period. Why is the customer using the default user?

      In the US we have Payment Card Industry Compliance (PCI) which forces you to change passwords at least yearly and you do not share one account for access to the database or system in general.

    2. Re:But it does by beelsebob · · Score: 5, Insightful

      Which is why vendors shouldn't ship products with default passwords at all. Instead, they should require all users to set a password when the system is first installed.

    3. Re:But it does by rstanley · · Score: 2

      And the customer will simply set it to "123456".

      I had a client in the financial business, and the so-called "Office-Manager" / Comptroller set all the passwords to "password" and several variations on this! He REFUSED to set them to secure passwords, even though if they were hacked, they could have lost millions of dollars in their clients' money and securities!

      That company is now someone else's headache now.

    4. Re:But it does by DigiShaman · · Score: 2

      And the customer will simply set it to....

      Then the onus of responsibility lies with the client of the vendor and not with the PoS vendor directly. Yes, the PoS vendor could enforce password complexity because it's industry best practice to do so, but not required unless legislated into law.

      --
      Life is not for the lazy.
    5. Re:But it does by Anonymous Coward · · Score: 0

      And the customer will simply set it to "123456".

      Any half-decent system will disallow passwords like this. A combination of specifically banned values and banned patterns is the very least you need for a system like this where physical access is required (obviously for passwords where an online brute-force attack is possible you need to check for dictionary words etc. as well).
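The measures the thread keeps coming back to (force a change on first login, never allow the factory default back, ban obvious values and patterns such as 123456 or 111111) are simple to state but easy to get subtly wrong, so here is an added example that puts them together. This is illustrative code written for this page, not the vendor's firmware or anything from the article; the banned list is constructed from values quoted in the thread, and the class name, function names and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the 166816 default and the values quoted in this
# thread. A real deployment would use a far larger list of known defaults.
BANNED_VALUES = {
    "166816", "166831", "166832",
    "000000", "111111", "123456", "12345", "54321", "00001", "0000",
    "password", "qwerty", "abcde",
}


def _is_sequential(digits: str) -> bool:
    """True for runs like 234567 or 654321 (constant step of +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def _is_short_period(value: str) -> bool:
    """True when the value is a short block repeated, e.g. 777777 or 123123."""
    for period in range(1, len(value) // 2 + 1):
        if len(value) % period == 0 and value[:period] * (len(value) // period) == value:
            return True
    return False


def weak_reason(candidate: str, min_len: int = 6):
    """Return why a candidate admin password is unacceptable, or None if it passes."""
    if len(candidate) < min_len:
        return "too short"
    if candidate.lower() in BANNED_VALUES:
        return "banned value"
    if _is_short_period(candidate):
        return "repeated pattern"
    if candidate.isdigit() and _is_sequential(candidate):
        return "sequential digits"
    return None


class TerminalAdminAuth:
    """Toy model of a terminal's admin login (an assumption for this example):
    the factory default works exactly once, only to set a new password, and
    can never be chosen again."""

    def __init__(self, factory_default: str):
        self._factory_default = factory_default
        self._salt = os.urandom(16)
        self._stored = self._hash(factory_default)
        self.must_change = True  # set until the default has been replaced

    def _hash(self, value: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self._salt, 100_000)

    def login(self, entered: str) -> str:
        """Return 'denied', 'change_required' (default still in use) or 'ok'."""
        if not hmac.compare_digest(self._hash(entered), self._stored):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> str:
        if self.login(current) == "denied":
            return "denied"
        if new == self._factory_default:
            return "rejected: factory default"
        reason = weak_reason(new)
        if reason:
            return f"rejected: {reason}"
        self._salt = os.urandom(16)  # fresh salt for the new credential
        self._stored = self._hash(new)
        self.must_change = False
        return "ok"
```

Note that the factory default is checked separately from the blocklist: a per-device default (the random-per-unit scheme some posters suggest) would not be on any shared list, yet it still must never be re-adopted once replaced.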

    6. Re:But it does by ArcadeMan · · Score: 1

      And the default password isn't something obvious like "123456" so it's not like the vendor didn't care about it either.

    7. Re:But it does by aaarrrgggh · · Score: 2

      Ok, how about the fact that credit card numbers are stored in the memory dump of the unit? When encrypted, credit cards storage uses a symmetric key? Servers are regularly stolen, but the drives are not encrypted? The software must be installed as the admin user?

      From a security perspective, these units really are a POS and a betrayal of trust by the vendors. Most retailers do not have staff on-property to do IT security, so they out-source it. They have been charged an arm and a leg, but do not get a secure, reliable system.

    8. Re:But it does by Aristos+Mazer · · Score: 2

      What if you made the default password the date the system was turned on? Sure, it's a simple 8 digit numeric value, but it would be somewhat unique per machine or local bank of machines. Don't ask them for a default password, tell them what it is and make them go change it. Various studies suggest they probably won't.

    9. Re:But it does by Yomers · · Score: 2

      Any half-decent system will disallow passwords like this.

      Enforce strong passwords? Prepare for sticky notes.

    10. Re:But it does by Anonymous Coward · · Score: 0

      date and time to the second 20150423125456

    11. Re:But it does by beelsebob · · Score: 1

      And at *that* point it's the user's fault. But not until the vendor stops shipping things with default passwords and not asking you to change it at first setup.

    12. Re:But it does by beelsebob · · Score: 1

      What if you made the default password the date the system was turned on?

      Then I as a thief would do some basic research into the date that that location opened for business and try 2-3 guesses close to that date before getting it bang on.

    13. Re:But it does by Anonymous Coward · · Score: 0

      It's worse, based on the make and model you can probably reduce the year it was turned on to about 5 choices (if even that), limiting your total pool of combinations to 5*12*30=1800 possible codes. You could brute force that by hand in a few hours if you locked yourself in the store at night. Dates do not make good security codes.

  7. Re:Obligatory by QilessQi · · Score: 1

    Quick, change it to 12345!

  8. useless story by CrAlt · · Score: 2

    If they don't name the vendor then what will change?
    How can users be warned?
    How do we know it's even true?

    They might as well be bashing some made up system by some fake company that doesn't exist.

    --
    I have to return some videotapes...
    1. Re: useless story by Anonymous Coward · · Score: 5, Insightful

      Based on it being 6 digits starting with 166, I'd say it is VeriFone. Their card terminals have the same kind of 6 digit code starting with 166.

    2. Re:useless story by Hartree · · Score: 5, Informative

      It's VeriFone. Anyone who's been a credit card terminal tech could tell you that. Hypercom has a well known default password as well. Any competent fraudster trying to reprogram the pad would know it as well.

      They have to put in something at the factory, so they put in a default. It's supposed to be changed when the system is programmed and set up.

      I used to have the default password for VeriFone's 101 pin pads in muscle memory due to having set up so many of them. (Yes, part of the setup was changing the default to something else.)

    3. Re: useless story by Anonymous Coward · · Score: 0

      Posting as anon to not lose mod points. They have pictures of a Verifone terminal in the presentation. No logo, though.

    4. Re:useless story by amicusNYCL · · Score: 1

      They have to put in something at the factory, so they put in a default.

      It's not like the only option is a single password for every device. They could just as easily plug it in to something, set a random password for just that device, and have a sticker print out with the password that gets put on the device. I've seen modems ship like that, with a 20-character password that is obviously random for that device (since it's printed on the same sticker as the MAC).

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:useless story by Hartree · · Score: 2

      And then some idiots would leave the sticker attached to it and if forced to change the password they'd change it back to the original. You know what they say about "foolproof".

    6. Re:useless story by amicusNYCL · · Score: 1

      So you're suggesting that a better alternative is to set the same password for every device instead of shipping each device with a unique password? I didn't say anything about "foolproof". I'm saying that shipping every device with the same password is not the only option, it's not even a good option.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    7. Re:useless story by Hartree · · Score: 1

      No, I was simply noting that technical solutions are limited in solving what are human problems at the base.

      The base problem is valuing "easy" over secure.

      The real problem to be solved is a bit harder: Finding a technical or human way to block that problem, that's still workable (think about bricked devices from an unknown password that can't be reset) enough to be accepted by users and the companies fielding them.

    8. Re: useless story by Anonymous Coward · · Score: 0

      The name of the process in Process Explorer screenshot shows which one has been analyzed.

      It is Retalix http://www.retalix-intl.com/fr/societe/ an NCR division

  9. Don't use a password by __aabppq7737 · · Score: 1

    Using some secret number, calculate the hash of that number concatenated with the current hour and minute. Then, when someone comes by to unlock it, they just use the same algorithm with the same secret number to generate a hash that matches the one on the machine. Authenticate based off of equality of user given hash and machine calculated hash.

    Of course, concatenation maybe isn't the best option if you want a large amount of entropy behind the hash code. Maybe replace the human and PIN input with a serial port.

    1. Re:Don't use a password by Anonymous Coward · · Score: 0

      And what exactly do you expect to achieve with that?

    2. Re:Don't use a password by Sneeka2 · · Score: 1

      I'll bite... wut?!

      If you're asking a user to calculate a hash in their head based on a secret plus the current time when entering a password, you're greatly overestimating the amount of time and mental capacity regular people have.
      If OTOH you're talking about using a hash of a secret plus the unhashed current time, your suggestion is completely useless. The hash would be static and simply be a normal static password, and the addition of the current time would be of no extra significance to security. Not to mention that you'll have a hell of a time with clock synchronisation.

      To make dynamic hash calculations based on secrets feasible in practice, you need a dingus which does it for you... oh wait, that's a smart card or an OTP device.

      --
      Bitten Apples are still better than dirty Windows...
    3. Re:Don't use a password by __aabppq7737 · · Score: 1

      hash ( (secret) concat (date) concat (time-to-the-nearest-second) )

      I wasn't thinking straight. A smart card is definitely better

    4. Re:Don't use a password by Anonymous Coward · · Score: 0

      Again, what do you think that achieves compared to just using a password?

    5. Re: Don't use a password by AvitarX · · Score: 1

      That weakens security. It means the computer needs to store the secret in a readable way, and once read, the secret is known, and the time and hashing simply obscure the sending over the wire. Since the hash is not a shared secret, no extra security is provided. Best to have the secret hashed in a non-readable way.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
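The scheme proposed at the top of this thread, and the replies pointing out that it only works with a device computing the code and that the terminal must then hold the shared secret in readable form, is easiest to see in code. The following is an added example, not the poster's proposal or any vendor's implementation: it replaces the literal hash of a concatenated secret and clock reading with an HMAC over a 30-second time step (the HOTP-style truncation from RFC 4226, applied to SHA-256), and the step length, window and secret are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed time step; a clock-drift window is checked below


def time_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code the technician's device shows for the current 30-second step.
    The same function runs on the terminal, which is why the terminal must
    hold the very same secret."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: low nibble of the last byte picks a
    # 4-byte window, which is reduced to the requested number of digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def terminal_verify(entered: str, secret: bytes, unix_time: int, window: int = 1) -> bool:
    """Terminal side: accept the code for the current step or for `window`
    steps either side, to tolerate clock skew between device and terminal."""
    for drift in range(-window, window + 1):
        expected = time_code(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, entered):
            return True
    return False


# Constructed demonstration values: a shared secret and a timestamp in 2015.
DEMO_SECRET = b"constructed-shared-secret-for-example"
DEMO_TIME = 1_429_789_000


def demo() -> dict:
    """Run one exchange: device shows a code, terminal checks it now, a few
    seconds later, and well after the window has closed."""
    code = time_code(DEMO_SECRET, DEMO_TIME)
    return {
        "code": code,
        "accepted_now": terminal_verify(code, DEMO_SECRET, DEMO_TIME),
        "accepted_after_20s": terminal_verify(code, DEMO_SECRET, DEMO_TIME + 20),
        "accepted_after_5min": terminal_verify(code, DEMO_SECRET, DEMO_TIME + 300),
        "accepted_wrong_secret": terminal_verify(code, b"other-secret", DEMO_TIME),
    }
```

Contrast this with a stored password: a terminal can keep only a salted hash of a password and still verify it, but the code above cannot be checked without the secret itself, so the terminal must protect that secret (for instance in the tamper-responding module another poster describes) rather than merely hash it.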
  10. What can you do? by masterofthumbs · · Score: 2

    What could someone possibly do if they gain admin access to a POS? Is this a Windows CE system where someone could run arbitrary code? Or is this a bespoke system where the admin password just gives you access to the settings of the system? The article mentions staff using a POS server to play games and download porn on, but that is a server probably running Windows Server with some POS server software from the vendor. Rather than just making fun of the name, these guys should explain what exactly the admin password gets you.

    Getting access to the network is something different. You could update every POS terminal out there with your own code to steal CCs or crash every terminal on Black Friday.

    1. Re:What can you do? by gstoddart · · Score: 2

      What could someone possibly do if they gain admin access to a POS?

      Ummm ... it's kind of the cash register, tied into what sales you've made. So, with the admin password, maybe your staff can fiddle with the numbers and rob you blind.

      Hell, it could be tied to your inventory system. Oh, and don't forget credit cards details of your patrons.

      Your POS is the keys to the kingdom.

      --
      Lost at C:>. Found at C.
    2. Re:What can you do? by dbIII · · Score: 2

      Gain? Change the transaction information so the numbers match when you steal a lot of money out of the till for one thing.

  11. Credit Card Terminals, too. by Anonymous Coward · · Score: 2, Informative

    166831 has been the default pw on VeriFone card terminals and "multilane" on Hypercom ones for as long as I can remember. Of course these are supposed to be changed at install time, but we know how that goes...

  12. Odd Findings by Anonymous Coward · · Score: 3, Interesting

    The pair iterated some brazen criminal and hopeless customer cases they each dealt with while at Trustwave where PoS systems had been compromised. ...
    In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.

    Forensics had even established which songs were played based on the logged keys.

    The researchers found that next to the ubiquitous use of the password 166816 amongst separate manufacturers, that Deep Purple's "Smoke on the Water" was the most played song on compromised PoS terminals. Strange.

  13. Is that vendor.. by Anonymous Coward · · Score: 0
  14. Not quite accurate by gatkinso · · Score: 5, Funny

    The vendor recently updated the default password to "166832".

    --
    I am very small, utmostly microscopic.
    1. Re:Not quite accurate by Bender+Unit+22 · · Score: 1

      or 166831a

  15. Verifone by Anonymous Coward · · Score: 0

    The vendor in question is Verifone.

  16. Same PWD for Nortel PBX by Anonymous Coward · · Score: 0

    I seem to remember from my days (quite some time ago) of doubling as a Nortel PBX admin, that **166816 was also the default admin pwd.

  17. One of the most popular POS systems by jd2112 · · Score: 1

    One of the most popular Point of Sales systems is called 'RealPOS'. I wouldn't be surprised if this is the one referenced in the article.

    --
    Any insufficiently advanced magic is indistinguishable from technology.
    1. Re:One of the most popular POS systems by Holi · · Score: 1

      It's not, it's Verifone, which is odd because I thought they did payment solutions not the actual POS software. Looking at their site I don't see any POS solutions, just payment solutions for actual POS software (like Micros).

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    2. Re:One of the most popular POS systems by Anonymous Coward · · Score: 0

      http://www.verifone.com/products/hardware/

    3. Re:One of the most popular POS systems by Holi · · Score: 1

      Isn't RealPOS NCR's hardware line? Their software would be Counterpoint or OmniPOS among others; it depends on the industry. I don't know much about the retail market in POS, but I support several different systems for the Restaurant/Bar industry, most of them suck.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    4. Re:One of the most popular POS systems by Anonymous Coward · · Score: 0

      isn't RealPOS NCR's hardware line? Their software would be Counterpoint or OmniPOS among others, it depends on the industry. I don't know much about the retail market in POS, but I support several different systems for the Restaurant/Bar industry, most of them suck.

      I would expect the vendor to be NCR. A couple of decades ago I used to work on IBM pos systems, but those were P.O.S. too.

    5. Re:One of the most popular POS systems by Anonymous Coward · · Score: 0

      RPOS is NCR.

      But the password the article references is definitely Verifone. Source: Worked at both places.

  18. Worse than just Passwords by aaarrrgggh · · Score: 1

    The actual presentation is much worse than just passwords.

    Really pathetic that "chip and sign" won't do much to fix these issues. Disappointed that they didn't shame the manufacturer, although there are really only 3 left now among the majors.

    (And sadly, the link to that presentation's directory is "writeable." Sometimes even security specialists get it wrong...)

  19. VeriFone- Old News by Anonymous Coward · · Score: 0

    "Take widely used old and new VeriFone POS devices, which Henderson says have a default password that's been well-documented since at least 1990. When Trustwave does a POS audit, "90 percent of the VeriFone card readers that we test have that password," he says, noting that too many retailers do not change the default passwords on their VeriFone devices, which makes it easy for anyone who can get malware onto the device to then seize full control. "And that's just one vendor, and that's just one example," he says."

    http://www.bankinfosecurity.com/pos-malware-still-works-a-8044/op-1

    1. Re:VeriFone- Old News by Anonymous Coward · · Score: 0

      Another little snippet for Oldtimers...
      Apollo Computers were popular in certain areas back in the Eighties.
      The default Root Password was -apollo-
      So of course, one changed the Root Password as soon as the Workstation was set up.
      Around 1994, I got a surplus DN580 from the SSC. It was free.
      I tried to login as root, with -apollo- as the password. No go.
      I then tried toor, wheel, locksmith and a couple of other hidden Apollo root accounts, and -apollo- worked on them all.
      So what did I find?
      I kid you not- catering plans for Meetings that never occurred, and an empty Index for Papers that were never presented, or even written.
      I kept the keyboard.
      It's still a cool keyboard.

      Also, pertinent to the original Subject, from 2007:
      http://www.hackerfactor.com/papers/cc-pos-20.pdf

  20. Hardly the vendor's fault by Anonymous Coward · · Score: 0

    I fail to see how it is the vendor's fault that the end user FAILED to change the default password. I mean hell, 90% of the default router passwords are admin:admin. Do you hear people shouting at the moon that the router manufacturers NEED to send each router out with a custom username/password burned into its firmware? No, generally you hear the sane argument that the morons who leave the default password in place are at fault for whatever data breach occurs due to their ineptitude. Along with the battle cry, "Learn to configure your damn router!"

    1. Re:Hardly the vendor's fault by Anonymous Coward · · Score: 0

      Yeah, this seems to be the fault of the company installing the terminals for a retailer. They're already going to the trouble of setting up the system, why not add a step to change the default password?

    2. Re:Hardly the vendor's fault by Anonymous Coward · · Score: 0

      I don't keep bundles of Cash, Checks, and Credit Card receipts in my Router.
      I'm somewhat surprised that you do.

    3. Re:Hardly the vendor's fault by Yomers · · Score: 1

      I don't keep bundles of Cash, Checks, and Credit Card receipts in my Router. I'm somewhat surprised that you do.

      So you say changing resolvers in your router would do you no harm?

      It was funny in Thailand - 2 major ADSL internet providers, with most ADSL modems/routers configured with 3 default admin passwords - 3bb, tot, and, you guessed it, admin. By default they were all open from the WAN - I checked once, just opened in a browser a few IPs in the same subnet as mine - could log in to about 5 out of about 10 IPs tested. About a year ago probably somebody exploited this, so what did the providers do? Simple solution - just drop all incoming connections; anyway nobody noticed.

    4. Re:Hardly the vendor's fault by Anonymous Coward · · Score: 0

      The devices should _refuse_ to start properly and show an error message unless the user changes the password. That is good design, and the vendor could easily have done this.
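
      A first-boot gate of the kind this comment describes, written as an added example that is not from the page or from any vendor's firmware; the policy constants, the PBKDF2 parameters and the function names are assumptions, and the default value is the one quoted in the thread:

```python
import hashlib
import hmac
import os

# Constructed example: the factory-default service code quoted in the thread.
FACTORY_DEFAULT = "166816"
MIN_LENGTH = 8          # assumed policy value, not taken from any vendor
PBKDF2_ROUNDS = 100_000  # assumed stretching cost


class ServiceCredential:
    """Salted, stretched store for a terminal's service-mode password."""

    def __init__(self, initial=FACTORY_DEFAULT):
        # Devices ship with the default installed, exactly as the thread complains.
        self.salt = os.urandom(16)
        self.digest = self._derive(initial, self.salt)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def verify(self, password):
        # Constant-time comparison so a wrong guess leaks no timing information.
        return hmac.compare_digest(self.digest, self._derive(password, self.salt))

    def still_factory_default(self):
        return self.verify(FACTORY_DEFAULT)


def policy_errors(candidate):
    """Reject the weak shapes discussed in the thread: short, all-digit, or the default itself."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.isdigit():
        errors.append("numeric only")
    if candidate == FACTORY_DEFAULT:
        errors.append("equals the factory default")
    return errors


def change_password(store, current, new):
    """Rotate the credential with a fresh salt; returns (ok, reasons)."""
    if not store.verify(current):
        return False, ["current password incorrect"]
    errors = policy_errors(new)
    if errors:
        return False, errors
    store.salt = os.urandom(16)
    store.digest = store._derive(new, store.salt)
    return True, []


def enter_service_mode(store, password):
    """The gate from the comment: no service mode while the default is still in place."""
    if store.still_factory_default():
        return "BLOCKED: factory-default password must be changed first"
    if not store.verify(password):
        return "DENIED"
    return "OK"
```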

  21. More context needed by ERJ · · Score: 1

    Without additional context I would say "So what?".

    Questions that need answering:
    - Can the end user change the default password?
    - Do installation best practices from manufacturer dictate to change the default password?
    - Who performs the installation and maintains the devices?

    Without answers to these it is hard to say whether the issue lies with the manufacturer, the reseller or the end user.

    1. Re:More context needed by Anonymous Coward · · Score: 0

      IMO, the fault lies with the installer.

  22. most companies aren't competent and don't care by Anonymous Coward · · Score: 0

    Clearly, all the owners and managers care about is getting more than their fair share and abusing those beneath them.

  23. Re:Obligatory by Anonymous Coward · · Score: 0

    ROT5 that bitch

  24. What can you do with a hacked POS? by Anonymous Coward · · Score: 0

    I'm unfamiliar with these devices, could someone tell me what you could really accomplish with getting into a POS? I'd guess you can probably open the register, but beyond that is there really much of a security risk here?

  25. 2 seconds on google by Anonymous Coward · · Score: 0

    Really folks, why name the vendor?

    http://router-defaults.com/Router/Verifone--Junior+2.05-ip-password-username

  26. Naming Adobe landed Dmitry S. in jail by dbIII · · Score: 1

    If they don't name the vendor then what will change?

    They won't be dragged off to court, or now that we have DMCA bullshit they won't be dragged off to jail like Dmitry S. vs Adobe. If they name them one or both may happen.

  27. Not really a problem by ArcadeMan · · Score: 1

    Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip.

    This isn't really a problem. Where are regular people who don't work in security going to get a paperclip?

    1. Re:Not really a problem by stinkydog · · Score: 2

      You'll need a three day wait and a background check to secure one of these terrorist "paperclips". Sure, you could 3D bend your own with some wire and a few thousand dollars in equipment, but it will still be inferior to the real thing.

      -SD

      --
      “Who knew something as harmless as willful ignorance could end up having real consequences?”
    2. Re:Not really a problem by PPH · · Score: 1

      Tweeted from a 787 in flight: "I have a paperclip."

      --
      Have gnu, will travel.
  28. pop and lock by Noah+Haders · · Score: 1

    Criminals won't pause before popping and unlocking.

    My own preference is to pop and lock.

  29. Dumb question by Jeremi · · Score: 1

    What does knowing this password allow a malicious person to do, that he couldn't do otherwise?

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Dumb question by Neil+Boekend · · Score: 1

      Apparently play games and download porn on the PoS.
      In theory an American PoS has access to credit card numbers. Since the PoS apparently is a fully fledged Windows machine with internet access, these CC numbers could be stolen.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  30. Our POS Solution is worse by toadlife · · Score: 3, Interesting

    Our solution by Food Service Solutions has a hard-coded superuser admin account with the username of "a" and the password of "a."

    It's used by thousands of institutions.

    You can't disable it.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:Our POS Solution is worse by Anonymous Coward · · Score: 0

      Our solution by Food Service Solutions has a hard-coded superuser admin account with the username of "a" and the password of "a."

      It's used by thousands of institutions.

      You can't disable it.

      That's perfectly safe, you go ahead and try to find a hash table for single character strings on the internet, they don't exist I tell you!

    2. Re:Our POS Solution is worse by Anonymous Coward · · Score: 0

      So there's a superuser admin account named "a" and password of "a"?

      You betcha I can disable it now. I can do all sorts of things.

  31. Same as it ever was. by Anonymous Coward · · Score: 0

    Unfortunately, this kind of finding is not just once in a lifetime. These little creatures may seem like they're just talking heads, but we shouldn't treat them like they're speaking in tongues. These are true stories. Something something fear of music. Ok, I'm done. Naked. Now I'm really done.

  32. Can you say... normal? by garyoa1 · · Score: 1

    There's a reason why linksys, D-link and others do pretty much the same thing.

    --
    Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
  33. User Error by Murdoch5 · · Score: 1

    Change the password! If you're not going to be proactive about security, why should anyone help you?

  34. Abuse it! by Anonymous Coward · · Score: 0

    If they stubbornly insist on bad passwords, abuse the system. Disrupt it in some way, or transfer money to Nigeria. Halve all prices. Then they lose, and learn. Don't go with defaults, don't trust vendors of broken policies.

    1. Re: Abuse it! by Anonymous Coward · · Score: 0

      Really? So you subscribe to the idea that if you see something on somebody's deck you should just steal it when you walk by? What kind of a jerk does that?

  35. Hey, my previous employer did just this by Anonymous Coward · · Score: 0

    At my previous employer, Epicor (formerly CRS), we did this, and I think it was the same password in the article. You could hit alt backspace, enter it in, and then have admin level access to Windows. Crazy!!

    One client, Ecko Unlimited, had a virus in the base image. Thankfully the anti-virus caught it, but it's just stupid. Oh, and they never updated their definitions, so some systems were 6 years outdated! Finally, the real kicker is that credit card data was stored encrypted in the database that anyone could access. Wait for it, it gets better. Once they settled credit nightly, the card information was stored UNENCRYPTED for a YEAR!!! They didn't want to pay to fix any of this.

    Yeah, don't EVER shop there!!!!!

    1. Re:Hey, my previous employer did just this by Anonymous Coward · · Score: 0

      That is disgusting...

  36. Back in the early 80's when I was in the Air Force by pebear · · Score: 1

    The Military used to call our cars POVs and I used to call my car a POV, POS. Then came the point of sale setups and they appropriated my acronym. Now we can go back to using POS for its original intended purpose. BTW thanks for giving me the password, I think I might just get rich and lucky this weekend...

    --
    Paul E. Bahre
  37. Sadly this is normal by geohump · · Score: 1

    Most large commercial device makers do exactly this same thing.

    Routers, Credit Card terminals, Coke machines.

    Not only do they all do this, the default passwords and the correct menus to select are all well documented online.

    You can walk up to most digital Coke machines and reboot them, and reconfigure their settings to do all kinds of things.