POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990
mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default password – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.
166831 has been the default pw on VeriFone card terminals and "multilane" on Hypercom ones for as long as I can remember. Of course these are supposed to be changed at install time, but we know how that goes...
But it does make the vendor a piece of shit
No, it makes the user a piece of shit. For one thing, you can use the toughest, most complex word you can think of as your system default password, but if the customer doesn't change it when in production, it won't matter. Period. Why is the customer using the default user?
In the US we have Payment Card Industry Compliance (PCI) which forces you to change passwords at least yearly and you do not share one account for access to the database or system in general.
It's VeriFone. Anyone who's been a credit card terminal tech could tell you that. Hypercom has a well known default password as well. Any competent fraudster trying to reprogram the pad would know it as well.
They have to put in something at the factory, so they put in a default. It's supposed to be changed when the system is programmed and set up.
I used to have the default password for VeriFone's 101 pin pads in muscle memory due to having set up so many of them. (Yes, part of the setup was changing the default to something else.)
One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.
Except it's likely the retailer doesn't know about it, period. They buy a POS system, and it's actually installed, programmed and set up by the company they purchased it from. A lot of POS systems (excepting custom-designed ones or franchisees who often have to purchase a specific unit from the franchiser) are purchased, set up, and installed by companies who do this. In fact, a lot of it is blocked out for customers (i.e., the retailer) by the manufacturer. The programming information and interface setup is often provided only to installers who are under orders to never reveal it to the retailer.
Sure, the retailer has a few "controls" (they could add/remove products from inventory, do inventory and other day-to-day operations) but other ones, including setting it up with a server, or even setting tax rates or categories (non-taxable, partially taxable, fully taxable, etc.), require an installer to do it.
The retailer might not know of the password's existence, or it could even be locked away under an anti-tamper seal put in by the installer so the retailer doesn't try to ... experiment.