Slashdot Mirror


POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default password – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.


  1. Not a Piece of Shit by EmagGeek · · Score: 5, Insightful

    The fact that the vendor did not use a strong password does not make the system a "piece of shit." It just means that the vendor did not use a strong default password.

    1. Re:Not a Piece of Shit by rmdingler · · Score: 4, Insightful

      Indeed, and any retailer who entrusts all their monetary transactions to a manufacturer's default password is probably going to slip up somewhere anyway.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Not a Piece of Shit by AmiMoJo · · Score: 4, Insightful

      It was probably the customers who demanded the weak default password too. Anyone who has ever developed a system like this knows that the users are basically morons and won't be able to look up the default password in the manual (which they lost years ago) and will call your tech support line instead.

      I used to write software for fire alarms and the customers demanded the default password on everything (which was the first four digits of the manufacturer's phone number, back in the late 80s before the great re-numbering). Often they wanted a sticker on the damn alarm panel with the password printed on it, preferring instead to rely on locking the cabinet with a key. The fire alarm panel could control various vents and fans that were designed to extract smoke from a burning building, but people liked to use them for day-to-day climate control as well.

      Most people don't care about security. If they get hacked it's someone else's fault; they are the victim. They just want an easy life and a cool breeze in the summer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    3. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 4, Insightful

      provide a secure configuration guide so that customers are aware of everything they need to do in order to properly configure their stuff

      So much this. In the Slashdot echo chamber we presume that everyone in the world should be the security experts we are. No one outside forums like this thinks the way we do. Your average mom & pop grocer doesn't know about security, can't imagine what a "default password" is or why it would be bad, and sees a POS as an appliance much like a refrigerator or stove.

      Tell a restaurateur that they're stupid for not changing the default password, and they're likely to tell you how your stupid home food storage and cooking methods are likely to give you listeriosis. We are experts in our domain, and expecting everyone else to care about it (especially while remaining ignorant of their specialties) is a major failing on our part, not theirs.

      --
      Dewey, what part of this looks like authorities should be involved?

    4. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 3, Insightful

      People are stupid if they don't realize a password is like a key.

      They do, and the problem is that they treat it exactly like one. When you buy a lock, do you immediately re-key it? No: you use it as-is. Now maybe if the key looked very suspicious, like say it was a perfect sine or square wave or it was completely smooth, then you might ask the blacksmith whether that's normal. I bet those shopkeepers would be asking the same of their POS installer if the password was "123456" or "111111".

      But to their (and my) untrained eye, "166816" looks reasonably random. It looks as random as my Schlage house key does. Maybe there's a locksmith forum where experts are making fun of me for not changing my obviously default lock. After all, they can tell at a glance that I have the standard factory issue! How stupid am I for using it without making my own pattern!

      No, I think you're exactly wrong. People think of these passwords as keys. They use the ones manufacturers give them. They hand them out to the same staff that have keys to the front door and cash drawers. They don't routinely change them when people quit. They don't audit their usage. They treat them just like the little metal danglies on the ring in their pocket, no more, no less. We've done a very poor job of telling them why they should think otherwise.

      --
      Dewey, what part of this looks like authorities should be involved?

  2. Re: useless story by Anonymous Coward · · Score: 5, Insightful

    Based on it being 6 digits starting with 166, I'd say it is VeriFone. Their card terminals have the same kind of 6 digit code starting with 166.

  3. Re:But it does by beelsebob · · Score: 5, Insightful

    Which is why vendors shouldn't ship products with default passwords at all. Instead, they should require all users to set a password when the system is first installed.
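The no-default, set-on-first-install approach beelsebob argues for, as an added example in Python (hypothetical code, not from the article or any PoS vendor): the terminal ships with no credential at all, enrolment refuses the 166816 default named in the story along with other weak choices, and authentication fails closed until setup has been done. The policy thresholds (8 characters, not all digits, at least 4 distinct characters) are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Factory defaults refused outright: 166816 is from the article, the others are
# constructed examples of the patterns the thread says even laymen would spot.
KNOWN_DEFAULTS = {"166816", "123456", "111111"}


def _derive(secret, salt):
    # Salted, slow hash so a leaked config does not expose the credential.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


class Terminal:
    def __init__(self):
        # No credential exists until an installer enrols one at first install.
        self._salt = None
        self._hash = None

    def setup_complete(self):
        return self._hash is not None

    @staticmethod
    def check_policy(secret):
        """Return the reason a secret is rejected, or None if acceptable."""
        if secret in KNOWN_DEFAULTS:
            return "matches a known factory default"
        if len(secret) < 8:
            return "shorter than 8 characters"
        if re.fullmatch(r"\d+", secret):
            return "all digits"
        if len(set(secret)) < 4:
            return "too few distinct characters"
        return None

    def enrol(self, secret):
        """One-time enrolment at first install; a later change uses a separate flow."""
        if self.setup_complete():
            raise PermissionError("credential already set; use the change flow")
        reason = self.check_policy(secret)
        if reason:
            raise ValueError(f"rejected: {reason}")
        self._salt = os.urandom(16)
        self._hash = _derive(secret, self._salt)

    def authenticate(self, secret):
        """Fail closed: nothing authenticates before setup, and comparison is constant-time."""
        if not self.setup_complete():
            return False
        return hmac.compare_digest(_derive(secret, self._salt), self._hash)
```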