Slashdot Mirror


POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.


  1. Not a Piece of Shit by EmagGeek · · Score: 5, Insightful

    The fact that the vendor did not use a strong password does not make the system a "piece of shit." It just means that the vendor did not use a strong default password.

    1. Re:Not a Piece of Shit by rmdingler · · Score: 4, Insightful

      Indeed, and any retailer who entrusts all their monetary transactions to a manufacturer's default password is probably going to slip up somewhere anyway.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Not a Piece of Shit by AmiMoJo · · Score: 4, Insightful

      It was probably the customers who demanded the weak default password too. Anyone who has ever developed a system like this knows that the users are basically morons and won't be able to look up the default password in the manual (which they lost years ago) and will call your tech support line instead.

      I used to write software for fire alarms and the customers demanded the default password on everything (which was the first four digits of the manufacturer's phone number, back in the late 80s before the great re-numbering). Often they wanted a sticker on the damn alarm panel with the password printed on it, preferring instead to rely on locking the cabinet with a key. The fire alarm panel could control various vents and fans that were designed to extract smoke from a burning building, but people liked to use them for day-to-day climate control as well.

      Most people don't care about security. If they get hacked it's someone else's fault, they are the victim. They just want an easy life and cool breeze in the summer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    3. Re:Not a Piece of Shit by SCPaPaJoe · · Score: 4, Informative

      One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.

    4. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 4, Insightful

      provide a secure configuration guide so that customers are aware of everything they need to do in order to properly configure their stuff

      So much this. In the Slashdot echo chamber we presume that everyone in the world should be the security experts we are. No one outside forums like this thinks the way we do. Your average mom & pop grocer doesn't know about security, can't imagine what a "default password" is or why it would be bad, and sees a POS as an appliance much like a refrigerator or stove.

      Tell a restaurateur that they're stupid for not changing the default password, and they're likely to tell you how your stupid home food storage and cooking methods are likely to give you listeriosis. We are experts in our domain, and expecting everyone else to care about it (especially while remaining ignorant of their specialties) is a major failing on our part, not theirs.

      --
      Dewey, what part of this looks like authorities should be involved?

    5. Re:Not a Piece of Shit by tlhIngan · · Score: 4, Informative

      Indeed, and any retailer who entrusts all their monetary transactions to a manufacturer's default password is probably going to slip up somewhere anyway.

      Except it's likely the retailer doesn't know about it, period. They buy a POS system, and it's actually installed, programmed and set up by the company they purchased it from. A lot of POS systems (excepting custom designed ones or franchisees who often have to purchase a specific unit from the franchiser) are purchased, set up, and installed by companies who do this. In fact, a lot of it is blocked out for customers (i.e., the retailer) by the manufacturer. The programming information and interface setup is often provided only to installers who are under orders to never reveal it to the retailer.

      Sure, the retailer has a few "controls" (they could add/remove products from inventory, do inventory and other day-to-day operations) but other ones including setting it up with a server, or even setting tax rates or categories (non taxable, partially taxable, fully taxable, etc) require an installer to do it.

      The retailer might not know of the password's existence, or it could even be locked away under an anti-tamper seal put in by the installer so the retailer doesn't try to ... experiment.

    6. Re:Not a Piece of Shit by DutchUncle · · Score: 3, Interesting

      ... And every single customer will wind up calling customer service asking why they can't get into their system. The papers got filed in shipping, or in finance, or tossed with the packaging. Maybe you could print it on a sticker, just like the serial number; then you have the physical security issue, but at least there's no global exposure.

    7. Re:Not a Piece of Shit by Just+Some+Guy · · Score: 3, Insightful

      People are stupid if they don't realize a password is like a key.

      They do, and the problem is that they treat it exactly like one. When you buy a lock, do you immediately re-key it? No: you use it as-is. Now maybe if the key looked very suspicious, like say it was a perfect sine or square wave or it was completely smooth, then you might ask the blacksmith whether that's normal. I bet those shopkeepers would be asking the same of their POS installer if the password was "123456" or "111111".

      But to their (and my) untrained eye, "166816" looks reasonably random. It looks as random as my Schlage house key does. Maybe there's a locksmith forum where experts are making fun of me for not changing my obviously default lock. After all, they can tell at a glance that I have the standard factory issue! How stupid am I for using it without making my own pattern!

      No, I think you're exactly wrong. People think of these passwords as keys. They use the ones manufacturers give them. They hand them out to the same staff that have keys to the front door and cash drawers. They don't routinely change them when people quit. They don't audit their usage. They treat them just like the little medal danglies on the ring in their pocket, no more, no less. We've done a very poor job of telling them why they should think otherwise.

      --
      Dewey, what part of this looks like authorities should be involved?

    8. Re:Not a Piece of Shit by The+Snowman · · Score: 2

      One of the requirements of PCI compliance with the credit card companies is that you don't use default passwords in any equipment tied to the card transaction.

      Which makes this even more interesting. Based on the password and the fact that a paperclip is required I know the specific vendor and equipment to which the article refers, despite the authors going to great lengths to omit that information. The vendor is a big one and their equipment is involved in millions of electronic payments made every day. You could even say they are "the way to pay." In fact, they are involved in PCI certification for most production deployments involving their hardware: most, but not all, because certain deployments using default configurations do not need additional certification, just a quick verification that IP addresses and the like are properly configured.

      I understand the need for a default password, but it really should be changed. That being said, the encryption keys are not accessible using that password. They are stored in a hardware module that self-destructs if you tamper with it. They can only be set in one of two secure locations both controlled by the vendor: if you attempt to use any other means to mess with the keys, bye-bye memory card that stores them. This is bad, but not as bad as it sounds at first.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!

  2. Unfortunately... by Anonymous Coward · · Score: 5, Funny

    the 10% who managed to change the default password replaced it by 12345

  3. useless story by CrAlt · · Score: 2

    If they don't name the vendor then what will change?
    How can users be warned?
    How do we know it's even true?

    They might as well be bashing some made up system by some fake company that doesn't exist.

    --
    I have to return some videotapes...

    1. Re: useless story by Anonymous Coward · · Score: 5, Insightful

      Based on it being 6 digits starting with 166, I'd say it is VeriFone. Their card terminals have the same kind of 6 digit code starting with 166.

    2. Re:useless story by Hartree · · Score: 5, Informative

      It's VeriFone. Anyone who's been a credit card terminal tech could tell you that. Hypercom has a well known default password as well. Any competent fraudster trying to reprogram the pad would know it as well.

      They have to put in something at the factory, so they put in a default. It's supposed to be changed when the system is programmed and set up.

      I used to have the default password for VeriFone's 101 pin pads in muscle memory due to having set up so many of them. (Yes, part of the setup was changing the default to something else.)

    3. Re:useless story by Hartree · · Score: 2

      And then some idiots would leave the sticker attached to it and if forced to change the password they'd change it back to the original. You know what they say about "foolproof".

  4. What can you do? by masterofthumbs · · Score: 2

    What could someone possibly do if they gain admin access to a POS? Is this a Windows CE system where someone could run arbitrary code? Or is this a bespoke system where the admin password just gives you access to the settings of the system? The article mentions staff using a POS server to play games and download porn on, but that is a server probably running Windows Server with some POS server software from the vendor. Rather than just making fun of the name, these guys should explain what exactly the admin password gets you.

    Getting access to the network is something different. You could update every POS terminal out there with your own code to steal CCs or crash every terminal on Black Friday.

    1. Re:What can you do? by gstoddart · · Score: 2

      What could someone possibly do if they gain admin access to a POS?

      Ummm ... it's kind of the cash register, tied into what sales you've made. So, with the admin password, maybe your staff can fiddle with the numbers and rob you blind.

      Hell, it could be tied to your inventory system. Oh, and don't forget credit cards details of your patrons.

      Your POS is the keys to the kingdom.

      --
      Lost at C:>. Found at C.

    2. Re:What can you do? by dbIII · · Score: 2

      Gain? Change the transaction information so the numbers match when you steal a lot of money out of the till for one thing.

  5. Credit Card Terminals, too. by Anonymous Coward · · Score: 2, Informative

    166831 has been the default pw on VeriFone card terminals and "multilane" on Hypercom ones for as long as I can remember. Of course these are supposed to be changed at install time, but we know how that goes...

  6. Odd Findings by Anonymous Coward · · Score: 3, Interesting

    The pair iterated some brazen criminal and hopeless customer cases they each dealt with while at Trustwave where PoS systems had been compromised. ...
    In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.

    Forensics had even established which songs were played based on the logged keys.

    The researchers found that next to the ubiquitous use of the password 166816 amongst separate manufacturers, that Deep Purple's "Smoke on the Water" was the most played song on compromised PoS terminals. Strange.

  7. Not quite accurate by gatkinso · · Score: 5, Funny

    The vendor recently updated the default password to "166832".

    --
    I am very small, utmostly microscopic.

  8. Re:But it does by beelsebob · · Score: 5, Insightful

    Which is why vendors shouldn't ship products with default passwords at all. Instead, they should require all users to set a password when the system is first installed.

  9. Re:But it does by rstanley · · Score: 2

    And the customer will simply set it to "123456".

    I had a client in the financial business, and the so-called, "Office-Manager" / Comptroller set all the passwords to "password" and several variations on this! He REFUSED to set them to secure passwords, even though if they were hacked, they could have lost millions of dollars in their client's money and securities!

    That company is someone else's headache now.

  10. Re:But it does by DigiShaman · · Score: 2

    And the customer will simply set it to....

    Then the onus of responsibility lies with the client of the vendor and not with the PoS vendor directly. Yes, the PoS vendor could enforce password complexity because it's industry best practice to do so, but it's not required unless legislated into law.

    --
    Life is not for the lazy.

  11. Re:Not really a problem by stinkydog · · Score: 2

    You'll need a three day wait and a background check to secure one of these terrorist "paperclips". Sure, you could 3D bend your own with some wire and a few thousand dollars in equipment, but it will still be inferior to the real thing.

    -SD

    --
    “Who knew something as harmless as willful ignorance could end up having real consequences?”

  12. Re:But it does by aaarrrgggh · · Score: 2

    Ok, how about the fact that credit card numbers are stored in the memory dump of the unit? When encrypted, credit cards storage uses a symmetric key? Servers are regularly stolen, but the drives are not encrypted? The software must be installed as the admin user?

    From a security perspective, these units really are a POS and a betrayal of trust by the vendors. Most retailers do not have staff on-property to do IT security, so they out-source it. They have been charged an arm and a leg, but do not get a secure, reliable system.

  13. Our POS Solution is worse by toadlife · · Score: 3, Interesting

    Our solution by Food Service Solutions has a hard-coded superuser admin account with the username of "a" and the password of "a."

    It's used by thousands of institutions.

    You can't disable it.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

  14. Re:But it does by Aristos+Mazer · · Score: 2

    What if you made the default password the date the system was turned on? Sure, it's a simple 8 digit numeric value, but it would be somewhat unique per machine or local bank of machines. Don't ask them for a default password, tell them what it is and make them go change it. Various studies suggest they probably won't.

  15. Re:But it does by Yomers · · Score: 2

    Any half-decent system will disallow passwords like this.

    Enforce strong passwords? Prepare for sticky notes.
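Several replies in this thread argue the same fix from different angles: ship no usable default and force a password to be set at install (beelsebob), and have the system refuse vendor defaults, date-style codes and other weak values (Yomers, Aristos Mazer). The following is an added example, not code from the thread or from any PoS vendor, of what such an install-time gate looks like; the denylist of defaults quoted in the thread, the 8-character minimum and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Defaults quoted in the thread; an assumed denylist, extend it from your own vendor docs.
KNOWN_DEFAULTS = {"166816", "166831", "166832", "multilane", "a", "password", "123456", "12345", "111111"}

def _patterned_digits(s: str) -> bool:
    """All-digit strings that repeat one digit or count straight up or down."""
    if not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})

def check_password(candidate: str) -> list:
    """Return policy violations for a candidate admin password (empty list = accepted)."""
    problems = []
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known vendor default")
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if _patterned_digits(candidate):
        problems.append("repeated or sequential digits")
    if candidate.isdigit():
        problems.append("digits only")
    return problems

@dataclass
class AdminAccount:
    """Ships with no credential at all; the settings panel stays locked until one is set."""
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None
    def setup_complete(self) -> bool:
        return self.digest is not None

    def set_password(self, candidate: str) -> list:
        """Install-time step: store a salted PBKDF2 hash only if the policy passes."""
        problems = check_password(candidate)
        if not problems:
            self.salt = secrets.token_bytes(16)
            self.digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, 200_000)
        return problems

    def unlock_settings(self, supplied: str) -> bool:
        if not self.setup_complete():  # nothing set yet: refuse, never fall back to a default
            return False
        digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), self.salt, 200_000)
        return hmac.compare_digest(digest, self.digest)
```

Note that the "date the system was turned on" idea from the thread passes the denylist but still fails the digits-only rule, which is the point of checking structure rather than only a fixed list.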