Slashdot Mirror


POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default password – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.

6 of 128 comments

  1. Not a Piece of Shit by EmagGeek · Score: 5, Insightful

    The fact that the vendor did not use a strong password does not make the system a "piece of shit." It just means that the vendor did not use a strong default password.

  2. Unfortunately... by Anonymous Coward · Score: 5, Funny

    the 10% who managed to change the default password replaced it by 12345

  3. Re: useless story by Anonymous Coward · Score: 5, Insightful

    Based on it being 6 digits starting with 166, I'd say it is VeriFone. Their card terminals have the same kind of 6-digit code starting with 166.

  4. Not quite accurate by gatkinso · Score: 5, Funny

    The vendor recently updated the default password to "166832".

    --
    I am very small, utmostly microscopic.

  5. Re:useless story by Hartree · Score: 5, Informative

    It's VeriFone. Anyone who's been a credit card terminal tech could tell you that. Hypercom has a well-known default password as well. Any competent fraudster trying to reprogram the pad would know it as well.

    They have to put in something at the factory, so they put in a default. It's supposed to be changed when the system is programmed and set up.

    I used to have the default password for VeriFone's 101 pin pads in muscle memory due to having set up so many of them. (Yes, part of the setup was changing the default to something else.)

  6. Re:But it does by beelsebob · Score: 5, Insightful

    Which is why vendors shouldn't ship products with default passwords at all. Instead, they should require all users to set a password when the system is first installed.