RSA 2015 Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale (PoS) systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password.
The enraged pair badged the PoS vendor by its other acronym, labelling it a "piece of shit" and heaping scatological scorn on a bunch of other borked sales systems.
Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip.
Such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking.
Bishop Fox consultant Byrne and Trustwave testing chief Henderson say passwords Z66816 and 166816 – the 1 and Z being variations according to PoS keyboard layouts – are even being carried across to rival vendors as customers who assume their codes are unique switch equipment.
“This is the default password for one of the largest manufacturers of point of sale equipment and has been since at least 1990,” Henderson told the RSA Conference in San Francisco yesterday.
“Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.
“I actually saw this password really recently on a different manufacturer's device [by a customer] who thought the password was unique to them.”
That was not the only PoS system to be criticised, as the hacker duo roasted nameless vendors for borking cryptography and basic best security practice, splashing the P.O.S badge - see image below - across their slide decks.
“Vendors claim that running in admin is a requirement but it's nothing but lies, damn lies,” Henderson says. “I know why they do it; it's like Nirvana for them. But if in fact [the PoS system] needs to run as administrator, that's a good indicator that your vendor doesn't take security seriously.”
If the PoS system needs to run as an administrator, maybe your vendor doesn't take security seriously
The pair iterated some brazen criminal and hopeless customer cases they each dealt with while at Trustwave where PoS systems had been compromised.
For one major US retailer, a pair of criminals masquerading as trades people were seen on CCTV nodding to staff as they unscrewed a server rack and loaded it into a truck after which point the store lost its ability to process credit cards.
In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.
Forensics had even established which songs were played based on the logged keys.
The pair recommends customers assume vendors have no security baked into PoS systems and are lying when they claim to have such. Instead, customers should conduct rigorous penetration tests.
Readers can download the slides online (pdf). ®
Darren Pauli travelled to San Francisco as a guest of RSA.