The researchers examined machines at more than 120 clothing, electronics, and local stores. The default password in many instances granted administrative access to the machines, Trustwave executive Charles Henderson explained at last week’s RSA security last week in San Francisco. Worst case scenario, that could enable any ruffian with the know-how to scrape payment data like credit card numbers and names.
A majority of the vulnerable terminals are manufactured by Verifone, but the company’s not necessarily the one to blame. “No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson told CNN Money. “We’re making it pretty easy for criminals.”
It’d be risky to try at a crowded outlet — the passwords are just lengthy enough that entering them would probably make you the target of suspicion — but the real potential for hacking arises from unsecured systems. Speaking to Digital Munition, Henderson described an instance in which an employee inadvertently downloaded keylogging software onto a retail PoS system while attempting to install a pirated video game.
Verifone doesn’t believe there’s too much cause for concern. The passwords on new payment terminals expire periodically, a spokesperson said, and the company “hasn’t witness[ed] any attacks on the security of terminals based on default passwords.” All the same, it said retailers are “strongly advised to change the default password.”
You’d think that’d be common sense.
Editors' Recommendations
- Your Google One plan just got 2 big security updates to keep you safe online
- Hackers stole $1.5 million using credit card data bought on the dark web
- Online payment fraud has doubled over the past seven years
- The best identity theft protection
- 5G adoption in retail stores will triple by 2024, study says
