
You can break into almost any retail store’s credit card reader with 2 passwords

It’s common knowledge that point-of-sale machines aren’t exactly the most secure pieces of technology in the world — you need only look at last year’s pilfering of Home Depot, Target, Neiman Marcus, and Michael’s customer data for evidence of that — but the reality may be worse than previously thought. Researchers at cybersecurity firm Trustwave discovered that a vast majority of retailers fail to change the default password on their credit card readers. It’s usually 166816 or Z66816.

The researchers examined machines at more than 120 clothing, electronics, and local stores. The default password in many instances granted administrative access to the machines, Trustwave executive Charles Henderson explained at last week’s RSA security conference in San Francisco. In the worst-case scenario, that could enable any ruffian with the know-how to scrape payment data like credit card numbers and names.

A majority of the vulnerable terminals are manufactured by Verifone, but the company’s not necessarily the one to blame. “No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson told CNN Money. “We’re making it pretty easy for criminals.”

It’d be risky to try at a crowded outlet — the passwords are just lengthy enough that entering them would probably make you the target of suspicion — but the real potential for hacking arises from unsecured systems. Speaking to Digital Munition, Henderson described an instance in which an employee inadvertently downloaded keylogging software onto a retail PoS system while attempting to install a pirated video game.

Verifone doesn’t believe there’s too much cause for concern. The passwords on new payment terminals expire periodically, a spokesperson said, and the company “hasn’t witness[ed] any attacks on the security of terminals based on default passwords.” All the same, it said retailers are “strongly advised to change the default password.”

You’d think that’d be common sense.
