You can break into almost any retail store’s credit card reader with 2 passwords

It’s common knowledge that point-of-sale machines aren’t exactly the most secure pieces of technology in the world — you need only look at last year’s pilfering of Home Depot, Target, Neiman Marcus, Michael’s customer data for evidence of that — but the reality may be worse than previously thought. Researchers at cybersecurity firm Trustwave discovered that a vast majority of retailers fail to change the default password on their credit card readers. It’s usually 166816 or Z66816.

The researchers examined machines at more than 120 clothing, electronics, and local stores. The default password in many instances granted administrative access to the machines, Trustwave executive Charles Henderson explained at last week’s RSA security last week in San Francisco. Worst case scenario, that could enable any ruffian with the know-how to scrape payment data like credit card numbers and names.

A majority of the vulnerable terminals are manufactured by Verifone, but the company’s not necessarily the one to blame. “No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson told CNN Money. “We’re making it pretty easy for criminals.”

It’d be risky to try at a crowded outlet — the passwords are just lengthy enough that entering them would probably make you the target of suspicion — but the real potential for hacking arises from unsecured systems. Speaking to Digital Munition, Henderson described an instance  in which an employee inadvertently downloaded keylogging software onto a retail PoS system while attempting to install a pirated video game.

Verifone doesn’t believe there’s too much cause for concern. The passwords on new payment terminals expire periodically, a spokesperson said, and the company “hasn’t witness[ed] any attacks on the security of terminals based on default passwords.” All the same, it said retailers are “strongly advised to change the default password.”

You’d think that’d be common sense.