Don't most things that have passwords ship with the same one forever?
e.g. SOHO routers have shipped with some default variant forever:
Admin
Admin
My recollection from writing the manuals for these things is that it's actually 1 [Alpha] [Alpha] 6 6 8 3 1.
In related news, I saw it label printed and stuck to the side of a Verifone terminal in a store here recently.
That's right… the [alpha][alpha] was to get to the letter "Z". When I was programming Verifone 3750 terminals this password was not exactly a closely guarded secret. You can't do much other than screw up the comm settings and/or otherwise brick the device. It doesn't store any transactions or card data. You'd need a special cable to upload malware and the files would have to pass a digital signature process.
The article mentions Target and Home Depot, which use entirely different terminal devices that are managed centrally by a POS system, which does store CC info and was accessed by laterally traversing the internal network. That's not something that happens by just knowing the default password.
Not sure what the scandal is…
Edit: Now that I think of it, I suppose it would be possible to re-configure the terminal comms to connect to a fake man-in-the-middle front end server that captures the transaction data before passing it along for processing. This would take extraordinary knowledge of the payment processing network the merchant is using and lots of luck to compromise enough terminals to make it worthwhile, but it is theoretically possible.
Talk about making a mountain out of a molehill. I touched thousands of those terminals when I worked in merchant services, and the most nefarious thing you could do with that password that would negatively affect anyone other than the direct merchant would be to put naughty words on their credit card receipts. All the real programming worth anything is downloaded from the credit card processor directly. I suppose if someone figured out how to duplicate the processor's signature you might have some issues, but that would be an issue with the certificate, not the default password. True story: back when I was doing grunt work we got a delivery of several hundred refurbished terminals where the jerk at the refurb company had programmed in bad words on the receipts, so I had to reset them all and reprint the test print slips before they could be sold. Which took forever because it is done by hand. Which is about the only thing you can do with that password other than disabling its ability to communicate with the outside world completely.
I've worked in payments for the last decade. This is really a non-issue. As others have stated, the admin password doesn't really do a whole lot.
What's cool is that Nurit (an Israeli company) terminals usually have a default password of 1948, the year of Israel's independence.
What is a "credit card swipe machine"? I have a foggy memory that my dad talked about these in the 70s.
Or phishing attacks on their credit card receipt? "Take our survey, get store credit! Visit hxxp://example.com/phish_survey/".
If that's what we are worried about, I guess it's time to create a special task force to hunt down all junk mail, both physical and digital, as well. It would be much easier to do a fake mass mailer with the same phishing info than it would be to intercept and reprogram a credit card terminal, then wait until the one person uses the scam address instead of automatically throwing away the receipt like everyone else automatically would. We also better add making phone surveys illegal, because I get phishy scam phone calls all the time. If we expect technology to save people from their own bad choices, it would be best to design it to never turn on in the first place. There will always be a better idiot out in the wild than any designer/company can anticipate.
Several models / firmware revs of Verifone terminals don't require valid TLS certs, and can be easily man-in-the-middled. So all you would have to do is reprogram the destination gateway. So, yeah, being able to reprogram them is kind of a big deal, especially since merchant gateways don't require connections to come from a specific IP or range.