Credit card swipe machines have shipped with the same password since the 1990s

[Permalink]

1 Like

Don’t most things that have passwords ship with the same one forever?
e.g. SOHO routers have shipped with some default variant forever:
Admin
Admin

My recollection from writing the manuals for these things is that it’s actually 1 [Alpha] [Alpha] 6 6 8 3 1.

In related news, I saw it label printed and stuck to the side of a Verifone terminal in a store here recently.

5 Likes

That’s right…the [alpha][alpha] was to get to the letter ‘Z’. When I was programming Verifone 3750 terminals this password was not exactly a closely guarded secret. You can’t do much other than screw up the comm settings and/or otherwise brick the device. It doesn’t store any transactions or card data. You’d need a special cable to upload malware and the files would have to pass a digital signature process.

The article mentions Target and Home Depot which use entirely different terminal devices that are managed centrally by a POS system - which does store CC info and was accessed by laterally traversing the internal network. That’s not something that happens by just knowing the default password.

Not sure what the scandal is…

Edit: Now that I think of it I suppose it would be possible to re-configure the terminal comms to connect to a fake man-in-the-middle front end server that captures the transaction data before passing it along for processing. This would take extraordinary knowledge of the payment processing network the merchant is using and lots of luck to compromise enough terminals to make it worth while but it is theoretically possible.

4 Likes

Talk about making a mountain out of a mole hill. I touched thousands of those terminals when i worked in merchant services and the most nefarious thing you could do with that password, that would negatively effect anyone other than the direct merchant, would be to put naughty words on their credit card receipts. All the real programming worth anything is downloaded from the credit card processor directly. I suppose if someone figured out how to duplicate the processors signature you might have some issues but that would be an issue with the certificate not the default password. True story, back when i was doing grunt work we got a delivery of several hundred refurbished terminals where the jerk at the refurb company had programmed in bad words on the receipts so i had to reset them all and reprint the test print slips before they could be sold. Which took forever because it is done by hand. Which is about the only thing you can do with that password other than disabling its ability to communicate with the outside world completely.

2 Likes

I’ve worked in payments for the last decade. This is really a non-issue. As others have stated the admin password doesn’t really do a whole lot.

What’s cool is that Nurit (an Israeli company) terminals usually have a default password of 1948; the year of Israel’s independence.

What is a “credit card swipe machine”? I have a foggy memory that my dad talked about these in the 70s.

Or phishing attacks on their credit card receipt? “Take our survey, get store credit! Visit hxxp://example.com/phish_survey/”.

2 Likes

If that’s what we are worried about I guess it’s time to create a special task force to hunt down all junk mail both physical and digital as well. It would be much easier to do a fake mass mailer with the same phishing info than it would be to intercept and reprogram a credit card terminal then wait until the one person uses the scam address instead of automatically throwing away the receipt like everyone else automatically would. We also better add making phone surveys illegal because I get phishy scam phone calls all the time. If we expect technology to save people from their own bad choices it would be best to design it to never turn on in the first place. There will always be a better idiot out in the wild than any designer/company can anticipate.

Several models / firmware revs of Verifone terminals don’t require valid TLS certs, and can be easily man in the middled. So all you would have to do is reprogram the destination gateway. So, yeah, being able to reprogram them is kind of a big deal, especially since merchant gateways don’t require connections to come from a specific IP or range.

This topic was automatically closed after 5 days. New replies are no longer allowed.