Cash register maker used same password – 166816 – non-stop since 1990

Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale (PoS) systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. The enraged pair badged the PoS vendor by its other acronym …

  1. bazza Silver badge
    FAIL

    (untitled)

    The icon ---> isn't big enough...

  2. Cliff

    Hang your heads in shame!

    That's just terrible, especially for a system whose job (whose ONLY job, in fact) is to keep financial information safe and accurate.

    That's like finding all voting machines have a cheat code for hitting UKIP 3 times to enable 1950's mode ;)

    1. wolfetone Silver badge

      Re: Hang your heads in shame!

      Didn't they do something similar a few years ago in Florida when Al Gore was trying to be President?

      1. David Dawson

        Re: Hang your heads in shame!

        I'm sure it was some dude called chad...

  3. Ole Juul

    Please explain

    I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas. In many cases I see POS used much like a cash register. If you have physical access to the drawer, you can take money out - password or not. One could perhaps fiddle the stock numbers and take stuff home. If staff with access to the cash registers can't be trusted, then there is indeed a problem, but not one that can be solved with better passwords.

    1. Dan 55 Silver badge

      Re: Please explain

      One could get admin rights, install software, snaffle credit card numbers.

      1. Ole Juul

        Re: Please explain

        Thanks. I really wasn't firing on all cylinders there. :)

      2. Anonymous Coward

        Re: Please explain

        One could get admin rights, install software, snaffle credit card numbers.

        This is not a bug, it is a feature. How do you think I can run double accounting and hide my income from the IRS?

    2. Mark 85

      Re: Please explain

      I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas

      Ah... that's probably why you're not a "bad guy" then.... After the various break-ins/hijacks in the US in the last few years, if one remoted in, they would own the system.

      And since the PW's have been released, expect new break-ins/hijacks in...5...4....3....2....

    3. Anonymous Coward

      Re: Please explain

      You'd quite possibly be able to change the price of any item. Depending on your desire for subtlety, you then either mark down one particular high-value item to peanuts, or make it significantly cheaper whilst being just about conceivable. Or possibly you'd be able to create a buy-one-get-one-free type of offer on the product.

      Then you get your mates to come in and buy said item multiple times over and flog it later on eBay. Hey presto, plausible deniability of any involvement all around. Profit!

    4. Triggerfish

      Re: Please explain

      Getting physical access to a drawer is not a problem usually anyway; most have a small hole a bit like CD drawers used to have: poke a pin in and it releases the lock.

      The problem is a cashier would have a discrepancy that would show up on a Z-reading (don't know if they still call it that, acted as tech support for POS software many many years ago), which shows the total from the transactions.

      If a cashier was going to fiddle a cash drawer then the ability to do mental arithmetic and keeping the running total in your head for the till, plus what change you should be giving (basically you balance the books in your head), is easier you ring up as no sales (to pop the drawer but no value entered in the checkouts final total), the average customer doesn't care about a receipt.

      Depending on the set up, changing prices would not be easy either; a lot of the stores had price files sent down to the back office that were then loaded down to the tills, not sure if you could change them after that easily.

      It really depends on how they set up their POS network - some stores' checkouts die completely with loss of the server, some we worked with were pretty robust (and running all on DOS) and would continue because they stored local copies.

      I would have thought the grand prize was access to the CC merchant services that will be running somewhere; the last one I saw (again years ago) used to have a service running on a SCO box and would squirt all that data to a bank that processed it and sent back auth codes for the cards.

      I can tell you also many stores do not check when someone turns up looking like they should be working there, I have walked right up to the server racks in the offices of some large chains and not once has someone said anything (I was actually supposed to be doing so btw), ask for where the sign in book is and you are pretty much accepted.

      1. F0rdPrefect

        Some still are running on DOS

        Or were up to the end of 2013 when my son ceased to work in retail.

        Just as well they were as it meant he could call his old Dad for some ideas when it went wrong and the support line was not answering.

        As for stores not checking who you are, I have been let into the server rooms of much more "security conscious" organisations than the retail trade, just by asking and without the person letting me in knowing who I was.

        1. Triggerfish

          Re: Some still are running on DOS

          Some of that DOS was remarkably robust especially with a Unix back office. We had to call around our estate to make sure they were happy with the service, and some stores didn't even know they had tech support since they had never had to call them, there were cheap (basically pc rather than server kit) sitting in the back offices that had uptime running in 5-6 years region.

          It also said a lot about call centres and SLA's because the call centre manager hated to see us sitting round on our arses most days (if there was an issue we fixed the damn thing properly, the NT team relied mainly on reboots), and they hated that they could not get the customer to change over to their NT software, they used to bring them in to the centre and try and sell them to the NT software desks which was always really busy (with rebooting), showing how many calls they could handle and how quickly (reboot). While for some reason our customer liked our quiet desk where we sat around not having many issues and taking only a few calls (we might take some time, the process was fettle so it runs then fix properly - but that screws call stats).

        2. Anonymous Coward

          Re: Some still are running on DOS

          > I have been let into the server rooms of much more "security conscious" organisations than the retail trade,

          Try Cleaning.

          First, they don't want to see people like you so you are alone inside an empty building; Second, you get keys and codes to the whole shop; Third, they think that people who clean are total dum-dum's so they don't care to hide anything from the cleaners, logins, passwords, business papers, WiFi's all there for the copying; Fourth, cleaners are such a low life-form that they hardly bother to check any of the details you give them, like name and such.

          It is quite amazing - cleaners are invisible people!

  4. Dan 55 Silver badge
    Coffee/keyboard

    That caption for the second image

    You might want to go over that text again.

    1. Uncle Slacky Silver badge
      Headmaster

      Re: That caption for the second image

      Also, the singular of criteria is "criterion".

      1. billse10

        Re: That caption for the second image

        Adam Hills on language .... standup routine about the use of language, and he is heckled, about his use of language ... criteria / criterion ...

    2. Khaptain Silver badge

      Re: That caption for the second image

      That image is truly worth a 1000 words. ( or passwords)

      1. Anonymous Coward

        Re: That caption for the second image

        Isn't it from a South Park episode?

        1. SuperNintendoChalmers

          Re: That caption for the second image

          Either from a Mr Hanky ad, or possibly from a Google fibre April fools. I think. Maybe.

          1. InMyHead

            Re: That caption for the second image

            It is from the Mr. Hanky Ad Commercial from the first South Park Christmas episode

  5. Pete 2 Silver badge

    Experimental data

    > “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

    And exactly how many cases have there been of this being exploited? It would be interesting to see a study of how many times "well known" security holes do actually get compromised.

    What a lot of security professionals do (and you can't blame them, since that's how they make their money) is to point at every vulnerability: whether theoretical, practical or exploitable for gain and say "LOOK! it's a massive security hole. everyone must fix it immediately".

    Now, it's true that once a weakness has been "outed" it's far more likely to be explored - especially if hackers can get some material gain from it. However, that doesn't mean that every single weakness is in that class. At least not until some security geek goes blabbing to the entire world about it. It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it.

    1. dogged

      Re: Experimental data

      > “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

      So 81% of passwords?

      1. Michael Wojcik Silver badge

        Re: Experimental data

        “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

        So 81% of passwords?

        Allow me to introduce you to a little thing we call "the noun phrase in apposition". A clever little devil, it closely resembles the adverbial phrase, but its behavior is quite different.

    2. Anonymous Blowhard

      Re: Experimental data

      "It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it."

      The critical passwords should be unique to your organisation; if they are routinely used then they should be routinely changed, and the current password should be securely stored where it will be accessible to company officers if they need it (like in a sealed and signed envelope kept in a safe).

      A long lived password that's known to many, especially outsiders, is a recipe for disaster; and try explaining it to your insurance company when you do get robbed...

    3. icesenshi

      Re: Experimental data

      Let the world hope that you're not in security, since you clearly lack any understanding of it. And if you are in security, it would explain cockups like this. A lot.

      1. Pete 2 Silver badge

        Re: Experimental data

        > Let the world hope that you're not in security, since you clearly lack any understanding of it.

        Lack understanding - hardly. Because asking for a considered and quantifiable measure of risk and downside is such a bad thing?

        At least with that information people would be able to make a proper assessment of the threats they face and hence to apply the correct amount of effort. Instead of employing Wild Assed Guesses that either address the wrong issues, fail to resource their security teams correctly or even learn how to identify a real threat from ignorant media jibberings.

        You never know, the next step might even lead to fact-based professionalism.

  6. Dr Paul Taylor

    customers should conduct rigorous penetration tests

    How am I supposed to do this in a supermarket queue?

    1. Warm Braw

      Re: customers should conduct rigorous penetration tests

      >How am I supposed to do this in a supermarket queue?

      Using the nearest cucumber?

      1. JLV
        Joke

        > nearest cucumber

        mine's bigger

    2. Anonymous Coward 101

      Re: customers should conduct rigorous penetration tests

      You use your smartphone to go around mainframe and implant a nanovirus.

      1. Woza
        Joke

        Re: customers should conduct rigorous penetration tests

        And then track the perpetrator's IP address through a GUI?

        1. Khaptain Silver badge

          Re: customers should conduct rigorous penetration tests

          And your colleagues for this mission will be Morgan Frogman and Tim Cruise. ( I have been assured that they are both nearly as good as the originals)

          1. Anonymous Coward
            Facepalm

            This is UNIX, I know this.

            Actually it's a 10 year old blond girl on an island.

            1. Anonymous Coward

              Re: This is UNIX, I know this.

              Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)

              1. John Gamble

                Re: This is UNIX, I know this.

                "Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)"

                No no, in the spirit of the "Morgan Frogman and Tim Cruise" comment, it's "Blond. Jane Blond."

      2. Anonymous Coward

        Re: customers should conduct rigorous penetration tests

        Did you steal that phrase from The Following, by any chance?

    3. Anonymous Coward

      Re: customers should conduct rigorous penetration tests

      You are not the customer of the PoS vendor, the supermarket chain is....maybe. They may outsource that function and not actually be the customer of the PoS vendor...

      Fortunately, the latest release of the PCI DSS does now have language that is meant to cover this.

    4. Anonymous Coward

      Re: customers should conduct rigorous penetration tests

      Just cover yourself in "The Cloak of Invisibility" ->

      Yellow Safety vest, White or Red Safety Helmet, Clipboard with Many Layers of Paper, Dark Trousers, Shoes that are NOT safety shoes and Reading Glasses.

      Few will notice you, no-one will remember you!

      *)

      If challenged anyway, flash an ID-badge and say you are inspecting the electrical works. An ID-badge is easy to make up with a machine for printing ... ID cards. Maybe there is even a corner shop for that?

  7. TheProf
    Happy

    Heroes

    Things won't remain in a poor state for long. Not with Bishop Fox and Chief Henderson on the case.

  8. Dr. Mouse

    The pair recommends customers assume vendors have no security baked into PoS systems and are lying when they claim to have such. Instead, customers should conduct rigorous penetration tests.

    Very sound advice. Never assume anything is secure. There could be undisclosed vulnerabilities or flaws in absolutely anything. If you assume it is insecure, you will stand a much better chance of ending up with a secure system. If you assume it will be insecure no matter what you do, you will probably keep a closer eye on it, spot problems sooner, and plug them sooner.

  9. Jim 59

    All your PoS belong to us.

  10. Annihilator
    Coat

    Nirvana

    "I know why they do it; it's like Nirvana for them"

    What's the capital N for? Are they comparing it to the band? Is it grungy?

    1. Michael Wojcik Silver badge

      Re: Nirvana

      Are they comparing it to the band?

      Running ordinary applications with administrative privileges: overrated and unnecessary.

  11. Craig 2

    "Forensics had even established which songs were played based on the logged keys."

    Hmmmm, fairly impressive. Tell me their score for for bonus points...

    1. Anonymous Coward
      Coffee/keyboard

      Have you reported it to the RIAA, Mr Pen Tester, or are you now an accessory after the fact?

  12. Berny Stapleton

    This isn't exactly new (I know since 1990)...

    But, this isn't the first time it's been published either:

    http://www.hackerfactor.com/papers/cc-pos-20.pdf

  13. Stevie

    Bah!

    Outstanding.

  14. FrankRizzo890

    Guys, I know the POS devices in question here, and they aren't cash registers. They are VeriFone POS terminals. Very small, and used only for credit card transactions. Do a Google image search for Zon Jr. and Tranz 330. It was the Zon family that used the "1" passwords, and the TranZ family that swapped over to using the "Z" passwords. During a typical day, the merchant uses it to authorize credit card transactions via a modem. Yes, dial-up. Then, it stuffs the data into what's called "batch" memory. It's been a while, so I don't remember what is stored there, but I can tell you this. You can't just walk up to the device and read batch memory from the keypad. You'd need to write a custom program to do it. Oh, did I mention it uses its own programming language? It does. It's VERY unlikely that a hacker would know this language, or even more to the point, would have the TIME to key it into the device from the numeric keypad without someone noticing. This is COMPLETE BS. These devices have been out since the late 80's, and have yet to be targeted. Anyone who has ever dealt with them knows about the passwords. (It's also VERY easy to change the default password!). Yet there have been no hacks.

    Fearmongering at its best. Trolling at the worst, and they need to troll harder next time.

    1. Steve Graham

      I think you must be mistaken. The mention of "running as administrator" implies Windows (probably XP), which means they're talking about a general purpose PC with PoS software running on it.

  15. Pedigree-Pete

    Owner responsibility.

    All the devices I deal with have a default manufacturer's admin password, well known to everyone in the industry & easily garnered from the freely available PDF admin guides on the manufacturers' web sites.

    Shirley the purchaser is responsible for securing his devices with his own user & admin passwords?

    If lost or forgotten a factory reset will usually fix that.

    Pete

  16. Herby

    Manufacturers Password

    In a project I worked on we cooked in a "master" password that allowed entry into the system. We went to great lengths to deny that it existed to "higher ups". I was told that eventually it was released in dire circumstances (it would have necessitated a site visit). The funny thing was that it was a relatively simple password, just the company's initials as control characters. I have no idea if any of these systems exist almost 30 years later. I was laid off before the company was sold off.

    So, these things happen all the time. The saying goes: "Can you keep a secret?" to which the proper answer is "yes", but the next phrase is "So can I".

  17. Cook942
    Black Helicopters

    Damn, guess they finally worked out what i was doing

    In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.
