Cash register maker used same password – 166816 – non-stop since 1990

Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale (PoS) systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. The enraged pair badged the PoS vendor by its other acronym …

  1. bazza Silver badge
    FAIL

    (untitled)

    The icon ---> isn't big enough...

  2. Cliff

    Hang your heads in shame!

    That's just terrible, especially for a system whose job (whose ONLY job, in fact) is to keep financial information safe and accurate.

    That's like finding all voting machines have a cheat code for hitting UKIP 3 times to enable 1950's mode ;)

  3. wolfetone Silver badge

    Re: Hang your heads in shame!

    Didn't they do something similar a few years ago in Florida when Al Gore was trying to be President?

  4. David Dawson

    Re: Hang your heads in shame!

    I'm sure it was some dude called chad...

  5. Ole Juul Silver badge

    Please explain

    I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas. In many cases I see POS used much like a cash register. If you have physical access to the drawer, you can take money out - password or not. One could perhaps fiddle the stock numbers and take stuff home. If staff with access to the cash registers can't be trusted, then there is indeed a problem, but not one that can be solved with better passwords.

  6. Dan 55 Silver badge

    Re: Please explain

    One could get admin rights, install software, snaffle credit card numbers.

  7. Mark 85 Silver badge

    Re: Please explain

    > I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas

    Ah... that's probably why you're not a "bad guy" then.... After the various break-ins/hijacks in the US in the last few years, if one remoted in, they would own the system.

    And since the PW's have been released, expect new break-ins/hijacks in...5...4....3....2....

  8. Anonymous Coward

    Re: Please explain

    You'd quite possibly be able to change the price of any item. Depending on your desire for subtlety, you then either mark down one particular high-value item to peanuts, or make it significantly cheaper whilst being just about conceivable. Or possibly you'd be able to create a buy-one-get-one-free type of offer on the product.

    Then you get your mates to come in and buy said item multiple times over and flog it later on eBay. Hey presto, plausible deniability of any involvement all around. Profit!

  9. Ole Juul Silver badge

    Re: Please explain

    Thanks. I really wasn't firing on all cylinders there. :)

  10. Anonymous Coward

    Re: Please explain

    > One could get admin rights, install software, snaffle credit card numbers.

    This is not a bug, It is a feature. How do you think I can run double accounting and hide my income from the IRS?

  11. Triggerfish

    Re: Please explain

    Getting physical access to a drawer is not a problem usually anyway; most have a small hole, a bit like CD drawers used to have: poke a pin in and it releases the lock.

    The problem is a cashier would have a discrepancy that would show up on a Z-reading (don't know if they still call it that, acted as tech support for POS software many many years ago), which shows the total from the transactions.

    If a cashier was going to fiddle a cash drawer, then the ability to do mental arithmetic and keep the running total in your head for the till, plus what change you should be giving (basically you balance the books in your head), makes it easier: you ring up no sales (to pop the drawer with no value entered in the checkout's final total), and the average customer doesn't care about a receipt.

    Depending on the set up, changing prices would not be easy either; a lot of the stores had price files sent down to the back office that were then loaded down to the tills, not sure if you could change them after that easily.

    It really depends on how they set up their POS network - some stores' checkouts die completely with loss of the server, some we worked with were pretty robust (and running all on DOS) and would continue because they stored local copies.

    I would have thought the grand prize was access to the CC merchant services that will be running somewhere; the last one I saw (again years ago) used to have a service running on a SCO box and would squirt all that data to a bank that processed it and sent back auth codes for the cards.

    I can tell you also many stores do not check when someone turns up looking like they should be working there, I have walked right up to the server racks in the offices of some large chains and not once has someone said anything (I was actually supposed to be doing so btw), ask for where the sign in book is and you are pretty much accepted.

  12. F0rdPrefect

    Some still are running on DOS

    Or were up to the end of 2013 when my son ceased to work in retail.

    Just as well they were as it meant he could call his old Dad for some ideas when it went wrong and the support line was not answering.

    As for stores not checking who you are, I have been let into the server rooms of much more "security conscious" organisations than the retail trade, just by asking and without the person letting me in knowing who I was.

  13. Triggerfish

    Re: Some still are running on DOS

    Some of that DOS was remarkably robust, especially with a Unix back office. We had to call around our estate to make sure they were happy with the service, and some stores didn't even know they had tech support since they had never had to call them; there was cheap kit (basically PC rather than server kit) sitting in the back offices that had uptime in the 5-6 year region.

    It also said a lot about call centres and SLAs, because the call centre manager hated to see us sitting round on our arses most days (if there was an issue we fixed the damn thing properly; the NT team relied mainly on reboots), and they hated that they could not get the customer to change over to their NT software. They used to bring them in to the centre and try and sell them on the NT software desks, which were always really busy (with rebooting), showing how many calls they could handle and how quickly (reboot). While for some reason our customer liked our quiet desk where we sat around not having many issues and taking only a few calls (we might take some time, the process was fettle so it runs then fix properly - but that screws call stats).

  14. Anonymous Coward

    Re: Some still are running on DOS

    """

    , I have been let into the server rooms of much more "security concious" organisations than the retail trade,

    """

    Try Cleaning.

    First, they don't want to see people like you so you are alone inside an empty building; Second, you get keys and codes to the whole shop; Third, they think that people who clean are total dum-dum's so they don't care to hide anything from the cleaners, logins, passwords, business papers, WiFi's all there for the copying; Fourth, cleaners are such a low life-form that they hardly bother to check any of the details you give them, like name and such.

    It is quite amazing - cleaners are invisible people!

  15. Dan 55 Silver badge
    Coffee/keyboard

    That caption for the second image

    You might want to go over that text again.

  16. Uncle Slacky Silver badge
    Headmaster

    Re: That caption for the second image

    Also, the singular of criteria is "criterion".

  17. Khaptain Silver badge

    Re: That caption for the second image

    That image is truly worth a 1000 words. ( or passwords)

  18. LDS Silver badge

    Re: That caption for the second image

    Isn't it from a South Park episode?

  19. SuperNintendoChalmers

    Re: That caption for the second image

    Either from a Mr Hanky ad, or possibly from a Google Fibre April fools. I think. Maybe.

  20. billse10

    Re: That caption for the second image

    Adam Hills on language .... standup routine about the use of language, and he is heckled, about his use of language ... criteria / criterion ...

  21. InMyHead

    Re: That caption for the second image

    It is from the Mr. Hanky Ad Commercial from the first South Park Christmas episode

  22. Pete 2 Silver badge

    Experimental data

    > “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

    And exactly how many cases have there been of this being exploited? It would be interesting to see a study of how many times "well known" security holes do actually get compromised.

    What a lot of security professionals do (and you can't blame them, since that's how they make their money) is to point at every vulnerability: whether theoretical, practical or exploitable for gain and say "LOOK! it's a massive security hole. everyone must fix it immediately".

    Now, it's true that once a weakness has been "outed" it's far more likely to be explored - especially if hackers can get some material gain from it. However, that doesn't mean that every single weakness is in that class. At least not until some security geek goes blabbing to the entire world about it. It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it.

  23. dogged

    Re: Experimental data

    > “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

    So 81% of passwords?

  24. Anonymous Blowhard

    Re: Experimental data

    "It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it."

    The critical passwords should be unique to your organisation; if they are routinely used then they should be routinely changed, and the current password should be securely stored where it will be accessible to company officers if they need it (like in a sealed and signed envelope kept in a safe).

    A long lived password that's known to many, especially outsiders, is a recipe for disaster; and try explaining it to your insurance company when you do get robbed...

  25. icesenshi

    Re: Experimental data

    Let the world hope that you're not in security, since you clearly lack any understanding of it. And if you are in security, it would explain cockups like this. A lot.

  26. Pete 2 Silver badge

    Re: Experimental data

    > Let the world hope that you're not in security, since you clearly lack any understanding of it.

    Lack understanding - hardly. Because asking for a considered and quantifiable measure of risk and downside is such a bad thing?

    At least with that information people would be able to make a proper assessment of the threats they face and hence to apply the correct amount of effort. Instead of employing Wild Assed Guesses that either address the wrong issues, fail to resource their security teams correctly or even learn how to identify a real threat from ignorant media jibberings.

    You never know, the next step might even lead to fact-based professionalism.

  27. Michael Wojcik Silver badge

    Re: Experimental data

    > “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.

    > So 81% of passwords?

    Allow me to introduce you to a little thing we call "the noun phrase in apposition". A clever little devil, it closely resembles the adverbial phrase, but its behavior is quite different.

  28. Dr Paul Taylor

    customers should conduct rigorous penetration tests

    How am I supposed to do this in a supermarket queue?

  29. Warm Braw Silver badge

    Re: customers should conduct rigorous penetration tests

    >How am I supposed to do this in a supermarket queue?

    Using the nearest cucumber?

  30. Anonymous Coward 101

    Re: customers should conduct rigorous penetration tests

    You use your smartphone to go around mainframe and implant a nanovirus.

  31. Woza
    Joke

    Re: customers should conduct rigorous penetration tests

    And then track the perpetrator's IP address through a GUI?

  32. Khaptain Silver badge

    Re: customers should conduct rigorous penetration tests

    And your colleagues for this mission will be Morgan Frogman and Tim Cruise. ( I have been assured that they are both nearly as good as the originals)

  33. Anonymous Coward

    Re: customers should conduct rigorous penetration tests

    You are not the customer of the PoS vendor, the supermarket chain is....maybe. They may outsource that function and not actually be the customer of the PoS vendor...

    Fortunately, the latest release of the PCI DSS does now have language that is meant to cover this.

  34. Anonymous Coward
    Facepalm

    This is UNIX, I know this.

    Actually it's a 10 year old blond girl on an island.

  35. disgustedoftunbridgewells Silver badge

    Re: customers should conduct rigorous penetration tests

    Did you steal that phrase from The Following, by any chance?

  36. Anonymous Coward

    Re: This is UNIX, I know this.

    Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)

  37. John Gamble

    Re: This is UNIX, I know this.

    "Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)"

    No no, in the spirit of the "Morgan Frogman and Tim Cruise" comment, it's "Blond. Jane Blond."

  38. JLV Silver badge
    Joke

    > nearest cucumber

    mine's bigger

  39. Anonymous Coward

    Re: customers should conduct rigorous penetration tests

    Just cover yourself in "The Cloak of Invisibility" ->

    Yellow Safety vest, White or Red Safety Helmet, Clipboard with Many Layers of Paper, Dark Trousers, Shoes that are NOT safety shoes and Reading Glasses.

    Few will notice you, no-one will remember you!

    *)

    If challenged anyway, flash an ID-badge and say you are inspecting the electrical works. An ID-badge is easy to make up with a machine for printing ... ID cards. Maybe there is even a corner shop for that?

  40. TheProf
    Happy

    Heroes

    Things won't remain in a poor state for long. Not with Bishop Fox and Chief Henderson on the case.

  41. Dr. Mouse Silver badge

    The pair recommends customers assume vendors have no security baked into PoS systems and are lying when they claim to have such. Instead, customers should conduct rigorous penetration tests.

    Very sound advice. Never assume anything is secure. There could be undisclosed vulnerabilities or flaws in absolutely anything. If you assume it is insecure, you will stand a much better chance of ending up with a secure system. If you assume it will be insecure no matter what you do, you will probably keep a closer eye on it, spot problems sooner, and plug them sooner.

  42. Jim 59

    All your PoS belong to us.

  43. Annihilator
    Coat

    Nirvana

    "I know why they do it; it's like Nirvana for them"

    What's the capital N for? Are they comparing it to the band? Is it grungy?

  44. Michael Wojcik Silver badge

    Re: Nirvana

    > Are they comparing it to the band?

    Running ordinary applications with administrative privileges: overrated and unnecessary.

  45. Craig 2

    "Forensics had even established which songs were played based on the logged keys."

    Hmmmm, fairly impressive. Tell me their score for bonus points...

  46. Anonymous Coward
    Coffee/keyboard

    Have you reported it to the RIAA, Mr Pen Tester, or are you now an accessory after the fact?

  47. Berny Stapleton

    This isn't exactly new (I know since 1990)...

    But, this isn't the first time it's been published either:

    http://www.hackerfactor.com/papers/cc-pos-20.pdf

  48. Stevie Silver badge

    Bah!

    Outstanding.

  49. FrankRizzo890

    Guys, I know the POS devices in question here, and they aren't cash registers. They are VeriFone POS terminals. Very small, and used only for credit card transactions. Do a Google image search for Zon Jr. and Tranz 330. It was the Zon family that used the "1" passwords, and the TranZ family that swapped over to using the "Z" passwords. During a typical day, the merchant uses it to authorize credit card transactions via a modem. Yes, dial-up. Then, it stuffs the data into what's called "batch" memory. It's been a while, so I don't remember what is stored there, but I can tell you this. You can't just walk up to the device and read batch memory from the keypad. You'd need to write a custom program to do it. Oh, did I mention it uses its own programming language? It does. It's VERY unlikely that a hacker would know this language, or even more to the point, would have the TIME to key it into the device from the numeric keypad without someone noticing. This is COMPLETE BS. These devices have been out since the late 80's, and have yet to be targeted. Anyone who has ever dealt with them knows about the passwords. (It's also VERY easy to change the default password!). Yet there have been no hacks.

    Fearmongering at its best. Trolling at the worst, and they need to troll harder next time.

  50. Steve Graham

    I think you must be mistaken. The mention of "running as administrator" implies Windows (probably XP), which means they're talking about a general purpose PC with PoS software running on it.
