Cash register maker used same password – 166816 – non-stop since 1990

Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale (PoS) systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. The enraged pair badged the PoS vendor by its other acronym …

Silver badge
FAIL

(untitled)

The icon ---> isn't big enough...

18
0

Hang your heads in shame!

That's just terrible, especially for a system whose job (whose ONLY job, in fact) is to keep financial information safe and accurate.

That's like finding all voting machines have a cheat code for hitting UKIP 3 times to enable 1950's mode ;)

18
0
Silver badge

Re: Hang your heads in shame!

Didn't they do something similar a few years ago in Florida when Al Gore was trying to be President?

4
0

Re: Hang your heads in shame!

I'm sure it was some dude called chad...

3
0
Silver badge

Please explain

I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas. In many cases I see POS used much like a cash register. If you have physical access to the drawer, you can take money out - password or not. One could perhaps fiddle the stock numbers and take stuff home. If staff with access to the cash registers can't be trusted, then there is indeed a problem, but not one that can be solved with better passwords.

1
8
Silver badge

Re: Please explain

One could get admin rights, install software, snaffle credit card numbers.

18
0
Silver badge

Re: Please explain

I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas

Ah... that's probably why you're not a "bad guy" then.... After the various break-ins/hijacks in the US in the last few years, if one remoted in, they would own the system.

And since the PW's have been released, expect new break-ins/hijacks in...5...4....3....2....

2
0
Anonymous Coward

Re: Please explain

You'd quite possibly be able to change the price of any item. Depending on your desire for subtlety, you then either mark down one particular high-value item to peanuts, or make it significantly cheaper whilst being just about conceivable. Or possibly you'd be able to create a buy-one-get-one-free type of offer on the product.

Then you get your mates to come in and buy said item multiple times over and flog it later on eBay. Hey presto, plausible deniability of any involvement all around. Profit!

8
0
Silver badge

Re: Please explain

Thanks. I really wasn't firing on all cylinders there. :)

4
0
Anonymous Coward

Re: Please explain

One could get admin rights, install software, snaffle credit card numbers.

This is not a bug, It is a feature. How do you think I can run double accounting and hide my income from the IRS?

1
0
Silver badge

Re: Please explain

Getting physical access to a drawer is not a problem usually anyway; most have a small hole, a bit like CD drawers used to have: poke a pin in and it releases the lock.

The problem is that a cashier would have a discrepancy that would show up on a Z-reading (don't know if they still call it that; I acted as tech support for POS software many, many years ago), which shows the total from the transactions.

If a cashier was going to fiddle a cash drawer, then it is easier to rely on mental arithmetic, keeping the running total for the till in your head plus what change you should be giving (basically you balance the books in your head), and ring up as "no sale" (to pop the drawer with no value entered in the checkout's final total); the average customer doesn't care about a receipt.

Depending on the setup, changing prices would not be easy either: a lot of the stores had price files sent down to the back office that were then loaded down to the tills; not sure if you could change them easily after that.

It really depends on how they set up their POS network: some stores' checkouts die completely with loss of the server, while some we worked with were pretty robust (and running all on DOS) and would continue because they stored local copies.

I would have thought the grand prize was access to the CC merchant services that will be running somewhere; the last one I saw (again, years ago) had a service running on a SCO box that would squirt all that data to a bank, which processed it and sent back auth codes for the cards.

I can tell you also that many stores do not check when someone turns up looking like they should be working there. I have walked right up to the server racks in the offices of some large chains and not once has someone said anything (I was actually supposed to be doing so, btw); ask where the sign-in book is and you are pretty much accepted.

2
0

Some still are running on DOS

Or were up to the end of 2013 when my son ceased to work in retail.

Just as well they were as it meant he could call his old Dad for some ideas when it went wrong and the support line was not answering.

As for stores not checking who you are, I have been let into the server rooms of much more "security conscious" organisations than the retail trade, just by asking and without the person letting me in knowing who I was.

0
0
Silver badge

Re: Some still are running on DOS

Some of that DOS was remarkably robust, especially with a Unix back office. We had to call around our estate to make sure they were happy with the service, and some stores didn't even know they had tech support since they had never had to call them; there was cheap kit (basically PC rather than server kit) sitting in the back offices that had uptime in the 5-6 year region.

It also said a lot about call centres and SLAs, because the call centre manager hated to see us sitting round on our arses most days (if there was an issue we fixed the damn thing properly; the NT team relied mainly on reboots), and they hated that they could not get the customer to change over to their NT software. They used to bring customers in to the centre and try to sell them on the NT software desks, which were always really busy (with rebooting), showing how many calls they could handle and how quickly (reboot). While for some reason our customer liked our quiet desk where we sat around not having many issues and taking only a few calls (we might take some time; the process was fettle so it runs, then fix properly, but that screws call stats).

0
0
Anonymous Coward

Re: Some still are running on DOS

> I have been let into the server rooms of much more "security conscious" organisations than the retail trade,

Try Cleaning.

First, they don't want to see people like you, so you are alone inside an empty building; second, you get keys and codes to the whole shop; third, they think that people who clean are total dum-dums, so they don't care to hide anything from the cleaners: logins, passwords, business papers, WiFi, all there for the copying; fourth, cleaners are such a low life-form that they hardly bother to check any of the details you give them, like name and such.

It is quite amazing - cleaners are invisible people!

0
0
Silver badge
Coffee/keyboard

That caption for the second image

You might want to go over that text again.

8
0
Silver badge
Headmaster

Re: That caption for the second image

Also, the singular of criteria is "criterion".

13
0
Silver badge

Re: That caption for the second image

That image is truly worth a 1000 words (or passwords).

1
0
LDS
Silver badge

Re: That caption for the second image

Isn't it from a South Park episode?

1
0

Re: That caption for the second image

Either from a Mr Hanky ad, or possibly from a Google Fiber April fools. I think. Maybe.

0
0

Re: That caption for the second image

Adam Hills on language .... standup routine about the use of language, and he is heckled, about his use of language ... criteria / criterion ...

0
0

Re: That caption for the second image

It is from the Mr. Hanky ad commercial from the first South Park Christmas episode.

0
0
Silver badge

Experimental data

> “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.”

And exactly how many cases have there been of this being exploited? It would be interesting to see a study of how many times "well known" security holes do actually get compromised.

What a lot of security professionals do (and you can't blame them, since that's how they make their money) is to point at every vulnerability, whether theoretical, practical or exploitable for gain, and say "LOOK! It's a massive security hole. Everyone must fix it immediately".

Now, it's true that once a weakness has been "outed" it's far more likely to be explored - especially if hackers can get some material gain from it. However, that doesn't mean that every single weakness is in that class. At least not until some security geek goes blabbing to the entire world about it. It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it.

1
23

Re: Experimental data

> “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.”

So 81% of passwords?

10
1

Re: Experimental data

"It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it."

The critical passwords should be unique to your organisation; if they are routinely used then they should be routinely changed, and the current password should be securely stored where it will be accessible to company officers if they need it (like in a sealed and signed envelope kept in a safe).

A long lived password that's known to many, especially outsiders, is a recipe for disaster; and try explaining it to your insurance company when you do get robbed...

4
0

Re: Experimental data

Let the world hope that you're not in security, since you clearly lack any understanding of it. And if you are in security, it would explain cockups like this. A lot.

6
0
Silver badge

Re: Experimental data

> Let the world hope that you're not in security, since you clearly lack any understanding of it.

Lack understanding? Hardly. Because asking for a considered and quantifiable measure of risk and downside is such a bad thing?

At least with that information people would be able to make a proper assessment of the threats they face and hence apply the correct amount of effort, instead of employing Wild Assed Guesses that either address the wrong issues, fail to resource their security teams correctly, or never learn how to tell a real threat from ignorant media gibberings.

You never know, the next step might even lead to fact-based professionalism.

0
5
Silver badge

Re: Experimental data

> “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.”

> So 81% of passwords?

Allow me to introduce you to a little thing we call "the noun phrase in apposition". A clever little devil, it closely resembles the adverbial phrase, but its behavior is quite different.

2
0

customers should conduct rigorous penetration tests

How am I supposed to do this in a supermarket queue?

8
0
Silver badge

Re: customers should conduct rigorous penetration tests

>How am I supposed to do this in a supermarket queue?

Using the nearest cucumber?

21
0

Re: customers should conduct rigorous penetration tests

You use your smartphone to go around the mainframe and implant a nanovirus.

5
0
Joke

Re: customers should conduct rigorous penetration tests

And then track the perpetrator's IP address through a GUI?

4
0
Silver badge

Re: customers should conduct rigorous penetration tests

And your colleagues for this mission will be Morgan Frogman and Tim Cruise. (I have been assured that they are both nearly as good as the originals.)

3
0
Anonymous Coward

Re: customers should conduct rigorous penetration tests

You are not the customer of the PoS vendor; the supermarket chain is... maybe. They may outsource that function and not actually be the customer of the PoS vendor...

Fortunately, the latest release of the PCI DSS does now have language that is meant to cover this.

1
3
Facepalm

This is UNIX, I know this.

Actually it's a 10 year old blond girl on an island.

2
0
Silver badge

Re: customers should conduct rigorous penetration tests

Did you steal that phrase from The Following, by any chance?

0
0
Anonymous Coward

Re: This is UNIX, I know this.

Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)

0
0

Re: This is UNIX, I know this.

"Actually, it's a 10 year old blonde girl on an island (in the spirit of the criteria / criterion comments)"

No no, in the spirit of the "Morgan Frogman and Tim Cruise" comment, it's "Blond. Jane Blond."

2
0
JLV
Silver badge
Joke

> nearest cucumber

mine's bigger

0
0
Anonymous Coward

Re: customers should conduct rigorous penetration tests

Just cover yourself in "The Cloak of Invisibility" ->

Yellow Safety vest, White or Red Safety Helmet, Clipboard with Many Layers of Paper, Dark Trousers, Shoes that are NOT safety shoes and Reading Glasses.

Few will notice you, no-one will remember you!

*)

If challenged anyway, flash an ID-badge and say you are inspecting the electrical works. An ID-badge is easy to make up with a machine for printing ... ID cards. Maybe there is even a corner shop for that?

0
0
Happy

Heroes

Things won't remain in a poor state for long. Not with Bishop Fox and Chief Henderson on the case.

1
0

> The pair recommends customers assume vendors have no security baked into PoS systems and are lying when they claim to have such. Instead, customers should conduct rigorous penetration tests.

Very sound advice. Never assume anything is secure. There could be undisclosed vulnerabilities or flaws in absolutely anything. If you assume it is insecure, you will stand a much better chance of ending up with a secure system. If you assume it will be insecure no matter what you do, you will probably keep a closer eye on it, spot problems sooner, and plug them sooner.

2
0

All your PoS belong to us.

2
0
Coat

Nirvana

"I know why they do it; it's like Nirvana for them"

What's the capital N for? Are they comparing it to the band? Is it grungy?

1
0
Silver badge

Re: Nirvana

> Are they comparing it to the band?

Running ordinary applications with administrative privileges: overrated and unnecessary.

0
0

> "Forensics had even established which songs were played based on the logged keys."

Hmmmm, fairly impressive. Tell me their score for bonus points...

0
0
Coffee/keyboard

Have you reported it to the RIAA, Mr Pen Tester, or are you now an accessory after the fact?

0
0

This isn't exactly new (I know since 1990)...

But, this isn't the first time it's been published either:

http://www.hackerfactor.com/papers/cc-pos-20.pdf

0
0
Silver badge

Bah!

Outstanding.

0
0

Guys, I know the POS devices in question here, and they aren't cash registers. They are VeriFone POS terminals. Very small, and used only for credit card transactions. Do a Google image search for Zon Jr. and Tranz 330. It was the Zon family that used the "1" passwords, and the TranZ family that swapped over to using the "Z" passwords. During a typical day, the merchant uses it to authorize credit card transactions via a modem. Yes, dial-up. Then it stuffs the data into what's called "batch" memory. It's been a while, so I don't remember what is stored there, but I can tell you this: you can't just walk up to the device and read batch memory from the keypad. You'd need to write a custom program to do it. Oh, did I mention it uses its own programming language? It does. It's VERY unlikely that a hacker would know this language, or even more to the point, would have the TIME to key it into the device from the numeric keypad without someone noticing. This is COMPLETE BS. These devices have been out since the late '80s, and have yet to be targeted. Anyone who has ever dealt with them knows about the passwords. (It's also VERY easy to change the default password!) Yet there have been no hacks.

Fearmongering at its best. Trolling at the worst, and they need to troll harder next time.

5
0

I think you must be mistaken. The mention of "running as administrator" implies Windows (probably XP), which means they're talking about a general purpose PC with PoS software running on it.

1
0


Biting the hand that feeds IT © 1998–2018