Secondhand Point-o-Sale terminal was horrific security midden

Obviously the solution is to ban the resale of POS terminals to security researchers.

Eponymous

POS terminal.

POS security.

Er... news?

So this is another "stuff bought second hand not wiped" news story?

I bought some second hand IP phones fairly recently, plugged them in and was able to make calls. Only then did I realise I hadn't set them up yet, they still had all the details from the previous owner in them.

Where's my news story?

(anon because of the half dozen test calls).

Bankruptcy stock and dealt with by a load of people who are simply just shifting and lifting old kit to get money back.

The company goes down, the employees might be lucky to get a token pay off but most are just happy to be out of it and off a new job. The old crap in the offices is just dumped on the back of lorries by people who neither know nor care what it is, they're just told to "pile 'em high and sell them off" to get money back to pay the bankruptcy debt back to the bank.

The local shop in the village where I live has 2 POS terminals.

One of them went wrong and I noticed a USB slot underneath the monitor and offered to plug a keyboard in and take a look for them.

I was appalled to find (apart from the fact it is running Windows) no antivirus security and the firewall disabled. But I thought well it's not connected to the internet, it's not that terrible......

Then the shop owner told me, whenever it went wrong in the past - he just phoned up the company that deals with the maintenance of the things, and they remotely fix the problem, and sure enough - yup they are connected to the internet after all..... with no antivirus and no firewall.......

I've found that PoS, inventory control, time/staffing systems, and any other systems deployed to stores end up failing due to one of two philosophies (Well over 90% of my clients are guilty of at least one):

'Configure it until it works, then never touch it again until it breaks'

This usually happens when a technician setting up a new system does the bare minimum to get it to work; ofter leaving in default passwords, leaving encryption options turned off, and little to no monitoring set up.

'Make it simple enough for a store manager to fix it'

I see this a lot at large chain stores where systems are shipped out to stores. Companies will try to cut support costs by configuring systems so that they can be set-up by a local contractor (Usually low-skilled) and then be managed store managers so that they only have to send out skilled employees in only the most serious problems.

Either way the systems are as secure as a wet cardboard boxes and nothing will be done about them without a serious breach and immense amounts of effort/money.

Basic security

Some things should be basic.

But they don't seem to be.

When managing in a special ed teaching service I routinely took the HDD out of obsolete admin PCs before I took the boxes to the recycling centre. HDDs wiped and made at least physically unrecoverable by normal means, by breaking them as much as I could, then dumped with the general landfill rubbish.

The council didn't seem to care about how we disposed of them, since there was no policy for disposal, no option to have the HDDs removed and taken for destruction by central IT.

But I have a sneaky suspicion that if I hadn't removed the HDDs and one had ended up in the public domain it was my head that would have been on the block.