back to article Brute-force bot busts shonky PoS passwords

A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say. The trio including Nart Villeneuve, Joshua Homan and Kyle Wilhoit found 51 of the 60 popped PoS boxes were based in the United States. The attacks were basic and targeted …

  1. WraithCadmus
    Trollface

    POS

    For years I've been reading this acronym as 'Piece of Shit' instead of 'Point of Sale'. Given how many attacks we've seen recently against these systems and the poor security they implement I may have been right all along.

    1. This post has been deleted by its author

  2. Dave Evans 1
    FAIL

    Really?

    Given the amount of POS systems installed across the world, 60 compromised units is not a lot. That's less than the number of POS units in 2 reasonable sized supermarkets! Most POS vendors and Retail sysadmins treat their systems with respect and a bucket load of caution. There are always going to be a few blessed innocents out there who don't quite understand the implications of security (how many people do you know with a banking app on their mobile, without setting a logon on their lock screen!). No need to tar the whole industry!

    1. Robert Helpmann??
      FAIL

      Re: Really?

      From the linked abstract: ...BrutPOS... uses thousands of compromised computers to scan specified IP address ranges for RDP servers that have weak or default passwords in an effort to locate vulnerable POS systems.

      It uses the simplest of methods to break into PoS systems and makes enough money for renting one or more botnets to scan for exploitable systems to be worthwhile. This was low hanging fruit, both for the researchers and for the crims. I agree that there is no need to tar the whole industry, but only because it seems obvious that same industry is doing the job well without outside help.

      I am in the process of putting a PoS system together and had to browbeat the db developer into using basic security principles in the design because "It's going to be a closed system. How could any info possibly be stolen?" This simple check only shows the tip of the tip of the iceberg.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like