(untitled)
The icon ---> isn't big enough...
Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale (PoS) systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. The enraged pair badged the PoS vendor by its other acronym …
I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas. In many cases I see POS used much like a cash register. If you have physical access to the drawer, you can take money out - password or not. One could perhaps fiddle the stock numbers and take stuff home. If staff with access to the cash registers can't be trusted, then there is indeed a problem, but not one that can be solved with better passwords.
> I'm not clear on what one would do with that vulnerability and the article isn't giving me a lot of ideas
Ah... that's probably why you're not a "bad guy" then.... After the various break-ins/hijacks in the US in the last few years, if one remoted in, they would own the system.
And since the PWs have been released, expect new break-ins/hijacks in...5...4....3....2....
You'd quite possibly be able to change the price of any item. Depending on your desire for subtlety, you then either mark down one particular high-value item to peanuts, or make it significantly cheaper whilst being just about conceivable. Or possibly you'd be able to create a buy-one-get-one-free type of offer on the product.
Then you get your mates to come in and buy said item multiple times over and flog it later on eBay. Hey presto, plausible deniability of any involvement all around. Profit!
Getting physical access to a drawer is not usually a problem anyway; most have a small hole, a bit like CD drawers used to have: poke a pin in and it releases the lock.
The problem is a cashier would have a discrepancy that would show up on a Z-reading (don't know if they still call it that, acted as tech support for POS software many many years ago), which shows the total from the transactions.
If a cashier was going to fiddle a cash drawer, then the ability to do mental arithmetic, keeping the running total for the till in your head plus what change you should be giving (basically balancing the books in your head), makes it easier to ring up "no sales" (to pop the drawer with no value entered in the checkout's final total); the average customer doesn't care about a receipt.
Depending on the set-up, changing prices would not be easy either: a lot of the stores had price files sent down to the back office that were then loaded down to the tills, and I'm not sure if you could change them easily after that.
It really depends on how they set up their POS network: in some stores the checkouts die completely with loss of the server; some we worked with were pretty robust (and running all on DOS) and would continue because they stored local copies.
I would have thought the grand prize was access to the CC merchant services that will be running somewhere; the last one I saw (again, years ago) used to have a service running on a SCO box that would squirt all that data to a bank, which processed it and sent back auth codes for the cards.
I can also tell you that many stores do not check when someone turns up looking like they should be working there. I have walked right up to the server racks in the offices of some large chains and not once has someone said anything (I was actually supposed to be doing so, btw); ask where the sign-in book is and you are pretty much accepted.
Or were up to the end of 2013 when my son ceased to work in retail.
Just as well they were as it meant he could call his old Dad for some ideas when it went wrong and the support line was not answering.
As for stores not checking who you are, I have been let into the server rooms of much more "security conscious" organisations than the retail trade, just by asking and without the person letting me in knowing who I was.
Some of that DOS was remarkably robust, especially with a Unix back office. We had to call around our estate to make sure they were happy with the service, and some stores didn't even know they had tech support since they had never had to call them; there were cheap machines (basically PC rather than server kit) sitting in the back offices that had uptimes in the 5-6 year region.
It also said a lot about call centres and SLAs, because the call centre manager hated to see us sitting round on our arses most days (if there was an issue we fixed the damn thing properly; the NT team relied mainly on reboots), and they hated that they could not get the customer to change over to their NT software. They used to bring customers in to the centre and try to sell them on the NT software desks, which were always really busy (with rebooting), showing how many calls they could handle and how quickly (reboot). While for some reason our customer liked our quiet desk, where we sat around not having many issues and taking only a few calls (we might take some time: the process was fettle it so it runs, then fix it properly, but that screws call stats).
"""
, I have been let into the server rooms of much more "security concious" organisations than the retail trade,
"""
Try Cleaning.
First, they don't want to see people like you, so you are alone inside an empty building; second, you get keys and codes to the whole shop; third, they think that people who clean are total dum-dums, so they don't care to hide anything from the cleaners: logins, passwords, business papers, Wi-Fi, all there for the copying; fourth, cleaners are such a low life-form that they hardly bother to check any of the details you give them, like name and such.
It is quite amazing - cleaners are invisible people!
> “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.
And exactly how many cases have there been of this being exploited? It would be interesting to see a study of how many times "well known" security holes do actually get compromised.
What a lot of security professionals do (and you can't blame them, since that's how they make their money) is to point at every vulnerability: whether theoretical, practical or exploitable for gain and say "LOOK! it's a massive security hole. everyone must fix it immediately".
Now, it's true that once a weakness has been "outed" it's far more likely to be explored - especially if hackers can get some material gain from it. However, that doesn't mean that every single weakness is in that class. At least not until some security geek goes blabbing to the entire world about it. It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it.
> “Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password.
So 81% of passwords?
Allow me to introduce you to a little thing we call "the noun phrase in apposition". A clever little devil, it closely resembles the adverbial phrase, but its behavior is quite different.
"It may even be that the small cost of having a single password across a long-lived range of equipment is far outweighed by the savings and speed for maintaining it or having to call someone in when you've changed the password and subsequently forgotten it."
The critical passwords should be unique to your organisation; if they are routinely used then they should be routinely changed, and the current password should be securely stored where it will be accessible to company officers if they need it (like in a sealed and signed envelope kept in a safe).
A long lived password that's known to many, especially outsiders, is a recipe for disaster; and try explaining it to your insurance company when you do get robbed...
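The policy in the post above (no vendor default, unique per organisation, routinely changed) can be checked mechanically against a device inventory. This is an added example, not code from the article or any commenter: the inventory is constructed, the only known default it checks is the 166816 quoted in the article, and the 90-day rotation interval is an assumption.

```python
from datetime import date, timedelta

# Vendor default quoted in the article; other known defaults would be added here.
KNOWN_DEFAULTS = {"166816"}
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation interval

# Constructed inventory: (device id, admin password, ISO date password last set)
INVENTORY = [
    ("till-01", "166816", "1998-03-04"),
    ("till-02", "Qm4!pz7L", "2015-01-10"),
    ("till-03", "Qm4!pz7L", "2015-01-10"),
    ("till-04", "rT9#vk2W", "2015-05-01"),
]


def audit(inventory, today_iso):
    """Return {device_id: [finding, ...]} for devices that violate the policy.

    Findings: 'vendor-default' (a known factory password), 'shared' (the same
    password set on more than one device) and 'stale' (older than
    MAX_PASSWORD_AGE). Devices with no findings are omitted.
    """
    today = date.fromisoformat(today_iso)

    # Count how many devices use each password so re-use can be flagged.
    usage = {}
    for _, pw, _ in inventory:
        usage[pw] = usage.get(pw, 0) + 1

    findings = {}
    for dev, pw, set_on in inventory:
        problems = []
        if pw in KNOWN_DEFAULTS:
            problems.append("vendor-default")
        if usage[pw] > 1:
            problems.append("shared")
        if today - date.fromisoformat(set_on) > MAX_PASSWORD_AGE:
            problems.append("stale")
        if problems:
            findings[dev] = problems
    return findings


if __name__ == "__main__":
    for dev, problems in audit(INVENTORY, "2015-06-01").items():
        print(dev, ", ".join(problems))
```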
> Let the world hope that you're not in security, since you clearly lack any understanding of it.
Lack understanding - hardly. Because asking for a considered and quantifiable measure of risk and downside is such a bad thing?
At least with that information people would be able to make a proper assessment of the threats they face and hence apply the correct amount of effort, instead of employing Wild Assed Guesses that either address the wrong issues, fail to resource their security teams correctly, or fail to learn how to identify a real threat from ignorant media gibberings.
You never know, the next step might even lead to fact-based professionalism.
You are not the customer of the PoS vendor, the supermarket chain is....maybe. They may outsource that function and not actually be the customer of the PoS vendor...
Fortunately, the latest release of the PCI DSS does now have language that is meant to cover this.
Just cover yourself in "The Cloak of Invisibility" ->
Yellow Safety vest, White or Red Safety Helmet, Clipboard with Many Layers of Paper, Dark Trousers, Shoes that are NOT safety shoes and Reading Glasses.
Few will notice you, no-one will remember you!
*) If challenged anyway, flash an ID badge and say you are inspecting the electrical works. An ID badge is easy to make up with a machine for printing ... ID cards. Maybe there is even a corner shop for that?
The pair recommends customers assume vendors have no security baked into PoS systems and are lying when they claim to have such. Instead, customers should conduct rigorous penetration tests.
Very sound advice. Never assume anything is secure. There could be undisclosed vulnerabilities or flaws in absolutely anything. If you assume it is insecure, you will stand a much better chance of ending up with a secure system. If you assume it will be insecure no matter what you do, you will probably keep a closer eye on it, spot problems sooner, and plug them sooner.
Guys, I know the POS devices in question here, and they aren't cash registers. They are VeriFone POS terminals. Very small, and used only for credit card transactions. Do a Google image search for Zon Jr. and Tranz 330. It was the Zon family that used the "1" passwords, and the Tranz family that swapped over to using the "Z" passwords. During a typical day, the merchant uses it to authorize credit card transactions via a modem. Yes, dial-up. Then it stuffs the data into what's called "batch" memory. It's been a while, so I don't remember what is stored there, but I can tell you this. You can't just walk up to the device and read batch memory from the keypad. You'd need to write a custom program to do it. Oh, did I mention it uses its own programming language? It does. It's VERY unlikely that a hacker would know this language, or even more to the point, would have the TIME to key it into the device from the numeric keypad without someone noticing. This is COMPLETE BS. These devices have been out since the late '80s, and have yet to be targeted. Anyone who has ever dealt with them knows about the passwords. (It's also VERY easy to change the default password!) Yet there have been no hacks.
Fearmongering at its best. Trolling at the worst, and they need to troll harder next time.
All the devices I deal with have a default manufacturer's admin password, well known to everyone in the industry and easily garnered from the freely available PDF admin guides on the manufacturers' websites.
Shirley the purchaser is responsible for securing his devices with his own user & admin passwords?
If lost or forgotten a factory reset will usually fix that.
Pete
In a project I worked on we cooked in a "master" password that allowed entry into the system. We went to great lengths to deny that it existed to "higher ups". I was told that eventually it was released in dire circumstances (it would have necessitated a site visit). The funny thing was that it was a relatively simple password, just the company's initials as control characters. I have no idea if any of these systems exist almost 30 years later. I was laid off before the company was sold off.
So, these things happen all the time. The saying goes: "Can you keep a secret?" to which the proper answer is "yes", but the next phrase is "So can I".
In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.