A major vendor of point-of-sale terminals has not changed the default passwords used on its devices in a quarter of a century, researchers have revealed at RSA 2015.
The firm was not named during the presentation by Charles Henderson and David Byrne for security reasons, but it is said to be a widely used manufacturer. Although the password can (and should) be changed, CIO reports that the researchers believed in most cases they were left as customers assumed the password – 166816 – was unique to them.
In fact this was not the case, and the researchers estimate that the code was used in 90 percent of point-of-sale products from the company dating back to 1990. Any exploit would require physical access to the equipment: The Register states that an attack would involve “opening a panel using a paperclip,” a maneuver it goes on to describe as “child’s play for malicious staff.”
The 166816 password is sometimes Z66816 – but in those cases it’s because of different keyboard layouts, rather than a nod to good password hygiene. “I actually saw this password really recently on a different manufacturer’s device [by a customer] who thought the password was unique to them,” Henderson said during the talk.
According to Geek.com, this lax approach to password security isn’t limited to just a single point-of-sale terminal provider either. It states that another vendor hasn’t changes its default administrator password in nine years, while another has left the password field completely empty.
We have known for some time that members of the general public are reusing easily guessable passwords for their various online accounts, but for something as widely used as point-of-sale systems this should be quite a wake-up-call to providers, especially with PoS attacks being one of the major security themes of last year.