90% CC Machines Have Default Password

As I was going through the Top 100Cyber  Security blogs  one post stood out to me:

http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/

Apparently 90% of all credit card machines have  the default password , which happens to be: 166816 and Z66816 since 1990.

 

So there are several problems here:

1.  The same default password for many years by the manufacturers (Verifone is a manufacturer)

2. No one changed the credit Card machine passwords because of difficulties and laziness

3. Verifone claims there have been no “security incidents”  – I doubt that

 

 

Lucky Verifone Changed the password to  “1, Alpha, Alpha, 66831”  for the new EMV model VX520 (this is from the Verifone publicly accessible reference manual)

As you can see the VX820 Duet default password is  166831  (kind of similar to the VX520).  and this “new” password is similar to the older model passwords as well.

Including the VX820Duet is now:

verifonevx820referencepassword

For PCI compliance one must change the default passwords of all your equipment, as you don’t want a bad situation to develop (no telling what a hacker can do with a credit card machine)

 

 

 

The PCI Compliance document requires all default passwords to be changed:

pcicompliancerequirement2

In fact I like the wording:

These passwords and settings are well known by hacker communities and are easily determined via public information.  As is proven by going to the Verifone tech support site and looking around a little.

 

What may be missing in most of the companies (90% of them according to Trustwave) is a general security mindset.

 

Let us know if you need help with PCI compliance needs as we have done this type of work , as well as creating security policies, access policies and more.

Contact me – Tony Zafiropoulos 314-504-3974 if you are having difficulties in this area of Cybersecurity.

 

 

Advertisements