Changing Default Passwords: Too Hard?

Is changing the default password too hard on your devices?  For example the highest profile devices (not IoT Internet of things), but the ones that process money: POS(Point Of Sale) terminals.

Above is an Ingenico ISC250 with a stand. (from discountcreditcardsupply.com)

Are manufacturers making it easy or hard to change the default password?

 

Well, if you Google “hacking a point of sale terminal”, then several interesting links come through:

Old news stories are relevant as many businesses (small and large) do not make changes and purchase old equipment. Wired 2012 story of 63  breached POS systems using malware.

The story also mentioned 40 people arrested in Canada over a carding ring, which also tampered by stealing POS terminals and installing sniffers on them.  Which means they were able to modify the machines at will.

 

So this is why I mention the difficulty of changing the default password on these machines. Yet the password information is on the Internet, so if you are a hacker and wish to spend time to learn the password it is available for you to do so.

Helcim Support helpfully has the method of changing the password on their website:

Check the default password from manufacturer: ‘123456P’ not very sophisticated??? and the new password is to be 7 characters long with one letter. An amazing testament of password schema from the manufacturer Ingenico.

At oversitesentry we are dedicated to helping companies harden their security systems, including POS. Changing your default password is a must, and places you in compliance with PCI DSS (Payment Card Industry – Data Security Standard)

I don’t understand why owners and managers in charge of POS systems that depend on revenue from these systems have not understood the concept of changing the default password on their POS devices. Why am I mentioning this?

Because small businesses fail after a successful criminal cyber attack

(from a previous post among many on our blog)

The statistics are bad… but why is this? Is it that the default password is _REALLY_ that hard to change? Is it that difficult to make a Cyber policy?

I think that the managers and owners assume nothing will happen to them, because last month nothing happened.  Their education is based upon experiences and the news of companies being hacked is not a big deal.

VISA has stated in the past that the major problems (breaches) come from basic failures like not changing default passwords. Visa website to go for more information.

The following is a screenshot from a VISA presentation on PCI compliance challenges.

Card Present Vulnerabilities:

  • Insecure remote access used by attackers to gain access
  • Weak or Default passwords and settings commonly used
  • lack of network segmentation
  • malware deployed to capture card data
    • absence of anti-virus tools to detect malware

 

 

So I would like for you to contact me if you want to do something about this problem – tonyz”@”fixvirus.com or 314-504-3974 Tony Zafiropoulos.

Advertisements