Most Credit Card Readers Use Same Password
According to Trustwave, almost all credit card readers currently use the same password. The passcode, set by default on credit card machines since 1990, can be found with a quick Google search. It’s either 166816 or Z66816, depending on the machine.
This password allows an attacker to gain complete control of a credit card reader and steal customers’ payment data. Trustwave executive Charles Henderson explained his findings at the RSA cybersecurity conference in a presentation called “That Point of Sale is a PoS”:
Administrative access can be used to infect machines with malware that steals credit card data. No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility. We’re making it pretty easy for criminals.
Trustwave examined the credit card terminals at more than 120 retailers nationwide. That includes major clothing and electronics stores, as well as local retail chains. No specific retailers were named.
The vast majority of machines were made by Verifone. But the same issue is present for all major terminal makers, Trustwave said.
A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware. The company said, until now, it “has not witnessed any attacks on the security of its terminals based on default passwords.”
Just in case, though, Verifone said retailers are “strongly advised to change the default password.” And nowadays, new Verifone devices come with a password that expires.
In any case, the fault lies with retailers and their special vendors. It’s like home Wi-Fi. If you buy a home Wi-Fi router, it’s up to you to change the default passcode. Retailers should be securing their own machines. And machine resellers should be helping them do it.