As major security breaches surface on a routine basis, researchers say millions of point-of-sale systems used around the world are vulnerable because they are protected by a well-documented password that hasn’t been changed since 1990.
At the RSA conference in San Francisco this week, those conducting the report, said the global vendor of payment terminals has been using the same default passwords on the PoS machines it’s been shipping for two decades.
Researchers with Trustwave and Bishop Fox said the password, “166816,” is used on nine-out-of-ten terminals they’ve tested that come from the same major retailer. They declined to explicitly identify the seller responsible for the lax security practice, but a cursory Google search points to Verifone — a California-based corporation with a presence in more than 150 countries worldwide.
The company started shipping products with that password 25 years ago, the report says, but neither the vendor nor the majority of its customers has bothered to change it. The credentials were even widely circulated among a hacker newsgroup in 1994, according to their RSA presentation.
“Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password,” researcher Charles Henderson said at RSA convention, according to The Register. In all, Verifone has reportedly shipped approximately 27 million machines around the world.
Verifone responded to the report with a statement downplaying the security concerns.
“The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured,” Verifone said. “What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords.”