You’ve probably seen coverage of the big RSA reveal regarding the fact that point of sale devices from a specific vendor have used the same pre-set administrator password for the last quarter of a century.
Security researchers Charles Henderson and David Byrne, at their RSA presentation, were the ones who shared this discovery. More troubling, according to Henderson and Byrne, 90% of the systems they see have retained that exact admin username and the password: 166816. You’d wonder why retailers aren’t changing the default admin and password when they deploy the system, but it seems like many assumed that the 166816 password was uniquely assigned to them.
The PoS system in question is widely used, but the vendor isn’t the only one who has been lax in basic security best practices. Henderson and Byrne stated that another vendor hasn’t changed the default administrator password they use in nearly a decade. Another vendor leaves the password field empty – so there’s no need to even enter a password.
Are the vendors to blame for this? Yes, it’s sloppy – even preset passwords/admin logins should be rotated regularly. Sadly, hardware vendors rarely do so – as evidenced by the lists of default login info for assorted devices that are readily accessible to anyone who searches for the info.
That said, changing the default admin login and password should be an automatic and basic part of the process when deploying any new technology. The fact that so many retailers haven’t done so, at least according to Henderson and Byrne, is extremely worrying.
A PDF of the presentation slides is available online, and should be required reading for anyone who is concerned about securing PoS systems. The presentation details other cases of vendor negligence, along with other attack vectors and techniques that were used in successful exploits. These include:
- Multiple workstations in CHD environment used to browse pornographic websites, download torrents, and video chat
- Logged use of machines with CHD being used to play Guitar Hero 3, Call of Duty, and other games
- Over reliance on passwords for security – it is very difficult to secure OS passwords on endpoint
- No drive encryption
- Little attention paid to physical security
- Using a single set of authentication credentials across the enterprise
- No authentication against networked application services
Details of exploits, additional exploits, and a great Best Practices checklist for securing PoS systems are detailed in the PDF. As noted, it’s an essential read.
The basic best practices of PoS security include enforcement of strong authentication policies, implementation of role-based permissions, not storing payment card data on registers, and not running PoS systems as an administrator, along with the usual essentials: patch systems and update antivirus and other monitoring programs regularly.
Retailers who are concerned that they’ve been running systems that are essentially open doors to malicious hackers and other criminals may want to conduct a thorough analysis of their system before locking those virtual doors. Obviously, if the criminals are already inside the system, implementing best practices to keep them out will be less than useful.
BAI offers comprehensive IT Security Assessments for the retail industry, which include:
- Vulnerability and Penetration Testing
- Extensive Firewall Evaluation
- Social Engineering Evaluation
- Malware Protection Evaluation
- Network Operating System Evaluation
- Remote Location (Branch) Evaluation
- Remote Access Evaluation
- Telco-testing / War-dialing Evaluation
- Wireless Security Evaluation
We also provide a Compromise Assessment service for retailers that want to ensure malware is not operating within their network, or that the organization has not already been breached by external attackers.