POS security systems still lacking

Security researchers David Byrne and Charles Henderson stated during the recent RSA Security Conference 2015 in San Francisco that weak remote administration of point-of-sale (POS) systems is possibly the biggest source of compromise for companies.

"In most POS breaches you read about in the news, or perhaps you don't read about in the news, the vulnerabilities that are exploited and cause the breach are relatively simple," Charles Henderson, VP of Managed Security Testing with Trustwave, said. "They're easily preventable things."

Henderson and Byrne gave an example of one of the world's largest POS vendors — which they did not name — saying that the company has been using the same default password on its kit since 1990: 166816 or Z66816. What's worse is that 90 percent of the vendor's customers are using the same password.

"Nine out of 10 times when we see equipment from that manufacturer, 90 percent of the time, this is the password. I actually saw this password really recently on a different manufacturer's device [by a customer] who thought the password was unique to them," Henderson said.

That means that customers are transferring these default passwords to rival vendors because customers are assuming that the codes are unique to them. 

Henderson and Byrne lamented that fact that so many POS system customers continue to operate their systems as administrators. Both suggest that customers assume that vendors have no pre-installed security on POS systems and should instead change passwords and conduct penetration tests regularly.

The security researchers also advised that retailers keep their systems patched, with current antivirus signatures, and use strong authentication policies to ensure safety. 

It is also important for merchants to update credit card processing software, to make sure they are protected against the most recent fraud concerns.

Scroll to Top