Is a Password Problem Making Credit Card Terminals Hackable?

You know how sometimes you sign up for something and you get a default password so you can access that new account? Apparently, that sort of system came under fire recently at a major cybersecurity conference in San Francisco.

At RSA Conference 2015 USA, which ran April 20-24, researchers said that a major payment terminal vendor has been shipping systems with the same default password for more than 20 years, according to a report from the International Data Group (IDG) News Service.

The researchers said the default password is in use at nine out of 10 customers who have the terminals. IDG confirmed the vendor is VeriFone, which operates point-of-sale software in more than 150 countries. VeriFone sent a statement to IDG acknowledging that its devices come with a widely known default password, and new devices now require users change it upon setup.

“The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured,” Verifone said to IDG. “What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords.”

The researchers who discussed the issue at RSA Conference had a different perspective, identifying the default password as one of many security flaws in the industry, which they detailed in a session cheekily titled “That Point of Sale is a PoS.”

Get everything you need to master your credit today.

Get started for free

Vulnerabilities in point-of-sale systems have come under intense scrutiny in the wake of massive data breaches that have hit the retail industry in recent years. Some of the largest attacks hit Target and Home Depot, when hackers installed malware in point-of-sale terminals and stole millions of consumers’ payment card information.

Such breaches can seriously harm consumers’ finances, because the balance that results from any fraudulent charges made with stolen data could end up on consumers’ credit reports, which can be time-consuming to correct. In the case of stolen debit card data, a thief could wipe out a consumer’s bank account, the funds of which may be necessary to make bill and loan payments. Because consumers can’t do much to protect their data from getting stolen in a breach like the ones that hit Target and Home Depot, the best thing to do is closely monitor your financial accounts and credit data. You can get a free credit report summary every 30 days on Credit.com, to help spot fraudulent activity.