Shocking : A cyber security firm found 90% of credit card readers currently use the same password from 1990 till date.

This is a facepalm moment for the credit card issues and retailers. Nearly all credit card readers in United States are still using the default password which can be easily hacked into by cyber criminals.

The passcode, set by default on credit card machines since 1990, has been exposed for so long there’s no sense in trying to hide it. It’s either 166816 or Z66816, depending on the machine.

Using either of the two passwords, an attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data. No wonder big retailers like Target and Home Depot keep on losing our credit card data to hackers.

Researchers at Trustwave, a cybersecurity firm were quite flummoxed to find that retailers still use decades old passwords for credit card readers. Trustwave executive, Charles Henderson explained that armed with these passwords, hackers can gain administrative access to the card readers and infect them with malware that steals credit card data. Henderson presented his findings at last week’s RSA cybersecurity conference in San Francisco at a presentation called “That Point of Sale is a PoS.”

Device makers sell machines to special distributors. These vendors sell them to retailers. But no one thinks it’s their job to update the master code, Henderson told CNNMoney.

“No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson said. “We’re making it pretty easy for criminals.”

To arrive at the conclusion, Trustwave researchers studied the credit card terminals at more than 120 retailers nationwide. Henderson stated that these terminals included major clothing and electronics stores, as well as local retail chains however he did not name specific retailers.

According to Trustwave majority of the machines in operation in the US are manufactured by Verifone but they found the same issue to be present in all major terminal makers.

A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware. The company said, until now, it “has not witnessed any attacks on the security of its terminals based on default passwords.” As an afterthought the spokesperson added that Verifone said retailers are “strongly advised to change the default password.”

The fault however lies with the retailers as they should be securing their own machines. Consider one case Henderson investigated recently. A nasty keystroke-logging spy software ended up on the computer a store uses to process credit card transactions. It turns out employees had rigged it to play a pirated version of Guitar Hero, and accidentally downloaded the malware.

“It shows you the level of access that a lot of people have to the point-of-sale environment,” he said. “Frankly, it’s not as locked down as it should be.”


  1. Confusing article that seems to contradict current knowledge that has already shown that credit card numbers from Target and Home Depot were stolen using malware on the PCs that run the PoS software, *NOT* the actual card reader …

    From Krebs on Security (Home Depot Hit By Same Malware as Target):

    ‘… revealed at least some of Home Depot’s store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.’

    Note that this refers to the cash register software, not the card reader!

    ‘Trustwave executive, Charles Henderson explained that armed with these passwords, hackers can gain administrative access to the card readers and infect them with malware that steals credit card data’

    Really? Verifone’s response:

    ‘A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware’

    So please explain how someone can infect these readers with malware using only the password when the software will be rejected by the reader.

    Need I mention that PCI accreditation *requires* that default passwords are changed?

    I agree with one thing, this article is shocking … shockingly inaccurate

    • Sir, the matter was reported by CNN Money and Verifone has taken immediate action to change the default passwords thus saving us users from a sureshot future mega leak of payment cards.


      • Sir,

        Forgive me if I’m misunderstanding what you are saying, but how could we get a ‘sureshot future mega leak of payment cards’ when you can’t even download malware onto a reader to steal them with just the password anyway?

        These card numbers, now and undoubtably in the future, are coming from the *cash register software* running on a PC and *NOT* from malware on the reader, so I’m a little sceptical of why this issue is being stated as being so shocking when the real solution required is to secure the cash register software where most malware can be installed through vulnerabilities in the operating system without even needing a password!

        In order to fix the problem, you first have to find the source of the leak, and this isn’t it. It’s like trying to stop a water leak by switching a lightbulb off … perhaps you should mention this to CNN money, though I cannot comment on their story, as I haven’t seen it.

  2. Also — those credit card terminals are being phased out…which I didn’t see mentioned. You’ve also got to go through several steps to do it, which means it’s not as easy as this article wants you to think. It’s easier to get and use a skimmer than to set up the machine to go to a different account.

    Source: work for a credit card processing company.

    • So basically from what it looks like… you have to have physical access to the card reader, then you have to make custom firmware for the card reader chipset which is not standard at all in the form of malware, then you have to update the firmware on the reader using whatever mechanism that company uses which it sounds like, nobody does… Others saying the company claimed you cant even update it using the password… To maybe get some numbers of only the people using that card reader. A virus on the computer itself makes SOOOOO much more sense haha

      Isnt it easier to just steal the cash register if you have that much time and physical access? lolol

  3. If Ti guys werent so fuckin lazy they would create a pass for each machine, cause changing the default to the same pass in every POS ends in the same result. Lazy bitches

  4. It’s really easy to hack a credit card. There’s a basic way. If the pos device owner, Inside the pos place a software. They can steal the card informations such that cvv, expiration date etc.


Please enter your comment!
Please enter your name here