This code can hack nearly 90 percent of credit card readers in circulation

Shocking: A cybersecurity firm found that 90% of credit card readers still use the same default password that has been in place since 1990.

This is a facepalm moment for credit card issuers and retailers. Nearly all credit card readers in the United States are still using the default password, which makes them easy for cyber criminals to hack into.

The passcode, set by default on credit card machines since 1990, has been exposed for so long there's no sense in trying to hide it. It's either 166816 or Z66816, depending on the machine.

Using either of the two passwords, an attacker can gain complete control of a store's credit card readers, potentially allowing them to hack into the machines and steal customers' payment data. No wonder big retailers like Target and Home Depot keep on losing our credit card data to hackers.

Researchers at Trustwave, a cybersecurity firm, were quite flummoxed to find that retailers still use decades-old passwords for credit card readers. Trustwave executive Charles Henderson explained that, armed with these passwords, hackers can gain administrative access to the card readers and infect them with malware that steals credit card data. Henderson presented his findings at last week's RSA cybersecurity conference in San Francisco in a presentation called "That Point of Sale is a PoS."

Device makers sell machines to special distributors. These vendors sell them to retailers. But no one thinks it's their job to update the master code, Henderson told CNNMoney.

"No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else's responsibility," Henderson said. "We're making it pretty easy for criminals."

To arrive at this conclusion, Trustwave researchers studied the credit card terminals at more than 120 retailers nationwide. Henderson stated that these included major clothing and electronics stores, as well as local retail chains; however, he did not name specific retailers.

According to Trustwave, the majority of the machines in operation in the US are manufactured by Verifone, but the researchers found the same issue to be present across all major terminal makers.

A spokesman for Verifone said that a password alone isn't enough to infect machines with malware. The company said that, until now, it "has not witnessed any attacks on the security of its terminals based on default passwords." As an afterthought, the spokesperson added that retailers are "strongly advised to change the default password."

The fault, however, lies with the retailers, as they should be securing their own machines. Consider one case Henderson investigated recently. Nasty keystroke-logging spyware ended up on the computer a store uses to process credit card transactions. It turns out employees had rigged it to play a pirated version of Guitar Hero, and accidentally downloaded the malware.

"It shows you the level of access that a lot of people have to the point-of-sale environment," he said. "Frankly, it's not as locked down as it should be."
