Research: Majority of Credit Card Machines Are Easily Hackable

05/07/2015 16:15

Researchers at a private cybersecurity firm have discovered that a vast majority of credit card machines in various stores across the U.S., use the same password, making them easy targets for cybercriminals and hackers looking to steal credit card information.

90% of all credit card readers used at big retailers and just about every store with a credit card machine use the same password, according to a report in CNN Money.

These are the findings of Trustwave, a cybersecurity firm where researchers examined credit card terminals at more than 120 retailers throughout the country. These retailers included local, small-scale retail chains to major clothing labels and electronic stores.

Credit card readers are easily vulnerable to malware infections, which helps attackers gain administrative access to the machines. These findings were revealed at the RSA cybersecurity conference in San Francisco recently.

The ridiculously easy hack

Here’s how credit card readers are susceptible to hacking and why they’re so easily vulnerable:

  • Since 1990, the default pass-code set on credit card machines can easily be found with a simple Google search. It’s either 166816 or Z66816, depending on the model and the make of the machine.
  • Once a malicious hacker or attacker acquires the easily available default password, they can potentially gain complete control of a store’s credit card reader.
  • In gaining complete control to the credit card machines, customers’ credit card details can easily be accessed and stolen by the attackers. It’s that simple.

The vulnerable card readers

A significant majority of the machines are manufactured by Verifone, the research found. However, the same vulnerability is found in all major vendors and makers of credit card readers, according to Trustwave.

Speaking for Verifone, a spokesman said that a single password alone isn’t enough to infect machines with attackers’ malware. He added that until now, the company “has not witnessed any attacks on the security of its terminals based on default passwords.”

Additionally, Verifone noted that retailers are “strongly advised to change the default password,” while also insisting that modern Verifone devices come pre-programmed with passwords that expire, forcing retailers to set new master passwords.

Lazy cybersecurity. Easy hacking

Credit card machine makers and vendors sell their machines to distributors and these distributors in-turn sell them to retailers. Unfortunately, nobody involved in this transacting chain updates the master code or the default password, according to Charles Henderson, a Trustwave executive speaking to CNN Money.

“No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson noted.

“We’re making it pretty easy for criminals,” he concluded.