Credit Card Terminals Haven’t Changed Default Passwords Since the ’90s
As America struggles to convert to EMV technology, researchers have discovered a significant hiccup in the security of credit card terminals. A major vendor of payment processors has been using the same default password for its devices since the 1990s.
David Byrne and Charles Henderson, two researchers at the RSA Conference in San Francisco, did not name the vendor in their report, but they did release the password in question: 166816. The researchers found this default password is left unchanged 90% of the time because retailers assume it is unique to them.
This password lines up with several payment terminals sold by Verifone. The company operates out of Silicon Valley and serves clients in 150 countries worldwide. The vendor says it currently has over 27 million terminals in circulation.
Verifone acknowledged the use of a consistent default password, but it reported the password to be Z66831.
“The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured. What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords,” said the company.
Verifone encourages users to change their default passwords upon installation, and it refers to its long-standing default as “pre-expiring.” The default will not last long and should not pose a threat overall, but the company still advises customers to change the password before beginning operations.