Chicago-based security vendor Trustwave says 90% of the Verifone card readers it examined in first-time assessments still carried the factory default password. The finding reinforces the perception that many merchants skip the basics of their own security.
As if keeping a default password in place isn't dangerous enough for retailers, Trustwave also discovered during a breach investigation that one retailer's employees were using the point of sale system to play pirated video games. The games had malware planted in them, eventually leading to a breach of payment card data.
Like many devices, Verifone terminals are deployed with default passwords, and the company informs retailers that they must change those, said Joe Majka, chief security officer for Verifone. "Newer terminals are being equipped with a requirement that forces merchants to change passwords," Majka said.
Though Verifone card readers were noted in Trustwave's study, the warning holds true for retailers operating any number of manufacturer terminals, said Charles Henderson, vice president of managed security testing for Trustwave.
"Manufacturers definitely tell their users to change the passwords, and some of the newer POS systems are starting to mandate the changing of passwords," Henderson said. "The problem is there are a lot of antiquated POS systems out there."
It is important to note that merchant data breaches do not typically target a terminal or device, Verifone's Majka said.
"They are occurring at the merchant electronic cash register or back office server or back-of-house server at the merchant location," Majka added. Many of the merchant electronic cash registers allow third-party remote access for their software vendors, and "it is those vendors that in many cases use default or common passwords," he said.
Many merchants will obtain new equipment when preparing for the upcoming EMV chip-card liability shift in October, said Al Pascual, senior analyst for Javelin Strategy & Research. "It is going to force a lot of those old terminals out of the market," Pascual said.
Merchants fought hard against EMV because they didn't want to upgrade their terminals, and that resistance has been a contributing factor, since criminals find older equipment easier to hack, Pascual added. Merchants have also been vocal about adding PIN to EMV credit card transactions to improve security over signature authentication.
Despite issues like these, which pit merchants against the card brands and issuers, the basics of network security still demand discipline.
"Awareness is the largest issue," Pascual said. "It is time for merchant associations, acquirers and ISOs, or anyone who has a vested interest, to step it up a notch and make merchants aware of this problem."
For its part, Verifone has been pushing a "secure commerce architecture" in the U.S. for more than a year, encouraging merchants to take their point of sale systems out of the scope of EMV certification.
Like other terminal manufacturers, Verifone wants to keep consumer payment data from ever entering the POS: the terminal encrypts the card credentials and they travel, still encrypted, through the merchant's systems to the payment processor, which alone can decrypt them.
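To make that data flow concrete, here is a small simulation, added as an illustration and not code from the original article or from Verifone: a terminal encrypts the card credentials under a key it shares only with the processor, the merchant's POS (or electronic cash register) forwards the envelope as an opaque record, and the processor verifies and decrypts it. The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen so the example runs on the Python standard library; it stands in for whatever standardized scheme a real terminal uses, and the key, card number and record format are all constructed for the example.

```python
"""Toy point-to-point encryption flow: terminal -> POS -> processor.

Illustrative only: the HMAC-based cipher below is a stand-in for a real
terminal's encryption scheme, and every key and card value is made up.
"""
import hashlib
import hmac
import secrets

BLOCK = 32  # SHA-256 digest size; one keystream block per counter value


def _derive(master: bytes, label: bytes) -> bytes:
    """Split one shared terminal key into separate encryption and MAC keys."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) per block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(terminal_key: bytes, pan: str, expiry: str) -> dict:
    """What the card reader emits: nonce, ciphertext and tag, nothing in clear."""
    enc_key = _derive(terminal_key, b"enc")
    mac_key = _derive(terminal_key, b"mac")
    nonce = secrets.token_bytes(12)
    plaintext = f"{pan}|{expiry}".encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def pos_forward(envelope: dict) -> dict:
    """The POS/ECR only relays the record; it holds no key and cannot decrypt.

    It may attach its own bookkeeping (a constructed merchant reference here)
    but never touches the card fields.
    """
    forwarded = dict(envelope)
    forwarded["merchant_ref"] = "TXN-0001"  # constructed value
    return forwarded


def processor_decrypt(terminal_key: bytes, envelope: dict) -> tuple[str, str]:
    """Processor side: verify the tag first, then decrypt. Raises on tampering."""
    enc_key = _derive(terminal_key, b"enc")
    mac_key = _derive(terminal_key, b"mac")
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise ValueError("envelope failed integrity check")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    pan, expiry = plaintext.decode().split("|", 1)
    return pan, expiry


def pos_sees_pan(envelope: dict, pan: str) -> bool:
    """Does the card number (or its last digits) appear in anything the POS handles?"""
    blob = "".join(str(v) for v in envelope.values())
    return pan in blob or pan[-4:] in blob


def demo() -> bool:
    """Full flow with constructed data; True if the processor recovers the PAN
    while the POS never saw it and a tampered envelope is rejected."""
    terminal_key = hashlib.sha256(b"constructed terminal key").digest()  # constructed
    pan, expiry = "4111111111111111", "1229"  # constructed test values
    from_terminal = terminal_encrypt(terminal_key, pan, expiry)
    at_pos = pos_forward(from_terminal)
    recovered = processor_decrypt(terminal_key, at_pos)
    tampered = dict(at_pos)
    tampered["ct"] = ("00" + tampered["ct"][2:]) if not tampered["ct"].startswith("00") else ("ff" + tampered["ct"][2:])
    try:
        processor_decrypt(terminal_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return recovered == (pan, expiry) and not pos_sees_pan(at_pos, pan) and rejected


if __name__ == "__main__":
    print("secure commerce flow ok:", demo())
```

The property worth noticing is where the key lives: only `terminal_encrypt` and `processor_decrypt` ever see `terminal_key`, so a compromised POS or back-office server, the place where Majka says breaches actually occur, has nothing to steal but an opaque blob and its own merchant reference.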
"It is not Verifone's responsibility to make the merchants change default passwords," said Thad Peterson, senior analyst with Boston-based Aite Group. "The bigger idea clearly is to make sure the credit card number is never exposed anywhere in the process."
Merchants have to take password management seriously, Peterson said.
"There isn't an executive at any retailer that wouldn't routinely change a password to protect personal accounts, so why wouldn't they do it routinely on the biggest vulnerabilities the company has?" Peterson asked.
For now, new strains of malware attacking the POS are garnering most of the headlines and creating fear throughout the industry.
But those in charge of security often get "hyperactive about the new strains of malware" as if they magically show up, Henderson said. Somebody put that malware on the system, and basics of protecting a POS likely could have thwarted the attack, he added.
Terminal manufacturers are in a tricky position because if they develop systems that call for periodic, or even quarterly, password changes they run the risk of selling equipment that is too complicated for busy retailers to deal with, Henderson said. "If you make a product harder to use, the merchant won't buy it."
Ultimately, retailers and other organizations holding consumer payment or personal data have to understand that criminals stealing information are adapting their processes regularly, he added.
"We need to do it as well, and that is the fundamental point," Henderson said. "Security is an ongoing process or a journey without a destination."