
Credit card terminals have used same password since 1990s, claim researchers - wglb
http://www.csoonline.com/article/2913884/access-control/credit-card-terminals-have-used-same-password-since-1990s-claim-researchers.html#tk.rss_news?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=information_security
======
iamleppert
I used to work at a retailer and I know the password myself.

This is a prime example of hyperbole. The password only allows you to change
things like what is printed on the receipt (the banner), merchant ID and other
such things. It basically allows you to enter into a menu to set a few
settings. It's not as if you can get a dump of card swipes.

Just a few researchers spreading fear about what has been known for a long
time.

~~~
abluecloud
So, you could change the merchant ID and send payments to other accounts?

~~~
JTon
That would be an interesting headache. I would hope there are some sort of
back end checks in place for this type of modification

~~~
Nursie
I once heard a story about a store-clerk who, upon finding their POS setup was
broken, went down the street and 'borrowed' a configuration file from another
store in the area that they happened to know had the same software.

Blissful in their ignorance of what was going on they then happily continued
accepting transactions for the rest of the day. Oops.

~~~
JTon
Ha. Pretty damn savvy store clerk

------
sp332
"The important fact to point out is that even knowing this password, sensitive
payment information or PII (personally identifiable information) cannot be
captured," Verifone said. "What the password allows someone to do is to
configure some settings on the terminal; all executables have to be file
signed, and it is not possible to enter malware just by knowing passwords."

~~~
timboslice
I wonder what is available in the settings interface? For example, is there
some gateway address that could be changed to a MITM transparent proxy? They
act like this is no big deal, but 9/10 of these machines have the same
password!

~~~
Nursie
Presumably (and I have worked on devices like these, but not for Verifone)
there is some sort of encryption going on.

I.E. some protocols I've worked with have had all sensitive data protected by
ANSI X9.24 Appendix 1 (I think...) derived keys, or keys derived by various
other standard means, such that being able to read the data stream is pretty
irrelevant.

~~~
gknoy

> Presumably ... there is some sort of encryption going on.

Color me skeptical. I would presume similarly, but I also would have presumed
that they did not have the same password, either. A failure of that scope
seems like it could be indicative of a systemic disregard for security.

~~~
Nursie
>> A failure of that scope seems like it could be indicative of a systemic
disregard for security.

Well, all the security systems have to be audited and signed-off by third-
party testing labs approved by the payment card industry body (PCI) so your
cynicism should be unwarranted.

But then I've seen code that got through those labs that I would be thoroughly
ashamed of, so who knows really...

------
PaulHoule
Speaking of "chip cards" I notice that my banks are stuffing my wallet with
contact smart cards, but I haven't seen a single vendor in the U.S. that
accepts those. Subway in my area, for instance, has terminals that accept only
contactless cards, and my local Target has gone so far as to stuff up the slots
for contact cards.

~~~
kimos
The US is very slow to adopt these kind of payment changes. I'd say I make
about half of my CC purchases in Canada right now contactless.

My understanding is that since there are countless local banks in the US,
adoption of technology changes is difficult and slow.

~~~
hobarrera
What will happen with people who travel from abroad in a few years?

Places like Latin America aren't even thinking about changing cards (heck,
we're still adopting the old magnetic cards in most stores!). What'll happen
when I visit Canada with my card in one or two years? Will those still be
accepted?

------
peapicker
Interestingly, this last year, many businesses I frequent updated to new
Verifone terminals. My credit card doesn't read on only that brand of terminal
(works everywhere else I use it), unless I wrap it in a piece of receipt tape
or plastic bag before sliding it thru, then it works after a try or two. Not
sure why, but I haven't replaced the card yet simply because it is an
interesting experiment.

~~~
creshal
> before sliding it thru

The US are _still_ using magnet stripes?

~~~
mikeash
Yes. We're just now transitioning to chips. My cards are gradually being
replaced with chip cards, starting last year. In October of this year, new
rules will come into effect that basically require all cards and terminals to
use chips, by putting the liability for fraudulent magstrip transactions onto
whatever party was responsible for not being able to use a chip. (In other
words, merchants will foot the bill for fraud if they don't upgrade their
terminals.)

We're taking our time, but we're finally moving there.

Edit: despite _having_ chip cards, I've yet to be able to use the chip in the
US. Many places now have chip-enabled terminals, but often not set up to use
the chip part, and after a few failed attempts I just gave up on it.

~~~
ams6110
_In October of this year, new rules will come into effect that basically
require all cards and terminals to use chips_

How does this affect Square and similar peripheral readers for mobile devices?
Will users of those now be liable for fraud?

~~~
mikeash
Good question. Looks like the answer is, yes, you will be liable just like
anybody else, and just like other providers, Square will start providing chip
readers. They have a page about it here:

[https://squareup.com/emv](https://squareup.com/emv)

Interestingly, it looks like this may be the end of the model where the reader
is so cheap they can give it away for free, as they list it for $29.

~~~
Nursie
I do quite like their tiny reader, and I'm wondering if it uses some sort of
modem for comms over the audio port...? Kinda cool.

~~~
mikeash
I believe they've been using a modem sort of setup for a while, and this is
probably the same sort of thing.

Their original reader was pretty much a magnetic reader head hooked straight
to the microphone port, decoded by Square's software on the phone. You could
record your card's stripe using a voice recorder program (I tried it for fun)
and you'd get this fun squeaking noise from it.

Square's competitors eventually tried to discredit them by pointing out that
this data was unencrypted, and that meant that Nefarious People could Steal
your Precious Card Data using a Square reader. Square eventually responded by
changing over to a reader that encrypted the magstripe data before
communicating it to the phone, meaning there must be some sort of digital
communication happening over the audio port.

~~~
Nursie
OK, that's interesting, I had assumed that the older readers had simply
transmitted the analogue signal generated by moving the mag strip through the
reader, and was wondering if maybe the new one just attached to the mini-jack
port and did its actual comms over bluetooth. But if they've already got a
digital data transmission system in place then that's a whole different game.

Thanks for the insight!

------
kw71
Ingenico have a set-up password, too. Once you enter it you can change network
settings which could be dangerous in the context of a poorly segmented
network.

Given this I am wondering what kinds of settings are available in the Verifone
secret menu. Is there anything like IP address, which could facilitate an MITM
if an attacker walked up and changed it?

~~~
Nursie
If there are keys that secure the traffic between the terminal and the bank,
is an MITM setup going to be of any use?

~~~
kw71
While some card payment terminals talk directly to the bank, there is strong
evidence that this is not how all POS work.

~~~
coleca
Yes. In large scale retailers, the payment terminals would either be connected
via Ethernet to the private point of sale (POS) network in the store where
they could only talk to the POS controllers, or they would be connected via
USB or custom serial cables (IBM) to the POS register itself and all
communications would run through the software on the POS terminal.

This password isn't the encryption key. Usually keys would be injected into
the terminal either remotely through the POS terminal, POS controller or by
shipping a special card w/a magstripe to the store where the manager or loss
prevention person would swipe the card on each terminal that has the new key
on it. PCI standards dictate that the retailer rotates the keys on a schedule
with a documented procedure.

Changing the merchant ID probably would have little effect in most operations
because the transactions aren't going directly to the MC/VISA/etc network, but
are passing through a dedicated link to the merchant's acquiring bank. I've
never tested this, but I would imagine that the acquiring bank would reject
transactions that are for merchant IDs that do not belong to the customer that
is leasing the connection. This situation actually happens quite often by
merchants just mis-keying the merchant ID when setting up new stores.

~~~
kw71
Thanks for this insight. During a low point in my career I took on some
contract work to deploy new POS at some QSR. I had to visit the secret menu on
the Ingenico card terminals to verify network settings and in some cases (when
whatever provisioning process did not work) manually set them. The terminals
were to communicate with a local device in a 10.* IP scheme, and were supposed
to get their own network settings via DHCP.

I've also had Walmart refund partial purchases without my payment card being
present. This shows me that it's possible that Walmart stored the payment card
information.

~~~
Nursie
So there are a few things here I could maybe clarify, having worked in all
sections of the chain from on-device security to issuing bank systems.
(Remember I said maybe!)

You're right, not all POS talk directly to the bank. One of the products I
worked on was a store-level switch, the POS would talk to that. However the
store-level switch did not have the requisite keys to decrypt all of the data
the POS would put out. In particular there are some pieces of data (PIN is
one) that must, by card-scheme rules, be encrypted from the point of entry all
the way to the bank. The keys used to achieve this are injected into the
terminal during manufacture or during an update process that can only be
activated using further keys held by the banks, not at the store level.

On your refund - Walmart may well be able to process a refund simply by
specifying an amount and a transaction reference - they don't necessarily need
to have had the card details to do that. Their bank can take that reference
number and apply a refund against the transaction, looking up your account
details in their database in order to inform your issuing bank about it. In
some cases they may not even need to supply an account or card number to the
issuing bank, just a transaction reference.

------
callesgg
On the ones I have used it is 147369

------
Church-
Saw this an' stars and stones, first thing that popped into my mind. Was
Barnaby Jack that rapscallion. I figure he would've had something to say on
the matter.

