You know how sometimes you sign up for something and you get a default password so you can access that new account? Apparently, that sort of system came under fire recently at a major cybersecurity conference in San Francisco.
At RSA Conference 2015 USA, which ran April 20-24, researchers said that a major payment terminal vendor has been shipping systems with the same default password for more than 20 years, according to a report from the International Data Group (IDG) News Service.
The researchers said the default password is in use at nine out of 10 customers who have the terminals. IDG confirmed the vendor is VeriFone, which operates point-of-sale software in more than 150 countries. VeriFone sent a statement to IDG acknowledging that its devices come with a widely known default password, and new devices now require users to change it upon setup.
“The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured,” VeriFone said to IDG. “What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords.”
The researchers who discussed the issue at RSA Conference had a different perspective, identifying the default password as one of many security flaws in the industry, which they detailed in a session cheekily titled “That Point of Sale is a PoS.”
Vulnerabilities in point-of-sale systems have come under intense scrutiny in the wake of massive data breaches that have hit the retail industry in recent years. Some of the largest attacks hit Target and Home Depot, when hackers installed malware in point-of-sale terminals and stole millions of consumers’ payment card information.
Such breaches can seriously harm consumers’ finances, because the balance that results from any fraudulent charges made with stolen data could end up on consumers’ credit reports, which can be time-consuming to correct. In the case of stolen debit card data, a thief could wipe out a consumer’s bank account, the funds of which may be necessary to make bill and loan payments. Because consumers can’t do much to protect their data from getting stolen in a breach like the ones that hit Target and Home Depot, the best thing to do is closely monitor your financial accounts and credit data. You can get a free credit report summary every 30 days on Credit.com, to help spot fraudulent activity.