At a major US information security event last week a fundamental flaw by a major payment terminal vendor was disclosed, potentially exposing millions of customers to the risk of credit card theft and fraud.
The researchers at the RSA Conference in San Francisco would only reveal the password ‘166816’. This sequence has apparently been used by the same firm on payment terminals shipped worldwide for more than 20 years. A Google search afterwards connected this with several models of credit card terminal sold by Verifone in the Silicon Valley. Verifone are highly active, selling into 150 countries and connecting 27 million payment devices, so it is an embarrassing disclosure for the vendor (although they declined to comment) and a stark warning to businesses to review security.
It is believed that customers assumed the 6-digit password was unique to them and thus made no further changes. This lapse in security practice makes it all too easy for hackers to unscrupulously target payment terminals. Moving to chip-based payment cards remains only part of the answer as they are not bullet proof either.
The financial repercussions for retailers cannot be underestimated both from loss of consumer confidence as well as share price with publicly listed organisations (remember US retailer Target in 2013 – 70 million customers affected and US store Home Depot – reportedly affecting 56 million customers).
The take away for business whatever the market sector and whichever side of the Pond, is to ensure your business has a robust security policy, reviewed regularly at board level and on a deployment basis, if your systems and software are ringfenced, then to have clear protocols on re-securing assets introduced or re-circulated into the organisation. But to this ying we add a yang: no system is any good if an operator is flawed. To best practice cyber security policy we would add a good education programme communicated throughout the workplace, as humans remain the primary conduit for increasingly sophisticated hacking.