The Passcode to Hack Most Credit Card Readers

Signing payment at point of sale terminalAbout 90 percent of checkout payment card readers, like those implicated in last year’s string of retailer data breaches, currently use the same password. Reason: The default setting hasn’t been changed – either by its manufacturer, middlemen vendors or retailer clients that purchase the devices.

That’s the stunning conclusion after researchers from cybersecurity firm Trustware examined point-of-sale (POS) card readers at 120 retailers nationwide. “No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Trustware’s Charles Henderson told CNNMoney after presenting these findings at a cybersecurity conference last month. “We’re making it pretty easy for criminals.”

Get the latest on protecting your money and saving for retirement — AARP Money newsletter »

Most of the examined checkout terminal devices, which collect customer credit and debit card information, are made by the same manufacturer, which has used the same six-character sequence on its equipment since 1990.

With that factory-sent default passcode – either 166816 or Z66816, depending on the machine – an attacker can gain administrative access to individual readers to infect the device with malware to collect customer payment card data. However, the same vulnerability may exist in unchanged default settings in devices by other terminal makers, added Trustware.

Recent retail data breaches at Target, Home Depot, Neiman Marcus, Michaels and others are believed to have resulted from malware infection of POS card readers and systems. No specific retailers were identified in the Trustware study.

Verifone, which manufactures most of the POS card readers examined by Trustware, said that it “has not witnessed any attacks on the security of its terminals based on default passwords.” Still, the company added that retailers are “strongly advised to change the default password” and that its newer devices now use different passcodes.

Get discounts on financial services from trusted companies — AARP Member Advantages »

What does this mean to you? It’s one more reason to keep close tabs on credit and debit card accounts, along with news about retailer breaches, which authorities predict will continue.

But in the grand scheme, if only payment card data is stolen – versus more worrisome information such as Social Security numbers – there usually is little worry about: Simply notify your card issuer about a known or suspected payment card breach to get new plastic, with a different account number.

If your credit card number is stolen and used fraudulently, you have no liability for unauthorized charges. With stolen debit card numbers, there’s no liability if fraud is reported within 60 days of getting your statement. Rules change if the actual card is lost or stolen, but many credit and debit card issuers have zero-liability policies for those cases.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and gain access to a network of experts, law enforcement and people in your community who will keep you up to date on the latest scams in your area.

Photo: Juanmonino/iStock

Also of Interest


See the AARP home page for deals, savings tips, trivia and more.