HP researcher pops the POS security lid
Matt Oh is one of HP’s senior researchers, and his passion for technology and software systems led him to picking up a second-hand NCR Aloha POS terminal from eBay for little more than $200 (£119) and then hacking into it with little to no effort at all.
In fact, it could hardly even be called hacking when Oh really just guessed the Virtual Network Computer password on his first try. “The first guess I made was so obvious ‘aloha’, but guess what? The password was correct,” writes Oh on the HP blog.
In here he could find a complete list of employee details; seeing who had access to the machine, the cards that were swiped to log in, and the passwords, addresses, phone numbers and access codes associated with them in the system.
So why is this a big deal? After all it’s an old terminal that was purchased on eBay.
While that’s true, the Aloha POS terminal is one of the most common POS devices found in hospitality businesses across America. And as Oh was able to buy the master terminal so easily, it means that others could probably do the same too – allowing them to build decryption software and brush up on their hacking etiquette.
Indeed, Oh points out that, while he was unable to find any shopper information the Aloha terminal, a card reader would usually be attached for payments, and the data transferred down the cable between them is rarely ever encrypted. It’d be very little effort for a seasoned hacker to create a keylogger to skim card information. “Even though credit card numbers are not saved anywhere, gift card numbers are,” noted Oh. “This information could also be used for fraud if it fell into the wrong hands.”
Still, that isn’t Oh, or HP’s issue here. It’s unlikely that any would-be cybercriminals would don a balaclava’s and jumper as stock photos would have you believe, and head on over to eBay to buy an old POS terminal in hope of free customer information. What the real issue is that businesses aren’t taking precautions with sensitive information.
The device that Oh managed to obtain had updates disabled, showing that it had been running on software that was last protected against any external threat in 2007 – despite timestamps suggesting it was still being used in 2014.
Naturally NCR weren’t impressed with HP’s findings and decided to have at it on their own blog. Here they pointed out that the model is no longer sold – which is genuinely of little importance seeing as merchants are still using them. However, they did acknowledge that the article helped shed light on the issues dogging the payments world. “Now more than ever before, business owners should seek professional help when introducing information technology (IT) into their environments,” wrote NCR, “as the complexity of the threats they face is at an all-time high”.[Image: Johan Nilsson - Flickr]