back to article Secondhand Point-o-Sale terminal was horrific security midden

Second hand point-of-sale systems sold through eBay are likely to contain all sorts of sensitive information, according to the work of a security researcher at HP. HP sleuth Matt Oh bought an Aloha point-of-sale terminal on eBay for $200. This type of terminal is widely used in cash registers within the hospitality industry. …

  1. TRT Silver badge

    There was a place in Watford...

    that used to recycle/scrap cash machines. They had thousands of them just sitting around on pallets outside the back of a warehouse, just a chainlink fence between them and a public footpath. Anyone could (and frequently did) climb over and have away with genuine faceplates, readers, screens, software etc. It was like that for the best part of 20 years, despite many attempts to get the local constabulary to have a word with the company about it. Don't know what happened to make them change their ways.

  2. DNTP

    Obviously the solution is to ban the resale of POS terminals to security researchers.

  3. Terry 6 Silver badge


    I've been trying to think of new password, to replace "password".

    That's one I could use.

    1. Ole Juul


      I've got a better one.

      1. VinceH

        Re: Aloha1

        That's just silly. Make it Aloha99 - then it would take at least 99 attempts before they guess it correctly, and new research that I haven't just made up on the spot (honestly) shows your average nefarious person gives up after 43 attempts.

  4. Anonymous Coward
    Anonymous Coward


    POS terminal.

    POS security.

  5. Anonymous Coward
    Anonymous Coward

    Er... news?

    So this is another "stuff bought second hand not wiped" news story?

    I bought some second hand IP phones fairly recently, plugged them in and was able to make calls. Only then did I realise I hadn't set them up yet, they still had all the details from the previous owner in them.

    Where's my news story?

    (anon because of the half dozen test calls).

    1. Robert Helpmann??

      Re: Er... news?

      So this is another "stuff bought second hand not wiped" news story?

      Yes, in as much as there was data on it that might be valuable in and of itself (e.g. account details). However, the researcher was able to learn enough about the second hand box to be able to hack systems that are still in production, assuming they are still set up the same as the terminal he purchased. Knowing that the owner doesn't change the default password or that the password can be recovered from the discarded machine and is likely to be the same on systems still in use can be pure gold (literally). Finally, "Oh's findings suggest the retailer had a poor security policy that went beyond anything particular to the terminal he bought on eBay."

      I would like to know which retailer this is so I can avoid walking through its doors.

  6. Amorous Cowherder

    Bankruptcy stock and dealt with by a load of people who are simply just shifting and lifting old kit to get money back.

    The company goes down, the employees might be lucky to get a token pay off but most are just happy to be out of it and off a new job. The old crap in the offices is just dumped on the back of lorries by people who neither know nor care what it is, they're just told to "pile 'em high and sell them off" to get money back to pay the bankruptcy debt back to the bank.

  7. Andrew Jones 2

    The local shop in the village where I live has 2 POS terminals.

    One of them went wrong and I noticed a USB slot underneath the monitor and offered to plug a keyboard in and take a look for them.

    I was appalled to find (apart from the fact it is running Windows) no antivirus security and the firewall disabled. But I thought well it's not connected to the internet, it's not that terrible......

    Then the shop owner told me, whenever it went wrong in the past - he just phoned up the company that deals with the maintenance of the things, and they remotely fix the problem, and sure enough - yup they are connected to the internet after all..... with no antivirus and no firewall.......

    1. Anonymous Coward
      Anonymous Coward

      Sounds like stores I deal with

      The only thing missing from your list is the fully writeable share for the C:\ root drive. Standard practice of the "support" people who set the system up. They also had disabled Windows updates. They then get all upset if you question them about this!

      Some developers seem to think that security does not apply to them. Some of the arguments I have had with software devs who trash security settings instead of learning how to work within the OS security rules!!

      Or when I was doing support for another unnamed company who produced H&S software. It made use of SQL server. And the devs again would insist on fully writeable access to all kinds of vital folders on the server!! Not as if this was installed anywhere important... Banks, Councils, Police, Fire... Stunning!!

      Companies employ cheaper less trained staff. Don't pay to train them up fully. So the staff only care about getting their product to work, and stuff the security of the customer!

      1. Nick Ryan Silver badge

        Re: Sounds like stores I deal with

        Yep - I've come across crap like this as well as various international companies that insist on testing all windows updates extensively but never ever applying anything just in case it affects some remote system somewhere. Updates only ever went out on new kit which were usually about a year behind on critical updates but that was the plan as it was a known, "supportable" position.

        The concept of writing code that was coded properly and adhered to all the long established windows application guidelines and didn't require ludicrous security permissions was utterly beyond them.

        They still suffer from a lot of hits from viruses and often not recent viruses either. Wonder why?

    2. Someone Else Silver badge

      @Andrew Jones

      I assume you no longer frequent that shop...

      1. Terry 6 Silver badge

        Re: @Andrew Jones

        Pay with cash?

        1. Andrew Jones 2

          Re: @Andrew Jones

          Thankfully - the card reader system is an entirely seperate system that uses the Yellow PayPoint standalone machines.

  8. Slow Joe Crow

    Haven't these people heard of DBAN?

    My own kit and even lab stuff going to the corporate disposal guys get wiped with at least the DBAN autonuke. The DBAN at work is actually redundant since company policy is no hard drives go out the door, they get zapped in a degausser and shredded or crushed. This even applies to warranty repairs since we have enough clout to get the kit vendors to accept a scan of the drive label in lieu of the dead part. Now admittedly I work for a large and paranoid organization but basic data wiping seems like it should be standard procedure.

    1. Anonymous Coward
      Big Brother

      Re: Haven't these people heard of DBAN?

      "The DBAN at work is actually redundant since company policy is no hard drives go out the door, they get zapped in a degausser and shredded or crushed"

      What's the point of DBAN and a degausser if you're going to wack it with a hammer?

      1. Alistair

        @ pakkuman

        At least in my org, we have those drives sitting around for a month or three in storage.

        Wipe/nuke/clean the disk before it goes to storage.

        From storage to the shredder.

        We need a "Big Honkin Magnet" icon.

    2. Nick Ryan Silver badge

      Re: Haven't these people heard of DBAN?

      My brother-in-law worked for a company that supplied systems to the MOD, and when a HDD or a software problem surfaced the MOD returned the HDD; Wiped, smashed and shredded. Software issues were quite difficult to resolve apparently.

  9. Crazy Operations Guy

    I've found that PoS, inventory control, time/staffing systems, and any other systems deployed to stores end up failing due to one of two philosophies (Well over 90% of my clients are guilty of at least one):

    'Configure it until it works, then never touch it again until it breaks'

    This usually happens when a technician setting up a new system does the bare minimum to get it to work; ofter leaving in default passwords, leaving encryption options turned off, and little to no monitoring set up.

    'Make it simple enough for a store manager to fix it'

    I see this a lot at large chain stores where systems are shipped out to stores. Companies will try to cut support costs by configuring systems so that they can be set-up by a local contractor (Usually low-skilled) and then be managed store managers so that they only have to send out skilled employees in only the most serious problems.

    Either way the systems are as secure as a wet cardboard boxes and nothing will be done about them without a serious breach and immense amounts of effort/money.

  10. Terry 6 Silver badge

    Basic security

    Some things should be basic.

    But they don't seem to be.

    When managing in a special ed teaching service I routinely took the HDD out of obsolete admin PCs before I took the boxes to the recycling centre. HDDs wiped and made at least physically unrecoverable by normal means, by breaking them as much as I could, then dumped with the general landfill rubbish.

    The council didn't seem to care about how we disposed of them, since there was no policy for disposal, no option to have the HDDs removed and taken for destruction by central IT.

    But I have a sneaky suspicion that if I hadn't removed the HDDs and one had ended up in the public domain it was my head that would have been on the block.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like