A security researcher recently figured out how to install and play the classic first-person shooter video game Doom on point-of-sale credit card readers, the ubiquitous devices at store registers around the world that complete purchases when you swipe, tap, or insert your credit card.
While Nolan Ray’s hack isn’t going to blow up the POS world, it helps demonstrate the potential insecurities of our retail transactions.
At the annual hacker conference DefCon in July, Ray demonstrated his hack on the Verifone MX 925, a credit card reader still in use and receiving manufacturer updates. You can buy it on Amazon.com for less than $600. He began by unlocking the device with its default personal identification number, or PIN, which Ray says retailers—like consumers, with other Internet-connected devices—rarely change, due to laziness or a lack of guidance. More than 90 percent of POS readers rely on their default PIN for security, according to a 2015 study.
Once the terminal has been unlocked, any malicious hacker could access and steal data stored on the reader—or install a 25-year-old video game like Doom—wirelessly through a Wi-Fi or Bluetooth connection, or directly through its smart-card reader, or its USB or COM ports.
While you might not expect a store clerk to allow a malicious hacker to fiddle with a POS reader long enough to unlock or steal data from it, unmanned registers, especially at big chain stores, make for tantalizing targets. And as retailers increasingly rely on payment devices to process customer purchases and protect customer data, they need to become more vigilant than ever about the security at the register, Ray told The Parallax after his presentation.
Retailers can take various steps to protect their POS readers and, by extension, their customers. The first step, Ray says, is to change the default PIN.