Thales Blog

Weak Passwords Let Retailers Down - Again

July 29, 2014

Research from earlier this year revealed that the worst consumer password of 2013 was ‘123456’. Recent headlines around the BrutPOS botnet identified by FireEye this week suggest that remote administration software is not faring much better, with passwords such as ‘administrator’, ‘pos’ and ‘Password1’ exposing retailers to attack.

The majority of the attacks have been suffered in the US, which has not yet made the transition from the old mag-stripe standard to EMV chip-enabled cards. Mag-stripe technology gives the point of sale full sight of the extremely sensitive cardholder payment data – a real ‘collectors’ item’ for thieves in their quest to create counterfeit cards.

Of course, if the data is encrypted at point of capture, it will never be ‘seen’ by the POS. That’s all very well, although as we have seen in this case, it simply moves the potential attack further up the chain until the clear data is exposed – likely through badly managed keys and poorly implemented crypto. Implementing trust anchors through hardened, tamper-resistant devices would make this attack much less feasible.

Whether the weak passwords are down to unchanged default passwords or the lack of a strong password policy, it comes down to human error – human error that could easily be mitigated through the use of two-factor authentication. This process is usually mentioned in the same breath as the word ‘inconvenient’, with consumers often disabling the functionality to streamline the user experience. For systems processing card numbers, however, this multi-layered approach to security isn’t really optional – two-factor authentication should be seen as an essential precaution.

BrutPOS is ‘brute-forcing’ its way into vulnerable POS systems – weak passwords and poor encryption mean it doesn’t have to push nearly as hard as it should.
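The login pattern described above is something a retailer can watch for on its own remote-administration hosts. The following is an added example written for this post, not code from Thales or from FireEye’s report: a sliding-window detector that flags a source once it racks up a burst of failed logins and then notes whether one of its guesses went on to succeed. The event records, IP addresses and usernames are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records (timestamp, source_ip, username, success),
# in the shape a remote-administration service might log them. Not real data.
SAMPLE_EVENTS = [
    ("2014-07-28T02:00:01", "198.51.100.7", "administrator", False),
    ("2014-07-28T02:00:03", "198.51.100.7", "administrator", False),
    ("2014-07-28T02:00:04", "198.51.100.7", "pos", False),
    ("2014-07-28T02:00:06", "198.51.100.7", "pos", False),
    ("2014-07-28T02:00:09", "198.51.100.7", "admin", False),
    ("2014-07-28T02:00:11", "198.51.100.7", "pos", True),    # a guess landed
    ("2014-07-28T02:05:00", "203.0.113.9", "manager", False),
    ("2014-07-28T02:30:00", "203.0.113.9", "manager", True),  # ordinary typo
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag any source with >= threshold failures inside a sliding window,
    and record successes from a flagged source (the guess that worked).

    Returns (flagged, compromised):
      flagged     -> {source_ip: timestamp of the failure that tripped it}
      compromised -> [(source_ip, username, timestamp), ...]
    """
    failures = defaultdict(deque)   # source_ip -> recent failure times
    flagged = {}
    compromised = []
    for ts, src, user, ok in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        if ok:
            if src in flagged:
                compromised.append((src, user, ts))
            continue
        recent = failures[src]
        recent.append(t)
        while recent and t - recent[0] > window:   # drop failures outside window
            recent.popleft()
        if len(recent) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_EVENTS)
    print("flagged sources:", flagged)
    print("successes after brute force:", compromised)
```

Pairing an alert like this with two-factor authentication on the remote-admin service closes the loop: the detector shows the guessing, and the second factor stops a correct guess from being enough.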