Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security HP

Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data 68

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.
This discussion has been archived. No new comments can be posted.

Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

Comments Filter:
  • by Selur ( 2745445 ) on Friday July 18, 2014 @01:09PM (#47484511)

    I bet 90% of all small businesses still have no real clue data security and about the amount of data their printers, cash registers,.. still contain.

    • by Anonymous Coward on Friday July 18, 2014 @01:21PM (#47484623)

      When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

      • by Anonymous Coward

        In theory, the bankruptcy attorney and the auction house is tasked with zeroing out the machine. However, even though some computers have a feature to zero hard disks (even if it is deleting and rebuilding an array from scratch, zeroing out all data that is unused), this can be obscure to impossible to find on most hardware.

        Of course, this is something that might affect people big time if a major cloud provider goes bankrupt. The servers get sold, and just like the point of sale machine, the data gets acc

      • by mythosaz ( 572040 ) on Friday July 18, 2014 @01:36PM (#47484745)

        Restaurant fails to pay the lease.

        Landlord slaps a new lock on the door.

        Equipment is sold to a restaurant supply reclamation company, of which any city of any size has.

        Supply company puts their crap on eBay.

        • A restaurant supply reclamation company should surely have the expertise and the responsibility, no?

          • A restaurant supply reclamation company should surely have the expertise and the responsibility, no?

            Responsibility to do what? It's not their data nor their customers data on the stuff they're selling. They're just a buyer and seller of goods. As long as the equipment is not stolen and is in good working order when supplied to their customers they've met their responsibility. I'm not aware they have any responsibility to the former owners or their employees at all. Correct me if I'm wrong, though, I'm not a lawyer.

            • by Jiro ( 131519 ) on Friday July 18, 2014 @02:29PM (#47485041)

              By that reasoning if the restaurant supply reclamation company instead found equipment contaminated with bacteria, and sold the equipment, and people got sick and died from it, they likewise wouldn't have any responsibility. Equipment that poses a threat to people because it spreads private data is not really all that different from equipment that poses a threat because it spreads disease.

              (Which is not to say that it's legally the same, of course.)

              • by tk2x ( 247295 )

                Yes, the reasoning stands. The new owner of the equipment has a duty to sanitize the equipment before using it for commercial food service and selling things to the public that touch it. Not the supply company.

              • You would buy and use food prep equipment without cleaning it? I wouldn't even do that with a yard sale coffee cup that looked spotless. Even brand new food prep equipment has instructions to say wash before use. If restaurant "B" obtains something from defunct restaurant "A" and then deploys it without cleaning it, the equipment seller is not to blame... same as if new equipment were involved and the contaminant was industrial oil. The party using the item is responsible for the cleanliness of the item, a
            • Supply reclamation. Not just a broker. Not just a trader. Someone who specialises in dealing with these products coming from failing companies. I don't agree that they're 'just a buyer and seller'.

          • You're kidding, right?

            Said reclamation company is a warehouse downtown filled with commercial deep fryers, cold-cut-slicers, and an endless pile of banquet chairs.

            [It's a great place to buy a sturdy table for cheap...]

            • You're just emphasising that they don't make the effort. That doesn't mean I'm wrong to suggest they should. I'm open to being convinced otherwise, but this doesn't strike me as a compelling argument.

        • Restaurant fails to pay the lease.

          Landlord slaps a new lock on the door.

          Equipment is sold to a restaurant supply reclamation company, of which any city of any size has.

          Supply company puts their crap on eBay.

          This tells me that the point of sale equipment is flawed to a
          degree that risks civil action. As bad as they are modern
          routers must be reset if the password is lost and as a minimum

          Payment Card Industry (PCI) Data Security Standards need to
          address this. Please call your IEEE favorite standard person....

      • When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

        And even if they do give a crap, they might not be able to do anything about it. It is not uncommon in bankruptcy or liquidation proceedings for property to be seized immediately in order to prevent the (former) owners from carting off all the valuable goods and hiding them, possibly selling them off at a much later time. Businesses can be locked up and chains put on the doors to prevent the owners from looting the place before their inventory can be assessed. This could very well prevent even a security co

        • Unless the local legislation requires handling personal data in a specific way and preventing a business from wiping it after ceasing its operations could be viewed as illegal (and so could simply taking computer systems with the data still on them).
      • they're not going to give a crap about what data might be left on these devices.

        Nor should they, because useful private data should never be stored on them in the first place. My name, address, and phone number are not private. Anyone can get them from the phone book or other public sources. So the only "private" information mentioned is the SSN. So the real solution is to get rid of the idiotic notion that SSNs are a "secret", and to ban their use as authentication keys. Then they can be published in the phone book, along side the name, so you know you are dialing the right "John

        • Interestingly enough, SSNs were never supposed to be used for identification/authentication keys. My father still has an old card that still has "Not to be used for identification" printed on it.
          • Interestingly enough, SSNs were never supposed to be used for identification/authentication keys. My father still has an old card that still has "Not to be used for identification" printed on it.

            The "Not to be used for identification" refers to the card, not the number. It is just saying that a Social Security card is not an identification card.

            There is nothing wrong with using SSNs for identification. The government does it. The government also requires businesses and financial institutions to use SSNs to identify their employees and customers. The problem is the idiotic notion that SSNs can be both widely known (used for identification) and secret (used for authentication). Mere knowledge o

            • Yup. People should really think of SSN's as glorified names. That's all they are really supposed to be: a non-duplicative name, a unique key, an identifier that nobody else shares.

              In fact, an authentication tool doesn't have to be unique. If you had a password associated with your SSN, who would care if both 123-45-6789 and 987-65-4321 had the same password? For all you know, your next-door neighbor could use the exact same gmail password as you and nobody would never know.

              Asking people to verify th

    • by sjbe ( 173966 ) on Friday July 18, 2014 @01:37PM (#47484749)

      I bet 90% of all small businesses still have no real clue data security and about the amount of data their printers, cash registers,.. still contain.

      As someone who has spent many years consulting to small businesses I can tell you that you are being too conservative. 99% is probably closer to the mark. Nearly all small business owners are clueless regarding data security and frankly don't really have the time to worry about it either. Running a small business is a hugely time consuming endeavor and dealing the the nuances of data security is a luxury most do not have time for. Shoot, you'd be terrified at how many of them don't even bother to back up key data like their accounting software.

      I run a small business myself and while I'm more aware than most about our security I don't really have time to deal with all of it. At some point you sometimes simply have to live with a certain level of risk until you have the resources to address things properly.

      • by Threni ( 635302 )

        I think businesses will find time to focus on security when fines for leaking customers details bankrupt them.

      • The research was not about the scandal of data left behind. That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.

        This, though, only confirms your own account and probably falls well within the known range of shortcomings.

        So ...

        Doesn't HP, for whom the author of this report works, compete with sellers of point-of-sale systems, which have become default inventory and accounting systems for m

        • by sjbe ( 173966 )

          That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.

          You will find that the majority of small businesses fit that description. The company I work at right now has about a dozen computers. Before I got there ALL of them hadn't seen a security update in at least 5 years, the server wasn't being backed up, there was no firewall or antivirus to be found, the company books were done on a spreadsheet, etc. And they were better than many. I've consulted with probably 20-30 small businesses in the last 10 years and maybe 3 or 4 handled their computer security and

      • "At some point you sometimes simply have to live with a certain level of risk..."

        The problem is, the risk isn't yours. It's on the people whose private data you've leaked to the world. This just happened to me. My former employer (of about 8 years ago) had his laptop stolen while on location. Names, SSN's and who knows what else from former employees were all on that laptop. No encryption I assume. I got an email of warning but I'm too angry to make contact for more information.

        • The problem is, the risk isn't yours.

          Sure it is. If any of my customers and/or employees found out that I had leaked their sensitive data then I would not only loose that customer/employee I would likely find our company at the pointy end of a lawsuit. (and rightly so) Given that our customers are mostly large companies I assure you that we cannot afford to piss them off. We take reasonable precautions but there are security holes that I'm aware of that the risk/reward ratio do not even come close to being justified. If a serious criminal

    • I bet 90% of all small businesses still have no real clue data security and about the amount of data their printers, cash registers,.. still contain.

      more importantly, when they're selling their POS it likely means they've gone out of business and simply don't care at that point.

    • by Lumpy ( 12016 )

      A friend bought a pallet of computers from an auction back in 1998. on the pallet we had computers from NASA and the DOD as well as other govt locations and many of them still had the hard drives in place. the NASA computer came with a box that was filled with floppies of all their software for satellite solar panel design and testing. There was also a Cromemco minicomputer that still had it's 8" hard drive and a TON of emails left in it (cracking the root password was trivial with an OS boot floppy) fro

  • by mythosaz ( 572040 ) on Friday July 18, 2014 @01:12PM (#47484527)

    It's hard to imagine that used equipment was sold with the default password...

    I always include employee data, but I make the new purchaser guess my password.

  • These are restaurant/retail workers. Society has already s*** all over them, so they shouldn't be surprised this happens to them.

    Serious note: Small businesses (such as Target, or New York City) aren't good at data security.

  • He didn't really get a treasure trove. He got some stuff that was sort of interesting, and maybe unfortunate.

    It's not like he got every transaction of everyone who's used the system, their names, addresses, passwords, credit cards, security questions, etc.

    • i don't know, $200 for a handful of SSNs? He could probably get a $1000 CC for each SSN.
      After laundering, he'll at least double his money if there's just one valid name/SSN/birthday on there.

      • Those SSNs are valuable to tax fraud "drop" scammers.
      • Do you think waitstaff have great credit scores? Most don't even have bank accounts, much less any way to get credit cards. That's not exactly the most lucrative job to target for identity theft.
  • ...I just delete it though, I have absolutely NO NEED for peoples personal data. Maybe NSA does, but the average Joes (small businesses included) have NO need for these, it's material for the local newspapers though. OOOOH...security break, someone sold an unwiped harddisk and someone else took notice instead of formatting it.
    • What this world is coming to is for you and me to decide. </douchey-grammar-cop>
      • What this world is coming to is for you and me to decide. </douchey-grammar-cop>

        Sure, thanks. Changed!

        • np :)
          • not that this matters at all to anyone, except people like me who have the pet-peeve... but..

            a good way to determine if you should you I or Me is to eliminate the other person in the sentence (confusion always happens because it's someone and Me/I... not when its just me/i... so if you drop the other person, and then say it, it becomes clear... ie:
            what this world is coming to is for I to decide

            what this world is coming to is for me to decide
            now it sort of becomes obvious as to which sounds right
  • by Anonymous Coward

    Why were employee Social Security Numbers(SSN) on a Point of Sale(POS) machine?

    • Re:SSN on POS? (Score:5, Informative)

      by GameboyRMH ( 1153867 ) <gameboyrmh@@@gmail...com> on Friday July 18, 2014 @01:51PM (#47484819) Journal

      An excellent question.

      I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

      A hardware store and a couple car parts stores near my house have this setup. The car parts stores use them for parts info lookup as well. Maybe this machine was also holding the HR files.

      • Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

        • Re:SSN on POS? (Score:4, Informative)

          by Fnord666 ( 889225 ) on Friday July 18, 2014 @02:38PM (#47485109) Journal

          Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

          Yep. They're called Integrated Payment Platforms or Integrated Payment Systems and they're all the rage right now.

      • by tlhIngan ( 30335 )

        I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

        No, cash registers (the dumb kind) are fairly cheap things - a few hundred bucks tops.

        The problem is, the dumb registers don't do more than record sales and all that.

        The fancy PC based ones do tons more - they integrate with a backend inventory system to update real-time inventory c

        • Auto parts stores terminals are literally acting as terminals in most cases, though. There's one machine in the store that's real, everything else is just there to display a GUI. This is increasingly true for anyone who has more than a couple of terminals, including supermarkets and hardware stores. Meanwhile, your community miniature market will probably still have a mechanical time clock, or something digital which is designed to behave just like one, and a dumb register that can't handle anything more co

  • by Anonymous Coward

    In order to process credit cards, the restaurant has an obligation to the credit card companies to secure card data under a standard called PCI. PCI does have a secure deletion requirement. I had to write a secure delete utility to get rid of PAN data.

    If a company goes out of business, I doubt anybody's gonna care about that. So if you're a restaurant owner don't use a thick client architecture like Aloha where years of customer data resides on the poor Windows terminal. Windows was never meant for that. In

  • I recently visited my local Sears store, and noticed they still had the same registers from 1990, when I worked for them.

    • by Anonymous Coward

      If it works... don't fix it. I've yet to hear about horrid Sears breaches.

      Done right, I don't see what is wrong with a 3151/3153 terminal [1], a card reader/card terminal (for chip and PIN), a UPC scanner, and maybe a cash drawer. Keeping the data on a central server isn't too bad an idea these days.

      I wonder why more larger stores just have the bare essentials at the terminal. Enough IQ to handle Chip/PIN [2], scan stuff with a barcode/QR scanner, open or close the cash drawer, deactivate anti-theft tags

  • One of the more popular point of sale systems on the market is called RealPOS
  • A dentists office bought all new workstation computers, they are friends with my boss and gave him the old computers to see if we could use them or give them away. The were password protected, so I downloaded an easy to find password reset cd from a pirate site, cleared the passwords and booted it up. While it did not have detailed patient information (that was still on their server) it had many patient pictures showing work they have done, word documents with patient names and addresses saying what work

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...