Disposing of Point-of-Sales (POS) Systems

July 29, 2014 Timothy Uncategorized

A few weeks back I posted on disposing of Android phones. This week brings news from security researchers on the hazards of improperly wiped point-of-sales (POS) systems.

As with the used phones, a researcher bought a used POS and went to town exploring it. You aready know what happened, right? Yep! He extracted employee Social Security numbers, credit card numbers, customer personal information and numerous passwords.

The POS was an Aloha model commonly used in hospitality businesses, like bars and restaurants. It apparently had several accounts that used the account name as the password. For example: “Aloha” and “Aloha”. Adding insult to injury, the former owners had turned off Windows updates so the device was missing seven years of security updates. Not a great way to keep the bad guys out!

Interestingly, Aloha’s manufacturer, NCR, posted a reply to the HP blog post. NCR concurs with HP the lack of security updates and easy-to-guess passwords indicate a poorly managed POS system.

So, what are our lessons learned?

  1. “Business owners should seek professional help when introducing information technology (IT) into their environments.” (NCR)
  2. Plan to replace your POS systems regularly, like you do your personal phone.
  3. Ensure all drives and storage media are securely wiped before disposal.
  4. Never, ever use easy-to-guess passwords.

Source: Hacking POS Terminal for Fun and Non-profit


About Timothy Lee

Tim, the Arkansas Small Business and Technology Development Center's webmaster and technical training specialist, has been with ASBTDC since 1995. He retired from the U.S. Air Force with the rank of master sergeant. He's a bit gung-ho, turns cat food cans into cook stoves, and keeps packing ASBTDC equipment for rapid worldwide deployment, but he's your "go to" guy for technical solutions and full-scale disasters.

hospitality business, Security,

Comments are currently closed.