Last month TechCrunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, its Android-based payment terminals are widely used in the Asia Pacific region, and hackers managed to steal passwords for 140,000 payment terminals.
How Did the Wiseasy Hack Happen?
Wiseasy employees use a cloud-based dashboard for remotely managing payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks such as managing payment terminal users, adding or removing apps, and even locking the terminal.
Hackers were able to gain access to the Wiseasy dashboard by infecting employees’ computers with malware. This gave them access to two different employees’ dashboard accounts, which ultimately led to a massive harvesting of payment terminal credentials.
Top Lessons Learned from the Wiseasy Hack
1 — Transparency isn’t always the best policy
While it is easy to simply dismiss the Wiseasy hack as stemming from an unavoidable malware infection, the truth is that Wiseasy made several mistakes (according to the TechCrunch article) that allowed the hack to succeed.
For example, the dashboard itself likely exposed more information than it should have. According to TechCrunch, the dashboard “allowed anyone to view names, phone numbers, email addresses, and access permissions”. Although the case could be made that such information is necessary for Wiseasy to manage terminals on their customers’ behalf, TechCrunch goes on to say that a dashboard view revealed the Wi-Fi name and plain text password for the network that the payment terminal was connected to.
In a standard security environment, an interface should never be designed to display passwords. The open display of customer information, without secondary verification of the end user, also goes against a zero-trust policy.
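The two design rules above (never render a stored password, and gate customer details behind a secondary verification step) can be enforced at the point where a management record is serialized for the dashboard. The following is an added example, not Wiseasy’s code; the record layout, field names and the `step_up_verified` flag are assumptions, and the sample record is constructed. The `leaked_secrets` check is the kind of regression test a team can run against every dashboard response.

```python
import json

# Constructed sample of a terminal-management record (field names are
# assumptions, not the real dashboard's schema).
TERMINAL_RECORD = {
    "terminal_id": "T-0001",
    "merchant": {"name": "Example Cafe", "phone": "+1-555-0100",
                 "email": "owner@example.test"},
    "wifi": {"ssid": "cafe-guest", "password": "hunter2"},
    "admin_user": {"username": "svc-admin", "password": "P@ssw0rd!"},
    "apps": ["pos", "loyalty"],
}

SECRET_KEYS = {"password", "passwd", "secret", "api_key", "token"}
PII_KEYS = {"name", "phone", "email"}


def mask(value) -> str:
    """Keep first and last character so an operator can confirm identity."""
    s = str(value)
    if len(s) <= 2:
        return "*" * len(s)
    return s[0] + "*" * (len(s) - 2) + s[-1]


def redact(obj, step_up_verified: bool):
    """Return a copy of `obj` that is safe to render in a dashboard.
    Secret values are never returned, regardless of caller privilege;
    PII is masked unless the caller completed secondary verification."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            if k.lower() in SECRET_KEYS:
                out[k] = "********"  # show only that a value is set
            elif k.lower() in PII_KEYS and not step_up_verified:
                out[k] = mask(v)
            else:
                out[k] = redact(v, step_up_verified)
        return out
    if isinstance(obj, list):
        return [redact(x, step_up_verified) for x in obj]
    return obj


def leaked_secrets(original, rendered) -> list:
    """Regression check: list the paths of secret values from `original`
    that still appear in the JSON that would be sent to the browser."""
    blob = json.dumps(rendered)
    leaks = []

    def walk(o, path):
        if isinstance(o, dict):
            for k, v in o.items():
                if k.lower() in SECRET_KEYS and str(v) in blob:
                    leaks.append(path + k)
                walk(v, path + k + ".")
        elif isinstance(o, list):
            for i, v in enumerate(o):
                walk(v, f"{path}{i}.")

    walk(original, "")
    return leaks
```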
2 — Credentials alone won’t cut it
A second mistake that likely helped the hack to succeed was that Wiseasy did not require multifactor authentication when accessing the dashboard. In the past, most systems were protected solely by authentication credentials. This…