A stolen password gave criminals access to 140,000 payment terminals used worldwide to process credit card payments. The payment terminals are from the company Wiseasy and are used by restaurants, hotels, shops and schools, especially in Asia. Through the Wisecloud cloud service, customers’ devices can be managed, configured and updated remotely by Wiseasy. The passwords that Wiseasy employees use to log into two of the company’s cloud dashboards, including an admin password, were sold online by criminals and allegedly stolen via malware. TechCrunch reports this on the basis of a report by security company Buguard. The dashboards provided access to some 140,000 payment terminals. Both dashboards were accessible to everyone from the web and did not require two-factor authentication. One of the dashboards made it possible to view data from Wiseasy dashboard users, including names, phone numbers, email addresses and access rights. The other dashboard contained the Wi-Fi network name and the plaintext password of the network to which the payment terminal is connected. An attacker could have operated the payment terminals and made adjustments via the dashboards. In a response to TechCrunch, Wiseasy says that the problems have now been solved and two-factor authentication has been added. How the credentials could be stolen by malware has not been disclosed.
