Verifone statement on default password Z66831
Earlier today, DataBreaches.net asked Verifone for a comment or response to the report about an unnamed firm using the same default password for 25 years, as it was pretty easy to figure out from a Google search that the unnamed vendor was Verifone.
Gene Cyranski, Vice President of Zeno Group, kindly sent this statement in response:
The Verifone default password is Z66831 and is loaded on all Verifone devices in the field. The purpose of this default password is to simply initiate terminal installation, and it is not intended to serve as a strong security control. The default password made its way over the years into the public domain and can be found on the Internet, along with instructions on programming terminals. The important fact to point out is that even knowing this password, sensitive payment information or PII cannot be captured. To date, Verifone has not witnessed any attacks on the security of its terminals based on default passwords. What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords. While Verifone has not changed the passwords, clients/partners/merchants are always strongly advised to change the “default” password upon terminal installation and set-up. New Verifone products come with a “pre-expired” password, which will require merchants to change the password during installation and set-up.