Last month, Tech Crunch reported that payment terminal maker Wiseeasy had been hacked. Although Wiseeasy may not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals.
How did the Wiseeasy hack happen?
Wiseeasy employees use a cloud-based dashboard for remote management of payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks such as managing payment terminal users, adding or removing apps and even locking the terminal.
Hackers gained access to the Wiseeasy dashboard by infecting employees’ computers with malware that stole their dashboard credentials. This gave the hackers access to the dashboard accounts of two different employees, and from there to the credentials of a very large number of payment terminals.
Top Lessons from Wiseeasy Hack
1 — Transparency is not always the best policy
While it’s easy to dismiss the Wiseeasy hack as the result of an inevitable malware infection, the truth is that Wiseeasy made several mistakes (according to the Tech Crunch article) that allowed the hack to succeed.
For example, the dashboard itself probably exposed more information than it should have. According to Tech Crunch, the dashboard “allowed anyone to see names, phone numbers, email addresses and access permissions”. Some of that information may be necessary for Wiseeasy to manage terminals on behalf of customers, but Tech Crunch goes on to report that a dashboard view also revealed the Wi-Fi network name and the plain-text password of the network the payment terminal was connected to.
A management interface should never display a password in plain text. If a secret must be recoverable at all (a Wi-Fi passphrase has to be pushed to the terminal, so it cannot simply be stored as a one-way hash), it should be masked by default, revealed only to a privileged user after a fresh re-authentication, and every reveal should be logged. Displaying customer information openly, without any secondary verification of the person viewing it, also runs against a zero-trust policy.
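The following is an added example (not Wiseeasy’s code, nor anything from the Tech Crunch report) of the difference between a dashboard serializer that returns every stored field and one that masks secrets and gates their disclosure behind a recent re-authentication plus an audit record. The terminal fields, the session model, the 300-second step-up window and the audit list are all assumptions made for the example.

```python
"""Masking secrets in a management-dashboard API response.

Added example, not Wiseeasy's code.  serialize_naive() is what the
reported dashboard view amounted to: every field, Wi-Fi passphrase
included.  serialize_for_display() never emits a secret, and
reveal_secret() hands one out only to an admin who re-authenticated
within STEP_UP_MAX_AGE seconds, writing an audit entry each time.
All field names, roles and the 300-second window are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_FIELDS = {"wifi_password", "api_key"}   # assumed set of secret fields
STEP_UP_MAX_AGE = 300                          # assumed policy: seconds since re-auth
AUDIT_LOG: List[Dict] = []                     # stand-in for a real audit sink


@dataclass
class Terminal:
    serial: str
    merchant: str
    wifi_ssid: str
    wifi_password: str   # must stay recoverable: it is pushed to the device
    api_key: str


@dataclass
class Session:
    user: str
    role: str
    last_step_up: float = 0.0   # epoch seconds of last re-authentication; 0 = never


class StepUpRequired(Exception):
    """Caller must re-authenticate before the secret is released."""


def serialize_naive(t: Terminal) -> Dict[str, str]:
    """The vulnerable form: dumps every stored field, secrets in plain text."""
    return dict(vars(t))


def serialize_for_display(t: Terminal) -> Dict[str, str]:
    """Default dashboard view: secret fields replaced by a fixed mask."""
    return {k: ("********" if k in SECRET_FIELDS else v) for k, v in vars(t).items()}


def reveal_secret(t: Terminal, field: str, session: Session,
                  now: Optional[float] = None) -> str:
    """Release one secret field after role check, step-up check and audit."""
    now = time.time() if now is None else now
    if field not in SECRET_FIELDS:
        raise ValueError(f"{field!r} is not a secret field")
    if session.role != "admin":
        raise PermissionError("only admins may reveal secrets")
    if now - session.last_step_up > STEP_UP_MAX_AGE:
        raise StepUpRequired("re-authenticate before revealing a secret")
    AUDIT_LOG.append({"ts": now, "user": session.user,
                      "terminal": t.serial, "field": field})
    return getattr(t, field)
```

The masked serializer is what every list and detail view should use; the reveal path is a separate, explicitly audited call, so a stolen dashboard session that has gone stale cannot simply scroll through terminals harvesting network passwords.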
2 — Credentials alone won’t cut it
Another flaw that likely helped the hack succeed was that Wiseeasy did not require multi-factor authentication to be used when accessing the dashboard. In the past, most systems were protected solely by authentication credentials. This meant that anyone with access to a valid username and password could log in, even if the credentials were stolen (as was the case in the Wiseeasy hack).
Multi-factor authentication requires users to prove their identity with an additional mechanism before accessing sensitive resources. Often this means entering a code sent to the user’s smartphone by SMS text message, but there are many other forms, and stronger ones: authenticator-app codes, hardware security keys and other phishing-resistant methods are preferable to SMS, which can be intercepted through SIM swapping. Because Wiseeasy did not use multi-factor authentication at all, there was nothing to stop the hackers from logging in with the stolen credentials. One caveat: malware on an employee’s machine can also steal an already-authenticated session cookie, so MFA greatly reduces the value of a stolen password but is not a substitute for keeping the endpoints themselves clean.
3 — Devices should be triple checked
A possible third error may have been that Wiseeasy employees accessed sensitive resources from a non-hardened device. Tech Crunch reported seeing screenshots of the Wiseeasy dashboard in which an admin user had remote access to payment terminals. The Tech Crunch article does not say that the administrator’s computer had been infected with malware, but since malware was used to access the dashboard and the screenshot shows an administrator logged into the dashboard, it is entirely possible that an administrator’s machine was compromised.
As a best practice, privileged accounts should be used only when a specific task requires them, with standard accounts used for everything else (email, web browsing and the other day-to-day work on which malware typically arrives). Privileged accounts should also be used only from dedicated, hardened management systems (often called privileged access workstations) that are not used for anything else, so that a compromised everyday laptop does not carry an admin session with it.
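Lessons 2 and 3 together amount to one access decision: a correct password alone must not open a session, and a privileged account must not open a session from an unmanaged device. The block below is an added example, not Wiseeasy’s or any vendor’s code; it implements RFC 6238 TOTP with the Python standard library and a login function that enforces both rules. The user table, the device identifiers, the separate standard and privileged accounts for the same person, and the hardened-workstation allowlist are all constructed for the example.

```python
"""Login decision that refuses credentials alone and binds admin sessions to a
hardened workstation.

Added example, not Wiseeasy's code.  totp()/verify_totp() implement RFC 6238
(HMAC-SHA1, 30-second step, 6 digits) using only the standard library.
authenticate() rejects a correct password without a valid one-time code and
refuses an "admin" login from any device not in HARDENED_DEVICES.
Users, secrets and device identifiers are constructed for the example; the
TOTP secret is the RFC 6238 test-vector key so the codes can be checked.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

TOTP_STEP = 30     # seconds per code
TOTP_DIGITS = 6
# Assumed: identifiers of dedicated, hardened admin workstations (in practice
# taken from a client certificate or device-management attestation).
HARDENED_DEVICES = {"PAW-0042"}


def totp(secret_b32: str, t: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP for Unix time t."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(t) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, t: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, compared in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, t + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)


# Constructed user table: "alice" is a standard account, "alice-adm" is the
# same person's separate privileged account.  One static salt keeps the
# example short; real systems use a random salt per user.
_SALT = b"constructed-static-salt"
_RFC6238_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of "12345678901234567890"
USERS: Dict[str, Dict] = {
    "alice": {"pw_hash": hash_password("Spring2022!", _SALT), "role": "user",
              "totp_secret": _RFC6238_KEY},
    "alice-adm": {"pw_hash": hash_password("k3Q!v9zLp#2r", _SALT), "role": "admin",
                  "totp_secret": _RFC6238_KEY},
}


def authenticate(username: str, password: str, otp: Optional[str],
                 device_id: str, now: int) -> Dict:
    """Return {"ok": bool, "role": Optional[str], "reason": str}."""
    user = USERS.get(username)
    presented = hash_password(password, _SALT)   # hash even for unknown users (timing)
    if user is None or not hmac.compare_digest(presented, user["pw_hash"]):
        return {"ok": False, "role": None, "reason": "invalid credentials"}
    # A stolen password on its own stops here.
    if not otp or not verify_totp(user["totp_secret"], otp, now):
        return {"ok": False, "role": None, "reason": "valid second factor required"}
    # Privileged sessions only from a hardened workstation.
    if user["role"] == "admin" and device_id not in HARDENED_DEVICES:
        return {"ok": False, "role": None,
                "reason": "admin accounts may only be used from a hardened workstation"}
    return {"ok": True, "role": user["role"], "reason": "ok"}
```

Run against the RFC 6238 test vector (Unix time 59), the key yields code 287082; the stolen-password scenario is `authenticate("alice-adm", "k3Q!v9zLp#2r", None, "LAPTOP-7", 59)`, which fails on the second-factor check, and the same credentials plus a valid code still fail from `"LAPTOP-7"` because the admin account is bound to the hardened workstation.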
4 — Stay on top of your own security
Finally, the biggest mistake made in the Wiseeasy hack was that the company apparently (based on the Tech Crunch article) didn’t know the accounts had been compromised until they were contacted by Buguard.
Buguard is a security company specializing in pen testing and dark web monitoring. Ideally, Wiseeasy would have been monitoring its own accounts and network for signs of a breach (unusual dashboard logins, for example) and would have shut the access down as soon as it was noticed, rather than learning of it from an outside party.
Moving forward: How to protect your own network from a similar hack
The Wiseeasy hack emphasizes the importance of following long-established security best practices, such as requiring multi-factor authentication and using dedicated administrative workstations for privileged operations. Subscribing to a zero-trust philosophy in your organization can solve many of these problems.
Additionally, it is important to have a way to know if your organization’s accounts have been compromised. Otherwise, an attacker who has obtained stolen account credentials can keep using them indefinitely. One way to close part of that gap is Specops Password Policy. Specops maintains a database of billions of passwords known to have been compromised.
This database is kept up to date with passwords from published breach lists as well as passwords observed in live attacks. Specops Password Policy checks your users’ Active Directory passwords against this information. If an account is found to be using a compromised password, the software alerts you so you can disable the account or change the password right away. Note what such a check does and does not cover: it catches passwords that are already public or reused from other breaches, but it cannot by itself detect a strong, unique password that was stolen by malware, as happened at Wiseeasy, so it complements rather than replaces multi-factor authentication and hardened endpoints. You can test Specops Password Policy in your Active Directory for free, at any time.
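The following added example (not Specops’ product or code) shows the mechanics behind a compromised-password check: the k-anonymity range technique commonly used by breach-password services, in which the client sends only the first five hex characters of the password’s SHA-1 hash, receives every known suffix under that prefix, and compares locally, so neither the password nor its full hash leaves the client. The three-entry corpus and its counts are constructed stand-ins for a multi-billion-entry database; nothing is fetched over the network.

```python
"""Checking a password against a compromised-password corpus with k-anonymity.

Added example, not Specops' code.  The "server" side is an in-memory index
built from a constructed three-entry corpus; the client side hashes the
candidate password, asks for one 5-character prefix range and compares the
remaining 35 characters locally.  check_password_change() is the policy a
password-set hook would apply.
"""
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a breach corpus: password -> times seen (made-up counts).
_CONSTRUCTED_CORPUS = {"password": 3730471, "123456": 23597311, "Winter2022!": 17}


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, upper-case hex (the format breach lists publish)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Server" index: 5-hex prefix -> {35-hex suffix: count}
_RANGE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _seen in _CONSTRUCTED_CORPUS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _seen


def range_lookup(prefix: str) -> Dict[str, int]:
    """Stand-in for the range endpoint: every suffix sharing a 5-hex prefix.
    The service learns only the prefix, never which suffix the caller wanted."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(_RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: how often the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def check_password_change(new_password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy applied when a user sets a password: reject breached, then short, passwords."""
    seen = breach_count(new_password)
    if seen:
        return False, f"appears in {seen} breached accounts"
    if len(new_password) < min_length:
        return False, "too short"
    return True, "accepted"
```

The same prefix/suffix split works for auditing existing accounts when you hold their hashes rather than their passwords: hash the stored value in the corpus’s hash format, query the prefix, compare the suffix locally, and raise an alert for any match.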
Whether you’re bringing pen testing in-house, moving toward a zero-trust infrastructure, or blocking known breached passwords in Active Directory, there are many ways to make sure your organization doesn’t suffer the consequences of a malware-driven credential theft like the one at Wiseeasy.