Hackers gained access over dashboards that remotely managed and manage thousands of credit card terminals produced by the digital payment giant Wiseasy an enterprise in cybersecurity.
Wiseasy is a brand that you may not have heard about but it’s an incredibly popular payment terminal that runs on Android and is used in hotels, restaurants stores, retail outlets, and schools throughout all over the Asia-Pacific region. By using it’s Wisecloud cloud-based service Wiseeasy is able to remotely control customers’ configurations, updates and terminals on the internet.
However, Wiseasy employees’ passwords to log into Wiseasy’s cloud dashboards, including the “admin” account — were discovered in a dark-web marketplace that is utilized by cybercriminals, according to the company.
Youssef Mohamed Chief Technology Officer at pen-testing and dark web monitoring company Buguard has told that passwords had been hacked by malware installed on the computers of the employees. Mohamed claimed that two dashboards on cloud platforms were open, but neither were secured with security features that are basic, like two-factor authentication and allowed hackers access to more than 140,000 Wiseasy payment devices around the world.
The payment systems are usually targeted by hackers driven by money to steal credit card numbers to commit fraud.
Buguard claimed it first contacted Wiseasy regarding the compromised dashboards in the beginning of July. However, efforts to reveal the compromise were rejected by executives in meetings which were then cancelled without warning. According to Mohamed the company, it declined to provide a date or time when the dashboards in the cloud were secured.
Screenshots of dashboards taken by reveal the “admin” user with remote access to Wiseasy payment terminals. This includes the capability to secure the device and remotely install and uninstall applications. The dashboard also gave anyone the ability to see names and phone numbers, as well as email addresses, as well as access permissions for dashboard users of Wiseasy and the option to add users.
A different dashboard view displays the Wi-Fi name as well as plaintext password for the network to which payment terminals connect to.
Mohamed claimed that anyone with access to the dashboards can be able to control Wiseasy Payment terminals as well as make changes to configurations.
Wiseasy chief executive Jason Wang would not comment. In a separate message from Wiseasy spokesperson Ocean An, the company said that the problems were resolved and that it had added two-factor authentication to its dashboards.
It’s unclear what the firm’s plans are to inform customers of the security breach. Also Read