Last month, Tech Crunch reported that payment terminal maker Wiseasy was hacked. Although Wiseasy may not be well known in North America, its Android-based payment terminals are widely used in Asia Pacific and hackers have managed to steal passwords for 140,000 payment terminals.
How did the Wiseasy hack happen?
Wiseasy employees use a cloud-based dashboard for remote management of payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks, such as managing payment terminal users, adding or removing apps, and even locking the terminal.
Hackers were able to gain access to the Wiseasy dashboard by infecting employees’ computers with malware. This allowed hackers to gain access to two different employees’ dashboards, ultimately leading to a massive capture of payment terminal credentials once they gained access.
The most important findings from the Wiseasy hack
1 — Transparency is not always the best policy
While it’s easy to dismiss the Wiseasy hack simply as the result of an inevitable malware infection, the truth is that Wiseasy made several mistakes (according to the Tech Crunch article) that allowed the hack to succeed.
For example, the dashboard itself probably revealed more information than it should have. According to Tech Crunch, the dashboard “allowed anyone to view names, phone numbers, email addresses, and access permissions.” Although the case could be made that Wiseasy needs such information to manage terminals on behalf of its customers, Tech Crunch goes on to say that one dashboard view revealed the Wi-Fi name and plain-text password of the network the payment terminal was connected to.
In a properly designed system, the user interface should never display passwords in plain text. Openly displaying customer information without secondary verification of the end user also contravenes a zero-trust policy.
2 – Credentials alone are not enough
A second flaw that likely helped the hack succeed was that Wiseasy did not require multi-factor authentication when accessing the dashboard. In the past, most systems were protected solely by authentication credentials. This meant anyone with access to a valid username and password could log in, even if the credentials were stolen (as in the case of the Wiseasy hack).
Multi-factor authentication requires users to use an additional mechanism to prove their identity before accessing sensitive resources. Often this means providing a code texted to the user’s smartphone, but there are many other forms of multi-factor authentication. Because Wiseasy did not use multi-factor authentication, nothing prevented hackers from logging in with stolen credentials.
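To make the point concrete, here is an added example (not Wiseasy's code and not from the Tech Crunch article) of a dashboard login check that requires both a password and a time-based one-time code per RFC 6238. The user record, salt and password are constructed demo values, and the TOTP key is the public test key from the RFC; with this check in place, a stolen password alone does not get an attacker in.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the dashboard stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed demo user; in practice the salt is os.urandom(16) per user and the
# TOTP key is generated at enrolment and provisioned to the user's authenticator app.
_DEMO_SALT = b"constructed-demo-salt-16"
USERS = {
    "dash-admin": {
        "salt": _DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", _DEMO_SALT),
        "totp_key": b"12345678901234567890",  # RFC 6238 Appendix B test key
    }
}


def login(username: str, password: str, otp_code: str, unix_time: int) -> bool:
    """Both factors must verify; a correct password with a bad code is rejected."""
    user = USERS.get(username)
    if user is None:
        # Burn the same work for unknown users so response time does not leak existence.
        hash_password(password, _DEMO_SALT)
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_key"], otp_code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 test vector: key above, time 59 -> 8-digit code 94287082, so 6 digits = 287082
    print(totp(b"12345678901234567890", 59))
    print(login("dash-admin", "correct horse battery staple", "287082", 59))
    print(login("dash-admin", "correct horse battery staple", "000000", 59))
```

The only part a stolen-credential attacker can supply is the password; the one-time code comes from a key that never left the enrolled device, which is what makes the second factor worth having.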
3 – Devices should be triple checked
A possible third error could have been Wiseasy employees accessing confidential resources from an unhardened device. Tech Crunch reported seeing screenshots of the Wiseasy dashboard where an admin user had remote access to payment terminals. The Tech Crunch article does not state that the admin’s computer was infected with malware, but since malware was used to gain access to the dashboard and the screenshot shows an admin logged into the dashboard, it is entirely possible that an administrator’s computer was compromised.
As a best practice, privileged accounts should only be used when required for a specific task (standard accounts are used at other times). Additionally, privileged accounts should ideally only be used on designated management systems that have been hardened and are not used for other tasks.
4 — Keep an eye on your own security
Finally, the biggest mistake made in the Wiseasy hack was that the company apparently (based on the Tech Crunch article) was unaware that its accounts had been compromised until contacted by Buguard.
Buguard is a security company specializing in penetration testing and dark web monitoring. Ideally, Wiseasy would have been monitoring its own network for a potential breach and would have shut it down as soon as it was noticed.
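What such monitoring looks like in practice, as an added example that is not part of the original article: a small detection pass over a dashboard audit log. The JSON log lines, user names, IP addresses and device IDs below are all constructed for the demo; the rules flag a login from a device or address the user has never used before, a login that skipped the second factor, and a bulk export of terminal credentials, which together are the kind of signal that would have surfaced an intrusion like this one before an outside party did.

```python
import json
from collections import defaultdict

# Constructed sample audit log (JSON lines); the addresses are documentation ranges.
SAMPLE_LOG = """
{"ts": "2022-07-01T09:02:11Z", "event": "login", "user": "ops-alice", "src_ip": "203.0.113.10", "device_id": "WS-ALICE-01", "mfa": true}
{"ts": "2022-07-01T09:40:55Z", "event": "login", "user": "ops-bob", "src_ip": "203.0.113.11", "device_id": "WS-BOB-01", "mfa": true}
{"ts": "2022-07-02T09:05:02Z", "event": "login", "user": "ops-alice", "src_ip": "203.0.113.10", "device_id": "WS-ALICE-01", "mfa": true}
{"ts": "2022-07-03T03:17:44Z", "event": "login", "user": "ops-alice", "src_ip": "198.51.100.77", "device_id": "UNKNOWN-7f3a", "mfa": false}
{"ts": "2022-07-03T03:19:02Z", "event": "terminal.credentials.export", "user": "ops-alice", "count": 25000}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list[dict], export_threshold: int = 1000) -> list[dict]:
    """Walk events in order, learning each user's (ip, device) baseline as we go."""
    seen = defaultdict(set)  # user -> set of (src_ip, device_id) fingerprints
    alerts = []

    def alert(e: dict, rule: str, detail: str) -> None:
        alerts.append({"ts": e["ts"], "user": e["user"], "rule": rule, "detail": detail})

    for e in events:
        if e["event"] == "login":
            fp = (e["src_ip"], e["device_id"])
            # Only alert once a baseline exists; the very first login seeds it.
            if seen[e["user"]] and fp not in seen[e["user"]]:
                alert(e, "new-device-or-ip", f"{e['src_ip']} / {e['device_id']}")
            if not e.get("mfa", False):
                alert(e, "login-without-mfa", "second factor not presented")
            seen[e["user"]].add(fp)
        elif e["event"].endswith(".export") and e.get("count", 0) >= export_threshold:
            alert(e, "bulk-export", f"{e['count']} records")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

A real deployment would seed the baseline from a longer history rather than the first event, and would route the alerts to whoever can disable the account; the point is that all three signals are visible in the company's own logs.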
Moving Forward: How to Protect Your Own Network from a Similar Hack
The Wiseasy hack underscores the importance of adhering to security best practices, such as requiring multi-factor authentication and using dedicated administrative workstations for privileged operations. Adopting a Zero Trust philosophy in your organization can solve many of these problems.
It’s also important to determine if your organization’s accounts have been compromised. Otherwise, an attacker who gained access to stolen account credentials could use those credentials indefinitely. One of the best ways to prevent this is to use Specops Password Policy. Specops maintains a database of billions of passwords that are known to have been compromised.
This database is kept up to date with passwords found on lists of known passwords and passwords that are actively used in attacks. Specops Password Policy uses this information to ensure that none of your users’ passwords have been compromised. If an account is found to be using a compromised password, the software notifies you so you can immediately disable the account or change its password. You can always try Specops Password Policy tools in your AD for free.
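The mechanism behind a compromised-password check, as an added illustration rather than Specops' own implementation: the candidate password is hashed, only the first five hex characters of the hash are looked up, and the caller compares the remaining suffix locally, so the full password (or its full hash) never has to be handed to the lookup service. The breach corpus and the occurrence counts below are constructed stand-ins for a real database of leaked passwords.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> made-up occurrence count.
_KNOWN_BREACHED = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 2_500_000,
    "Summer2022!": 1_200,
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Index the corpus by 5-character hash prefix: prefix -> {35-character suffix: count}
RANGE_STORE: dict[str, dict[str, int]] = {}
for _pw, _count in _KNOWN_BREACHED.items():
    _h = _sha1_hex(_pw)
    RANGE_STORE.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix: str) -> dict[str, int]:
    """Lookup-service side: receives only a 5-char prefix, returns every suffix under it."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_STORE.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = _sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)


def evaluate_password(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    n = breach_count(password)
    if n:
        problems.append(f"found {n} times in breach data")
    return problems


def audit_users(user_passwords: dict[str, str]) -> list[str]:
    """Password-change-time audit over constructed user/password pairs: names that must reset."""
    return sorted(u for u, p in user_passwords.items() if breach_count(p))


if __name__ == "__main__":
    print(evaluate_password("Summer2022!"))
    print(audit_users({"ops-alice": "Summer2022!", "ops-bob": "zY9#pLw2!qRt7vMe"}))
```

Rejecting a password that appears in breach data at set time, and re-checking existing accounts when the corpus is updated, is the same flow the article attributes to the commercial tool; an account found using a known-breached password gets a forced reset.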
Whether you’re rolling out penetration testing in-house, moving to a zero-trust infrastructure, or blocking known-breached passwords in your Active Directory, there are many ways to ensure your organization doesn’t fall victim to a malware attack like the one that hit Wiseasy.