The vulnerabilities in Verifone and Ingenico products – which are used in millions of stores around the world – have been detailed by independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020.
The vulnerabilities can now be fixed by applying security patches – although it is far from certain whether retailers and others involved in the distribution and use of the PoS terminals have actually applied the updates.
One of the key vulnerabilities in both brands of device is the use of default passwords that could provide attackers with access to a service menu and the ability to manipulate or change the code on the machines in order to run malicious commands.
Researchers say these security issues have existed for at least 10 years while some have even existed in one form or another for up to 20 years – although the latter are mostly in legacy elements of the device that are no longer used.
Tim Callan, Chief Compliance Officer at Sectigo, said: “The bottom line is that usernames and passwords are not a safe method for authentication, whether for PoS terminals or social media accounts. Consumers and enterprises still struggle to change their reliance on the password model. This latest vulnerability underlines just how flawed the model is, as one insecure device protected by a default password on a connected network makes every connected device vulnerable. That is why many device manufacturers are moving to stronger authentication models like PKI.”