Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals.
How Did the Wiseasy Hack Happen?
Wiseasy employees use a cloud-based dashboard for remotely managing payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks such as managing payment terminal users, adding or removing apps, and even locking the terminal.
Hackers were able to gain access to the Wiseasy dashboard by infecting employee's computers with malware. This allowed hackers to gain access to two different employee's dashboards, ultimately leading to a massive harvesting of payment terminal credentials once they gained access.
Top Lessons Learned from the Wiseasy Hack
1 — Transparency isn't always the best policy
While it is easy to simply dismiss the Wiseasy hack as stemming from an unavoidable malware infection, the truth is that Wiseasy made several mistakes (according to the Tech Crunch article) that allowed the hack to succeed.
For example, the dashboard itself likely exposed more information than it should have. According to Tech Crunch, the dashboard "allowed anyone to view names, phone numbers, email addresses, and access permissions". Although the case could be made that such information is necessary for Wiseasy to manage terminals on their customers' behalf, Tech Crunch goes on to say that a dashboard view revealed the Wi-Fi name and plain text password for the network that the payment terminal was connected to.
In a standard security environment, interface should never be designed to display passwords. The open display of customer information, without a secondary verification of the end-user, also goes against a zero-trust policy.
2 — Credentials alone won't cut it
A second mistake that likely helped the hack to succeed was that Wiseasy did not require multifactor authentication to be used when accessing the dashboard. In the past, most systems were protected solely by authentication credentials. This meant that anyone with access to a valid username and password could log in, even if the credentials were stolen (as was the case in the Wiseasy hack).
Multifactor authentication requires users to use an additional mechanism to prove their identity prior to accessing sensitive resources. Often this means providing a code that was sent to the user's smartphone by SMS text message, but there are many other forms of multifactor authentication. In any case, Wiseasy did not use multifactor authentication, there was nothing stopping hackers from logging in using stolen credentials.
3 — Devices should be triple checked
A possible third mistake might have been that of Wiseasy employees accessing sensitive resources from a non-hardened device. Tech Crunch reported seeing screen captures of the Wiseasy dashboard in which an admin user had remote access to payment terminals. The Tech Crunch article does not say that the admin's computer had been infected with malware, but since malware was used to gain access to the dashboard and the screen capture shows an admin logged into the dashboard, it is entirely possible that an admin's machine was compromised.
As a best practice, privileged accounts should only be used when required for a particular task (with standard accounts being used at other times). Additionally, privileged accounts should ideally be used only on designated management systems that have been hardened and are not used for any other tasks.
4 — Stay on top of your own security
Finally, the biggest mistake made in the Wiseasy hack was that the company seemingly (based on the Tech Crunch article) did not know that its accounts had been compromised until they were contacted by Buguard.
Buguard is a security company specializing in pen testing and dark web monitoring. Ideally, Wiseasy would be monitoring their own network for a potential breach and shut it down immediately when it's first noticed.
Moving Forward: How to protect your own network from a similar hack
The Wiseasy hack underscores the importance of adhering to long established security best practices such as requiring multifactor authentication and using dedicated management workstations for privileged operations. Subscribing to a zero-trust philosophy in your organization can solve a lot of these problems.
Additionally, it's important to have a way of knowing if your organization's accounts have been compromised. Otherwise, an attacker who has gained access to stolen account credentials could use those credentials indefinitely. One of the best ways to keep this from happening is to use Specops Password Policy. Specops maintains a database of billions of passwords that are known to have been compromised.
This database is kept up to date with passwords found on known breached password lists, as well as passwords being actively used in attacks. Specops Password Policy uses this information to make sure that none of your user's passwords have been compromised. If an account is found to be using a compromised password, the software will notify you so that you can disable the account or change its password right away. You can test out Specops Password Policy tools in your AD for free, anytime.
Whether you're bringing pen testing in house, moving toward a zero-trust infrastructure, or blocking known breached passwords from your Active Directory, there are a lot of ways to make sure your organization doesn't fall victim to the consequences of a malware attack like Wiseasy.