Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals made by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.
Wiseasy is a brand you may not have heard of, but it is a popular Android-based payment terminal maker that is used in restaurants, hotels, retail outlets, and schools across the Asia Pacific region. With Wisecloud’s cloud service, Wiseeasy can remotely manage, configure and update customer terminals via the Internet.
But Wiseasy employee passwords used to access Wiseasy’s cloud dashboards — including the “admin” account — were found in a dark web market actively used by cybercriminals, according to the startup.
Yusuf Mohamed, chief technology officer of pen-testing startup Buguard and dark web monitoring, told TechCrunch that passwords were stolen by malware on employee computers. Mohammed said two cloud dashboards were exposed, but none were protected with basic security features, such as two-factor authentication, and allowed hackers to access nearly 140,000 easy payment terminals around the world.
Payment systems are often targeted by financially motivated hackers with the aim of stealing credit card numbers to commit fraud.
Buguard said it first contacted Wiseasy about the hacked dashboards in early July, but efforts to uncover the compromise were met with meetings with executives that were subsequently canceled without warning, and according to Muhammad, the company declined to say whether cloud dashboards would do so or When will you do that? Be faithful.
Dashboard screenshots seen by TechCrunch show an “administrator” user with remote access to Wiseasy payment terminals, including the ability to lock the device and install and remove apps remotely. The dashboard also allowed anyone to view the names, phone numbers, email addresses, and access permissions of Wiseasy dashboard users, including the ability to add new users.
Another dashboard view also shows the Wi-Fi name and plain text password of the network to which the payment terminals are connected.
Muhammad said that anyone with access to dashboards can control Wiseasy payment terminals and make configuration changes.
When TechCrunch arrived, Wiseasy CEO Jason Wang did not comment. In a separate email from a Wiseasy Ocean An spokesperson, the company confirmed that the issues had been addressed and that it had added two-factor authentication to its dashboards.
It is not clear if the company plans to notify its customers of the security failure.