October 6, 2022
CyberSecurity News Technology

LESSONS FROM WISEASY HACK – Hackers Steal Passwords For Accessing 140,000 payment terminals

Wiseay hack

Last month saw the hack of a cyberstartup Wiseasy.

It’s a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region.  Wiseasy can remotely manage, configure and update customer terminals over the internet through its Wisecloud cloud service, It was reported that the hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals. Wiseasy employee passwords, including an “admin” account — were found on a dark web marketplace. Hackers got access to the dashboards by infecting the employees’ computers with malware.

Wiseasy

This big hack taught us several lessons.

1. Though the hack could be blamed on the fact that the computers were malfunctioned, but if the truth is thoroughly searched, it is found out that the dashboards itself exposed more information than it should have. According to Tech Crunch, the dashboard “allowed anyone to view names, phone numbers, email addresses, and access permissions” but a normal secure dashboard revealed the Wi-Fi name and plain text password for the network that the payment terminal was connected. In a standard security environment, interface should never be designed to display passwords and the open display of customer information, without a secondary verification of the end-user, also goes against a zero-trustpolicy.

Wisesy Hack

2. Wiseasy did not require multifactor authentication to be used when accessing the dashboard. Multifactor authentication requires users to prove their identity prior to accessing sensitive resources. But, Wiseasy did not use multifactor authentication, and so there was nothing stopping hackers from logging in using stolen credentials.

wiseasy

3. Wiseasy employees accessed sensitive resources from a non-hardened device. Privileged accounts should only be used when required for a particular task

4. And the topmost mistake of Wiseasy hack was that the company didn’t know that the accounts were hacked unless informed by an outer source. But it was expected for Wiseasy to stay on top of its own security.

Image & Video Source : Wiseasy

More Articles Follow Us on Twitter

Leave a Reply

Your email address will not be published.

Post a blog

Post a Quote