// Retail Hardware Revisited //
// by dual_parallel //
// http://www.oldskoolphreak.com

In this article I'll discuss some variations in a common pin pad, a couple of hacks at a large retailer, and finally a disturbing trend.

In my last article I discussed the VeriFone PinPad 1000 and the button presses (all simultaneous) needed to access the Master Key, or Mkey. Variations exist. Some pads are set to access the Mkey by pressing the bottom right and top right buttons. But the vast majority are set to access the Mkey by pressing the bottom right and top left buttons.

The last article discussed Wal-Mart. This article will discuss its failing competitor, Kmart. The pin pads at every Kmart register are Checkmate model CM 2120s, OS 1.07, version 2.1. One can gain access to the pin pad by pressing the four small buttons by the LCD screen, and the two bottom-most buttons, green Enter and red Cancel, simultaneously (think Vulcan mind meld). After an incorrect password, the pad will cycle, verifying the applications that the user has authorized access to.

Now, from pin pads to PCs. Walking into Kmart, at the Customer Service counter, one will immediately see one of two public computers running BlueLight.com, Kmart's online shopping application. These computers, the other residing in Electronics or sometimes Sporting Goods, run NT 4, have LCD monitors, a keyboard, and an enclosed trackball where the right button is trapped under plastic. The BlueLight.com application starts automatically, so logging off or shutting down just brings the application right back up.

BlueLight.com (v 1.0.55) is an e-commerce application that features products and a shopping cart, running on publicly available NT computers in many Kmarts across the nation. The application is a browser, accessing the Internet to transmit selections from the local Kmart to Kmart.com's servers (kih.kmart.com). BlueLight takes over the machine, running in the foreground.

So the first thing to do is to log off by pressing Ctrl+Alt+Delete and clicking Logoff. The machine will cycle quickly, bringing up the NT desktop and then the BlueLight app. Now, do anything to stop the machine from running the BlueLight app. I was lucky; there was a printer configuration problem that popped up an error window and stopped BlueLight. I left the printer error window alone and started poking around the desktop. I saw that anything significant that could be accessed from the Start button was missing. Function keys and Task Manager were disabled. The only thing in the system tray was anti-virus and... the clock.

I double-clicked the clock and the time was correct. Not for long. Windows applications and temporal anomalies do not mix. So I set the year to 1980, clicked Apply, and OK. Dr. Watson promptly crashed.

What can I leverage here? One of the buttons in the Dr. Watson error window was Help. Clicking Help brought up your favorite Contents-Index-Search. I messed around in Help until I had the option to search for Windows Help files. This gave me an Open File dialog box. Should I search the C drive, C:\WINNT? No, I went to Network Neighborhood. And there, with little perusing, I saw vast networks like kmnorthamerica, kminternational, kih.kmart.com - way more than I could write down without being noticed. I believe Kmart is counting on securing against unwanted access from the BlueLight computers (which probably have trusted access) to these large nets by locking down these NT boxes. As you can see, this isn't the case.

Finally, I want to discuss, not a hack, but what I can only call negligence. Throughout my explorations I examined quite a few pin pads. And underneath many I would find a sticker with an 800 number and a client number. The 800 numbers belong to either banks or transaction handling companies, and the client number is the only authentication needed to access sales, deposit, and checking account information for a given vendor.
Having dealt with small businesses and having found these stickers at such, I know that this information is held closely. It is a shame that someone needs only a remote interest to access this private information.