Point of sale pincode security
Point of sale pincode security
Good day,
Please assist in helping us improve the security of the PIN login on POINT OF SALE.
We have had one user create a pin code for themselves to log in to POS. This pin code happened to be 123456. We discovered that an admin had also previously set their pin code to 123456. DEAR allowed the user to create that pin in spite of it existing already.
However, the greater problem is that logging in to POS using the PIN does not require the co-security of a username. This means that a) DEAR allows easily-cracked PIN codes like 123456 to be chosen at a user level, and b) if a user chooses the same pin as another user, there is nothing that can be done to prevent one user logging in as another user with the same PIN code, as DEAR asks only for PIN and not for username as well.
This is a SERIOUS security risk, and the alternative of switching PIN sign in off means that a sales user logging in must complete all three fields to log in, frustrating the sales process even more.
This vulnerability means that POS data could be compromised in serious ways. Please come back to us with some feedback on this PIN security?
Please assist in helping us improve the security of the PIN login on POINT OF SALE.
We have had one user create a pin code for themselves to log in to POS. This pin code happened to be 123456. We discovered that an admin had also previously set their pin code to 123456. DEAR allowed the user to create that pin in spite of it existing already.
However, the greater problem is that logging in to POS using the PIN does not require the co-security of a username. This means that a) DEAR allows easily-cracked PIN codes like 123456 to be chosen at a user level, and b) if a user chooses the same pin as another user, there is nothing that can be done to prevent one user logging in as another user with the same PIN code, as DEAR asks only for PIN and not for username as well.
This is a SERIOUS security risk, and the alternative of switching PIN sign in off means that a sales user logging in must complete all three fields to log in, frustrating the sales process even more.
This vulnerability means that POS data could be compromised in serious ways. Please come back to us with some feedback on this PIN security?