Insecure Security

I was reading an article on Darkreading.com about PCI issues. One of the things it brought up was that credit card readers store the data from your magnetic stripe by default. So if someone can either compromise the reader or just take it they can get your card number, PIN, address and whatever else is stored on the mag stripe.

This is where security is lacking. Companies that put simple default passwords (or no password), making default settings that compromise security or make an otherwise secure device secure, and not implementing plain common sense is just outrageous! We talk about educating the user, implementing security in depth, using the proper countermeasures, etc... but the crux of the problem is vendors that will not do simple things like make their products secure (or at least partially secure) out of the box.

Would it be so hard for them to require the password to be changed on a device before it will operate? Would it be so hard to set the device NOT to keep sensitive data by default? Would it be so hard to include a tutorial for home users on how to secure the device?

This is just common sense and we as Security professionals are fighting one of our biggest fights against the vendors that are supposed to support us. We are never going to convince "joe home user" to secure his wireless, change the password, change the SSID, turn off unneeded services, block unnecessary ports, not to put their PC on the web without a firewall and NAT router, run updates regularly, install and keep current AV software, etc, etc, etc. There are just too many things that can go wrong and the average person is scared that they will mess up something if they do anything but plug it in and push next. This is true for setting up wireless, Internet access, windows, as well as the small business owner that sets up his own network or credit card scanners.

There needs to be a LOUD outcry from the security profession and all of IT to the vendors. MAKE IT SECURE BEFORE YOU SHIP IT!!!!!!!!!!!!!!!