Digital payments tycoon Wiseasy was subject to an infringement by hackers who gained access to dashboards that maintain and control thousands of credit card payment terminals manufactured by a cybersecurity startup.  

The famous Android-based payment terminal maker is used in restaurants, hotels, retail outlets, and schools across the Asia-Pacific region, through its Wisecloud service, in which the company can remotely configure and update customer terminals via the internet.

But Wiseasy employee passwords that allow entry to its cloud dashboards were discovered on a dark web marketplace frequented by cybercriminals. 

Payment systems are a recurring target by hackers with financial motives, aiming to feed on credit card numbers for fraud purposes. 

No statements or updates from Wiseasy reps  

Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, stated that two cloud dashboards were exposed with no protection via basic security features, allowing both password theft from employee computers and the access of approximately 140,000 global Wiseasy payment terminals. 

Buguard confirmed it contacted Wiseasy regarding the breach in July, but to no avail, as executives canceled meetings without warning, and according to Mohamed, they declined to issue an update on the security of the cloud dashboards. 

Screenshots of the dashboards show an "admin" user with remote access to the payment terminals, with the ability to lock the device and remotely install and uninstall apps. It also permitted access to personal data like names and email addresses, and even the ability to add new users.

The Wi-Fi name and plaintext password of the network that payment terminals are connected to are also shown as easily accessible. Mohamed said anyone with access to the dashboards could manage Wiseasy payment terminals and make changes.

Following no comment from Wiseasy chief executive Jason Wang, an email from Wiseasy spokesperson Ocean An confirmed that the issues were resolved by adding the two-factor authentication to the dashboard, but it is yet to be confirmed if the company intends to inform its customers of the security breach.