Googling for ATM Master Passwords
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
Giddy-up! (Score:5, Funny)
Re: (Score:2)
Re:Giddy-up! (Score:5, Informative)
This technique was posted on Boing Boing and Bruce Schneier a couple of weeks ago. Still. Plenty of good stuff out there.
Re:Giddy-up! (Score:5, Informative)
Re:Giddy-up! (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:2, Funny)
Re: (Score:3, Funny)
Information Wants to be FREE! (Score:2)
Re: (Score:2)
Re: (Score:2)
Google removed its link to the pdf, not the magnetic series of ones and series that make up the physical location of the actual pdf.
The default password is... (Score:2)
(Man, I am so going to Gitmo if my joke turns out to be right.)
Re:The default password is... (Score:5, Informative)
Re:The default password is... (Score:5, Funny)
Re: (Score:2)
You should go back and play a couple hundred more hours of Contra (or Life Force).
Re: (Score:2)
or u u d d l r l r b a select start
or u u d d l r l l r l b a select start
or u u d d l r l l r l a b select start
select was only for 2 player games, if you wanted only single player you wouldn't hit select.
Re:The default password is... (Score:4, Interesting)
Re:The default password is... (Score:5, Insightful)
Ready-Set -Go (Score:5, Funny)
Which one gets fixed first!
Re: (Score:2)
Like all security, it's a risk-versus-reward question. That would certainly offer better security in a perfect situation, but it could result in you being locked out of your own ATM if that key happens to get lost (or is with the president of the branch who's on vacation, or whatever), and it als
Re: (Score:3, Interesting)
Stating the bleeding obvious, ATMs contain cash.
All ATMs have keys, combination locks or a mixture of the two.
There is no good reason for the operator mode switch not to be locked away.
Whoever makes these ATMs deserves all the bad publicity that they get.
Re:The default password is... (Score:4, Funny)
Might it be Diebold, by any chance?
Re:No password needed.. (Score:4, Funny)
Re: (Score:3, Insightful)
Just to play devil's advocate...
That box should have been on the damn cover of the instruction manual instead of 30 some odd pages back (page 19 + the "intro").
Chances are, if it was right in your face... you'd change it.
Re:The default password is... (Score:5, Insightful)
I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.
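The forced-change design argued for in the comment above, sketched as an added example that is not part of the thread and not any vendor's firmware. The `Terminal` class, its method names and the password policy are hypothetical, and it assumes passwords are set during installation with the cabinet unlocked; the denylist uses only the default values quoted in this thread.

```python
import hashlib
import hmac
import os

# Factory defaults to reject; these are the values quoted in this thread.
FACTORY_DEFAULTS = {"12345", "555555", "222222", "111111"}
ROLES = ("master", "service", "operator")


class Terminal:
    """Hypothetical ATM controller: stays out of service until every
    role password has been changed from its factory default."""

    def __init__(self):
        self._creds = {}                           # role -> (salt, derived key)
        self._changed = {r: False for r in ROLES}  # nothing provisioned yet

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, role, new_password):
        if role not in ROLES:
            raise ValueError("unknown role")
        if new_password in FACTORY_DEFAULTS:
            raise ValueError("factory default password is not allowed")
        if len(new_password) < 6 or len(set(new_password)) < 3:
            raise ValueError("password too short or too repetitive")
        salt = os.urandom(16)
        self._creds[role] = (salt, self._derive(new_password, salt))
        self._changed[role] = True

    def check_password(self, role, candidate):
        if role not in self._creds:
            return False                # an unprovisioned role never authenticates
        salt, stored = self._creds[role]
        return hmac.compare_digest(stored, self._derive(candidate, salt))

    def in_service(self):
        return all(self._changed.values())

    def dispense(self, amount):
        # The gate: no cash while any role still has its shipped credential.
        if not self.in_service():
            raise PermissionError("out of service: default passwords not changed")
        return amount
```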
Re:Wrong manual (Score:3, Informative)
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Manual.pdf [wegrowbusiness.ca]
or from google cache
http://72.14.209.104/search?q=cache:SUoMvavsghUJ:www.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Manual.pdf [72.14.209.104]
Re: (Score:2)
Wouldn't you like to be a pepper too?
Trivial search - and the password is.... (Score:4, Funny)
12345
Oh wait. That's my ATM PIN.
Re:Trivial search - and the password is.... (Score:5, Funny)
Re:Trivial search - and the password is.... (Score:4, Funny)
Re: (Score:2)
Re: (Score:2, Flamebait)
Please post a link (Score:2)
Casino (Score:5, Informative)
I couldn't believe it.
Re: (Score:2)
That is the nice thing about working at Chevron. We use smartbadges (+pin#) to log into our computers. The worst a user could do is give away their pin#. They usually don't give away their badges since those are used to access the floors too.
Now if I could just get the users to lock their workstations. Even if the computer is set to lock when their badges are removed, I find computers unlocked with badges in the computer and with the
Re: (Score:2)
The IT Manager (a real twit) had all her passwords written at her desk, and she had full access to everything.
Key Badges (Score:4, Insightful)
After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.
We got tired of being called the 'net nazis' and worse.
Now we just take the badge out of the machine and walk it down to the security desk and tell them we found them on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
Re: (Score:3, Insightful)
In that environment, they probably could have kept the lids to the keyboxes open and illuminated with flashing neon signs. Anyone foolish enough to try to pull off some sort of heist, with all those cameras and undercover sec
Re:Casino (Score:4, Interesting)
Casinos prosecute if you steal $5 from them.
Re:Casino (Score:5, Insightful)
All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...
Re: (Score:2)
Re: (Score:2)
You give people too much credit, I'd say twice.
Re:Casino (Score:4, Insightful)
Movie Quote (Score:2)
"If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?"
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Well it is BECAUSE they have a division to track organized crime that it doesn't exist, just like how since there is a war on drugs, drug use is virtually non-existent anymore...
Remember when you could go to a concert and see people smoking pot? Or you could find it in high schools, or any night club? Now it's almost impossible to find and if you did (besides be
Re: (Score:3, Funny)
Re: (Score:3, Funny)
And that is how it all happened. [imdb.com]
Aha! (Score:5, Funny)
Re: (Score:2)
Responsibility (Score:2)
I think the problem may lie in the fact that too many companies don't teach their employees the difference between the internet and their intranet.
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
I think it's the other way around.
We're rich!! We're rich!!! (Score:5, Funny)
That's to all of you who made fun of us geeks!
*Rude Hand Gesture*
That's for every bully who ever shoved someone into a locker during PE.
Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!
First the treasury...then the military. World domination cannot be far behind.
2 cents,
QueenB
Re:We're rich!! We're rich!!! (Score:5, Funny)
Please enter a multiple of $5 or $20.
Nine Days.... (Score:5, Funny)
Re: (Score:2)
Just curious...what would you do? If an ATM gave me $100 instead of $10, I'd take it....if they caught the error and had proof of it, I'd give it back, but, until then, it is their problem, not mine.
Do you give back money when the teller gives you too much?
Re: (Score:2)
If an ATM gave me too much money, I'd take it; if they can prove anything, good for them.
In a shop, though, I even return to the shop to pay for the stuff I wasn't billed for by accident.
However, I don't return any extra money in the students' mess. They should be paying me anyway at least some of the time.
Re:Nine Days.... (Score:5, Insightful)
It's called honesty and ethics.
But if you leave your car door unlocked, and someone takes it, I'm sure you won't mind, since it was your 'fault'.
Google query (Score:3, Insightful)
Re: (Score:3, Informative)
atm operator manual
It returned a fair number of, well, ATM Operator Manuals in
Re: (Score:3, Informative)
Tranax Mini-Bank "Transaction Setup"
All from the article, they even put the quotes around "transaction setup" for you. Didn't see
That reminds me... (Score:2)
WOW (Score:5, Informative)
It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.
I am off to the ATM down stairs. I could use a little extra cash.
Re: (Score:2)
I am off to the ATM down stairs. I could use a little extra cash.
Make sure you smile for the camera :-)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Still I don't know if I will personally try this hack as yes, it's pretty damned illegal. All those times those machines charged me a 1.25 convenience fee however... hmm. Payback's a bitch.
Re: (Score:3, Interesting)
Heck the ones around here charge $2.25 and then your bank adds another $1.75 for the transaction.
If the ATM is in a remote location or a special event the ATM charge goes up. The last gun show I went to, the ATM was charging $9.56 per transaction. If I could have left and came back without having to pay the $15 door fee I would have gotten the money from somewhere else.
Re: (Score:2)
Re: (Score:3, Funny)
the google query (Score:2, Informative)
"Gawd, Idiots!" (Score:5, Insightful)
And what you have to remember (Score:3, Insightful)
Why don't you require a hardware key? (Score:3, Insightful)
Re: (Score:2)
You know what comes next.... (Score:2)
Has to be said (Score:2)
Re:Has to be said (Score:4, Informative)
Re: (Score:2)
I mean, I can just picture Joe Sixpack wandering up and hitting the authorization to charge him $1 or $2 just to take out 5 bucks. Then again, I was at a strip club once before I was married and they charged like $7 for ATM withdrawals. Since you'd already paid the cover charge and burned all your beer money on lap dance
there's enough clues in the article..... (Score:5, Informative)
No, I don't have the manual. I don't really care either, it was an interesting academic exercise.
the trademark for the company in question ... (Score:2)
Putting the master password in the manual? (Score:3, Interesting)
This reminds me of the backdoor password that Nortel had for one of its more common PBXs. At least they didn't put it in the manual. But it got passed around enough to land on Usenet (in response to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.
Another day, another brain dead corporate password mistake....
Re: (Score:2)
Re: (Score:2)
How many computer systems have a default password? None that are secure. You have to set the root password yourself as part of the install.
Re: (Score:2)
The Manual in Question (Score:3, Informative)
Try the following search terms:
Tranax 1500 Manual inurl:pdf (and then check the 6th result)
Re: (Score:2)
Defaults:
Master = 555555
Service = 222222
Operator = 111111
Hey, that's the combination to my luggage!
This kind of thing is everywhere (Score:2)
Forget ATMs; the way people post personal information about themselves so freely on the Internet, combined with the average user's lack of imagination, means that I can probably go to any social networking site, get a user's site id and some basic information about them (birthday, fav color, dog's name, etc.) and with a little luck, find that they use that information as usernames/passwords for on-line banking, Amazon, etc.
When it comes to the security of information, average people are stupid.
I'm surprised it took so long to realize... (Score:4, Interesting)
Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).
The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines altogether.
Doesn't look like they've learned anything in 20 years.
all your... (Score:2)
think of the children .. er .. ATM passwords (Score:2)
Bank Error in Your Favor! (Score:2, Funny)
ATM Industry Association warned them. (Score:5, Interesting)
http://www.gasa-cognito.com/media/GASA-ATMIA%20Fraud%20Alert1.pdf#search=%22atm%20master%20password%22 [gasa-cognito.com]
It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.
Frankly, I have zero sympathy for the bank that lost cash.
And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?
Either report it, or get yourself an untraceable card and return.
Many Years of Slashdot (Score:4, Insightful)
Re: (Score:2)
This is different from other world currencies.... how? From your Wikipedia link: Although fractional-reserve banking is near universal,... [wikipedia.org]
Besides that, how exactly is it justification for currency theft? Are you usually this incorrect in your arguments?
Re: (Score:2)