Slashdot: News for Nerds

Googling for ATM Master Passwords

Zonk posted more than 7 years ago | from the that-should-probably-not-be-online dept.

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

356 comments

Giddy-up! (5, Funny)

Logiksan (947439) | more than 7 years ago | (#16156056)

*runs off to Google and YouTube as fast as his little fingers will take him*

Re:Giddy-up! (1)

Marxist Hacker 42 (638312) | more than 7 years ago | (#16156248)

Don't bother- the PDF has already been removed from Google.

Re:Giddy-up! (5, Informative)

russ1337 (938915) | more than 7 years ago | (#16156283)

Well you can always find more interesting things by doing a Google search for: [Confidential "not for public release"] Like this [google.com]

This technique was posted on Boing Boing and Bruce Schneier a couple of weeks ago. Still. Plenty of good stuff out there.

Re:Giddy-up! (4, Informative)

Marxist Hacker 42 (638312) | more than 7 years ago | (#16156434)

Besides, I was wrong- only the PDF for THAT SPECIFIC MODEL has been removed. Operators manuals for hundreds of other ATMs still are up....

Re:Giddy-up! (5, Funny)

dan828 (753380) | more than 7 years ago | (#16156507)

Kids these days got it easy. In my day you had to spend hours digging through dumpsters, now you just click a couple of buttons. What is the world coming to?

Information Wants to be FREE! (1)

Jeremiah Cornelius (137) | more than 7 years ago | (#16156302)

So, money is just more information too, right?

Re:Information Wants to be FREE! (1)

Marxist Hacker 42 (638312) | more than 7 years ago | (#16156472)

It shouldn't be- but sadly it is. Which is why I'm for commodity based money, that is restricted to citizen use.

Re:Giddy-up! (0)

Anonymous Coward | more than 7 years ago | (#16156497)

The pdf is gone but there's still a 48mb Word doc online....

Re:Giddy-up! (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16156546)

I don't think you understand how these intraweb tubes work.

Google removed its link to the pdf, not the magnetic series of ones and series that make up the physical location of the actual pdf.

The default password is... (1)

Tackhead (54550) | more than 7 years ago | (#16156082)

"123420"

(Man, I am so going to Gitmo if my joke turns out to be right.)

Re:The default password is... (0)

Anonymous Coward | more than 7 years ago | (#16156121)

try 555555

Re:The default password is... (5, Informative)

Talondel (693866) | more than 7 years ago | (#16156132)

Close. Actually it appears that it's 001234. http://www.tritonatm.com/en/service/manuals/07103- 00013C%20(FT5KUsrMan(3.0))file.pdf [tritonatm.com]

Re:The default password is... (4, Funny)

jenkin sear (28765) | more than 7 years ago | (#16156184)

I thought it was up, up, down, down, left, right, left, right, B, A, Start ...

Re:The default password is... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16156358)

Nope, that would be incorrect.

Re:The default password is... (1)

howard_coward (735813) | more than 7 years ago | (#16156379)

and i dont know how in the hellican.

Re:The default password is... (4, Interesting)

zenray (9262) | more than 7 years ago | (#16156354)

001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to be sued (or beaten severely about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by management to leave it as defaulted.

Re:The default password is... (4, Insightful)

CastrTroy (595695) | more than 7 years ago | (#16156447)

However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key that's more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM.

Re:Wrong manual (3, Informative)

uufnord (999299) | more than 7 years ago | (#16156359)

That's the triton manual. The one mentioned in TFA was a Tranax.

http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf [wegrowbusiness.ca]

or from google cache

http://72.14.209.104/search?q=cache:SUoMvavsghUJ:w ww.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Ma nual.pdf [72.14.209.104]

Re:The default password is... (0)

Anonymous Coward | more than 7 years ago | (#16156306)

> "123420"

That's the kind of password an ATM hacker would use on his luggage!

Re:The default password is... (0)

Anonymous Coward | more than 7 years ago | (#16156442)

This is so dumb. The default password for Verisign Credit Card readers at like 90% of the POS's is 166831. You can find it on google by typing in something like Verisign POS manual. Don't believe me? Hold the number 7 and the green yes button and then type that number!

Re:The default password is... (1)

ZorinLynx (31751) | more than 7 years ago | (#16156547)

Everyone knows the access code is 42721.

Wouldn't you like to be a pepper too?

Trivial search - and the password is.... (3, Funny)

rblum (211213) | more than 7 years ago | (#16156084)


12345

Oh wait. That's my ATM PIN.

Re:Trivial search - and the password is.... (5, Funny)

1010110010 (1002553) | more than 7 years ago | (#16156096)

1 2 3 4 5? That's the combination an idiot would have on his luggage!

Re:Trivial search - and the password is.... (4, Funny)

JesseL (107722) | more than 7 years ago | (#16156099)

That's the combination to my luggage!

Re:Trivial search - and the password is.... (1)

smithbp (1002301) | more than 7 years ago | (#16156111)

12345? Aren't all ATM pins limited to 4 digits?

Re:Trivial search - and the password is.... (1)

lomedhi (801451) | more than 7 years ago | (#16156212)

12345? Aren't all ATM pins limited to 4 digits?

Seriously? No. Mine is more than that.

Re:Trivial search - and the password is.... (1)

smithbp (1002301) | more than 7 years ago | (#16156264)

"Gunnery Sergeant Hartman: Well, no shit."

Re:Trivial search - and the password is.... (0, Redundant)

syrinx (106469) | more than 7 years ago | (#16156102)

That's the combination on my luggage!

Re:Trivial search - and the password is.... (0, Redundant)

simtel (798974) | more than 7 years ago | (#16156105)

12345? That's amazing - I have the same combination on my luggage!

Re:Trivial search - and the password is.... (1, Flamebait)

pete6677 (681676) | more than 7 years ago | (#16156469)

That was so funny - up until the 347th time someone posted it.

Re:Trivial search - and the password is.... (1)

aliendisaster (1001260) | more than 7 years ago | (#16156140)

That actually was the default password on old Nokia phones. I made many a free call by reprogramming the default emergency number from 911 to whatever I needed.

Please post a link (1)

140Mandak262Jamuna (970587) | more than 7 years ago | (#16156100)

to that 105 page pdf file, please.

Casino (4, Informative)

Enderandrew (866215) | more than 7 years ago | (#16156103)

I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

I couldn't believe it.

Re:Casino (1)

sckeener (137243) | more than 7 years ago | (#16156208)

And people told each other all their passwords and such all the time.

That is the nice thing about working at Chevron. We use smartbadges (+pin#) to log into our computers. The worst a user could do is give away their pin#. They usually don't give away their badges since those are used to access the floors too.

Now if I could just get the users to lock their workstations. Even if their computer is set to lock when their badges are removed, I find computers unlocked with badges in the computer and with the user nowhere around.

Re:Casino (1)

Enderandrew (866215) | more than 7 years ago | (#16156288)

Supervisors would demand to know all of their employees' passwords, people write their passwords at their desk, and the first thing anyone would tell me when they had a problem, was all their passwords.

The IT Manager (a real twit) had all her passwords written at her desk, and she had full access to everything.

Re:Casino (1)

Known Nutter (988758) | more than 7 years ago | (#16156332)

Hello fellow CVX employee! Richmond Refinery here...

Key Badges (3, Insightful)

BobBoring (18422) | more than 7 years ago | (#16156568)

Used to be we'd just wander through the cubage and when we had collected two or three "abandoned" cards from machines, we'd copy the faces of the cards. Then we'd give them to department supervisors for security violation write ups. We'd keep the copy to make sure the supervisors write them up. We suspended the accounts after two violations. If the offenders didn't have a Letter of Counseling on file in 10 working days, we had to write up the supervisors and suspend their accounts until their up-chain managers filed the right paper work to re-enable the account.

After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.

We got tired of being called the 'net nazis' and worse.

Now we just take the badge out of the machine and walk it down to the security desk and tell them we found them on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.

Re:Casino (2, Insightful)

RobertB-DC (622190) | more than 7 years ago | (#16156220)

I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

In that environment, they probably could have kept the lids to the keyboxes open and illuminated with flashing neon signs. Anyone foolish enough to try to pull off some sort of heist, with all those cameras and undercover security types, would end up meeting the same fate as the bozo who tries to swipe the dealer's chips -- jail if he's lucky, a trip to swim with the Nevada fishes if he's not.

Re:Casino (3, Interesting)

Enderandrew (866215) | more than 7 years ago | (#16156263)

Very true. The only inch of that casino not covered by cameras was the IT offices. Surveillance wasn't allowed to look over my shoulder, because they could see passwords and sensitive data that way. We had cops, investigators and state regulators on property.

Casinos prosecute if you steal $5 from them.

Re:Casino (5, Insightful)

TopShelf (92521) | more than 7 years ago | (#16156296)

That's a perfect illustration of how technological devices are only a small part of security. Having solid policies that are actually followed means every bit as much, if not more. From TFA:

"This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...

Re:Casino (1)

Enderandrew (866215) | more than 7 years ago | (#16156392)

Yep, I couldn't agree more. And people who leave the default password likely aren't going to change their ways until they get robbed once.

Re:Casino (3, Insightful)

MindStalker (22827) | more than 7 years ago | (#16156604)

But what really confuses me is WHY is there access ability from the user keypad. I mean geez. There is a back panel on all ATMs that has a keylock for adding cash and programming the machine. Putting the ability to do ANYTHING but normal user functions from the front keypad just smacks of stupidity.

Re:Casino (2, Funny)

thewils (463314) | more than 7 years ago | (#16156362)

I'm sure big Tony will be along shortly to remove your kneecaps...

Re:Casino (1)

Enderandrew (866215) | more than 7 years ago | (#16156492)

But our government insists that organized crime doesn't exist, while at the same time having a division to track organized crime! I'm so confused!

Re:Casino (2, Funny)

djdavetrouble (442175) | more than 7 years ago | (#16156439)

The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

And that is how it all happened. [imdb.com]

Aha! (4, Funny)

The Grey Clone (770110) | more than 7 years ago | (#16156104)

We've finally found that mysterious step 2!

Re:Aha! (1)

LMacG (118321) | more than 7 years ago | (#16156164)

obHolyGrail: 3, sir.

Responsability (2)

corroncho (1003609) | more than 7 years ago | (#16156107)

We live in the Age of Information. Almost anyone can't post almost anything and make it available to just about everyone (how's that for ambiguous). This is great power. And with great power comes great responsibility (bet you didn't see that coming).

I think the problem may lie in the fact that too many companies don't teach their employees the difference between the internet and their intranet.

Re:Responsability (1)

Artifakt (700173) | more than 7 years ago | (#16156575)

So if my Uncle Ben is already dead, I can use all this stuff from Google, right?

We're rich!! We're rich!!! (4, Funny)

queenb**ch (446380) | more than 7 years ago | (#16156114)

Phhhtttt!!!

That's to all of you who made fun of us geeks!

*Rude Hand Gesture*

That's for every bully who ever shoved someone into a locker during PE.

Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!

First the treasury...then the military. World domination cannot be far behind.

2 cents,

QueenB

Re:We're rich!! We're rich!!! (5, Funny)

lomedhi (801451) | more than 7 years ago | (#16156187)

2 cents,

Please enter a multiple of $5 or $20.

Re:We're rich!! We're rich!!! (1)

nephillim (980798) | more than 7 years ago | (#16156628)

First you get the money,
Then you get the SUGAR,
Then you get the power,
then you get the women!
One of the few paths that leads to / ends with a REAL woman in the life of a nerd :(

Nine Days.... (5, Funny)

Mr.Scamp (974300) | more than 7 years ago | (#16156128)

The machine gave $20's for $5's for NINE days after it was reprogrammed before someone commented on it. God Bless America.

Re:Nine Days.... (1)

Poruchik (1004331) | more than 7 years ago | (#16156180)

Maybe they thought that they had good (Slashdot) karma.

Re:Nine Days.... (1)

k2dbk (724898) | more than 7 years ago | (#16156291)

They only complained because they read on /. that it was supposed to give out $50 bills, not $20s (instead of $5s).

Re:Nine Days.... (1)

chad.koehler (859648) | more than 7 years ago | (#16156377)

How many people actually get amounts of money where $5 bills would be the most appropriate denomination?

$5 - jackpot!
$10 - NOPE
$15 - Becomes 30$ jackpot!
$20 - NOPE
...

Testing (0)

Anonymous Coward | more than 7 years ago | (#16156133)

penetration testing outfit Matasano Security

If I was man enough to own a penetration testing outfit I would not call it Matasano Security.

Re:Testing (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16156621)

I tested penetration on your mom last night.

Google query (2, Insightful)

szembek (948327) | more than 7 years ago | (#16156134)

So what was his "simple Google query"?

Re:Google query (2, Informative)

Talondel (693866) | more than 7 years ago | (#16156160)

I don't know what his was, but the one I used was:

atm operator manual

It returned a fair number of, well, ATM Operator Manuals in .pdf format. Most seemed to include the default master operator password. Took me about 3 minutes.

Re:Google query (1)

szembek (948327) | more than 7 years ago | (#16156161)

Nevermind, I see somebody posted it.

Re:Google query (0)

Anonymous Coward | more than 7 years ago | (#16156420)

Nevermind, I see somebody posted it.
I'm sorry, I can't see it. Where is it?

Re:Google query (1)

lixee (863589) | more than 7 years ago | (#16156299)

It's a proof-of-concept. Yet, the exploit predates it.

the password (1)

larry2k (592744) | more than 7 years ago | (#16156136)

The password is: 1337

That reminds me... (1)

mcmonkey (96054) | more than 7 years ago | (#16156152)

If Mel Brooks is going to make a Spaceballs cartoon, why stick it where it will be never seen, with the 100-mpg engine and the ark of the covenant?

WOW (4, Informative)

Anon-Admin (443764) | more than 7 years ago | (#16156153)

Wow that is cool, it was a quick search and I found it!

It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.

I am off to the ATM down stairs. I could use a little extra cash.

Re:WOW (1)

Sponge Bath (413667) | more than 7 years ago | (#16156186)

I am off to the ATM down stairs. I could use a little extra cash.

Make sure you smile for the camera :-)

Re:WOW (1)

Anon-Admin (443764) | more than 7 years ago | (#16156217)

No need, A little tape and some paper. Approach from the side and slap it on.

Re:WOW (0)

Anonymous Coward | more than 7 years ago | (#16156289)

Make sure you don't use your own ATM card either...

Re:WOW (1)

crabpeople (720852) | more than 7 years ago | (#16156238)

I've never seen those private atms with a camera pointed at them. Perhaps the store or bar has a camera, but if they are the ones I always see that charge you 1.25 per transaction, they don't. The ones with cameras are the ones in the bank.

Still I don't know If I will personally try this hack as yes, it's pretty damned illegal. All those times those machines charged me a 1.25 convenience fee however... hmm. Payback's a bitch.

Re:WOW (2, Interesting)

Anon-Admin (443764) | more than 7 years ago | (#16156369)

$1.25????

Heck the ones around here charge $2.25 and then your bank adds another $1.75 for the transaction.

If the ATM is in a remote location or a special event the ATM charge goes up. The last gun show I went to, the ATM was charging $9.56 per transaction. If I could have left and came back without having to pay the $15 door fee I would have gotten the money from somewhere else.

Re:WOW (0)

Anonymous Coward | more than 7 years ago | (#16156246)


I am off to the ATM down stairs. I could use a little extra cash.


Good idea. Smile for the camera when you are down there.

Re:WOW (2, Funny)

davidmcn (606752) | more than 7 years ago | (#16156344)

You know, I assumed that you were joking about the password, I was thinking there is no way the default password could be 0012345....then lo and behold, right there in the doc, there it is....

the google query (2, Informative)

Anonymous Coward | more than 7 years ago | (#16156155)

Search for: atm operator manual filetype:pdf

So what? (0)

Anonymous Coward | more than 7 years ago | (#16156166)

The US dollar is a fictional currency anyway [wikipedia.org] . In fact, why don't we all go out and steal some 'potential' right fucking now?

Ha!

Re:So what? (1)

omega9 (138280) | more than 7 years ago | (#16156272)

The US dollar is a fictional currency anyway

This is different from other world currencies.... how? From your Wikipedia link: Although fractional-reserve banking is near universal,... [wikipedia.org]

Besides that, how exactly is it justification for currency theft? Are you usually this incorrect in your arguments?

Re:So what? (0)

Anonymous Coward | more than 7 years ago | (#16156475)

> how exactly is it justification for currency theft?

It's not theft if I'm borrowing it against my future potential.

"Gawd, Idiots!" (4, Insightful)

patrixmyth (167599) | more than 7 years ago | (#16156182)

Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.

Why dont you require a hardware key? (3, Insightful)

martonlorand (938109) | more than 7 years ago | (#16156183)

Even basic Cash registers require a key to be plugged in turned to step into manager or some other mode. Why wouldn't those ATM-s require that the case would be open and a key stuck in to go in programming mode... Can you do a memory overflow hack into the software over the keyboard? Otherwise I don't understand how could you get the machine out of normal state and put it in programming mode. If it is built in the software - dude - fire the security and software development team... That's just crazy to have a possibility like that without some hardware security check...

Re:Why dont you require a hardware key? (1)

King_TJ (85913) | more than 7 years ago | (#16156564)

Effectively, I think many do. The article said some machines require access to switches found behind the front panel of the machine - which you're not going to be able to get at without unlocking it first.

You know what comes next.... (1)

8127972 (73495) | more than 7 years ago | (#16156185)

.... is the screams of "you can find anything on the Internet, therefore the Internet is evil" from those who are looking for any excuse to clamp down on what's on the net (or Jack Thompson).

Has to be said (1)

Aqua_boy17 (962670) | more than 7 years ago | (#16156194)

Are the ATM's made by Diebold by any chance?

Re:Has to be said (3, Informative)

szembek (948327) | more than 7 years ago | (#16156255)

No but this one is: http://www.diebold.com/ficcdsvdoc/TechPubs/books/T P-820327-001/tp-820327-001-1.htm [diebold.com] that one is. Diebold actually makes really good atms in my opinion. At least as far as the end user interface is considered. The ones my bank uses have a lot of nice features:
- can dispense change to the penny
- can scan/cash/deposit checks
- doesn't make you hit OK after you put in your pin (aren't they all 4 chars long?)
- doesn't keep your card until the end of the transaction so you forget it

Re:Has to be said (1)

Aqua_boy17 (962670) | more than 7 years ago | (#16156443)

Curious that your machines dispense change. After reading TFA, I wondered, 'what kind of ATM dispenses 5 dollar bills'? The only ones I remember using dispense nothing smaller than 10's.

I mean, I can just picture Joe Sixpack wandering up and hitting the authorization to charge him $1 or $2 just to take out 5 bucks. Then again, I was at a strip club once before I was married and they charged like $7 for ATM withdrawals. Since you'd already paid the cover charge and burned all your beer money on lap dances, they kind of had a captive audience. To their credit though, on the bank statement it read something like "transaction fee by XYZ entertainment group" so a spouse or SO reviewing your statement didn't know it was an ATM fee for a strip club. :p Ah, technology.

all you need (1)

Thansal (999464) | more than 7 years ago | (#16156226)

All you probably need are the make and model of whatever ATM you want the "master password" for. Punch that into google and you can probably find an operator's manual rather quickly.

FTFA:
"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,"


yup, people don't change the default password and are surprised when someone "hacks" their ATM/account/atmosphere shield.

Most important sentence... (1)

PsychosisC (620748) | more than 7 years ago | (#16156231)

FTA:
"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed." (Emphasis mine)

The article is about the ease with which one can find the operators manual.. which is a shame, because it entirely misses the point. "ATM Installers use the default password!" is more appropriate.

Not Really (1)

Bob 4knee (756841) | more than 7 years ago | (#16156457)

It is a manufacturer/vendor problem if the manual is to be believed:
Passwords MUST be 6 digits in length, use of anything other than a 6 digit password may cause the passwords to revert back to factory default.
If this was a computer, and if I try to set my password to t&!rd17, it defaults to the default. If it's just a numeric keypad, and I use one digit more or one digit less than 6, it defaults back? Pure genius.

Re:Most important sentence... (1)

CastrTroy (595695) | more than 7 years ago | (#16156572)

Exactly, because if you don't change the default password, then it doesn't matter how hard the manual is to get, because somebody is going to get it. Maybe somebody else who also has the same kind of ATM. It's stupid not to change the password in this situation.

there's enough clues in the article..... (4, Informative)

nblender (741424) | more than 7 years ago | (#16156244)

For this one you have to carefully RTFA. You actually have to do it. Not just pretend. A simple google search, plus some whois sleuthing to confirm you have the right one, will turn up a company that currently has its "support.html" disabled (404), but the wayback machine has an old (2005) copy of "support.htm" which has a list of error codes, FAQ, etc, for the machine in question. It's not too much of a stretch to believe that someone put the manual up for download at some point.

No, I don't have the manual. I don't really care either, it was an interesting academic exercise.

WTF?? (1)

astanley218 (302943) | more than 7 years ago | (#16156278)

I think Tranax deserves a serious WTF! here. I haven't seen a soda machine in 10 years that didn't require a key to be in place BEFORE any "master override" codes could be entered, but the money machine is wide open? WTF?!?!

the trademark for the company in question ... (1)

non (130182) | more than 7 years ago | (#16156293)

is "Where Money Comes From."

Putting the master password in the manual? (2, Interesting)

vinn01 (178295) | more than 7 years ago | (#16156310)

Who here thinks that putting the default master password in the manual is a good idea?

This reminds me of the backdoor password that Nortel had for one of its more common PBX's. At least they didn't put it in the manual. But it got passed around enough to land on Usenet (in response to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.

Another day, another brain dead corporate password mistake....

Re:Putting the master password in the manual? (1)

jumpingfred (244629) | more than 7 years ago | (#16156511)

Where else would you put it? You have basically two choices. 1) no default password or 2) a default password.

The Manual in Question (3, Informative)

GenTaco (908306) | more than 7 years ago | (#16156316)

Honestly people, it isn't too hard to find this manual, the article gives you all the info you need. And no, the manual has not been pulled down from the site...yet.

Try the following search terms:

Tranax 1500 Manual inurl:pdf (and then check the 6th result)

This kind of thing is everywhere (1)

Billosaur (927319) | more than 7 years ago | (#16156356)

Forget ATMs; the way people post personal information about themselves so freely on the Internet, combined with the average user's lack of imagination, means that I can probably go to any social networking site, get a user's site id and some basic information about them (birthday, fav color, dog's name, etc.) and with a little luck, find that they use that information as usernames/passwords for on-line banking, Amazon, etc.

When it comes to the security of information, average people are stupid.

ATM Machines??????? (1)

TT075819 (1003968) | more than 7 years ago | (#16156445)

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

How foolish would he be? Why doesn't he just use his brain to crack into some world range business companies rather than into ATM machines in certain places.

Skimming (1)

TT075819 (1003968) | more than 7 years ago | (#16156538)

This kind of crime is increasing all over the world. Many out there are still using magnetic stripe at the ATM to get consumer data and the pin. Why is skimming so prevalent? Because it's easy, we just need to leave a skimming device on an ATM for only 30 to 45 minutes. By the time an FI detects anything, the skimming device and the criminals are long gone. Jitter is a security feature in this case, but it helps only for simple skimmers. Jitter is very effective, but jitter is not all NCR recommends. The Fraudulent Device Inhibitor which automatically sends an alert to the FI when one of its ATMs has been tampered with. The inhibitor also prevents cards-trapping. NCR's Intelligent Fraud Detection plays a similar role in that it detects changes to the ATM's fascia and actually prevents a skimming attack. Anyhow the best way is to make the ATM the least attractive target.

I'm surprised it took so long to realize... (3, Interesting)

Ken Hall (40554) | more than 7 years ago | (#16156459)

Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.

Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).

The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines altogether.

Doesn't look like they've learned anything in 20 years.

all your... (1)

mrroot (543673) | more than 7 years ago | (#16156557)

all your cash are belong to us