Slashdot Mirror
Googling for ATM Master Passwords
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
*runs off to Google and YouTube as fast as his little fingers will take him*
(Man, I am so going to Gitmo if my joke turns out to be right.)
12345
Oh wait. That's my ATM PIN.
to that 105 page pdf file, please.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.
I couldn't believe it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
We've finally found that mysterious step 2!
We live in the Age of Information. Almost anyone can't post almost anything and make it available to just about everyone (how's that for ambiguos). This is great power. And with great power come great repsonsability (bet you didn'see that coming).
I think the problem may lie in he fact that too many companies don't teach their employees the difference between the internet and their intranet.
___________________________
Free iPods? Its legit. 5 of my friends got theirs. Get yours here!
Phhhtttt!!!
That's to all of you who made fun of us geeks!
*Rude Hand Gesture*
That's for every bully who ever shoved someone into a locker during PE.
Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!
First the treasury...then the military. World domination cannot be far behind.
2 cents,
QueenB
HDGary secures my bank
The machine gave $20's for $5's for NINE days after it was reprogrammed before someone commented on it. God Bless America.
penetration testing outfit Matasano Security
If I was man enough to own a penetration testing outfit I would not call it Matasano Security.
So what was his "simple Google query"?
nothing
If Mel Brooks is going to make a Spaceballs cartoon, why stick it where it will be never seen, with the 100-mpg engine and the ark of the covenant?
Wow that is cool, it was a quick search and I found it!
It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.
I am off to the ATM down stairs. I could use a little extra cash.
Search for: atm operator manual filetype:pdf
The US dollar is a fictional currency anyway. In fact, why don't we all go out and steal some 'potential' right fucking now?
Ha!
Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Even basic Cash registers require a key to be plugged in turned to to step into manager or some other mode. Why wouldnt those ATM-s require that the case would be open and a key sticked in to go in programming mode... Can you do a memory owerflow hack into the software ower the keyboard? >Othervise I dont understand how could you get the machine out of normal state and put it in programming mode. If it is build in the software - dude - fire the security and software development team... Thats just crazy to have a possibility like that without some harware security check...
.... is the screams of "you can find anything on the Internet, therefore the Internet is evil" from those who are looking for any excuse to clamp down on what's on the net (or Jack Thompson).
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Please enter a multiple of $5 or $20.
Did you say "insightful" or "inciteful"?
Are the ATM's made by Diebold by any chance?
What if the Hokey Pokey really is what it's all about?
FTFA:
yup, peopel don't change the default password and are surprised when some one "hacks" their ATM/account/atmosphear shield.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
FTA:
"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed." (Emphasis mine)
The article is about the ease with which one can find the operators manual.. which is a shame, because it entirely misses the point. "ATM Installers use the default password!" is more appropriate.
No, I don't have the manual. I don't really care either, it was an interesting academic exercise.
I think Tranax deserves a serious WTF! here. I haven't seen a soda machine in 10 years that didn't require a key to be in place BEFORE any "master override" codes could be entered, but the money machine is wide open? WTF?!?!
is "Where Money Comes From."
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
So, money is just more information too, right?
"Flyin' in just a sweet place,
Never been known to fail..."
Who here thinks that putting the default master password in the manual is a good idea?
This reminds me the of backdoor password that Nortel had for one of its more common PBX's. At least they didn't put it the manual. But it got passed around enough to land on Usenet (in reponse to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.
Another day, another brain dead corporate password mistake....
Honestly people, it isn't too hard to find this manual, the article gives you all the info you need. And no, the manual has not been pulled down from the site...yet.
Try the following search terms:
Tranax 1500 Manual inurl:pdf (and then check the 6th result)
Forget ATMs; the way people post personal information about themselves so freely on the Internet, combined with the average user's lack of imagination, means that I can probably go to any social netwroking site, get a user's site id and some basic information about them (birthday, fav color, dog's name, etc.) and with a little luck, find that they use that information as usernames/passwords for on-line banking, Amazon, etc.
When it comes to the security of information, avergae people are stupid.
GetOuttaMySpace - The Anti-Social Network
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf
or from google cache
http://72.14.209.104/search?q=cache:SUoMvavsghUJ:w ww.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Ma nual.pdf
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack." How fool he would be? Why don't he just use his brain to crack into some world range business companies rather than into ATM machines in certain places.
Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.
Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).
The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines alltogether.
Doesn't look like they've learned anything in 20 years.
This kind of crime is increasing all over the world.Many out there are still using magnetic stripe at the ATM to get consumer data and the pin. Why is skimming so prevalent? Because it's easy,we just need to leave a skimming device on an ATM for only 30 to 45 minutes. By the time an FI detects anything, the skimming device and the criminals are long gone. Jitter is a security feature in this case, but it helps only for simple skimmers.Jitter is very effective, but jitter is not all NCR recommends.The Fraudulent Device Inhibitor which automatically sends an alert to the FI when one of its ATMs has been tampered with. The inhibitor also prevents cards-trapping. NCR's Intelligent Fraud Detection plays a similar role in that it detects changes to the ATM's fascia and actually prevents a skimming attack. Anyhow the best way is to make the ATM the least attractive target.
all your cash are belong to us
I Heart Sorting Networks
Use to be we'd just wander through the cubage and when we had collected two or three "abandoned" cards from machines, we'd copy the faces of the cards. Then we'd give them to department supervisors for security violation write ups. We'd keep the copy to make sure the supervisors write them up. We suspended the accounts after two violations. If the offenders didn't have a Letter of Counciling on file in 10 working days, we had to write up the supervisors and suspend their accounts until their up-chain managers filed the right paper work to re-enable the account.
After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.
We got tire of being called the 'net nazis' and worse.
Now we just take the badge out of the machine and walk it down to the security desk and tell them we found the on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
First you get the money, :(
Then you get the SUGAR,
Then you get the power,
then you get the women!
One of the few paths that leads to / ends with a REAL woman in the life of a nerd
Slashbots always struck me as being the immoral and greedy types.
888888.
Which one gets fixed first!
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
Reminds me of the drill sergeant in Full Metal Jacket when he discovers that Private Pyle's footlocker is unlocked:
"If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?"
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
This is just a joke, as Red Octane made their name copying Konami game products and controllers. Guitar Hero is just a rip off of Konami Guitar Freaks, 8 years too late. People tend to forget that Red Octane existed for years selling knock of DDR dance pads...
I bet if AG Gonzales had his way, the feds would have been able to intercept the hack searches and nab the bastard researcher before he revealed the secrets to the world. What a boon for security that would be! /sarcasm
Collect $200. Pass Go!
...always used 655321...
http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22
It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.
Frankly, I have zero sympathy for the bank that lost cash.
And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?
Either report it, or get yourself an untraceable card and return.
excitingthingstodo.blogspot.com
what software does he used to get those passwords? would you please downloaded for me the right sofware by doing a Google search?
1 2 3 4 5 must be encrpted with caeser cipher with shift 3 key
who knows....maybe...
I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people tol^@#^NO CARRIER
Finally, "News I Can Use"
Stealing is wrong.
default password can be avoided by not asking any password from the users.there should be no password insertion required but instead a hyter tech solution must be implemented. a user's irish have to be scanned before any transaction being done in any ATM.a user will be required to undergo a irish scanning process when they want to open a new account in any banks.the data need to be stored in the user's respective database.the database mmust be up to date and unauthorize people cannot access those databases.later,before money transaction is done,the user's scanned irish would be compared with the data stored in his or her database. thus,any security threads like googling and hacking can be controlled or avoided.only the respective user can do the transaction process.
I don't know what machines you have used, but I had a horrible experience with a Diebold ATM.
I walk up to it, put my card in, type my PIN, type the amount of money I want, and press Enter. Everything seems to be working fine; it spits out my card and a receipt, and I sit there waiting for the money. After about 10 seconds, I am a little worried. There is nothing to indicate any problems on the screen, so I look at the receipt. ON THE RECEIPT it says "Please enter amount in $20 increments." (I wanted $50). At the time that totally blew my mind. I had never even heard of such a thing before. I've used plenty of ATMs that require amounts in certain increments, and EVERY SINGLE ONE of them indicated so on the screen before completing the transaction.
Folks keep saying "Look how secure the ATMs are, we should be able to do something similar for voting."
Well, looks like the ATMs aren't that secure afterall, now are they? Sure - it's a Admin Error - but if admin errors occur with ATMs, seems electronic voting systems would be just as vulnerable.
Now, that's not so say that I'm completely against electronic voting - with the right checks and balances, such as a voter receipt and open source code, it would probably make things as reliable as the current system.
The Open-Vote people must be doing cartwheels. 'Course, their Webserver appears to be slag.
Now... it's off to the ATM before it's empty.
What kind of ATM gives out $5 bills?
I've never used one that didn't give only $20s.
# Erik
I would have just run the PURGE command page 90. But, this guy must have looked at page 93 and changed the parameters for the Cassette. I'll bbl... Going to go look to see if there is a Triton ATM machine around me and cross my fingers it's this model and then prey to God (or Satan) that the default password hasn't been changed.
Here's the link to the .pdf:
e rator_Manual.pdf?GCE=489d2476c9728ab16cbde0a2acc43 8a5#search=%22Tranax%201500%20Manual%20inurl%3Apdf %22
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Op
I've already heard one attorney talking about this. Can't be the only one.
With the exploit described in TFA, you run a big risk of getting caught unless you have an untraceable credit/debit card. You can tell the machine to dispense the twenties as if they were fives, but it doesn't give out any money until you swipe a valid credit/debit card. So, you are going to be on the short list of suspects once you get your paltry sum of ill-gotten gains. And if you go to the well more than once, you will probably be promoted to the number one suspect. And anyone who took the money and ran will most likely have their account dinged for the extra money they took without reporting the windfall. So, unless you can get an untraceable credit card, you aren't likely to be able to keep your swag.
Or report that it randomly dispenses $20 bills every two minutes and see how SECONDS it takes for a response.
How about phishers putting up a false 2' wall, bogus ATM, and card reader that said "temporarily out-of-service"
AFTER reading the magnetic strip and skimming/scamming your pin?
The guy who just did it used a pre-paid debit card.. Those are easy to get. RTFA before crafting such an eloquent response ;0]
Is that voting and ATM machines have very different security requirements. An ATM needs only be secure against people breaking in to it. So presuming the bank isn't stupid enough to leave the password as default, it accomplishes that pretty well. It doesn't need to be secure from the bank. The bank can lie to the ATM machine or tamper with its data if they want, it's just not in their interest. However voting machines are different. Here the data needs to be secure against tampering from everyone, including the people who are responsible for the machine. That's a whole different design.
But basically what happened is Diebold just applied ATM design to voting machine design. This would be probably be fine if you could trust the people that owned the voting machines (the government) to be honest. But you can't so it is worthless.
Ouch! I missed that point in TFA. No more speed-reading TFAs.
..."I find computers unlocked with badges in the computer and with the user no where around."...and you fail to set goatse as their default wallpaper, screensaver and window theme manager??
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf
Does it run lin.... nevermind I guess not. I guess they missed the service pack 2 on that one.
What the hell? Didn't we learn like 20 years ago that in-band signalling is a security nightmare? Why was this guy able to reprogram the ATM without opening up the case?
http://outcampaign.org/
I don't want to steal anything... I just want to get back all those $1.50 withdrawal fees =)
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
Global Election Systems
Once you googled it...
Sig (appended to the end of comments I post, 54 chars)
in years to come, the government agent can just google on the net to find terrorist. Wait! I want to give the service name: GOOGLE HUNT ;)
Voting machines are most obviously _designed_ to be tampered with because of multiple issues
discussed all other net such as the total lack of cryptography to secure voting results.
Pressing CTRL-1 on a Triton ATM to bring up it's management login screen is nowhere near the
total lack of security in comparison to a voting machine and there is no magic key sequence
to get the cash dispenser to empty the cash in the ATM into your greedy hands. Why even if
you got into the Dispenser test diag the dispenser would not send the cash to the exit gate but
instead send it to reject cassette. The only thing you could potentially do IF you had the password
was to reconfigure the cash denominations of the individual cassettes turning a $20 bill into a $5.
I didn't really look all that hard into the manual but there seems no way to change the keys in the
security module to hijack the terminal from its host.
Of course there are even better ways of handling security issue here such as somebody here suggested that
the ATM refuses to perform withdrawal operations with the default password in place. Other ATMs require
pin verification from a special operator card to enter management functions and still others do not allow
any management functions from the customer screen at all, but only from a rear control panel or from an
attached notebook.
All in all ATMs are worlds ahead of the Electionstealer 2000 voting terminals. Transactions with the host are
secured by a security module (looks like a mobile phone SIM Card) which calculates cryptographic checksums and
the host authenticates likewise to the terminal. You can depend that if they built that kind of protection into
voting machines then to make sure only authorized voting fraud occurs.
So please spare us the "very very very stupid people"...
Strange, How people lack so much decency. A similar incident happened in Beirut where an employee mixed up 2 different bills. However, the first customer to get extra cash came back in the morning and returned them. This kind of lets you know what kind of decent/indecent society you live in.
In this field no matter how much you know, You still don't know anything.
It's much easier to charge some soccer mom $200 to install her wireless access point and PC card than it is to steal $200 from an ATM...
He rewired the ATM
at the Food Emporium,
To provide an honorarium
to anyone with the code.
This is old news...the idea has been around since Rent.
Sean D.
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
EXACTLY. I was trying to figure out how knowing the default ATM code would help. I've been doing alot of testing with Diebold and NCR ATMs lately and all (okay, most) of the transactions for a bank need to be approved, ONLINE. A valid card with a valid account attached needs to be used. So you can either be blindingly stupid and withdraw 20s instead of 5s on your OWN account, or rip of someone else's debit/credit card, in which case you'd also need their PIN, which is the SERIOUS crime.
I'm not saying having default ATM passwords in the open is good, just that its not a panacea of crime this Slashdot headline suggests.
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
yeah, but really all you have to do is reprogram the thing, then wait for one or two people to visit before you make your sting. You could even make your first transaction for a normal amount, then make a second immediately afterwards as if you've just realised your luck!
CheShA: Manchester Breakcore / Drill and Bass Yes I'm a s
You're missing the point. You change the machine to think that the $20 bills are $5 bills. Then when you withdraw $20, you get what the machine thinks are four $5 bills, but are actually four $20 bills.
The issue is how can the operator manual which contains master passwords and sensitive security information about the ATM can be legally obtained?!!It should be highly confidential!!Just imagine how easy it is to find sensitive security information using search engines.Just by typing simple four-word Google search engine query,one can found instructions on how to hack and take control of the machines.**Can I just google Donald's Trump 'master password'?**
Something very much is the hell wrong with the GP, so much so that the question was BEGGING to be asked. Modding this user down was excessive, stupid, and several other negative adjectives I'm not really interested enough to come up with right now.
About 80 percent of us here find this great and then did the search ourselves. That's what makes geeks so awesome we could all hang out and talk about stealing stuff without hitting anybody. We are the peaceful theives and deserve to be left alone, so as our "great" government can keep searching for terrorists and serial killers. stop worrying about the hackers and worry about our so called terrorists
want to be rich without being cought up.try by using pre-paid debit card to make withdrawals.
the person who reported the malfunction is a class A moron.
There are luggage locks sold to which TSA already has the master keys. That way you can keep 'em locked, but the TSA can rifle through your wife's lingerie and sex toys as much as they want, take some joke pictures wearing/using them, then lock up your luggage afterwards.
wat the heck? just googling can find ways to hack the ATMs?? then wats the point having password and all the security software installed in it? it just like u put a bag full of money at the sidewalk, and founded by a passerby and he took it~ Noob
why?? why must there be a master password for atm?? does that means that they can just take our money??and how come can it be exposed through the internet?unexceptable....
It's worse than you think. Let me give you 5 reasons:
Point 1> You can turn some ATMs on in "Test Mode" which will approve every transaction without needing to be online. They record the card, but a Wal-Mart gift card or ANY card with a magnetic strip will work. No problem with being anonymous there.
Point 2> Why bother reprogramming the ATM? Many of these ATMs are using standard phone (POTS) phone systems for communication. Break down the syntax and you discover the difference between "Get Cash" and "Phtbtt!" is a 0 and a 1. The only encrypted portion of the communication is the PIN, not the authorization. Just intercept the phone communication with your handy laptop, plug in that essential 1 and empty the ATM with your prepaid phone card.
Point 3> Many of the cameras out there are fake. Get one prepaid card or steal one card and then it's not that hard to be untracable.
Point 4> Sometimes there are other bugs. People have walked away with thousands and thousands of dollars from ATMs with bugs. Usually, they are unprosecuted.
Point 5> If you're able to reprogram, you can change the encryption keys and change the telephone number. Route the calls through your own machine, forwarding to the real authorization point and pick up PINs and card numbers. Either everyone gets cash or you don't forward and they see "Unable to process" or "PIN failed" but by the time a tech arrives, you'd pick up dozens, perhaps thousands of valid PINs.
I'm not guessing here. I use the credit card processing option whenever possible.
Regards to this issue which Googling for ATM Master Passwords that stress out about the eWeek investigation shows a simple Google query will return a 102-page PDF file that provides a road map to the hack...
Either the PDFs were true or false or unremoved or removed,trust me that the world are getting into something that really unexpected. I heard about this issue long time ago and i dont take it seriously because its really something that I dont think it could happens because it just a rumous during that time.
Then,now I read the issue here and really surprise because the rumous were getting to be realistic. Perhaps that someone out there which responsible regards to this issue will do something with this.
Thanks.
http://cryptome.org/atm/atm-passwords.htm
Check out this Video on Youtube...http://www.youtube.com/watch?v=At_HDzJjw HU A different exploit.