Googling for ATM Master Passwords
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.
I couldn't believe it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Close. Actually it appears that it's 001234. http://www.tritonatm.com/en/service/manuals/07103- 00013C%20(FT5KUsrMan(3.0))file.pdf
Wow that is cool, it was a quick search and I found it!
It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.
I am off to the ATM downstairs. I could use a little extra cash.
No, I don't have the manual. I don't really care either, it was an interesting academic exercise.
No but this one is: http://www.diebold.com/ficcdsvdoc/TechPubs/books/T P-820327-001/tp-820327-001-1.htm
That one is.
Diebold actually makes really good ATMs in my opinion. At least as far as the end user interface is considered. The ones my bank uses have a lot of nice features:
- can dispense change to the penny
- can scan/cash/deposit checks
- doesn't make you hit OK after you put in your PIN (aren't they all 4 chars long?)
- doesn't keep your card until the end of the transaction so you forget it
nothing
Well you can always find more interesting things by doing a Google search for: [Confidential "not for public release"] Like this
This technique was posted on Boing Boing and Bruce Schneier a couple of weeks ago. Still. Plenty of good stuff out there.
Honestly people, it isn't too hard to find this manual, the article gives you all the info you need. And no, the manual has not been pulled down from the site...yet.
Try the following search terms:
Tranax 1500 Manual inurl:pdf (and then check the 6th result)
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf
or from google cache
http://72.14.209.104/search?q=cache:SUoMvavsghUJ:w ww.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Ma nual.pdf
Besides, I was wrong: only the PDF for THAT SPECIFIC MODEL has been removed. Operators' manuals for hundreds of other ATMs are still up....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.