Slashdot Mirror


Googling for ATM Master Passwords

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."


  1. Casino by Enderandrew · · Score: 4, Informative

    I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

    I couldn't believe it.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  2. Re:The default password is... by Talondel · · Score: 5, Informative
  3. WOW by Anon-Admin · · Score: 4, Informative

    Wow that is cool, it was a quick search and I found it!

    It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.

    I am off to the ATM downstairs. I could use a little extra cash.

  4. there's enough clues in the article..... by nblender · · Score: 4, Informative

    For this one you have to carefully RTFA. You actually have to do it. Not just pretend. A simple Google search, plus some whois sleuthing to confirm you have the right one, will turn up a company that currently has its "support.html" disabled (404), but the Wayback Machine has an old (2005) copy of "support.htm" which has a list of error codes, FAQ, etc., for the machine in question. It's not too much of a stretch to believe that someone put the manual up for download at some point.

    No, I don't have the manual. I don't really care either, it was an interesting academic exercise.

  5. Re:Giddy-up! by russ1337 · · Score: 5, Informative

    Well you can always find more interesting things by doing a Google search for: [Confidential "not for public release"] Like this

    This technique was posted on Boing Boing and Bruce Schneier a couple of weeks ago. Still. Plenty of good stuff out there.

  6. Re:Giddy-up! by Marxist+Hacker+42 · · Score: 4, Informative

    Besides, I was wrong- only the PDF for THAT SPECIFIC MODEL has been removed. Operators manuals for hundreds of other ATMs still are up....

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.