Slashdot Mirror


Googling for ATM Master Passwords

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

1 of 356 comments

  1. Re:Casino by TopShelf · Score: 5, Insightful
    That's a perfect illustration of how technological devices are only a small part of security. Having solid policies that are actually followed means every bit as much, if not more. From TFA:

    "This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

    All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...
    --
    Stop by my site where I write about ERP systems & more