Slashdot Mirror

← Back to Stories (view on slashdot.org)

Googling for ATM Master Passwords

Posted by ryuzaki0 on from the that-should-probably-not-be-online dept.

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

4 of 356 comments (clear)

  1. Re:Casino by Enderandrew · · Score: 3, Interesting

    Very true. The only inch of that casino not covered by cameras was the IT offices. Survailence wasn't allowed to look over my shoulder, because they could see passwords and sensitive data that way. We had cops, investigators and state regulators on property.

    Casinos prosecute is you steal $5 from them.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  2. Re:The default password is... by zenray · · Score: 4, Interesting

    001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to sued (or beaten severly about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by managment to leave it as defaulted.

    --
    zenray
  3. I'm surprised it took so long to realize... by Ken+Hall · · Score: 3, Interesting

    Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.

    Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).

    The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines alltogether.

    Doesn't look like they've learned anything in 20 years.

  4. ATM Industry Association warned them. by gurps_npc · · Score: 4, Interesting
    Back in Feb 2005, the ATM Industry Association released a memo or press announcement, found here:

    http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22

    It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.

    Frankly, I have zero sympathy for the bank that lost cash.

    And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?

    Either report it, or get yourself an untraceable card and return.

    --
    excitingthingstodo.blogspot.com