Googling for ATM Master Passwords

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

Re:The default password is...

[zenray]

001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to sued (or beaten severly about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by managment to leave it as defaulted.

ATM Industry Association warned them.

[gurps_npc]

Back in Feb 2005, the ATM Industry Association released a memo or press announcement, found here:

http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22

It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.

Frankly, I have zero sympathy for the bank that lost cash.

And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?

Either report it, or get yourself an untraceable card and return.