Googling for ATM Master Passwords

← Back to Stories (view on slashdot.org)

Googling for ATM Master Passwords

Posted by ryuzaki0 on Thursday September 21, 2006 @07:31AM from the that-should-probably-not-be-online dept.

default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."

63 of 356 comments (clear)

Giddy-up! by Logiksan · 2006-09-21 07:33 · Score: 5, Funny

*runs off to Google and YouTube as fast as his little fingers will take him*
1. Re:Giddy-up! by russ1337 · 2006-09-21 07:56 · Score: 5, Informative
  
  Well you can always find more interesting things by doing a Google search for: [Confidential "not for public release"] Like this
  
  This technique was posted on Boing Boing and Bruce Schneier a couple of weeks ago. Still. Plenty of good stuff out there.
2. Re:Giddy-up! by Marxist+Hacker+42 · 2006-09-21 08:13 · Score: 4, Informative
  
  Besides, I was wrong- only the PDF for THAT SPECIFIC MODEL has been removed. Operators manuals for hundreds of other ATMs still are up....
  
  --
  SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
3. Re:Giddy-up! by dan828 · 2006-09-21 08:19 · Score: 5, Funny
  
  Kids these days got it easy. In my day you had to spend hours digging though dumpsters, now you just click a couple of buttons. What is the world coming to?
4. Re:Giddy-up! by Marxist+Hacker+42 · 2006-09-21 11:26 · Score: 2, Funny
  
  Are you from HP?
  
  --
  SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
5. Re:Giddy-up! by Takumi2501 · 2006-09-21 11:49 · Score: 3, Funny
  
  In the snow? Uphill both ways?
  
  --
  Sent from my computer.
  Now GET OFF MY LAWN!
Trivial search - and the password is.... by rblum · 2006-09-21 07:36 · Score: 3, Funny

12345

Oh wait. That's my ATM PIN.
1. Re:Trivial search - and the password is.... by 1010110010 · 2006-09-21 07:37 · Score: 5, Funny
  
  1 2 3 4 5? That's the combination an idiot would have on his luggage!
2. Re:Trivial search - and the password is.... by JesseL · 2006-09-21 07:37 · Score: 4, Funny
  
  That's the combination to my luggage!
  
  --
  "Prefiero morir de pie que vivir siempre arrodillado!"
Casino by Enderandrew · 2006-09-21 07:37 · Score: 4, Informative

I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

I couldn't believe it.

--
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
1. Re:Casino by RobertB-DC · 2006-09-21 07:49 · Score: 2, Insightful
  
  I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.
  
  In that environment, they probably could have kept the lids to the keyboxes open and illuminated with flashing neon signs. Anyone foolish enough to try to pull off some sort of heist, with all those cameras and undercover security types, would end up meeting the same fate as the bozo who tries to swipe the dealer's chips -- jail if he's lucky, a trip to swim with the Nevada fishes if he's not.
  
  --
  Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
2. Re:Casino by Enderandrew · 2006-09-21 07:54 · Score: 3, Interesting
  
  Very true. The only inch of that casino not covered by cameras was the IT offices. Survailence wasn't allowed to look over my shoulder, because they could see passwords and sensitive data that way. We had cops, investigators and state regulators on property.
  
  Casinos prosecute is you steal $5 from them.
  
  --
  http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
3. Re:Casino by TopShelf · 2006-09-21 07:57 · Score: 5, Insightful
  
  That's a perfect illustration of how technological devices are only a small part of security. Having solid policies that are actually followed means every bit as much, if not more. From TFA:
  
  "This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."
  
  All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...
  
  --
  Stop by my site where I write about ERP systems & more
4. Re:Casino by thewils · 2006-09-21 08:04 · Score: 2, Funny
  
  I'm sure big Tony will be along shortly to remove your kneecaps...
  
  --
  Once I was a four stone apology. Now I am two separate gorillas.
5. Re:Casino by djdavetrouble · 2006-09-21 08:13 · Score: 2, Funny
  
  The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.
  
  And that is how it all happened.
  
  --
  music lover since 1969
6. Re:Casino by MindStalker · 2006-09-21 08:33 · Score: 3, Insightful
  
  But what really confuses me is WHY is there access ability from the user keypad. I mean geez. There is a back panel on all ATMS that has a keylock for adding cash and programming the machine. Putting the ability to do ANYTHING but normal user functions from the front keypad just smacks of stupidity.
7. Re:Casino by Some_Llama · 2006-09-21 09:31 · Score: 2, Funny
  
  "But our government insists that organized crime doesn't exist, while at the same time having a division to track organized crime! I'm so confused!"
  
  Well it is BECAUSE they have a division to track organized crime that it doesn't exist, just like how since there is a war on drugs, drug use is virtually non-existant anymore...
  
  Remember when you could go to a concert and see people smoking pot? Or you could find it in high schools, or any night club? Now it's almost impossible to find and if you did (besides being a criminal) it would cost in the thousands of dollars for just a gram of the stuff.
  
  Ah, the old days, the WOD eliminated that scourge once and for all... God bless America.
8. Re:Casino by Eivind+Eklund · 2006-09-21 20:18 · Score: 2, Funny
  
  Irony, n: Somewhat like iron. See Goldy, Silvery.
  
  --
  Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
Aha! by The+Grey+Clone · 2006-09-21 07:37 · Score: 4, Funny

We've finally found that mysterious step 2!
Responsability by corroncho · 2006-09-21 07:38 · Score: 2

We live in the Age of Information. Almost anyone can't post almost anything and make it available to just about everyone (how's that for ambiguos). This is great power. And with great power come great repsonsability (bet you didn'see that coming).

I think the problem may lie in he fact that too many companies don't teach their employees the difference between the internet and their intranet.
___________________________
Free iPods? Its legit. 5 of my friends got theirs. Get yours here!
1. Re:Responsability by gorckat · 2006-09-21 08:40 · Score: 2, Funny
  
  Don't you mean, "With great power comes great repostability"?
We're rich!! We're rich!!! by queenb**ch · 2006-09-21 07:38 · Score: 4, Funny

Phhhtttt!!!

That's to all of you who made fun of us geeks!

*Rude Hand Gesture*

That's for every bully who ever shoved someone into a locker during PE.

Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!

First the treasury...then the military. World domination cannot be far behind.

2 cents,

QueenB

--
HDGary secures my bank :/
Nine Days.... by Mr.Scamp · 2006-09-21 07:39 · Score: 5, Funny

The machine gave $20's for $5's for NINE days after it was reprogrammed before someone commented on it. God Bless America.
1. Re:Nine Days.... by geekoid · 2006-09-21 10:01 · Score: 4, Insightful
  
  Yes.
  
  It's called honesty and ethics.
  But if you leve your car door unlocked, and someone takes it, I'm sure you won't mind, since it was your 'fault'.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
2. Re:Nine Days.... by avonhungen · 2006-09-21 12:50 · Score: 2, Insightful
  
  I think the fact that most people understand that their banks would never consider returning that "honesty and ethics" factors into the equation. I for one have been forced to "prove" all my bank's errors before they paid me back. They've never approached me first.
  
  I think I hear that soapbox cracking...
3. Re:Nine Days.... by reason · 2006-09-21 15:19 · Score: 2, Interesting
  
  I've twice deposited more than I thought I had into an ATM and had the bank credit my account with the full amount (instead of the amount I entered) and write me a letter to let me know of my error. And yes, I know I'm not careful enough with money.
Re:The default password is... by Talondel · 2006-09-21 07:39 · Score: 5, Informative

Close. Actually it apears that it's 001234. http://www.tritonatm.com/en/service/manuals/07103- 00013C%20(FT5KUsrMan(3.0))file.pdf
Google query by szembek · 2006-09-21 07:40 · Score: 2, Insightful

So what was his "simple Google query"?

--
nothing
1. Re:Google query by Talondel · 2006-09-21 07:42 · Score: 2, Informative
  
  I don't know what his was, but the one I used was:
  
  atm operator manual
  
  It returned a fair number of, well, ATM Operator Manuals in .pdf format. Most seemed to include the default master operator password. Took me about 3 minutes.
2. Re:Google query by MDMurphy · 2006-09-21 10:05 · Score: 2, Informative
  
  This will work:
  
  Tranax Mini-Bank "Transaction Setup" .ca
  
  All from the article, they even put the quotes around "transation setup" for you. Didn't see .ca but did mention it was a Canadian reseller.
WOW by Anon-Admin · 2006-09-21 07:41 · Score: 4, Informative

Wow that is cool, it was a quick search and I found it!

It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.

I am off to the ATM down stairs. I could use a little extra cash.
1. Re:WOW by davidmcn · 2006-09-21 08:02 · Score: 2, Funny
  
  You know, I assumed that you were joking about the password, I was thinking there is no way the default password could be 0012345....then low and behold, right there in the doc, there it is....
  
  --
  Memories become legend, Legend fades to myth, and even myth is forgotten by the time that age comes again.-Robert Jordan
2. Re:WOW by Anon-Admin · 2006-09-21 08:04 · Score: 2, Interesting
  
  $1.25????
  
  Heck the ones around here charge $2.25 and then your bank adds another $1.75 for the transaction.
  
  If the ATM is in a remote location or a special event the ATM charge goes up. The last gun show I went to, the ATM was charging $9.56 per transaction. If I could have left and came back with out having to pay the $15 door fee I would have gotten the money from some where else.
the google query by Anonymous Coward · 2006-09-21 07:42 · Score: 2, Informative

Search for: atm operator manual filetype:pdf
"Gawd, Idiots!" by patrixmyth · 2006-09-21 07:45 · Score: 4, Insightful

Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.

--
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Why dont you require a hardware key? by martonlorand · 2006-09-21 07:45 · Score: 3, Insightful

Even basic Cash registers require a key to be plugged in turned to to step into manager or some other mode. Why wouldnt those ATM-s require that the case would be open and a key sticked in to go in programming mode... Can you do a memory owerflow hack into the software ower the keyboard? >Othervise I dont understand how could you get the machine out of normal state and put it in programming mode. If it is build in the software - dude - fire the security and software development team... Thats just crazy to have a possibility like that without some harware security check...
Re:The default password is... by jenkin+sear · 2006-09-21 07:45 · Score: 4, Funny

I thought it was up, up, down, down, left, right, left, right, B, A, Start ...

--
What a strange bird is the pelican, his beak can hold more than his belly can.
Re:We're rich!! We're rich!!! by lomedhi · 2006-09-21 07:45 · Score: 5, Funny

2 cents,

Please enter a multiple of $5 or $20.

--
Did you say "insightful" or "inciteful"?
there's enough clues in the article..... by nblender · 2006-09-21 07:52 · Score: 4, Informative

For this one you have to carefully RTFA. You actually have to do it. Not just pretend. A simple google search, plus some whois sleuthing to confirm you have the right one, will turn up a company that currently has it's "support.html" disabled (404), but the wayback machine has an old (2005) copy of "support.htm" which has a list of error codes, FAQ, etc, for the machine in question. It's not too much of a stretch to believe that someone put the manual up for download at some point.
No, I don't have the manual. I don't really care either, it was an interesting academic exercise.
Re:Has to be said by szembek · 2006-09-21 07:53 · Score: 3, Informative

No but this one is: http://www.diebold.com/ficcdsvdoc/TechPubs/books/T P-820327-001/tp-820327-001-1.htm that one is. Diebold actually makes really good atms in my opinion. At least as far as the end user interface is considered. The ones my bank uses have a lot of nice features: - can dispense change to the penny - can scan/cash/deposit checks - doesn't make you hit OK after you put in your pin (aren't they all 4 chars long?) - doesn't keep your card until the end of the transaction so you forget it

--
nothing
Putting the master password in the manual? by vinn01 · 2006-09-21 07:58 · Score: 2, Interesting

Who here thinks that putting the default master password in the manual is a good idea?

This reminds me the of backdoor password that Nortel had for one of its more common PBX's. At least they didn't put it the manual. But it got passed around enough to land on Usenet (in reponse to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.

Another day, another brain dead corporate password mistake....
The Manual in Question by GenTaco · 2006-09-21 07:58 · Score: 3, Informative

Honestly people, it isn't too hard to find this manual, the article gives you all the info you need. And no, the manual has not been pulled down from the site...yet.

Try the following search terms:

Tranax 1500 Manual inurl:pdf (and then check the 6th result)
Re:The default password is... by zenray · 2006-09-21 08:03 · Score: 4, Interesting

001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to sued (or beaten severly about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by managment to leave it as defaulted.

--
zenray
Re:Wrong manual by uufnord · 2006-09-21 08:04 · Score: 3, Informative

That's the triton manual. The one mentioned in TFA was a Tranax.
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf
or from google cache
http://72.14.209.104/search?q=cache:SUoMvavsghUJ:w ww.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Ma nual.pdf
Re:The default password is... by CastrTroy · 2006-09-21 08:13 · Score: 4, Insightful

However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM.

--

Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I'm surprised it took so long to realize... by Ken+Hall · 2006-09-21 08:14 · Score: 3, Interesting

Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.

Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).

The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines alltogether.

Doesn't look like they've learned anything in 20 years.
Key Badges by BobBoring · 2006-09-21 08:27 · Score: 3, Insightful

Use to be we'd just wander through the cubage and when we had collected two or three "abandoned" cards from machines, we'd copy the faces of the cards. Then we'd give them to department supervisors for security violation write ups. We'd keep the copy to make sure the supervisors write them up. We suspended the accounts after two violations. If the offenders didn't have a Letter of Counciling on file in 10 working days, we had to write up the supervisors and suspend their accounts until their up-chain managers filed the right paper work to re-enable the account.

After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.

We got tire of being called the 'net nazis' and worse.

Now we just take the badge out of the machine and walk it down to the security desk and tell them we found the on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
Ready-Set -Go by Analogy+Man · 2006-09-21 08:41 · Score: 4, Funny

However, should voting machines even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram a voting machine by walking up to it and typing in any code, regardless of whether it's the default password or not, then the voting machine security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on a voting machine.
Which one gets fixed first!

--
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
Bank Error in Your Favor! by unsigned+integer · 2006-09-21 08:48 · Score: 2, Funny

Collect $200. Pass Go!
ATM Industry Association warned them. by gurps_npc · 2006-09-21 08:49 · Score: 4, Interesting

Back in Feb 2005, the ATM Industry Association released a memo or press announcement, found here:
http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22
It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.
Frankly, I have zero sympathy for the bank that lost cash.
And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?
Either report it, or get yourself an untraceable card and return.

--
excitingthingstodo.blogspot.com
Re:What software? by Cctoide · 2006-09-21 08:58 · Score: 2, Funny

Yes, I'll get right to that right after we get you the software that will let you uplink to NORAD.

--
"Let's face it, it's a good story. Accuracy would kill it."
Re:The default password is... by Phillup · 2006-09-21 09:20 · Score: 2, Insightful

But to be fair it also stated in very big bold type that this default master password should be changed.

Just to play devil's advocate...

That box should have been on the damn cover of the instruction manual instead of 30 some odd pages back (page 19 + the "intro").

Chances are, if it was right in your face... you'd change it.

--

--Phillip

Can you say BIRTH TAX
Re:The default password is... by spacerog · 2006-09-21 09:22 · Score: 2, Informative

That is the Triton manual. That machine requires a power cycle to get to the admin interface.
Try this instead http://www.wegrowbusiness.ca/manuals/
The Tranax Mini-Bank 1500 doesn't require a power cycle.
- Space Rogue
Re:The default password is... by Tumbleweed · 2006-09-21 09:27 · Score: 4, Insightful

But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw.

I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.
Many Years of Slashdot by gewalker · 2006-09-21 09:28 · Score: 3, Insightful

Finally, "News I Can Use"
Re:The default password is... by slashnik · 2006-09-21 09:29 · Score: 2, Interesting

This is clearly rubbish.

Stating the bleeding obvious, ATMs contain cash.
All ATM's have keys, combination locks or a mixture of the two.
There is no good reason for the operator mode switch not to be locked away.

Whoever makes these ATMs deserves all the bad publicity that they get.
Reminder to everyone: by Ty_Webb · 2006-09-21 09:37 · Score: 2

Stealing is wrong.
Re:No password needed.. by avenj · 2006-09-21 09:55 · Score: 4, Funny

That may work for the Irish, but what if you're Russian?
Small problem: still have to use your credit card by FrenchSilk · 2006-09-21 11:10 · Score: 2

With the exploit described in TFA, you run a big risk of getting caught unless you have an untraceable credit/debit card. You can tell the machine to dispense the twenties as if they were fives, but it doesn't give out any money until you swipe a valid credit/debit card. So, you are going to be on the short list of suspects once you get your paltry sum of ill-gotten gains. And if you go to the well more than once, you will probably be promoted to the number one suspect. And anyone who took the money and ran will most likely have their account dinged for the extra money they took without reporting the windfall. So, unless you can get an untraceable credit card, you aren't likely to be able to keep your swag.
And what you have to remember by Sycraft-fu · 2006-09-21 12:03 · Score: 2, Insightful

Is that voting and ATM machines have very different security requirements. An ATM needs only be secure against people breaking in to it. So presuming the bank isn't stupid enough to leave the password as default, it accomplishes that pretty well. It doesn't need to be secure from the bank. The bank can lie to the ATM machine or tamper with its data if they want, it's just not in their interest. However voting machines are different. Here the data needs to be secure against tampering from everyone, including the people who are responsible for the machine. That's a whole different design.

But basically what happened is Diebold just applied ATM design to voting machine design. This would be probably be fine if you could trust the people that owned the voting machines (the government) to be honest. But you can't so it is worthless.
Re:The default password is... by John+Hasler · 2006-09-21 13:02 · Score: 3, Funny

> Whoever makes these ATMs deserves all the bad publicity that they get.

Might it be Diebold, by any chance?

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:What software? by freakmn · 2006-09-21 15:44 · Score: 2, Funny

I have the solution to the clogged tubes

--
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
Re:The default password is... by garwain · 2006-09-22 00:47 · Score: 2, Informative

The ATM Terminals for my bank have the front keypad tied to transactions only. Want real access? then you have to get past the buildings security systems, into a locked room, unlock the back panel then unlock the cash drawers or enter a password to access the machine. (I was contracted to do the cabling when my branch added a 2nd machine.)