Slashdot Mirror
Googling for ATM Master Passwords
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
*runs off to Google and YouTube as fast as his little fingers will take him*
12345
Oh wait. That's my ATM PIN.
I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.
I couldn't believe it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
We've finally found that mysterious step 2!
Phhhtttt!!!
That's to all of you who made fun of us geeks!
*Rude Hand Gesture*
That's for every bully who ever shoved someone into a locker during PE.
Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!
First the treasury...then the military. World domination cannot be far behind.
2 cents,
QueenB
HDGary secures my bank
The machine gave $20's for $5's for NINE days after it was reprogrammed before someone commented on it. God Bless America.
Close. Actually it apears that it's 001234. http://www.tritonatm.com/en/service/manuals/07103- 00013C%20(FT5KUsrMan(3.0))file.pdf
Wow that is cool, it was a quick search and I found it!
It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.
I am off to the ATM down stairs. I could use a little extra cash.
Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Even basic Cash registers require a key to be plugged in turned to to step into manager or some other mode. Why wouldnt those ATM-s require that the case would be open and a key sticked in to go in programming mode... Can you do a memory owerflow hack into the software ower the keyboard? >Othervise I dont understand how could you get the machine out of normal state and put it in programming mode. If it is build in the software - dude - fire the security and software development team... Thats just crazy to have a possibility like that without some harware security check...
I thought it was up, up, down, down, left, right, left, right, B, A, Start ...
What a strange bird is the pelican, his beak can hold more than his belly can.
Please enter a multiple of $5 or $20.
Did you say "insightful" or "inciteful"?
No, I don't have the manual. I don't really care either, it was an interesting academic exercise.
No but this one is: http://www.diebold.com/ficcdsvdoc/TechPubs/books/T P-820327-001/tp-820327-001-1.htm
that one is.
Diebold actually makes really good atms in my opinion. At least as far as the end user interface is considered. The ones my bank uses have a lot of nice features:
- can dispense change to the penny
- can scan/cash/deposit checks
- doesn't make you hit OK after you put in your pin (aren't they all 4 chars long?)
- doesn't keep your card until the end of the transaction so you forget it
nothing
Honestly people, it isn't too hard to find this manual, the article gives you all the info you need. And no, the manual has not been pulled down from the site...yet.
Try the following search terms:
Tranax 1500 Manual inurl:pdf (and then check the 6th result)
001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to sued (or beaten severly about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by managment to leave it as defaulted.
zenray
http://www.wegrowbusiness.ca/manuals/Tranax_MB_Ope rator_Manual.pdf
or from google cache
http://72.14.209.104/search?q=cache:SUoMvavsghUJ:w ww.wegrowbusiness.ca/manuals/Tranax_MB_Operator_Ma nual.pdf
However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.
Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).
The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines alltogether.
Doesn't look like they've learned anything in 20 years.
Use to be we'd just wander through the cubage and when we had collected two or three "abandoned" cards from machines, we'd copy the faces of the cards. Then we'd give them to department supervisors for security violation write ups. We'd keep the copy to make sure the supervisors write them up. We suspended the accounts after two violations. If the offenders didn't have a Letter of Counciling on file in 10 working days, we had to write up the supervisors and suspend their accounts until their up-chain managers filed the right paper work to re-enable the account.
After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.
We got tire of being called the 'net nazis' and worse.
Now we just take the badge out of the machine and walk it down to the security desk and tell them we found the on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
Which one gets fixed first!
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22
It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.
Frankly, I have zero sympathy for the bank that lost cash.
And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?
Either report it, or get yourself an untraceable card and return.
excitingthingstodo.blogspot.com
But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw.
I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.
Finally, "News I Can Use"
That may work for the Irish, but what if you're Russian?
> Whoever makes these ATMs deserves all the bad publicity that they get.
Might it be Diebold, by any chance?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.