Slashdot Mirror


Another ATM Maker Pwned by Googling

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

252 comments

  1. Pwned? by Anonymous Coward · · Score: 0, Offtopic

    I guess it's time for me to stop reading slashdot. This shit is ridiculous.

    1. Re:Pwned? by x-kaos · · Score: 2, Funny

      I agree, I had no idea people from the WoW general forums were submitting stories here!

    2. Re:Pwned? by Anonymous Coward · · Score: 1, Funny

      Not to be picky, but I've seen and hated the term pwned long before WoW ever existed.

    3. Re:Pwned? by Anonymous Coward · · Score: 0

      ATM raiders > casual ATM users.

    4. Re:Pwned? by stubbs73nm · · Score: 1

      I thought all of the tinfoil hats around here criticizing voting machine technology said all of those ATM's were secure?

    5. Re:Pwned? by Anonymous Coward · · Score: 0

      STFU. "Pwned" is a perfectly cromulent word.

  2. This is why... by Kenja · · Score: 4, Funny

    This is why I keep all my money in gold bullion strapped into my underwear. Of course that makes my pants weigh too much to move around in, but I wasn't really going anyplace any how.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:This is why... by Aqua_boy17 · · Score: 5, Funny

      Yeah, but just think about it for a second. You've finally made the underpants gnome's business model make sense.

      --
      What if the Hokey Pokey really is what it's all about?
    2. Re:This is why... by blhack · · Score: 1

      i think that gold bullion in your underwear will soon be replacing the H2 as a small penis compensation device.

      --
      NewslilySocial News. No lolcats allowed.
    3. Re:This is why... by FuzzyDaddy · · Score: 3, Funny

      Hey, I had the weight problem too, so I switched to enriched uranium. It's a lot more valuable pound for pound, so it doesn't weigh me down so much.

      --
      It's not wasting time, I'm educating myself.
    4. Re:This is why... by rbarreira · · Score: 1

      It will probably even reduce your weight, by carving holes in your body...

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    5. Re:This is why... by Anonymous Coward · · Score: 0

      but doesn't it make you wonder?

      What's phase '4' going to be like?

    6. Re:This is why... by windsurfer619 · · Score: 0

      Given my state of debt, my weight would be about negative 20 oz. Easiest way to lose weight!

    7. Re:This is why... by fdiskne1 · · Score: 1

      This is why I keep all my money in gold bullion strapped into my underwear.

      But what happens when a woman discovers your default password and makes her way into your underwear and leaves you with no money?

      wait...

      --
      But why is the rum gone?
    8. Re:This is why... by Anonymous Coward · · Score: 0

      Since this is /. that's probably a safe strategy because we all know nobody would want to get into your pants.

    9. Re:This is why... by eonlabs · · Score: 1

      Gold Bullion in Pants
      ???
      Profit!

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    10. Re:This is why... by Brigadier · · Score: 1



      Now you can go out and buy glowing condoms for your now glowing balls.......

    11. Re:This is why... by Anonymous Coward · · Score: 0

      This has been mentioned before here and here. One wonders why it took a Wired article to put forth what has been mentioned by CNN among other sources.

    12. Re:This is why... by TT075819 · · Score: 1

      This is why I changed all my gold coins into paper form and keep them inside my wardrobe.

  3. What?!!? by LordPhantom · · Score: 4, Insightful

    Ok, so people have been hacking pr0n sites, coke machines, etc, for years, but with a bit of warning ATM companies can't manage to practice a bit of security?

    Even if it IS stupid user error, then BANKS can't get their act together?!?!

    This just makes me feel all warm and fuzzy about Diebold, etc.

    1. Re:What?!!? by gurps_npc · · Score: 4, Informative
      It's not 'a little warning'.

      It's repeated, frequent warnings from the manufacturers and industry associations for several years.

      Now finally it hit the news media.

      You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.

      --
      excitingthingstodo.blogspot.com
    2. Re:What?!!? by shawn(at)fsu · · Score: 4, Funny

      Even if it IS a stupid BANK error, why do people feel the need to take advantage of it?!?!
      You must be new here, and by here I mean humanity.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    3. Re:What?!!? by cp.tar · · Score: 1

      Is it not said, A fool and his money shall soon be parted?

      --
      Ignore this signature. By order.
    4. Re:What?!!? by queenb**ch · · Score: 1

      Even if it IS stupid user error, then BANKS can't get their act together?!?! This just makes me feel all warm and fuzzy about Diebold, etc.

      Ah...but you should feel all warm and fuzzy about Diebold handling your votes come election time.

      2 cents,

      QueenB

      --
      HDGary secures my bank :/
    5. Re:What?!!? by Marxist+Hacker+42 · · Score: 1

      It's more convenience stores than banks I think....the kinds of ATMs hit so far aren't the types used by banks that have backdoor access only (though, with the recent revelation that Diebold uses common A-Code keys, the same used for your desk drawers at work and the mini-bars in hotels, I have to wonder how secure even the bank style ATMs are); they're the stand alone kiosks used in malls and convenience stores.

      With Apu at the Qwik-E-Mart setting the damn thing up and keeping it stocked with money, is it any wonder that quite a few of them are still running on default passwords even when the PDFs I've seen all say in 14-point-bold font "RESET THIS PASSWORD"?

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    6. Re:What?!!? by thatnerdguy · · Score: 1

      Isn't it usually the vendor of the bank machine that fills it up? At the depanneur I worked at, an ATM company installed a Triton machine and every so often an armored van comes by to fill it up. I didn't know that convenience store owners could buy, install and stock their own machines.

      --
      I saw the Sign, and it opened up my eyes
    7. Re:What?!!? by plastic.person · · Score: 0

      "You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough."

      I'm just curious, but will a horse really drown if you do that?

    8. Re:What?!!? by networkBoy · · Score: 1

      Anyone can buy, install, and stock their own machine. It's just that the damn things are so expensive that joe shopowner usually can not afford to amortize the thing in any reasonable amount of time.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:What?!!? by Anonymous Coward · · Score: 0

      This just makes me feel all warm and fuzzy about Diebold, etc.

      Voting box jokes aside, does anyone know if Diebold ATM's have been hacked also??

      With my limited googlities (new word ??; google abilities) I wasn't able to find any links that stated such. As my bank, Citi8ank, and many others probably use them, I guess we should start a tally to see who is left that has covered their bases.

      /concerned consumer ...

    10. Re:What?!!? by r1_97 · · Score: 1

      You can lead a horse to drink but you can't make him water.

    11. Re:What?!!? by Peter+Mork · · Score: 1

      And all these years I thought it was, "A fool and his money ... soon visit the brothel."

    12. Re:What?!!? by JonathanR · · Score: 1
      Isn't that one of the tenets of the free economy?

      Never spend your own money when you can spend someone else's
    13. Re:What?!!? by KlaymenDK · · Score: 1

      Err, no (not that I know of). Granted, horses are stupid, but not THAT stupid.

      They can, however, roll themselves up to a wall (if they're in a stable stall of course) in such a way that they cannot get up or away without (human) help. Sigh...

    14. Re:What?!!? by toonworld · · Score: 1

      I'm more worried about the manufacturers, why is it even possible to access the ATM software from the OUTSIDE keypads? Shouldn't there be a terminal or a console port that you can plug into if needed? I mean if the panel to the ATM is opened, an alarm is triggered, so why not use that as an extra protection? Why make it accessible at all???

      --
      It's not the destination that matters, but rather the journey.
    15. Re:What?!!? by 1110110001 · · Score: 1

      They also don't know how to write secure websites. I reported a serious problem in one of these telebanking sites, where they didn't escape user input in the URI of the login page, which would have been fun for phishers. After 2 months they fixed the problem, but only the exact problem I reported. It took me 5 minutes to find another way to embed the same javascript again. After another month they now fixed this problem too, but there might still be others.

      So they not only don't know how to write secure code, they also don't understand the problems if you tell them. Instead they wait for a user to test their site without even saying thank you or sorry - seems like security means nothing to them if it's not gratis.

      Their excuse for taking so long to fix the problem? "We're not a simple PHP website and have to do serious business". Tell that to Flickr - they need less than a day for non-serious problems.

    16. Re:What?!!? by tt074321 · · Score: 1

      good point..i feel the same way too

    17. Re:What?!!? by TT075819 · · Score: 1

      What I can suggest here is to place the ATM machine inside the respective bank for more security purposes where even it is a bank ERROR, we can avoid those take the advantage to hack the ATM machine to get money. Why don't we implement a thumb screen device that would scan the ATM holders thumb to get his or her details followed by any kind of transaction processes. In this case we can try or avoid the usage of the actual ATM card. By implementing the thumb screen device, the bank needs to generate a well secured new program to run the process. Thus, the chances to get 'attack' from the outsiders could be reduced. By the time the public able to find a crack in the new program, the bank could always update the security features in the program from time to time.

    18. Re:What?!!? by TT074317 · · Score: 1

      i wonder .. what is so interesting about Diebold?? hurm ...

    19. Re:What?!!? by Henk+Poley · · Score: 1

      Why does the machine even work (as in, give out money) with the default password still in place?

    20. Re:What?!!? by Marxist+Hacker+42 · · Score: 1

      That's a mistake of the manufacturer. Of course, if the manufacturer was really smart (note the overreliance on Windows as an operating system!?!?!?) they'd simply turn on "user must change password at next login" before shipping the system.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  4. "Pwned", indeed by Otter · · Score: 4, Insightful
    -1, Submitter Doesn't Understand What He Read

    Bottom line, this is a perfectly routine default password issue. Blame your bank.

    1. Re:"Pwned", indeed by 8127972 · · Score: 2, Insightful

      "Bottom line, this is a perfectly routine default password issue. Blame your bank."

      Not exactly. First blame the person who installed it first as s/he left the default password in the first place. Then blame the bank for not ensuring that the installer did their job correctly.

      --
      This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    2. Re:"Pwned", indeed by patrixmyth · · Score: 2, Interesting

      If anyone was humiliatingly defeated, then it was the ATM installation company, not the ATM manufacturer/owner/store clerk. And that defeat was not by Google, but likely by a trained installer with a grudge/questionable morals. If it were me, given the exorbitant rewards offered on many of these ATMs for information leading to arrest of offenders, I'd put more effort into catching exploiters than risking a theft charge. In my opinion, we should put $100 dollar bills behind thin glass on every corner with an alarm and a camera. In the meantime, this might be the next best thing to catch stupid criminals.

      --
      "Don't you know you're going to shock the monkey?"- Peter Gabriel
    3. Re:"Pwned", indeed by QuantumFTL · · Score: 3, Informative

      Bottom line, this is a perfectly routine default password issue. Blame your bank.

      The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

    4. Re:"Pwned", indeed by KarmaMB84 · · Score: 1

      A bank of all places should know better. There can be no blame for a manufacturer who provided a suitable design to a customer that should be an expert at this stuff.

    5. Re:"Pwned", indeed by 99BottlesOfBeerInMyF · · Score: 1

      The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

      A lot of companies avoid this because machines are first used in a test lab, or set up by an installation company and then finally configured/stocked by the bank. This leads to incidents where the bank is calling and wants to know the password, but it has been changed from the default. So companies leave a default in, but tell customers to change it. It saves them some support costs with incompetent customers.

    6. Re:"Pwned", indeed by MikeBabcock · · Score: 2, Insightful

      It would still be a problem -- just like Windows XP requiring a username before completing the installation is a problem in other circumstances.

      Believe it or not, the "user" is not always the one setting up the machine in question. The default (or "a" default password) needs to be configured and told to the user reliably. Now you do that with a dozen new ATMs to a bank and see how pissed they get at you or how fast someone writes the password on a sticky note.

      Yes, they need to do better security if they're using the default password.

      Yes, the person who set the machine to "active" with real cash in it before changing the default password should be fired.

      --
      - Michael T. Babcock (Yes, I blog)
    7. Re:"Pwned", indeed by MrNougat · · Score: 1

      Au contraire - banks are not experts at technology whatsoever. Small banks usually don't have their own IT staff. Most banking applications (provided by third parties) are built on very old technology.

      No, banks are good with money and accounting, not the administration of the technology they use to do those tasks.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    8. Re:"Pwned", indeed by Drachemorder · · Score: 1

      Indeed. My company recently did a project for a bank. The IT people there are about as clueless as they come. It was the most painful project I've ever been involved with, because we had to explain every single minor detail of what we needed in order to get the guys to pull log files or change configuration settings or anything. And even then they usually managed to find some way to screw it up.

    9. Re:"Pwned", indeed by Kaktrot · · Score: 1

      In the meantime, this might be the next best thing to catch stupid criminals.

      As it stands now, it appears to be a rather smart crime. I suppose you could rig it up so that it takes a picture of anybody who puts in a default password, but one might argue that your time might be better spent catching smart criminals.

      --
      BSD: The most efficient way of subsidizing the enemy.
    10. Re:"Pwned", indeed by grolschie · · Score: 1

      Thanks for that list. I can never think of a good password. I have now narrowed my next one down to one of the following three choices: "1234", "admin" and "password"! Thanks again. ;-)

    11. Re:"Pwned", indeed by jridley · · Score: 1

      and blame the manufacturer for building a system that can be set into production mode with the default password still active. We can enforce password strength restrictions for goofy web blog sites but somehow it's too hard to do for ATMs?

      I've worked with banks before. They will implement exactly the amount of security that they're required to by law. Don't ever count on more than that, and I'd verify before I even trusted that much. They have a huge hierarchy of career programmers and IT people who have been around since COBOL was king of the hill, and a lot of them haven't bothered to keep up and they don't understand much about anything more modern than a modem and serial communications.

    12. Re:"Pwned", indeed by Anonymous Coward · · Score: 0
      Blame your bank.
      Why blame anybody? From the sound of the hack, it looks like the most serious vulnerability allows the attacker to drop the atm into operator mode and change the settings. It's not like it gives them access to look your bank account. Now I guess if the attacker set the machine to think it was giving out $100s when it was only giving out $20s, you might get screwed. But from the sound of it, the only one who is going to lose money is the bank. And they can well afford to eat a few thousand dollars so long as this is a rare occurrence.
    13. Re:"Pwned", indeed by cloudmaster · · Score: 1

      And then they should have to change it every 90 days, because some dumbass read a document entitled "best practices" about that kind of thing.

    14. Re:"Pwned", indeed by patrixmyth · · Score: 1

      Not if you're endeavoring to collect rewards ;)

      --
      "Don't you know you're going to shock the monkey?"- Peter Gabriel
    15. Re:"Pwned", indeed by Anonymous Coward · · Score: 0

      Am I the only one who instead of wanting everything to be stupid proof, wants there to be a bigger penalty for those being stupid? All hand holding does is promote ignorance, for something like this the people who are setting it up should damn well know the security guidelines for the bloody thing. If you force them to think up a password on the spot you're probably going to end up with either a completely useless one that they can easily remember, or they'll write it down and keep it somewhere stupid.

      If you make something foolproof they'll build a better fool.

    16. Re:"Pwned", indeed by Jedi+Alec · · Score: 1

      It would still be a problem -- just like Windows XP requiring a username before completing the installation is a problem in other circumstances.

      Annoying indeed...wtf do I need 2 administrator accounts for? Long story short, first time you boot after installing, do it in safe mode and you never get bothered by the "create a new user" screen. Afterwards you can add a normal user or super-user account.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    17. Re:"Pwned", indeed by Chelloveck · · Score: 1
      A lot of companies avoid this because machines are first used in a test lab, or set up by an installation company and then finally configured/stocked by the bank. This leads to incidents where the bank is calling and wants to know the password, but it has been changed from the default. So companies leave a default in, but tell customers to change it. It saves them some support costs with incompetent customers.

      Still, it would be a simple matter for the manufacturer to put in an on-screen warning when the password matches the default. Something like, "WARNING! This ATM has been improperly configured by your bank! Do you really want to trust your money to people who can't be bothered to change the password?" After something like this shows up once or twice on live ATMs, I imagine the new technicians would be pretty good about changing the password.

      Or maybe, "WARNING! The default password has not yet been changed. It must be assumed that anyone using this machine is an authorized technician. For convenient reference the password is '12345', and you can dispense all the cash by pressing '1' on the main menu."

      Or, better yet, given the cost of these things there's no reason why the manufacturer can't put a test switch behind a locked panel at the rear of the machine. Preferably a momentary (not toggle) switch which must be pressed immediately before entering the front-panel password.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
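
Added example, not part of any comment in this thread and not vendor code: a Python sketch of the policy several posters above ask for (QuantumFTL, jridley, 99BottlesOfBeerInMyF, Chelloveck). The factory default works for bench testing, but the machine cannot go live or dispense until it is changed, and a live operator login needs the switch behind the locked panel. The `Kiosk` class, its method names, and the `"000000"` default are hypothetical.

```python
import hashlib
import hmac
import os
from enum import Enum

# Constructed placeholder; not a value from any vendor manual.
FACTORY_DEFAULT = "000000"
# Choices an installer reaches for when forced to change a password on the spot.
WEAK_CHOICES = {"1234", "12345", "123456", "admin", "password"}


class Mode(Enum):
    LAB = "lab"                # bench test / installation: cash dispense disabled
    PRODUCTION = "production"  # live: cash dispense enabled


class ProvisioningError(Exception):
    """Raised when an action is refused by the provisioning policy."""


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Kiosk:
    """Hypothetical ATM controller; every name here is illustrative."""

    def __init__(self):
        self.audit = []
        self._set_password(FACTORY_DEFAULT)
        self.mode = Mode.LAB

    def _set_password(self, password):
        self._salt = os.urandom(16)
        self._hash = _digest(password, self._salt)

    def _check(self, password):
        return hmac.compare_digest(self._hash, _digest(password, self._salt))

    def uses_factory_default(self):
        return self._check(FACTORY_DEFAULT)

    def change_password(self, old, new):
        if not self._check(old):
            raise ProvisioningError("current password incorrect")
        if new == FACTORY_DEFAULT or new in WEAK_CHOICES or len(new) < 6:
            raise ProvisioningError("new password is a default or too weak")
        self._set_password(new)
        self.audit.append("password_changed")

    def go_live(self, password):
        """Leave lab mode. Refused while the factory default is still active."""
        if not self._check(password):
            raise ProvisioningError("password incorrect")
        if self.uses_factory_default():
            self.audit.append("go_live_blocked_default_password")
            raise ProvisioningError("change the factory password before go-live")
        self.mode = Mode.PRODUCTION
        self.audit.append("went_live")

    def operator_login(self, password, rear_switch_pressed):
        """On a live machine the front keypad alone never opens the operator menu."""
        if self.mode is Mode.PRODUCTION and not rear_switch_pressed:
            self.audit.append("operator_login_without_switch")
            return False
        return self._check(password)

    def factory_reset(self, rear_switch_pressed):
        """Recover a lost password: back to the default, but also back to lab mode."""
        if not rear_switch_pressed:
            raise ProvisioningError("reset requires the switch behind the locked panel")
        self._set_password(FACTORY_DEFAULT)
        self.mode = Mode.LAB
        self.audit.append("factory_reset")

    def dispense(self, amount):
        if self.mode is not Mode.PRODUCTION:
            raise ProvisioningError("cash dispense is disabled in lab mode")
        return amount


def refused(action, *args, **kwargs):
    """Return True if the policy refused the action."""
    try:
        action(*args, **kwargs)
    except ProvisioningError:
        return True
    return False


if __name__ == "__main__":
    atm = Kiosk()
    print("go-live on default refused:", refused(atm.go_live, FACTORY_DEFAULT))
    atm.change_password(FACTORY_DEFAULT, "73914026")  # constructed sample value
    atm.go_live("73914026")
    print("dispensed:", atm.dispense(20), "| audit:", atm.audit)
```

The reset path addresses the support-call objection raised above: a lost password can be recovered with physical access, but recovery always drops the machine out of service until a new password is set.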
    18. Re:"Pwned", indeed by TT075486 · · Score: 1

      bank holds the major responsibility to hold the cash safely or let in drown..

    19. Re:"Pwned", indeed by TT074317 · · Score: 1

      of course .. definitely i also agree with you. we as the customer have to be conscious about our right and to avoid the bad thing happen to us. PEOPLE should be aware about this!

  5. UK by celardore · · Score: 2

    I live in the UK, and we use different brands of ATM machine here. I can't find any codes that will give me free money here. Drat! Possibly for the best though, as I'm a member of an accountancy association who will kick me out if I get convicted for fraud. And I'd lose my job. My job is the best source of money for doing very little, it's just time consuming.

  6. "pwned"? by IHSW · · Score: 3, Funny

    What is "pwned"?

    1. Re:"pwned"? by Apocalypse111 · · Score: 4, Funny

      When you have totally humiliated and/or beaten someone, you have "owned" them. A "p" is just an "o" with a stick on it, so "pwned", in my mind, is "owned with a stick".

      --
      There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
    2. Re:"pwned"? by tupshin · · Score: 5, Funny

      !7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

    3. Re:"pwned"? by paulthomas · · Score: 1

      pwn (v): an intentional misspelling of "own," especially when indicating unauthorized "ownership" of a system. Most commonly seen as pwned or the 1337 variation, pwn3d, as in "i pWn3d j00."

    4. Re:"pwned"? by Anonymous Coward · · Score: 0

      "Pawned". As in, what you'll do to the various items in your house (read: sell them) if you're the standard Slashdot reader. Can also be known as 'whoring' or 'firST PoSTT"£££'.

    5. Re:"pwned"? by Anonymous Coward · · Score: 0

      An ignorant person who attempts to appear clever, but fails miserably.

    6. Re:"pwned"? by vadim_t · · Score: 5, Funny

      Scary, I didn't need to make any effort to understand that.

    7. Re:"pwned"? by Anonymous Coward · · Score: 0

      Both you and the parent need remove yourself from the internet. right now.

    8. Re:"pwned"? by jrmiller84 · · Score: 1

      ROFL

      --
      I will forever be a student.
    9. Re:"pwned"? by tupshin · · Score: 2, Funny

      !n $0v!37 ru$$!4, 7h3 !n73rn37 r3m0v3$ y0u.

    10. Re:"pwned"? by Anonymous Coward · · Score: 4, Funny
      !7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

      vadim_t (324782) writes:
      Scary, I didn't need to make any effort to understand that.

      God, I really hate perl.
      Since you seem to know, what does that script actually do? :)
    11. Re:"pwned"? by sasdrtx · · Score: 1

      Well, thanks for clearing that up!

      --
      Most people don't even think inside the box.
    12. Re:"pwned"? by Anonymous Coward · · Score: 0

      Scary, I didn't need to read past the first 1 to guess the rest of the quote.

    13. Re:"pwned"? by farnham · · Score: 1

      Christ, I didn't realise registration numbers went that high!

      --
      pending committee review
    14. Re:"pwned"? by tm1rules · · Score: 1

      You're right. It's "pwnd."

      >What is "pwned"?

    15. Re:"pwned"? by Anonymous Coward · · Score: 0

      A better question is why is the word "pwned" even in the subject line for this post? Has slashdot really succumbed to the immature bantering of the immature online mobs? (Or is that just an unbelievably naive question to even ask?)

      Seriously, could one of the "editors" not think up a better headline while deciding to post the article?

    16. Re:"pwned"? by Anonymous Coward · · Score: 0

      i wish i had mod points, this comment is funny twice.

    17. Re:"pwned"? by RsG · · Score: 2, Funny

      Actually what's really scary is that he included the apostrophe in "!7'$". What's the world coming to when 1337 speak is being done with proper grammar? Madness, I say!

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    18. Re:"pwned"? by HolyCause · · Score: 2, Informative

      Actually, "pwned" is a (usually on purpose) typo of "owned", since on a standard QWERTY keyboard, P and O are beside each other.

      I believe that this originated with WarCraft. In multiplayer, a typo for "own" was made: "playerX pwns playerY" or something similar (not sure on this myself, as I've never played WarCraft - it's just what I've heard). Of course, it could have originated as a common typo, but that's an interesting story behind it =)

      --
      Visit http://theshrine.ca/ at irregular intervals and you might see something interesting.
    19. Re:"pwned"? by patio11 · · Score: 1

      It outputs "Just another perl hacker", unless it's Tuesday. You don't want to know what happens on Tuesday.

    20. Re:"pwned"? by Anonymous Coward · · Score: 0

      r3l4x, w3 und3rst4nd j00!

    21. Re:"pwned"? by Andrewkov · · Score: 1

      pwnd!!!11!!1

    22. Re:"pwned"? by Nogami_Saeko · · Score: 1

      pwned: Someone who is bragging about their elite level of playing ability after the latest kill in a multiplayer game of some sort, yet is still unable to spell...

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    23. Re:"pwned"? by Anonymous Coward · · Score: 0

      Perhaps "pwned" could be just a delicious mix of "pawned" and "owned" instead of a simple typo. Hackers like to play with language and words, see Jargon file for lots of examples about that.

      http://www.answers.com/topic/pawn

      Just in case some of us don't check the link, it says this near the bottom of the page: '"Pawn" is often taken to mean "one who is easily manipulated" or "one who is sacrificed for a larger purpose." The word pawn actually is derived from the Old French word "paon" which comes from the Medieval Latin term for foot soldier, and is etymologically cognate to peon.'

      --
      BR, not-even-very-cunning-linguist AC.

    24. Re:"pwned"? by Phroggy · · Score: 1

      He's right. It does something completely different on Tuesday.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    25. Re:"pwned"? by FlipSyde+IT072186 · · Score: 1

      well humans do make mistakes..but slightest mistakes can be very misleading though. maybe there should be a spell checker to avoid such errors as to which doesn't get other readers misleaded or maybe we should not put so much trust on technology these days!! Not all readers can think like [Apocalypse111 (597674)]. probably each keys on the keyboard should be placed far apart :)

    26. Re:"pwned"? by FlipSyde+IT072186 · · Score: 1

      how is this funny?? its just cryptography with numbers!! it can be read though without any doubt.

  7. Predicted response by aafiske · · Score: 4, Funny

    Probable solution? Sue google.

    I wish this was a joke.

    1. Re:Predicted response by Anonymous Coward · · Score: 0

      this isn't a troll. the people who work for large financial entities are renowned for their lack of empathy and sense of humor. if you can find passwords for an atm with a google search, fixing the problem is going to cost the bank money. eventually some bank is going to sue google. which is really really sad, because the bank is clearly the party to blame for their own (pwn) problems.

    2. Re:Predicted response by john83 · · Score: 1

      With the recent problems google had with some Belgian newspapers, problems that wouldn't have existed if the newspapers had just added a noarchive command to their page template, that wouldn't surprise me one bit.

      --
      Strange women lying in ponds distributing swords is no basis for a system of government.
    3. Re:Predicted response by Chacham · · Score: 1

      Heh. And i'll bet that's coming up soon enough.

      "We were secure, until google indexed our site."

    4. Re:Predicted response by SheeEttin · · Score: 1



      Not sure of the right syntax.

  8. Should have waited by Midnight+Thunder · · Score: 2, Funny

    Given that Google is likely to have cached the manuals and the patches will not be ready for a couple of months (certification et al.), I wonder whether the author should have waited a few weeks before publishing the article, to give the manufacturers a chance to spread the word.

    --
    Jumpstart the tartan drive.
    1. Re:Should have waited by dlim · · Score: 2, Interesting

      The "patch" is a update that forces the banks to change the ATM's default password. The default password has probably been online for as long as the ATM manufacturer has had a website. And with all of the attention the previous ATM password fiasco received, I would hope that my bank has already investigated (and reduced) their vulnerabilities to this type of fraud.

      The problem is not that anyone can read these service manuals for the next couple of months. The problem is that some owners of these ATMs did not read the service manuals to begin with.

      And if the solution is "spreading the word", then kudos to Kevin Poulsen for assisting the banks.

    2. Re:Should have waited by Xiroth · · Score: 1

      Ha. Most companies' idea of mitigating this kind of disaster is to try and get an injunction put on the hacker who told them so that the public never finds out, and then not change a thing because it's too expensive.

      And you wonder why Grey Hats rarely tell the company directly.

  9. Lipman ATM's by detritus. · · Score: 5, Informative

    Lipman's Nurit ATM manuals are also available to the public on their website, which also contain the default passwords accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.

    1. Re:Lipman ATM's by Anonymous Coward · · Score: 0

      >> And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords.

      I don't see why that's a big deal. My car's manual doesnt say "dont dump your carkeys in the middle of the shopping mall" either. common sense.

      if it was some USB plug&play dsl modem for granny's and other ignorant people then it would be smart to put something like that in the manual. If it's a money dispenser then you consider this common sense i think.

    2. Re:Lipman ATM's by Volante3192 · · Score: 2, Funny

      If it's a money dispenser then you consider this common sense, I think.

      Common sense isn't. This is why curling irons have "Do not insert into any orifice" on a warning label.

    3. Re:Lipman ATM's by lakeland · · Score: 2, Insightful

      Only in America. Other countries base the legal system around common-sense so stupid people just get what they deserve.

    4. Re:Lipman ATM's by networkBoy · · Score: 1

      Like the European cup o noodles (Tesco I think) that has: "Warning contents may be hot" printed on the bottom of the stinkin cup?

      While I am a big fan of the "he was obviously a nit, your honor" defense, it is not only the US that has nit protection warnings on products.

      It is our sue-happy nature, however, that I think was largely responsible for the multitude of iterations of: "Don't be stupid using this product" labels.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:Lipman ATM's by Anonymous Coward · · Score: 0

      Those units' passwords are usually either customized by the deployment staff, customer service, or the automatic terminal build system before being shipped to the merchant.

      Not to mention blowing out a terminal would arouse suspicion in most retail locations..

    6. Re:Lipman ATM's by Anonymous Coward · · Score: 0

      I am looking for manuals for NCR/Tidel ATM's. It would sure suck if they were smart enough to restrict them :-P

  10. they didn't remove all the docs by thedrunkensailor · · Score: 2, Informative

    There's another doc up there exposing the default master password at http://www.tritonatm.com/en/service/technical_bulletins/05-48.pdf. I emailed them about it so it might come down.

    --
    i support the right to offend.
    1. Re:they didn't remove all the docs by Anonymous Coward · · Score: 0

      The password this document refers to just the place where they store the encryption keys for communicating with the bank/processor. It is stored in the keypad.

      Also it looks like they got security on this section right:

      The VEPP requires that no default password can be entered that allows a user to change the master keys. If a user enters the default password the VEPP will force the user to change them before the option of entering in the master keys is displayed.
    2. Re:they didn't remove all the docs by AK+Marc · · Score: 1

      there's another doc up there exposing the default master password

      Hiding a password like that is no use. I've had friends with different cell service tell me they couldn't get their voicemail. I have no idea how to get in, so I told them to call themselves from their phone, press pound if they hear their own message, and try 1111, 1234, 9999, and 0000 and see if they get in. So far, that works for all cell carriers I've ever encountered. And a large number don't require you to change it. My voicemail for my work phone is still at defaults. I'm lazy, and hacking my voicemail will not do anyone any good (aside from the 10 minutes of fun for a "call this guy's VM and listen to his message" party). The master password is on the list of passwords I'd try if I was trying to break into an ATM. The biggest trick with these is how to bring up the login screen from the keypad. I've seen a way or two mentioned here, but I don't know enough to know if those are universal. That's what should be locked out. You can't get the login from the keypad unless the ATM is open and a switch is flipped. That would end all of these attacks.

  11. Why do dumb stories like these get accepted? by gd23ka · · Score: 5, Insightful

    A default password that is MEANT to be CHANGED ASAP is not supersecret. It's in the fucking
    manual and even if the manual is not on the web then you can probably order one from the
    manufacturer and they won't make sure you even purchased the ATM to go with it.

    The real news is that the people who set ATMs up and operate them are as dumb as dog shit.

    UUuuuuh secret password! Uuuuuuh!

    1. Re:Why do dumb stories like these get accepted? by CastrTroy · · Score: 3, Insightful

      I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users and either A) Not allow the machine to function until the default password was changed, or B) Don't have a default password, but instead have a physical lock with a physical key (hopefully one that can't be opened by a vending machine key) that must be used in order to reprogram the machine. We all called MS Stupid for not requiring SQL Server to have a password, and having a blank default password, why not blame the people who make these ATMs?

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Why do dumb stories like these get accepted? by KarmaMB84 · · Score: 1

      Microsoft was never stupid for assuming people buying their expensive RDBMS and *setting the beast up* would *password protect it* and neither are these ATM manufacturers. These machines are managing *money*. What more reason could you have for the banks to be anal retentive with the security of them? If they don't give a damn, they just don't give a damn.

    3. Re:Why do dumb stories like these get accepted? by P3NIS_CLEAVER · · Score: 1

      The article would have been more interesting if it said $XXXX dollars were stolen using a default password.
      Seems like reporting on a non-issue.

      --
      Please sign petition to restore sanity to our banking system!!!

      http://financialpetition.org/
    4. Re:Why do dumb stories like these get accepted? by theLOUDroom · · Score: 1

      I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users...

      No.

      Let's use a little common sense people.

      What is an ATM?
      A box full of money.

      It is perfectly reasonable to expect someone to RTFM and follow directions before putting a box full of money out in a public space.


      The fault here lies squarely on the banks.
      Were I the manufacturer, I would maintain that anyone who failed to change the default password had installed the machine improperly. Using the default password is like leaving the key in the frickin door, or writing a combination above a lock.

      In the end, banks need to take responsibility for their own security. It is simply impossible for ATM manufacturers to force them to follow good security practices.

      --
      Life is too short to proofread.
    5. Re:Why do dumb stories like these get accepted? by aug24 · · Score: 1

      It's a classic "Anything that can go wrong will go wrong".

      The system needs to be made to ensure that a password is changed before operation can begin. Duh.

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    6. Re:Why do dumb stories like these get accepted? by gd23ka · · Score: 1

      Most ATMs require PIN verification against a special operator card to access maintenance functions. Since you're talking about Microsoft's SQL variant here let it be noted that all the key players are no better. For example MySQL didn't even set a password for the default administrative account for a long time and even Oracle lets you log on as scott/tiger and I think the Oracle dba default password is even "changeme" or "changethis". As far as the default password issue is concerned, most products will warn you to change the default passwords ASAP. Change the default password ASAP or you richly deserve what you get.

    7. Re:Why do dumb stories like these get accepted? by TT075486 · · Score: 1

      have thumb print match instead of passwords

    8. Re:Why do dumb stories like these get accepted? by TT075486 · · Score: 1

      agreed...what a line of password could do!! bottom line ATM developers are the problem creators!! have something really reliable!! not this password thingy at least:)

  12. I'm sorry, but... by Iphtashu+Fitz · · Score: 1

    Anybody who rents/buys an ATM to install in their store deserves exactly what they get if they don't change the default password. Are these people really that clueless to think an ATM would be secure if the password is printed in the users manual?

  13. pwnage sux by Anonymous Coward · · Score: 5, Funny

    Who do I have to murder to remove "pwn" from the common technobabble lexicon?

    I'll do it... Seriously...

    1. Re:pwnage sux by doria13 · · Score: 1

      and I'll help you dispose of the body.

      The usage of these terms is one thing when read in comments, but in the headline? On the front page?!

      The minute I see "teh" in a Slashdot headline I will seriously have to think about not reading it anymore...

    2. Re:pwnage sux by Anonymous Coward · · Score: 0

      I am so going to go postal.

    3. Re:pwnage sux by theLOUDroom · · Score: 1

      Who do I have to murder to remove "pwn" from the common technobabble lexicon? I'll do it... Seriously...

      Do you think pwning someone is the answer? :P

      --
      Life is too short to proofread.
    4. Re:pwnage sux by CheShACat · · Score: 1

      Surely you mean "who do I have to pwn"...?

  14. I don't get it... by Yonzie · · Score: 3, Funny

    Obviously, people don't have the brain capacity to be serious about security.
    What should we do?
    It's simple: Shut down the internet.
    No more easily-guessed passwords or dissemination of information on how to break into stuff.
    No child porn proliferation and no worries about your 9yr old girl chatting with 45yr olds.
    An extreme decline in virii and similar stuff for everyone's favorite OS.

    In total? Awesomeness :D

    1. Re:I don't get it... by Anonymous Coward · · Score: 0

      You can't shut down the internet. Believe me, every geek would be digging out their modems and we'd be back up in less than a week. Ok, so you tell the phone company to recognize and block modem signals. So we'll use wifi. Good luck having a 100% blocking rate with that. The point is, there's always another medium to transmit packets. :-)

    2. Re:I don't get it... by toadlife · · Score: 1

      And IP over HAM...if it comes down to it.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:I don't get it... by arkhan_jg · · Score: 1

      What should we do?
      It's simple: Shut down the internet.


      You bastard, you're the one that's been giving ideas to my senior management!

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    4. Re:I don't get it... by TT075486 · · Score: 1

      no joke... u mean life without internet?? no internet..no life

  15. don't know about spot on by Anonymous Coward · · Score: 1, Informative

    Wikipedia went a bit overboard with their definition. They pulled a bit of a Clavin. Owned started with gaming where one player played so much better than the other that they owned them, in that they could do with them what they pleased. pwned came about much later and is simply a misspelling of owned, look where the o and the p are on the keyboard. pwned and teh are common typos in games where you are frantically trying to type in a comment before you get killed. Therefore using them in your text implies a sense of frantic urgency.

    That's all there is to it. Anybody trying to make a distinction on when and where the proper use of the term own vs. pwn is just talking out their tailpipe.

    1. Re:don't know about spot on by moonbender · · Score: 1

      Anybody trying to make a distinction on when and where the proper use of the term own vs. pwn is just talking out their tailpipe.

      First of all, you just made such a distinction yourself, saying that "pwn" is (deliberately) used to imply a sense of frantic urgency. And second, I don't think that's correct. My experience is much more in line with what Wikipedia says, namely that pwn is used to refer to a very clear and humiliating defeat. It's not even treated as a misspelling of own, if anything it's an alternate spelling, or a word of its own (pwn?) altogether. Of course the two variants are still very much similar in meaning, with I guess pwn actually being the more popular term (with the crowd I'm referring to, not overall).

      --
      Switch back to Slashdot's D1 system.
    2. Re:don't know about spot on by topham · · Score: 1

      That would be because it is "own" with an embedded face sticking its tongue out. As in :P :pwn is likely more correct, but dropped usage.

  16. So what? by oyenstikker · · Score: 1

    What does having the password allow you to do? Surely you can't actually get money out of it. Can you make it not charge the $1.50 per use?

    --
    The masses are the crack whores of religion.
    1. Re:So what? by LunaticTippy · · Score: 1

      You can tell it that the $20 bin is $5, making a $15 withdrawal give $60. Of course, the bank has your account information and will "adjust the error" or press charges.

      --
      Man, you really need that seminar!
    2. Re:So what? by Hamster+Of+Death · · Score: 1

      You can change many things, you can make it think it's spitting out $5's instead of $20's by changing the denomination settings. Ask for $100 and you get $400 instead; you can also change the per use fee or eliminate it entirely. To really piss people off you can change the denomination to think it's dispensing $100 bills but in reality giving out $20's =)
      You can get into the cash drawer too if they weren't smart enough to change the default combination lock code (which they most likely didn't). In short you CAN get money out of it. Just don't use -your- atm card while doing it or you'll be getting a visit once they look through the records.

    3. Re:So what? by cranktheguy · · Score: 1

      This actually happened where I live. Someone found out about it, and a few hours later (oddly around when the bars close) everyone had called their friends. There was a long line of people wearing hoodies or hats in line to get some money when the cops arrived. Everyone had their accounts "readjusted." I read some were prosecuted.

      --
      yeah, that's about it
    4. Re:So what? by Anonymous Coward · · Score: 0

      what the hell are you doing hosting those links off your adsl...? getting like 5b/s D:

    5. Re:So what? by LunaticTippy · · Score: 2, Insightful

      Retards. Why obscure your face when you're putting your own card in the machine?

      --
      Man, you really need that seminar!
    6. Re:So what? by Anonymous Coward · · Score: 0

      Suck it up; I've got ADSL not an OC-3! If you'd like to pay for a better connection for me, feel free. If you want to mirror the files or post a torrent, go ahead. I throttle my web server so that the rest of my LAN doesn't go to hell when I get slashdotted.

    7. Re:So what? by Fnord666 · · Score: 2, Interesting

      The real fun is to change the primary phone number that it dials to get authorization to a phone sex line. The call will fail to connect to a modem and fall back to the secondary number. Transactions take longer, but they are racking up $4.99 per call on the ATM owner's line. Payback for the surcharge fee.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    8. Re:So what? by Anonymous Coward · · Score: 0

      I didn't find a link within a reasonable time. But I remember years ago that someone set up a fax in another country and made it a pay line... then asked the IRS to fax instructions to it. Of course, it was a 300 bauder and booya!

    9. Re:So what? by Anonymous Coward · · Score: 0

      Duh, that is why you use a stolen ATM card. The PIN number is no problem as you can just beat it out of the person you mugged to get the ATM card in the first place.

    10. Re:So what? by devilspgd · · Score: 1

      People are stupid?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  17. So what? by delirium+of+disorder · · Score: 2, Informative

    How many real ATMs have been exploited using this information? Manuals for common hardware are basically public information (although I'm sure the vendor retains copyright to them and could conceivably also use trade secret law to keep people from sharing proprietary information). I don't really think this is much of a threat. If you are a security researcher and want to learn more, here are two ATM manuals that I've found.
    Images scanned from a physical ATM manual
    A different manual in PDF form

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  18. Kevin Poulsen...strikes fear ? by MarkGriz · · Score: 1

    This post from last week's Google/ATM article had a direct link to the Triton manual.

    Seriously, if some Wired blogger is striking the fear in ATM manufacturers, they've grossly underestimated the magnitude of the problem.

    --
    Beauty is in the eye of the beerholder.
  19. pwned haha by Anonymous Coward · · Score: 5, Insightful

    Listen up kids, "owned", "pwned", "h4x0red", "l33t", was interesting for about 5 minutes 5 years ago, now it's over. Stop using them, it's pathetically annoying. Try using some proper English for once. For the love of shit, even Penny-Arcade makes fun of this crap, and it's a video game based web comic.

    1. Re:pwned haha by typical · · Score: 0, Troll

      Listen up kids

      Listen up, kids

      "owned", "pwned", "h4x0red", "l33t",

      "owned", "pwned", "h4x0red", and "l33t" [no comma]

      was interesting for about 5 minutes 5 years ago,

      were interesting for about five minutes five years ago;

      Stop using them, it's pathetically annoying.

      Stop using them; it's pathetically annoying.

      Try using some proper English for once.

      Yes.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    2. Re:pwned haha by Anonymous Coward · · Score: 1, Insightful

      "owned", "pwned", "h4x0red", and "l33t"
      "owned," "pwned," "h4x0red," and "l33t"

      We can all nitpick other people's English, however it is not pertinent to the subject of ATM machines.

      Oh wait. Slashdot.

    3. Re:pwned haha by Man+in+Spandex · · Score: 1

      pwned!

      oh wait...

    4. Re:pwned haha by Dr.+Zowie · · Score: 2, Insightful

      Ph33r m% l337 leetspeak 5k1||z d00d. J00 h4\/3 833N 7R0||Z0r3d. J00 h4\/3 l057. h4\/3 4 |V1c3 d@%.

    5. Re:pwned haha by Dr.+Zowie · · Score: 1

      Heh. There goes my karma. Sorry for the grave misspelling...

      h4\/3 4 /V1c3 d@%

    6. Re:pwned haha by Anonymous Coward · · Score: 0

      OK, I can see why "pwned", "h4x0red", "l33t", are annoying.

      But what is wrong with "owned?"

      AC

    7. Re:pwned haha by Anonymous Coward · · Score: 0

      Yes, it is. How did this get modded up?

      Great-grandparent comments on article, recommends not using the word "pwned", and throwing in flamebaity "Try using some proper English for once." Grandparent notes improper English in Great-grandparent's post. Parent yells at grandparent for going off topic, even though it is perfectly on topic

  20. Why does a master password even exist? by Anonymous Coward · · Score: 1

    Perhaps I'm just being dumb this morning, but why wouldn't you control diagnostic mode from a switch inside the ATM, rather than by some magical keystrokes that can be input from the keypad (preferably a switch that is automatically nudged back into the normal mode when the case is closed so that you can't accidentally leave the machine in diagnostic mode)?

  21. Not quite... by Crasoum · · Score: 1, Troll

    Weapons grade uranium has a risk of zero of carving holes in your body, unless you happen to set it off, then you have MUCH larger problems to worry about than... Holes being carved in your body, more like holes being carved in your side of the planet. WGU's radiation is mostly alpha particles which won't even penetrate your skin, let alone get to living tissue.

    http://www.umich.edu/~radinfo/introduction/lesson/properties.htm

    1. Re:Not quite... by Plutonite · · Score: 1

      But if only alpha particles are released then why does the uranium have to be stored in uber-thick containers and the people handling it have to wear all that nasty shite protecting their balls? Hollywood?

    2. Re:Not quite... by Anonymous Coward · · Score: 0

      It's because metals absorb alpha radiation and in turn give off other nastier rays. Oh, and as heavy metals go, uranium is incredibly poisonous. So in other words, it's only an issue if you have buns of steel, or lick your nuts after the uranium's been there.

    3. Re:Not quite... by WilliamSChips · · Score: 1

      Because if they don't the terrorists win

      --
      Please, for the good of Humanity, vote Obama.
    4. Re:Not quite... by Plutonite · · Score: 1

      So in other words, it's only an issue if you have buns of steel, or lick your nuts after the uranium's been there.

      Actually, it's still an issue if the uranium's just "been there". Licking your nuts afterwards is an extra feature, but having a radioactive metal rod in your underwear is not a non-issue. I hope.

    5. Re:Not quite... by terrymr · · Score: 1

      The only reason for the protective gear is to stop you from breathing in small pieces of the material - this is usually more a problem with spent fuel or if you're machining it to make a bomb.

    6. Re:Not quite... by budgenator · · Score: 1

      Of course the big problem is the inverse is also true, i.e. if the body absorbs all the radiation harmlessly in the dead skin, on the way in, the body also absorbs all the radiation very harmfully once the uranium is on the inside and the radiation is heading outside! Don't screw around with your smoke detectors either, what's true for uranium 235 is also true for americium 241, it's even fissile.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    7. Re:Not quite... by Crasoum · · Score: 1

      Actually no, since it's an alpha emitter, the radiation doesn't tend to get far enough to cause damage, the biggest risk plutonium can cause, inside or outside the body is by explosion. It's less toxic than caffeine, and your risk of getting radiation poisoning is not high unless you powder it and inhale it, and even then you'll still not die immediately. Our bodies naturally have amounts of measurable PU in them.

      Now if you get enough to make a super critical mass of the stuff, then yea, the radiation is going to be much stronger and hurt you a hell of a lot more. But overall the "effects" of the poisonous nature of PU are exaggerated. At best. There hasn't been a single person who's died of plutonium poisoning officially.

    8. Re:Not quite... by budgenator · · Score: 1

      That's why its so dangerous internally, the radiation damage is concentrated into a very small area.
      alpha has a q factor as high as 20, gamma and neutrons are approx 1; see Measuring radiation dosage.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    9. Re:Not quite... by Crasoum · · Score: 1

      Not arguing that at all, but if it's weapons-grade it's not likely to be small enough to be ingested or powdered unless you are machining it, as wiki states as well ;)

      Mm I love when I get marked as troll too, when uh... I wasn't trying. :P

  22. NCR's manuals for their ATM's are also there... by Anonymous Coward · · Score: 0

    ...I didn't read them so I don't know if they also mention the default password.
    NCR ATMs are very common in northern Europe.

  23. Probably... by Lurker2288 · · Score: 1

    ...about 80% of the people who play CS and WoW, but that's a conservative estimate.

    1. Re:Probably... by mackyrae · · Score: 1

      and every one of their friends...if they have any...well, they must because I understand it and I'm not a gamer

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
  24. Someone posted the manual here by Stonent1 · · Score: 2, Interesting

    In the last story about this, someone posted a link to the Triton manuals. I read the manual and it did have a password in it but it said to make sure you change the password before the ATM is put into production.

    1. Re:Someone posted the manual here by Talondel · · Score: 1

      Yeah, I posted the link to the Triton ATM Manual because it was the first one that came up in a search for "arm operator manual". The specific one they were talking about last week also came up, but later in the search.

  25. Someone mod parent up. by Khyber · · Score: 0

    He's got a damned good point. If we can't even make sure our ATMs are in working order, how can we be so sure about our own voting machines? I don't want to be a conspiracy theorist, but in all honesty too much of our hardware is being dictated by politics instead of progress. If we had less political movements, we would have more progress. Put religion aside and we'd probably learn a lot more than we were probably supposed to learn in such a given amount of time. No bashing against religion. I claim to be atheist but I'm a Scottish-Catholic/Jew in reality. >.>

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  26. OT: What is the tune the ATM plays and why? by paiute · · Score: 3, Funny

    My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills. It is a short tune as if played on a piccolo with a trill at the end. It has been bugging me for years. Why does the ATM need to play a tune?

    --
    If Slashdot were chemistry it would look like this:Cadaverine
    1. Re:OT: What is the tune the ATM plays and why? by jayloden · · Score: 2, Informative

      Yeah, and why does it have to have those funny bumps on the keypad, too?

      One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot.

    2. Re:OT: What is the tune the ATM plays and why? by KarmaMB84 · · Score: 3, Funny

      To let the thugs know there's money coming out so they know to beat you for it.

    3. Re:OT: What is the tune the ATM plays and why? by jam244 · · Score: 1

      You mean the "charge!" tune? It's the electric motors and related equipment that pick up, sort, stack, align, and dispense the bills. The timing just happens to sound like a little ditty.

    4. Re:OT: What is the tune the ATM plays and why? by topham · · Score: 1


      Does it always play the same tune, or does it vary depending on the amount of money dispensed?

      Perhaps they are trying to obscure the amount of money dispensed by playing something over top of the sound as it counts your bills; quickly corrupted if it plays a different tune for different amounts.

    5. Re:OT: What is the tune the ATM plays and why? by Blackhalo · · Score: 1

      "One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot."

      In a drive through?

      --
      "There is nothing to do it. But to do it." -Floyd Pepper
    6. Re:OT: What is the tune the ATM plays and why? by Jarjarthejedi · · Score: 1

      My bank's drive through has braille on the keypad...you know, for all the blind drivers. Seriously though, I don't think they manufacture special drive through ATMs, they're probably just the normal ones in a different box. (Believe it or not I had actually wondered why there was braille on the drive through, then I read this post and figured out why it made sense, then realized it was the answer to my own question)

      --
      There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
    7. Re:OT: What is the tune the ATM plays and why? by BrynM · · Score: 1
      To let the thugs know there's money coming out so they know to beat you for it.
      almost... It plays a happy tune to cheer them up so they don't beat you so badly. That's why it has the trill. It's been proven that trills put those about to commit assault into a better mood and end up just committing battery... or something
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    8. Re:OT: What is the tune the ATM plays and why? by GTMoogle · · Score: 1

      Ya know... most cars have rear seats...

    9. Re:OT: What is the tune the ATM plays and why? by jstott · · Score: 1
      My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills.

      It's the same sound that Pacman makes when you eat the power pill. Doesn't taking money out of the machine make you feel energized?

      -JS

      --
      Vanity of vanities, all is vanity...
    10. Re:OT: What is the tune the ATM plays and why? by Blackhalo · · Score: 1

      It's a joke that's almost as old as ATM's.

      --
      "There is nothing to do it. But to do it." -Floyd Pepper
    11. Re:OT: What is the tune the ATM plays and why? by danpsmith · · Score: 1
      My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills. It is a short tune as if played on a piccolo with a trill at the end. It has been bugging me for years. Why does the ATM need to play a tune?

      It's probably a default setting, just use the admin password and turn it off. And while you are at it, might as well grab some compensation for years of having to put up with the jingle.

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
  27. Great shades of Spaceballs! by Chas · · Score: 1

    Google still has the manual viewable in "View as HTML" (I know this because I was curious and took a look-see).

    When I read the default password, I damn near shit myself laughing.

    Then I remember that these are default passwords to CASH DISPENSERS, and I stopped laughing (at least for a second).

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Great shades of Spaceballs! by AK+Marc · · Score: 1

      Well, I didn't bother to look it up, but if I were guessing the passwords, I'd go 123456 then 000000 then 111111 then 999999 and repeat with lower numbers of numbers to 9999 (unless there was a hint to the length, as some take a fixed length and you can tell). So, if it was really the Spaceballs password, it should be gone on the 5th try. I've not seen any of the ATMs on a default password that would survive such a devious assault.

  28. the easy solution by jd · · Score: 5, Informative
    Banks (or any organization, venture or activity involving people) are never going to bother doing more than they have to, so simply waise the bar on what they have to do. Doesn't sound that hard to me. Simply require that on first power-up the sys-admin code MUST be different from the default, and/or requires a dongle to be plugged into a port that can only be reached inside of the machine for the sys-admin code to work (but, in having it plugged in, all other codes are disabled).


    Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHB's refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymmetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)


    The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:the easy solution by Anonymous Coward · · Score: 0
      so simply waise the bar on what they have to do.

      Shhhh...Be wery, wery quiet. I'm hunting a waskally wabbit.

    2. Re:the easy solution by Muad'Dave · · Score: 1

      simply waise the bar

      Who are you, Elmer Fudd? 8-)

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  29. These Are Textbook Examples of Dumb Design. by OmniGeek · · Score: 4, Insightful

    OK, so you have a machine full of money that will be placed out in public, where everyone and his third cousin Fingers McCrackit can play Billy Joel on the keyboard all day, using any information they can guess, beg, borrow, or steal (OK, slight exaggeration, but valid principle.)

    Now, just HOW STUPID do you need to be to make it possible in the first place to gain system access from that keyboard without at least one hardware interlock that is NOT accessible without the key to the machine? You KNOW the bad guys will try everything they can think of to fool the machine; you should ASSUME that they have every piece of info on the machine that you do. (Cryptosystems -- good ones, at least -- are designed on this assumption; indeed, they assume that the adversary has a copy of your machine and all its specifications.)

    A secure ATM thus REQUIRES that it be made completely IMPOSSIBLE to jigger the machine without physically getting inside its hardware. Password-protection just doesn't cut it for that level of security. Failure to provide this level of protection is SO stupid as to be a failure to exercise due care. And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

    Now for the scary part -- ATMs are, on average, far more secure than voting machines.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
    1. Re:These Are Textbook Examples of Dumb Design. by Anonymous Coward · · Score: 0

      "Now for the scary part -- ATMs are, on average, far more secure than voting machines."

      You got a source for that?

    2. Re:These Are Textbook Examples of Dumb Design. by theLOUDroom · · Score: 1
      And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

      So take a step back for a minute and think about why it isn't there....

      • Maybe there are banks who want to be able to minimize the number of people that need access to the ATMs innards
      • Maybe they want to make sure that the people who refill the ATMs have the door open for as little time as possible
      • Maybe the code needs to be entered BEFORE the door is opened or else an alarm will be triggered


      I do not know if any of these things are true, but I don't think it's right to point the finger at the ATM manufacturers here. What these banks were effectively doing is about the same as using a magnetic hide-a-key under the ATM.
      --
      Life is too short to proofread.
    3. Re:These Are Textbook Examples of Dumb Design. by geggo98 · · Score: 1
      Now for the scary part -- ATMs are, on average, far more secure than voting machines.
      You got a source for that?
      Yep. You need at least a password to tinker with an ATM; for a voting machine you don't need anything.
  30. Blame it on Monopoly by Megajim · · Score: 1

    Is there anyone who doesn't love the "Bank Error in Your Favor" card? Greed, yes. Ignorance, not really. There are certainly people out there who have lost enough money to ATM fees that the prospect of getting a little back wouldn't seem as "evil" as pure theft, particularly when you're skimming it from a faceless, nameless machine that is tied into a mega-giant bank. I'm not saying that bank robbing is noble or hardly justified, but a faulty ATM seems about as ignorant as my bank forcing me to cough up four bucks to withdraw $40 from an unapproved machine.

    1. Re:Blame it on Monopoly by Known+Nutter · · Score: 4, Insightful
      There are certainly people out there who have lost enough money to ATM fees that the prospect of getting a little back wouldn't seem as "evil" as pure theft...
      Sorry, but you don't lose money to ATM fees, you agree to them. Period. Much like EULAs, you probably don't recall reading the "I AGREE" text next to the button you push to get your cash.

      Theft is theft is theft is theft.
      --
      Beware of the Leopard.
    2. Re:Blame it on Monopoly by NumerusSpy · · Score: 0

      AGREE?

      Bullshit

      --
      There they are a conga line of suck holes. On the conservative side of Australian politics. - Mark Latham
    3. Re:Blame it on Monopoly by Anonymous Coward · · Score: 0

      you agree to them.

      And I get it free if the fees weren't in the contract I signed? Oh wait, that's right, this is the New Free Market, where contracts aren't even worth the toilet paper they're written on, as long as leaving shit stains makes the CEO richer than cleaning up after himself.

      These ATM fees are ridiculous. I still remember the wave of ads by companies a while back who were offering to refund other companies' fees if you used someone else's ATM. They charge fees too, now.

    4. Re:Blame it on Monopoly by Known+Nutter · · Score: 1

      Free? Do you expect the 3rd party ATM providers to operate without generating revenue? Free ATMs wherever your American Entitled Ass(tm) takes you? What type of business do you run? Care to do it for free?

      Contracts? "You get it free IF... " You're speaking of the terms of the contract which you never bothered to read. Again, much like that EULA you ignore. "If" != $terms_of_contract.

      Take your lazy butt to your own bank's ATM, or hey... walk inside, if you don't like the fees. Much like the silly DRM discussions on slashdot, if you don't like it...

      --
      Beware of the Leopard.
    5. Re:Blame it on Monopoly by tepples · · Score: 1
      Take your lazy butt to your own bank's ATM

      What should a university student do if there aren't any banks that have ATMs in both home and home-away-from-home towns?

    6. Re:Blame it on Monopoly by BVis · · Score: 0, Flamebait
      Do you expect the 3rd party ATM providers to operate without generating revenue?
      Theoretically they could generate revenue by charging the banks for providing a service to the bank's customers. What I really find offensive is when you get charged $2 to withdraw $20 at the point of "sale", and then another $2 from your bank for using someone else's ATMs. So not only does your bank get to provide fewer ATMs, they get to charge you for it! I believe the term here is "coming and going."

      Free ATMs wherever your American Entitled Ass(tm) takes you?
      The banks have my money. They make large sums of money, off my money and everyone else's. They make large sums of money off the mortgage that I took out so I could have a place to live, the loan I took out so I could drive to work so I could make MORE money to deposit in their coffers, and so forth. They punish me for not making ENOUGH money to put in their coffers with monthly fees that go away if I meet "minimum balances". I understand that they have operating expenses, and are entitled to make a profit. I would switch to a bank with better terms, but that means I have access to fewer ATMs, which means that I get charged by the other ATM owners whenever I have to use them. (It's simply not practical for me to drive 20 minutes out of my way to get to an ATM I can use for free.) The banks with the ATMs are the banks that exploit that fact to charge you the most fees. I'd go to their competition that doesn't gouge me like this... except there aren't any, what with the mergers that have taken place in the banking industry. My choices are UberMonolithFleetCitizensNorth, who charge me for thinking about writing a check because they can, or RinkyDinkLittleLocalBank who has to charge me more because they don't have the resources to compete, and has about 3 ATMs.

      Take your lazy butt to your own bank's ATM,
      See above. It's impractical for most people to go ATM hunting when they need $20. And I don't feel comfortable walking around with more than that in my pocket.

      or hey... walk inside, if you don't like the fees.
      That works if #1 your bank has a branch you can get to reasonably, and #2 that bank hasn't started charging you a fee for using a traditional teller window, as many have.

      The banks are just another example of the extremely rich making sure the working poor stay that way.
      --
      Never underestimate the power of stupid people in large groups.
    7. Re:Blame it on Monopoly by demonlapin · · Score: 1

      Open an account in both places, and transfer money as necessary? It's what I did in college a decade ago.

  31. Re:(Offtopic) Re:Pwned? by diersing · · Score: 0, Flamebait

    So is the process for a sex change and full recovery while being institutionalized for mental instability. But you're a coward so there is no telling how long you've been away is there....

  32. Why? People are dumb. by raddan · · Score: 4, Insightful

    It's been made clear throughout the last three decades that people who should know better don't change the default password. Routers, firewalls have had this problem. Various incarnations of Unix have had this problem. VMS had this problem! Yes, people should change the default password, but in the interest of security, we should make them do it on first boot. OpenBSD makes you set up a complex root password after install.

    People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.

  33. Did anyone even read this before approving it? by khrome · · Score: 2, Insightful

    If anything the headline should be "Journalist convinces managers to take support documents offline"

    Are routers next?

    Because if you want to talk security, you can reset the password and access *all customer data* on the most popular PC transaction software by deleting 1 config file. On every installed system up to current.

    *that* is the true state of security in the financial industry. Security consists of a chain of promises, where if something *does* happen, a chain of fines happens which obscures the impact from the consumer. The insidious reality is it is cheaper to prosecute fraudsters, pay off customers and grease the political, legislative wheels than to actually produce good software. And in an industry where cutting corners is status quo, those who don't can't possibly succeed.

    This is why the focus for fraud isn't getting rid of the magnetic swipe technology portfolio, but instead to augment the backend looking for statistical anomalies, and to augment the inherently insecure swipe mechanism with shoehorned technologies (like the new magnetic signature technology), which are logistically impossible to implement nation-wide, but allow the key players to retain their IP portfolios, investments and clout.

    Our system is secure as long as we keep moving our hands and no one looks under all 3 shells at once.

  34. pfff... who needs password? by partenon · · Score: 1

    pffff... Only Americans need the "master password". Some time ago, in Sao Paulo/Brazil, criminals were stealing the entire ATM (no, I'm not joking).

    --
    ilex paraguariensis for all
    1. Re:pfff... who needs password? by benicillin · · Score: 1

      hmm u must not watch cops - criminals have been stealin atm's in america for years...

      --
      "i stand on the edge of destruction" -shai hulud
    2. Re:pfff... who needs password? by partenon · · Score: 1

      Darn... For the first time, I thought Brazilians were doing something original :-(

      --
      ilex paraguariensis for all
  35. Triton ATMs by Anonymous Coward · · Score: 0

    Triton requires that in order to get support for your ATM, you must first attend a training class on them. In the training class, they always recommend you change the default password. It even says so in the book. So who makes you vulnerable? It's the people who buy the ATM and service them, not Triton.

  36. Wow by zerosix · · Score: 1

    Honestly, if you don't change the password what do you expect??? Hi, I am password please don't change me!

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. ~Albert Einstein
  37. why not just do this? by benicillin · · Score: 1

    these guys came up with much better plans than googling for passwords... just take the whole darn thing!

    --
    "i stand on the edge of destruction" -shai hulud
  38. more manuals by uufnord · · Score: 1
    Diebold Operating Guide for the Diebold 1075ix Exterior Walk-up Cash Dispenser

    lipman NURIT 5000 ATM Manual

    NURIT 6000 ATM Manual

    The NCR Personas manual is out there somewhere, too. They're just manuals -- the vendors give them away on their web sites...

  39. What happens if you install them backwards? by qyiet · · Score: 1

    In an electronics class I took we made our own PCBs. One guy put a tiny little capacitor in backwards. The result was *very* loud.

    Anyone know what happens if you plug one of these suckers in backwards?

    -Qyiet

    1. Re:What happens if you install them backwards? by qyiet · · Score: 1

      Crap... posted to the wrong story

  40. Good link but......needs updating. by tacokill · · Score: 1

    Pwned came from the word owned. That much is clear. But I have a little update to add based on my own experience. I have no idea if this theory is correct but I think it might add a little context and might explain the origins of pwned, with a "p". I can only tell you about when I first saw it.

    ...and it's not "owned with a stick" as a previous poster mentioned, which is clever - but wrong.

    I have played computer games a long time. A really long time, in fact. And the first time I remember seeing pwned with a "p", was back in the early counterstrike beta days. Yea, as in Half Life 1 - Counterstrike (beta). Like when we had the good ole days of "gun running" (stealing all your enemies' guns and "running" them back to your own base). At the time, there were really good CS players (those that had DSL) and really bad CS players (those on dial-up). Obviously, lower latency gave those with DSL a major advantage. And remember, this was the early days of FPS multiplayers so there were still hiccups and imbalances so yes - latency made a major difference. Anyway, on almost every occasion, the low-ping-bastards (LPB) would absolutely destroy the high-ping-bastard (HPBs).

    If you look at your keyboard, you will see that "o" is right next to "p", in most cases. The non-word "pwned" originally came from DSL players trying to type between kills. They just hit the wrong damn button. And then some newb (who didn't know what it meant), kept it going as he started "pwN1ng joo".

    Anyone remember seeing it earlier?

  41. OT: Seatbelts by Fëanáro · · Score: 1

    People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.

    Then tell me why I am not allowed to drive without seatbelt, yet others are still allowed to smoke, to eat fast food or to go skiing without proper training, all of which are probably a lot more deadly?

  42. Forget ATMS - What about VENDING MACHINES? by Jherek+Carnelian · · Score: 1

    I've always wondered if there were any "secret codes" left behind by the firmware developers for vending machines. I'm not up to messing with an ATM, but it sure would be cool to know how to get a free soda or candy bar the next time the damn machine eats my money.

    Anyone got a line on those kinds of "default passwords?"

    1. Re:Forget ATMS - What about VENDING MACHINES? by glesga_kiss · · Score: 1

      You need to open them up to get to some hidden switches etc. I guess ATMs have a different design as they need to be physically tougher. Adding access doors is adding weakness.

    2. Re:Forget ATMS - What about VENDING MACHINES? by BLKMGK · · Score: 1

      Umm, you've been asleep then if you think there's nothing out there for vending machines.

      There are videos on YouTube etc. explaining how to game soda machines and there are also keypad codes out there for modifying the menus to reduce prices. One of the machines even has an interesting command called changedump or somesuch. The kids who have these in their schools are having a field day with them :-)

      You need NOT be inside the machine to do these things and even if you did getting into them is often as easy as getting into the old Kryptonite locks. The "lockpick" tool for these round locks costs under $100 too if you'd like something designed for the job.

      Not my cup of tea to rob the soda stocking guy but it IS interesting to know about and it might be fun to change the "Have a Nice Day!" message to something else ;-)

      --
      Build it, Drive it, Improve it! Hybridz.org
  43. for those who don't know by sentientbrendan · · Score: 1

    Kevin Poulsen is a notorious ex hacker and phone freak, whose feats were much more impressive than most of the better known hackers. This guy is something of a legend.

    From wikipedia: http://en.wikipedia.org/wiki/Kevin_Poulsen
    "His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller, and netting him a Porsche 944 S2"

    According to the book about him he also
    1. Broke into numerous Ma Bell facilities.
    2. Hijacked and sold unused numbers to a prostitution ring.
    3. Located and listened in on various government taps on foreign embassies.
    4. Successfully snuck into the office of the officer assigned to his case to figure out if they were close to catching him.

    However these details are from the book that according to the wikipedia entry, Poulsen himself "decries." I don't know what "decries" means in terms of Poulsen's view of the book's *accuracy*, but maybe some knowledgeable slashdotter could clear things up?

    p.s. blog.wired.com isn't loading for me, so I unfortunately didn't RTFA

    1. Re:for those who don't know by Dachannien · · Score: 1

      It's fitting that Poulsen is reporting on this issue, then, because this whole "getting the key to the castle via dumpster diving" thing is remarkably similar to the way that many of the basic phone phreaking techniques were originally uncovered. Of course, the phone industry mitigated their problems by moving control communications out-of-band. The analogue would be to stop making these functions accessible via the ATM keypad. This wouldn't solve all their problems (a mandatory password change upon installation of the machine would help as well, for starters), but it sure couldn't hurt.

  44. This info has been around... by az1324 · · Score: 1

    for a while. And just for the record, all Triton ATMs I have tried in the past 4 years have not had the default password.

  45. YouTube video about the ATM attack by denebian+devil · · Score: 1
    1. Re:YouTube video about the ATM attack by ArtStone · · Score: 1

      Is it normal for a gas station / food mart surveillance camera to pan by itself following one individual as he walks across the parking lot and wanders around the store? or did CNN digitally enhance the video?

      Since the "news" story mentions that this ATM was in this condition for days (dispensing 20s for 5s to everyone) until an "honest" person told the store, how do they know this was the person who actually did something to the machine? Or that it wasn't a setup mistake made by the store operator? or a malicious act by a former employee? or an insurance scam by the store owner?

      And people in the news business wonder why people don't trust them any more.

      --
      Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
  46. Re:Why? People are dumb. by The+Cisco+Kid · · Score: 1

    FWIW, Cisco routers do NOT have this problem, at least as far as remote access. If the 'line' password for the telnet vty isn't set, it simply doesn't let you telnet in, at all. The only way to access a brand new router is with a physical serial port connection.

  47. Only In America by Z34107 · · Score: 1

    Actually, the labels are pretty unnecessary, even in American courts. Between the already existing precedents on liability and the laws that specifically govern situations like this, they do little more than let corporate lawyers sleep better at night in a land where McDonalds settled with a woman who spilled coffee on her lap.

    --
    DATABASE WOW WOW
    1. Re:Only In America by Anonymous Coward · · Score: 1, Interesting

      The McDonald's coffee case is endlessly brought up as the classic frivolous corporate lawsuit but this is unfair. The coffee was extremely hot, McDonald's had previously been advised it was too hot but kept it at the same scalding temperature anyway, it was served at a drive-thru in a flimsy cup that collapsed when you took the lid off, and she suffered serious 3rd degree burns requiring skin grafts to her legs.

      Yes she probably should have been more careful, but the court found that McDonald's had been willfully negligent of basic safety issues (in the name of profit) and as such held them partly responsible.

  48. Why condoms? by Fei_Id · · Score: 1

    who needs condoms when you're sterile? :D :P

    1. Re:Why condoms? by Fred_A · · Score: 1

      For the flavour of course ! (link may be offensive to people who don't like hevea sap byproducts).

      *ducks*

      --

      May contain traces of nut.
      Made from the freshest electrons.
  49. whats more?? by tt076860 · · Score: 1

    this is my first time i get into this website and i found it as a really good place to find an information to gain more knowledge about IT...and i can use the knowledge when i am graduate soon as IT worker... there are a lot of information that was new for me and everyday more and more latest news come in... and for this issues which the ATMs had their super-secret master codes revealed by simple Google searches...this is surprise me...make me feel unsecure and take all the money in the bank and make a manual saving at home...hahaha...very funny...

  50. PWNED?? by tt076860 · · Score: 1

    Another ATM Maker Pwned by Googling... What is PWNED??really need an oxford right now...perhaps more than that...

    1. Re:PWNED?? by sconest · · Score: 1

      Well, this is Slashdot. Abandon all hope of 100% correct grammar and spelling :)

      Pwn

      --
      Guvf vf abg n EBG zrffntr
    2. Re:PWNED?? by tt076860 · · Score: 1

      does that answer my question??

    3. Re:PWNED?? by nerdy808 · · Score: 1

      i read some article said that pwned is owned which you change the p with the o...does it make any sense??

    4. Re:PWNED?? by tt076860 · · Score: 1

      pwned means owned??..does it make any sense for you??

  51. Re:Why? People are dumb. by Anonymous Coward · · Score: 0

    We have seatbelt laws because the insurance industry lobbies for it. It has nothing to do with heartfelt worry for your welfare (as long as you're well) or rationality as you call it, but then again where is the rationality of spending $Billions on risks that are tantamount to winning a lottery. They are legislating morality in a perverted self-serving way and even if everyone was wearing their seatbelts like a good-luck charm, those laws would still be in the lawbooks. It's as if making people less responsible for their choices will somehow make them more so. Like spoonfeeding someone today will make them less hungry tomorrow. And that's exactly what you are describing.

  52. security through obscurity by davros-too · · Score: 1
    If anything the headline should be "Journalist convinces managers to take support documents offline"

    hmmm... yes. I guess this is security through obscurity http://en.wikipedia.org/wiki/Security_through_obscurity and as has been shown time and again, it doesn't work.
    --
    In theory, there's no difference between theory and practice; in practice there is.
  53. ORLY? by Sage+Gaspar · · Score: 1

    NO WAI!

  54. It's natural attraction, by budgenator · · Score: 1

    Women are just naturally driven to get in your pants, I can't figure it out. I wear a pair of bluejeans out to the restaurant and set them aside, I mean I'm going to mow the grass, clean the garage and put out the trash later the next day so why should I wear a clean/clean pair of jeans when I have a perfect pair of worn/clean blue-jeans to get dirty/dirty! So what happens, the natural instinct takes over, she senses the worn/clean pants on the floor (Temporary storage) picks them up, takes out all of the money in them, leaves the wallet and puts the pants I was saving for yard-work tomorrow in the dirty clothes hamper! After that she's angry with me for making her steal the money out of my pockets and leaving my "dirty" pants on the floor for the rest of the day so I don't even get laid that night! She wouldn't even touch my dirty/dirty stuff, makes me wash it myself; not in "her" machine either, I have to take it to the laundromat and she wouldn't even give me my own change back to do it with!

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  55. Never Been Secure by Anonymous Coward · · Score: 0

    I worked for a small ATM manufacturer/distributor for nearly a year and I'll tell you that ATM security has gotten a lot better (this was 6 months ago so I'd say '05 was the year of change) with encryption changes and more importantly the requirement of BACKGROUND checks on people who purchase ATMs. These little passwords and such are not very important, I have plenty of master passwords to ATMs all around the city and I'll tell that while it is possible to steal money it is NOT easy and does require hardware/programming knowledge that even I can barely handle and I wrote software for these machines. It is very easy to trace information on these atm's and rarely is this an exception.

    As a user of an atm all you have to fear is protecting your credit card number and your PIN. Watch for cameras and installed card readers. Past that if the keypad looks tampered you do not want to touch the machine, the latest VISA requirements hold keypads to VERY high standards but only on NEW ATMs. Past that... there are lots of other ways to steal from atms... I'll tell you that there isn't too much to fear though as the people at the manufacturing level (me) are usually not interested in or capable of such complicated thefts. More likely the ATM will get yanked out of the wall, there will be a camera and a tampered machine to get your PIN, or something similar. But once again tampering with keypads is getting VERY difficult and has been impossible on Tritons for some time (German (if I recall correctly) made keypads which are VERY nice). These things are MUCH more secure than voting machines in that without your PIN no one can reach your money.

  56. It may have already been pointed out but... by Elbowgeek · · Score: 1

    Equally important is the password complexity. Windows Server 2003 prompts for a password at installation and insists on a certain level of complexity, although you have the option of entering password of lower complexity, which is guaranteeing that a lazy or overworked admin will enter 'password' and tell himself he'll get back and enter a more complex one when he has time. And inevitably never does.

    But an ATM or similar machine should enforce a password complexity level, and even provide a password generator with appropriate precautions and dialogs warning that if that password is lost then it will be *hell* to reset it.

    Simple stuff.

    --
    Who is this delectable creature with an insatiable love of the dead?
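
Several comments above propose the same handful of controls: jd's mandatory change of the default code on first power-up, OmniGeek's hardware interlock that can only be reached inside the cabinet, and Elbowgeek's enforced complexity. The following sketch combines them in one gate; it is an added illustration, not part of any comment and not any vendor's firmware, and the names `OperatorGate`, `weak_reason`, `surviving_guesses` and the placeholder default code are assumptions.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "123456"   # constructed placeholder, not any vendor's real code
MAX_FAILURES = 3             # assumed lockout threshold


def weak_reason(code, factory_default=FACTORY_DEFAULT, min_len=6):
    """Return why a proposed operator code is rejected, or None if acceptable."""
    if not (code.isascii() and code.isdigit()) or len(code) < min_len:
        return "too short or not numeric"
    if code == factory_default:
        return "factory default"
    # Step between neighbouring digits, modulo 10: one constant step of 0 means
    # a repeated digit (000000); a constant step of +1 or -1 means a run (654321).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps == {0}:
        return "single repeated digit"
    if steps in ({1}, {9}):
        return "sequential run"
    return None


def surviving_guesses(guesses):
    """Codes from a guess list that the policy would still accept as a new code."""
    return [g for g in guesses if weak_reason(g) is None]


class OperatorGate:
    """Admin-menu gate: unusable until provisioned, and only with the interlock."""

    def __init__(self, factory_default=FACTORY_DEFAULT):
        self._default = factory_default
        self._salt = None
        self._hash = None        # stays None until a non-default code is set
        self.failures = 0

    @property
    def provisioned(self):
        return self._hash is not None

    def _digest(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def provision(self, default_code, new_code, interlock_engaged):
        """First power-up: the default code can do nothing except be replaced."""
        if self.provisioned:
            return "DENY_ALREADY_PROVISIONED"
        if not interlock_engaged:
            return "DENY_INTERLOCK"
        if not hmac.compare_digest(default_code.encode(), self._default.encode()):
            return "DENY_BAD_CODE"
        reason = weak_reason(new_code, self._default)
        if reason:
            return "REJECT_WEAK: " + reason
        self._salt = os.urandom(16)
        self._hash = self._digest(new_code)
        return "PROVISIONED"

    def enter_admin(self, code, interlock_engaged):
        # Interlock first: input from the public keypad is never compared with
        # the stored code, so it reveals nothing and cannot trigger the lockout.
        if not interlock_engaged:
            return "DENY_INTERLOCK"
        if not self.provisioned:
            return "DENY_NOT_PROVISIONED"
        if self.failures >= MAX_FAILURES:
            return "DENY_LOCKED"   # clearing the lockout is out of scope here
        if hmac.compare_digest(self._digest(code), self._hash):
            self.failures = 0
            return "GRANTED"
        self.failures += 1
        return "DENY_BAD_CODE"


if __name__ == "__main__":
    gate = OperatorGate()
    print(gate.enter_admin(FACTORY_DEFAULT, True))          # default never opens the menu
    print(gate.provision(FACTORY_DEFAULT, "111111", True))  # weak replacement refused
    print(gate.provision(FACTORY_DEFAULT, "740293", True))  # constructed sample code
    print(gate.enter_admin("740293", False))                # right code, no interlock
    print(gate.enter_admin("740293", True))
```

The guess order AK Marc lists earlier in the thread (123456, 000000, 111111, 999999, then shorter codes) is exactly what `weak_reason` refuses as a replacement code.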
  57. world will be saved by google... by K-074512 · · Score: 1

    No 1 search engine already proved that they manage to find anything for their user...hehe...like it or not..agree or not...just google it lah..

  58. banks, clients or google .. by K-074512 · · Score: 1

    Banks should be more aware if they want to publish or to give any data to others. This thing might happen unintentionally but it definitely scared the clients. But, banks are not the only side to blame, because they can't monitor their entire client all the time. Plus, something is more secured if we do it in a traditional way. I'm not saying that technology is not good enough but the more security we implement, the more people trying to crack them out. Take the online voting as an example. We should not blame google as well. Google is just doing its job by providing the requested information to the users.

    Lastly, all I want to say is, long live Google.. Google rocks... Y(*_*)Y

  59. how??!?? by K-074512 · · Score: 1

    can somebody tell me how to get score more than one??
    i ain't losing my money..but i'm gonna lose my mind... thinking about how can i get more score in slashdot..

  60. banks, clients or google .. by K-074512 · · Score: 1

    Banks should be more aware if they want to publish or to give any data to others. This thing might happen unintentionally but it definitely scared the clients. But, banks are not the only side to blame, because they can't monitor their entire client all the time. Plus, something is more secured if we do it in a traditional way. I'm not saying that technology is not good enough but the more security we implement, the more people trying to crack them out. Take the online voting as an example. We should not blame google as well. Google is just doing its job by providing the requested information to the users. Lastly, all I want to say is, long live Google.. Google rocks... Y(*_*)Y

  61. Diebold by Fallen+Mongoose · · Score: 1

    Actually Diebold ATMs need to be physically opened (in some cases opening a combination lock with a constantly changing combination) and then require two passwords (one to disable the alarm and one to login) to access any admin controls. These appear to be the low end models of the ATM world that have this blatant flaw.

  62. Re: Fingers McCrackit! by TaoPhoenix · · Score: 1

    Is Fingers McCrackit a Free Open Source character, so I can write stories of his continuing adventures terrorizing ATM vendors everywhere?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  63. atm by lisa+parker · · Score: 1

    this situation makes me always think about money every day, every time, every second and maybe one day i cannot sleep. think about money that i always carry in my bag and make me see the doctor coz of backpain...maybe scary of atm.... but no matter what, atm is still atm but now in danger version. "u know what, sometimes i think to create my own atm to be put in my house in the future"

  64. It's whom! by WilliamSChips · · Score: 1

    Samantha Carter: Actually, it's what.

    --
    Please, for the good of Humanity, vote Obama.
  65. impossible is nothing! by FlipSyde+IT072186 · · Score: 1

    oh well on the internet nothing is impossible!

  66. insecure by tt074286 · · Score: 1

    Ever since the world revolution, technology has been changing at a fast pace. technology more updated and bring good consequences to human but sometimes technology also bring negative effects to society and this is the effect from the technology itself. :easily to be pawned oh my god really feel insecure now.

  67. Air Shield by grilled-cheese · · Score: 0

    So I just noticed that the "Master Code" is equal to the password for the Air Shield. On a lesser note, I need to remember to change my luggage combination now.