Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another ATM Maker Pwned by Googling

Posted by ryuzaki0 on from the press-here-to-accept-fee-and-continue dept.

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

9 of 252 comments (clear)

  1. Re:What?!!? by gurps_npc · · Score: 4, Informative
    It's not 'a little warning'.

    It's repeated, frequent warnings from the manufacturers and industry associations for several years.

    Now finally it hit the news media.

    You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.

    --
    excitingthingstodo.blogspot.com
  2. Lipman ATM's by detritus. · · Score: 5, Informative

    Lipman's Nurit ATM manuals are also available to the public on their website, which also contain the default passwords accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.

  3. they didn't remove all the docs by thedrunkensailor · · Score: 2, Informative

    there's another doc up there exposing the defualt master password at http://www.tritonatm.com/en/service/technical_bull etins/05-48.pdf i emailed them about it so it might come down

    --
    i support the right to offend.
  4. Re:"pwned"? by mark-t · · Score: 3, Informative

    Wikipedia's entry is reasonably spot on.

    --
    File under 'M' for 'Manic ranting'
  5. So what? by delirium+of+disorder · · Score: 2, Informative

    How many real ATMs have been exploited using this information? Manuals for common hardware are basically public information (although I'm sure the vendor retains copyright to them and could conceivably also use trade secret law to keep people from sharing proprietary information). I don't really think this is much of a threat. If you are a security researcher and want to learn more, here are two ATM manuals that I've found.
    Images scanned from a physical ATM manual
    A different manual in PDF form

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  6. Re:"Pwned", indeed by QuantumFTL · · Score: 3, Informative

    Bottom line, this is a perfectly routine default password issue. Blame your bank.

    The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

  7. Re:OT: What is the tune the ATM plays and why? by jayloden · · Score: 2, Informative

    Yeah, and why does it have to have those funny bumps on the keypad, too?

    One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot.

  8. the easy solution by jd · · Score: 5, Informative
    Banks (or any organization, venture or activity involving people) are never going to bother doing more than they have to, so simply waise the bar on what they have to do. Doesn't sound that hard to me. Simply require that on first power-up the sys-admin code MUST be different from the default, and/or requires a dongle to be plugged into a port that can only be reached inside of the machine for the sys-admin code to work (but, in having it plugged in, all other codes are disabled).


    Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHB's refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)


    The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Re:"pwned"? by HolyCause · · Score: 2, Informative

    Actually, "pwned" is a (usually on purpose) typo of "owned", since on a standard QWERTY keyboard, P and O are beside each other.

    I believe that this originated with WarCraft. In multiplayer, a typo for "own" was made: "playerX pwns playerY" or something similar (not sure on this myself, as I've never played WarCraft - it's just what I've heard). Of course, it could have originated as a common typo, but that's an interesting story behind it =)

    --
    Visit http://theshrine.ca/ at irregular intervals and you might see something interesting.