Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another ATM Maker Pwned by Googling

Posted by ryuzaki0 on from the press-here-to-accept-fee-and-continue dept.

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

15 of 252 comments (clear)

  1. What?!!? by LordPhantom · · Score: 4, Insightful

    Ok, so people have been hacking pr0n sites, coke machines, etc, for years, but with a bit of warning ATM companies can't manage to practice a bit of security?

    Even if it IS stupid user error, then BANKS can't get their act together?!?!

    This just makes me feel all warm and fuzzy about Diebold, etc.

  2. "Pwned", indeed by Otter · · Score: 4, Insightful
    -1, Submitter Doesn't Understand What He Read

    Bottom line, this is a perfectly routine default password issue. Blame your bank.

    --
    What I'm listening to now on Pandora...
    1. Re:"Pwned", indeed by 8127972 · · Score: 2, Insightful

      "Bottom line, this is a perfectly routine default password issue. Blame your bank."

      Not exactly. First blame the person who installed it first as s/he left the defaut passord in the first place. Then blame the bank for not ensuring that the installer did their job correctly.

      --
      This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    2. Re:"Pwned", indeed by MikeBabcock · · Score: 2, Insightful

      It would still be a problem -- just like Windows XP requiring a username before completing the installation is a problem in other circumstances.

      Believe it or not, the "user" is not always the one setting up the machine in question. The default (or "a" default password) needs to be configured and told to the user reliably. Now you do that with a dozen new ATMs to a bank and see how pissed they get at you or how fast someone writes the password on a sticky note.

      Yes, they need to do better security if they're using the default password.

      Yes, the person who set the machine to "active" with real cash in it before changing the default password should be fired.

      --
      - Michael T. Babcock (Yes, I blog)
  3. Why do dumb stories like these get accepted? by gd23ka · · Score: 5, Insightful

    A default password that is MEANT to be CHANGED ASAP is not supersecret. It's in the fucking
    manual and even if the manual is not on the web then you can probably order one from the
    manufacturer and they wont make sure you even purchased the ATM to go with it.

    The real news is that the people who set ATMs up and operate them are as dumb as dog shit.

    UUuuuuh secret password! Uuuuuuh!

    1. Re:Why do dumb stories like these get accepted? by CastrTroy · · Score: 3, Insightful

      I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users and either A) Not allow the machine to function until the default password was changed, or B) Don't have default password, but instead have a physical lock with a physical key (hopefully one that can't be opened by a vending machine key) that must be used in order to reprogram the machine. We all called MS Stupid for not requiring SQL Server to have a password, and having a blank default password, why not blame the people who make these ATMs.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. pwned haha by Anonymous Coward · · Score: 5, Insightful

    Listen up kids, "owned", "pwned", "h4x0red", "l33t", was interesting for about 5 minutes 5 years ago, now it's over. Stop using them, it's pathetically annoying. Try using some proper English for once. For the love of shit, even Penny-Arcade makes fun of this crap, and it's a video game based web comic.

    1. Re:pwned haha by Anonymous Coward · · Score: 1, Insightful

      "owned", "pwned", "h4x0red", and "l33t"
      "owned," "pwned," "h4x0red," and "l33t"

      We can all nitpick other people's english, however it is not pertinent to the subject of ATM machines.

      Oh wait. Slashdot.

    2. Re:pwned haha by Dr.+Zowie · · Score: 2, Insightful

      Ph33r m% l337 leetspeak 5k1||z d00d. J00 h4\/3 833N 7R0||Z0r3d. J00 h4\/3 l057. h4\/3 4 |V1c3 d@%.

  5. Re:Lipman ATM's by lakeland · · Score: 2, Insightful

    Only in America. Other countries base the legal system around common-sense so stupid people just get what they deserve.

  6. These Are Textbook Examples of Dumb Design. by OmniGeek · · Score: 4, Insightful

    OK, so you have a machine full of money that will be placed out in public, where everyone and his third cousin Fingers McCrackit can play Billy Joel on the keyboard all day, using any information they can guess, beg, borrow, or steal (OK, slight exaggeration, but valid principle.)

    Now, just HOW STUPID do you need to be to make it possible in the first place to gain system access from that keyboard without at least one hardware interlock that is NOT accessible without the key to the machine? You KNOW the bad guys will try everything they can think of to fool the machine; you should ASSUME that they have every piece of info on the machine that you do. (Cryptosystems -- good ones, at least -- are designed on this assumption; indeed, they assume that the adversary has a copy of your machine and all its specifications.)

    A secure ATM thus REQUIRES that it be made completely IMPOSSIBLE to jigger the machine without physically getting inside its hardware. Password-protection just doesn't cut it for that level of security. Failure to provide this level of protection is SO stupid as to be a failure to exercise due care. And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

    Now for the scary part -- ATMs are, on average, far more secure than voting machines.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  7. Why? People are dumb. by raddan · · Score: 4, Insightful

    It's been made clear throughout the last three decades that people who should know better don't change the default password. Routers, firewalls have had this problem. Various incarnations of Unix have had this problem. VMS had this problem! Yes, people should change the default password, but in the interest of security, we should make them do it on first boot. OpenBSD makes you set up a complex root password after install.

    People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.

  8. Did anyone even read this before approving it? by khrome · · Score: 2, Insightful

    If anything the headline should be "Journalist convinces managers to take support documents offline"

    Are routers next?

    Because if you want to talk security, you can reset the password and access *all customer data* on the most popular PC transaction software by deleting 1 config file. On every installed system up to current.

    *that* is the true state of security in the finacial industry. Security consists of a chain of promises, where if something *does* happen, a chain of fines happens which obscures the impact from the consumer. The insidious reality is it is cheaper to prosecute fraudsters, pay off customers and grease the political, legislative wheels than to actually produce good software. And in an industry where cutting corners is status quo, those who don't can't possibly succeed.

    This is why the focus for fraud isn't getting rid of the magnetic swipe technology portfolio, but instead to augment the backend looking for statistical anomolies, and to augment the inherently insecure swipe mechanism with shoehorned technologies (like the new magnetic signature technology), which are logistically impossible to implement nation-wide, but allow the key players to retain thier IP portfolios, investments and clout.

    Our system is secure as long as we keep moving our hands and no one looks under all 3 shells at once.

  9. Re:So what? by LunaticTippy · · Score: 2, Insightful

    Retards. Why obscure your face when you're putting your own card in the machine?

    --
    Man, you really need that seminar!
  10. Re:Blame it on Monopoly by Known+Nutter · · Score: 4, Insightful
    There are certainly people out there who have lost enough money to ATM fees that the prospect of getting a little back wouldn't seem as "evil" as pure theft...
    Sorry, but you don't lose money to ATM fees, you agree to them. Period. Much like EULAs, you probably don't recall reading the "I AGREE" text next to the button you push to get your cash.

    Theft is theft is theft is theft.
    --
    Beware of the Leopard.