Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another ATM Maker Pwned by Googling

Posted by ryuzaki0 on from the press-here-to-accept-fee-and-continue dept.

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

27 of 252 comments (clear)

  1. This is why... by Kenja · · Score: 4, Funny

    This is why I keep all my money in gold bullion strapped into my underwear. Of course that makes my pants weigh too much to move around in, but I wasn't realy going anyplace any how.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:This is why... by Aqua_boy17 · · Score: 5, Funny

      Yeah, but just think about it for a secons. You've finally made the underpants gnome's business model make sense.

      --
      What if the Hokey Pokey really is what it's all about?
    2. Re:This is why... by FuzzyDaddy · · Score: 3, Funny

      Hey, I had the weight problem too, so I switched to enriched uranium. It's a lot more valuable pound for pound, so it doesn't weigh me down so much.

      --
      It's not wasting time, I'm educating myself.
  2. What?!!? by LordPhantom · · Score: 4, Insightful

    Ok, so people have been hacking pr0n sites, coke machines, etc, for years, but with a bit of warning ATM companies can't manage to practice a bit of security?

    Even if it IS stupid user error, then BANKS can't get their act together?!?!

    This just makes me feel all warm and fuzzy about Diebold, etc.

    1. Re:What?!!? by gurps_npc · · Score: 4, Informative
      It's not 'a little warning'.

      It's repeated, frequent warnings from the manufacturers and industry associations for several years.

      Now finally it hit the news media.

      You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.

      --
      excitingthingstodo.blogspot.com
    2. Re:What?!!? by shawn(at)fsu · · Score: 4, Funny

      Even if it IS a stupid BANK error, why do people feel the need to take advantage of it?!?!
      You must be new here, and by here I mean humanity.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
  3. "Pwned", indeed by Otter · · Score: 4, Insightful
    -1, Submitter Doesn't Understand What He Read

    Bottom line, this is a perfectly routine default password issue. Blame your bank.

    --
    What I'm listening to now on Pandora...
    1. Re:"Pwned", indeed by QuantumFTL · · Score: 3, Informative

      Bottom line, this is a perfectly routine default password issue. Blame your bank.

      The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

  4. "pwned"? by IHSW · · Score: 3, Funny

    What is "pwned"?

    1. Re:"pwned"? by Apocalypse111 · · Score: 4, Funny

      When you have totally humiliated and/or beaten someone, you have "owned" them. A "p" is just an "o" with a stick on it, so "pwned", in my mind, is "owned with a stick".

      --
      There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
    2. Re:"pwned"? by tupshin · · Score: 5, Funny

      !7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

    3. Re:"pwned"? by mark-t · · Score: 3, Informative

      Wikipedia's entry is reasonably spot on.

      --
      File under 'M' for 'Manic ranting'
    4. Re:"pwned"? by vadim_t · · Score: 5, Funny

      Scary, I didn't need to make any effort to understand that.

    5. Re:"pwned"? by Anonymous Coward · · Score: 4, Funny
      !7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

      vadim_t (324782) writes:
      Scary, I didn't need to make any effort to understand that.

      God, I really hate perl.
      Since you seem to know, what does that script actually do? :)
  5. Predicted response by aafiske · · Score: 4, Funny

    Probable solution? Sue google.

    I wish this was a joke.

  6. Lipman ATM's by detritus. · · Score: 5, Informative

    Lipman's Nurit ATM manuals are also available to the public on their website, which also contain the default passwords accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.

  7. Why do dumb stories like these get accepted? by gd23ka · · Score: 5, Insightful

    A default password that is MEANT to be CHANGED ASAP is not supersecret. It's in the fucking
    manual and even if the manual is not on the web then you can probably order one from the
    manufacturer and they wont make sure you even purchased the ATM to go with it.

    The real news is that the people who set ATMs up and operate them are as dumb as dog shit.

    UUuuuuh secret password! Uuuuuuh!

    1. Re:Why do dumb stories like these get accepted? by CastrTroy · · Score: 3, Insightful

      I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users and either A) Not allow the machine to function until the default password was changed, or B) Don't have default password, but instead have a physical lock with a physical key (hopefully one that can't be opened by a vending machine key) that must be used in order to reprogram the machine. We all called MS Stupid for not requiring SQL Server to have a password, and having a blank default password, why not blame the people who make these ATMs.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. pwnage sux by Anonymous Coward · · Score: 5, Funny

    Who do I have to murder to remove "pwn" from the common technobabble lexicon?

    I'll do it... Seriously...

  9. I don't get it... by Yonzie · · Score: 3, Funny

    Obviously, people don't have the brain capacity to be serious about security.
    What should we do?
    It's simple: Shut down the internet.
    No more easily-guessed passwords or dissemination of information on how to break into stuff.
    No child porn proliferation and no worries about your 9yr old girl chatting with 45yr olds.
    An extreme decline in virii and similar stuff for everyone's favorite OS.

    In total? Awesomeness :D

  10. pwned haha by Anonymous Coward · · Score: 5, Insightful

    Listen up kids, "owned", "pwned", "h4x0red", "l33t", was interesting for about 5 minutes 5 years ago, now it's over. Stop using them, it's pathetically annoying. Try using some proper English for once. For the love of shit, even Penny-Arcade makes fun of this crap, and it's a video game based web comic.

  11. OT: What is the tune the ATM plays and why? by paiute · · Score: 3, Funny

    My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills. It is a short tune as if played on a piccolo with a trill at the end. It has been bugging me for years. Why does the ATM need to play a tune?

    --
    If Slashdot were chemistry it would look like this:Cadaverine
    1. Re:OT: What is the tune the ATM plays and why? by KarmaMB84 · · Score: 3, Funny

      To let the thugs know there's money coming out so they know to beat you for it.

  12. the easy solution by jd · · Score: 5, Informative
    Banks (or any organization, venture or activity involving people) are never going to bother doing more than they have to, so simply waise the bar on what they have to do. Doesn't sound that hard to me. Simply require that on first power-up the sys-admin code MUST be different from the default, and/or requires a dongle to be plugged into a port that can only be reached inside of the machine for the sys-admin code to work (but, in having it plugged in, all other codes are disabled).


    Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHB's refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)


    The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. These Are Textbook Examples of Dumb Design. by OmniGeek · · Score: 4, Insightful

    OK, so you have a machine full of money that will be placed out in public, where everyone and his third cousin Fingers McCrackit can play Billy Joel on the keyboard all day, using any information they can guess, beg, borrow, or steal (OK, slight exaggeration, but valid principle.)

    Now, just HOW STUPID do you need to be to make it possible in the first place to gain system access from that keyboard without at least one hardware interlock that is NOT accessible without the key to the machine? You KNOW the bad guys will try everything they can think of to fool the machine; you should ASSUME that they have every piece of info on the machine that you do. (Cryptosystems -- good ones, at least -- are designed on this assumption; indeed, they assume that the adversary has a copy of your machine and all its specifications.)

    A secure ATM thus REQUIRES that it be made completely IMPOSSIBLE to jigger the machine without physically getting inside its hardware. Password-protection just doesn't cut it for that level of security. Failure to provide this level of protection is SO stupid as to be a failure to exercise due care. And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

    Now for the scary part -- ATMs are, on average, far more secure than voting machines.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  14. Why? People are dumb. by raddan · · Score: 4, Insightful

    It's been made clear throughout the last three decades that people who should know better don't change the default password. Routers, firewalls have had this problem. Various incarnations of Unix have had this problem. VMS had this problem! Yes, people should change the default password, but in the interest of security, we should make them do it on first boot. OpenBSD makes you set up a complex root password after install.

    People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.

  15. Re:Blame it on Monopoly by Known+Nutter · · Score: 4, Insightful
    There are certainly people out there who have lost enough money to ATM fees that the prospect of getting a little back wouldn't seem as "evil" as pure theft...
    Sorry, but you don't lose money to ATM fees, you agree to them. Period. Much like EULAs, you probably don't recall reading the "I AGREE" text next to the button you push to get your cash.

    Theft is theft is theft is theft.
    --
    Beware of the Leopard.