Another ATM Maker Pwned by Googling
bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."
Lipman's Nurit ATM manuals are also available to the public on their website, and they also contain the default passwords for accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.
!7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"
Yeah, but just think about it for a second. You've finally made the underpants gnome's business model make sense.
What if the Hokey Pokey really is what it's all about?
A default password that is MEANT to be CHANGED ASAP is not supersecret. It's in the fucking manual and even if the manual is not on the web then you can probably order one from the manufacturer and they won't make sure you even purchased the ATM to go with it.
The real news is that the people who set ATMs up and operate them are as dumb as dog shit.
UUuuuuh secret password! Uuuuuuh!
Who do I have to murder to remove "pwn" from the common technobabble lexicon?
I'll do it... Seriously...
Scary, I didn't need to make any effort to understand that.
Listen up kids, "owned", "pwned", "h4x0red", "l33t", were interesting for about 5 minutes 5 years ago, now it's over. Stop using them, it's pathetically annoying. Try using some proper English for once. For the love of shit, even Penny-Arcade makes fun of this crap, and it's a video game based web comic.
Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHBs refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymmetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)
The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)