Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Googling for ATM Master Passwords

Posted by Zonk on Thu Sep 21, 2006 03:31 PM
from the that-should-probably-not-be-online dept.
Security The Almighty Buck The Internet Technology
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
+ -
story

Related Stories

[+] Another ATM Maker Pwned by Googling 252 comments
bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."
[+] Slashback: ITunes, Debian, ATMs 122 comments
Slashback tonight brings some clarifications and updates to previous Slashdot stories, including: iTunes 7.0, Wal-Mart threatens studios over iTunes sales, debate over a proposal to fund Debian, and Googling for ATM master passwords. Read on for details.
Offsite: Wired Coverage
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Googling for ATM Master Passwords 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Giddy-up! (Score:5, Funny)

    by Logiksan (947439) on Thursday September 21 2006, @03:33PM (#16156056)
    *runs off to Google and YouTube as fast as his little fingers will take him*

  • Trivial search - and the password is.... (Score:4, Funny)

    by rblum (211213) on Thursday September 21 2006, @03:36PM (#16156084)

    12345

    Oh wait. That's my ATM PIN.

  • Casino (Score:5, Informative)

    by Enderandrew (866215) <enderandrew&gmail,com> on Thursday September 21 2006, @03:37PM (#16156103) Homepage Journal
    I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

    I couldn't believe it.

    • Re:Casino (Score:5, Insightful)

      by TopShelf (92521) on Thursday September 21 2006, @03:57PM (#16156296) Homepage Journal
      That's a perfect illustration of how technological devices are only a small part of security. Having solid policies that are actually followed means every bit as much, if not more. From TFA:

      "This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

      All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...

      • Re:Casino (Score:4, Interesting)

        by Enderandrew (866215) <enderandrew&gmail,com> on Thursday September 21 2006, @03:54PM (#16156263) Homepage Journal
        Very true. The only inch of that casino not covered by cameras was the IT offices. Survailence wasn't allowed to look over my shoulder, because they could see passwords and sensitive data that way. We had cops, investigators and state regulators on property.

        Casinos prosecute is you steal $5 from them.

  • Aha! (Score:5, Funny)

    by The Grey Clone (770110) on Thursday September 21 2006, @03:37PM (#16156104) Homepage
    We've finally found that mysterious step 2!

  • We're rich!! We're rich!!! (Score:5, Funny)

    by queenb**ch (446380) on Thursday September 21 2006, @03:38PM (#16156114) Homepage Journal
    Phhhtttt!!!

    That's to all of you who made fun of us geeks!

    *Rude Hand Gesture*

    That's for every bully who ever shoved someone into a locker during PE.

    Due to our superior ability to manipulate poorly secured cash dispensing devices, we shall now rule the world!

    First the treasury...then the military. World domination cannot be far behind.

    2 cents,

    QueenB

  • Nine Days.... (Score:5, Funny)

    by Mr.Scamp (974300) on Thursday September 21 2006, @03:39PM (#16156128)
    The machine gave $20's for $5's for NINE days after it was reprogrammed before someone commented on it. God Bless America.

  • WOW (Score:5, Informative)

    by Anon-Admin (443764) on Thursday September 21 2006, @03:41PM (#16156153) Journal
    Wow that is cool, it was a quick search and I found it!

    It says that to enter the management screen you hold the key and press one. Then the default UID is 00 and the default password is 12345 so you should enter 0012345 into the prompt.

    I am off to the ATM down stairs. I could use a little extra cash.

  • "Gawd, Idiots!" (Score:5, Insightful)

    by patrixmyth (167599) on Thursday September 21 2006, @03:45PM (#16156182)
    Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.

  • there's enough clues in the article..... (Score:5, Informative)

    by nblender (741424) on Thursday September 21 2006, @03:52PM (#16156244)
    For this one you have to carefully RTFA. You actually have to do it. Not just pretend. A simple google search, plus some whois sleuthing to confirm you have the right one, will turn up a company that currently has it's "support.html" disabled (404), but the wayback machine has an old (2005) copy of "support.htm" which has a list of error codes, FAQ, etc, for the machine in question. It's not too much of a stretch to believe that someone put the manual up for download at some point.

    No, I don't have the manual. I don't really care either, it was an interesting academic exercise.

  • ATM Industry Association warned them. (Score:5, Interesting)

    by gurps_npc (621217) on Thursday September 21 2006, @04:49PM (#16156726)
    Back in Feb 2005, the ATM Industry Association released a memo or press announcement, found here:

    http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22 [gasa-cognito.com]

    It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.

    Frankly, I have zero sympathy for the bank that lost cash.

    And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?

    Either report it, or get yourself an untraceable card and return.

    • Re:The default password is... (Score:5, Informative)

      by Talondel (693866) on Thursday September 21 2006, @03:39PM (#16156132)
      Close. Actually it apears that it's 001234. http://www.tritonatm.com/en/service/manuals/07103- 00013C%20(FT5KUsrMan(3.0))file.pdf [tritonatm.com]

      • Re:The default password is... (Score:5, Funny)

        by jenkin sear (28765) * on Thursday September 21 2006, @03:45PM (#16156184) Homepage Journal
        I thought it was up, up, down, down, left, right, left, right, B, A, Start ...

        • Re:The default password is... (Score:5, Insightful)

          by CastrTroy (595695) on Thursday September 21 2006, @04:13PM (#16156447) Homepage
          However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM.

          • Ready-Set -Go (Score:5, Funny)

            by Analogy Man (601298) on Thursday September 21 2006, @04:41PM (#16156673)
            However, should voting machines even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram a voting machine by walking up to it and typing in any code, regardless of whether it's the default password or not, then the voting machine security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on a voting machine.

            Which one gets fixed first!

        • Re:The default password is... (Score:5, Insightful)

          by Tumbleweed (3706) * on Thursday September 21 2006, @05:27PM (#16157038) Homepage
          But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw.

          I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.