Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Googling for ATM Master Passwords 356

Posted by Zonk
from the that-should-probably-not-be-online dept.
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
This discussion has been archived. No new comments can be posted.

Googling for ATM Master Passwords

Comments Filter:
  • Google query (Score:3, Insightful)

    by szembek (948327) on Thursday September 21, 2006 @02:40PM (#16156134) Homepage
    So what was his "simple Google query"?
  • "Gawd, Idiots!" (Score:5, Insightful)

    by patrixmyth (167599) on Thursday September 21, 2006 @02:45PM (#16156182)
    Here I was thinking that the problems with voting machines had to be intentional, since ATM's were so much better secured. Now that I find out that a keystroke combination on the interface of an ATM will bring up a GUI to reprogram the machine, protected only by a default password, I can rest assured that the world is not as shrouded in conspiracy as I feared. It's just full of very very very (very very very very very) stupid people. Now, watch as one of these aforementioned idiots elected to public office blames this on Google.
  • by martonlorand (938109) on Thursday September 21, 2006 @02:45PM (#16156183) Homepage
    Even basic Cash registers require a key to be plugged in turned to to step into manager or some other mode. Why wouldnt those ATM-s require that the case would be open and a key sticked in to go in programming mode... Can you do a memory owerflow hack into the software ower the keyboard? >Othervise I dont understand how could you get the machine out of normal state and put it in programming mode. If it is build in the software - dude - fire the security and software development team... Thats just crazy to have a possibility like that without some harware security check...
  • Re:Casino (Score:3, Insightful)

    by RobertB-DC (622190) * on Thursday September 21, 2006 @02:49PM (#16156220) Homepage Journal
    I recently did IT for the largest casino company on the planet. I was dual-property and responsible for two casinos. The master code that would open the keyboxes and get you keys to anywhere in the casino was 654321. And people told each other all their passwords and such all the time.

    In that environment, they probably could have kept the lids to the keyboxes open and illuminated with flashing neon signs. Anyone foolish enough to try to pull off some sort of heist, with all those cameras and undercover security types, would end up meeting the same fate as the bozo who tries to swipe the dealer's chips -- jail if he's lucky, a trip to swim with the Nevada fishes if he's not.
  • Re:Casino (Score:5, Insightful)

    by TopShelf (92521) on Thursday September 21, 2006 @02:57PM (#16156296) Homepage Journal
    That's a perfect illustration of how technological devices are only a small part of security. Having solid policies that are actually followed means every bit as much, if not more. From TFA:

    "This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

    All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...
  • by CastrTroy (595695) on Thursday September 21, 2006 @03:13PM (#16156447) Homepage
    However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key thats more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM.
  • Key Badges (Score:4, Insightful)

    by BobBoring (18422) on Thursday September 21, 2006 @03:27PM (#16156568) Homepage
    Use to be we'd just wander through the cubage and when we had collected two or three "abandoned" cards from machines, we'd copy the faces of the cards. Then we'd give them to department supervisors for security violation write ups. We'd keep the copy to make sure the supervisors write them up. We suspended the accounts after two violations. If the offenders didn't have a Letter of Counciling on file in 10 working days, we had to write up the supervisors and suspend their accounts until their up-chain managers filed the right paper work to re-enable the account.

    After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.

    We got tire of being called the 'net nazis' and worse.

    Now we just take the badge out of the machine and walk it down to the security desk and tell them we found the on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
  • Re:Casino (Score:4, Insightful)

    by MindStalker (22827) <mindstalker.gmail@com> on Thursday September 21, 2006 @03:33PM (#16156604) Journal
    But what really confuses me is WHY is there access ability from the user keypad. I mean geez. There is a back panel on all ATMS that has a keylock for adding cash and programming the machine. Putting the ability to do ANYTHING but normal user functions from the front keypad just smacks of stupidity.
  • by Phillup (317168) on Thursday September 21, 2006 @04:20PM (#16156992)
    But to be fair it also stated in very big bold type that this default master password should be changed.

    Just to play devil's advocate...

    That box should have been on the damn cover of the instruction manual instead of 30 some odd pages back (page 19 + the "intro").

    Chances are, if it was right in your face... you'd change it.
  • by Tumbleweed (3706) * on Thursday September 21, 2006 @04:27PM (#16157038)
    But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw.

    I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.
  • by gewalker (57809) <Gary...Walker@@@AstraDigital...com> on Thursday September 21, 2006 @04:28PM (#16157051)
    Finally, "News I Can Use"
  • Re:Nine Days.... (Score:5, Insightful)

    by geekoid (135745) <(dadinportland) (at) (yahoo.com)> on Thursday September 21, 2006 @05:01PM (#16157301) Homepage Journal
    Yes.

    It's called honesty and ethics.
    But if you leve your car door unlocked, and someone takes it, I'm sure you won't mind, since it was your 'fault'.
  • by Sycraft-fu (314770) on Thursday September 21, 2006 @07:03PM (#16157996)
    Is that voting and ATM machines have very different security requirements. An ATM needs only be secure against people breaking in to it. So presuming the bank isn't stupid enough to leave the password as default, it accomplishes that pretty well. It doesn't need to be secure from the bank. The bank can lie to the ATM machine or tamper with its data if they want, it's just not in their interest. However voting machines are different. Here the data needs to be secure against tampering from everyone, including the people who are responsible for the machine. That's a whole different design.

    But basically what happened is Diebold just applied ATM design to voting machine design. This would be probably be fine if you could trust the people that owned the voting machines (the government) to be honest. But you can't so it is worthless.
  • Re:Nine Days.... (Score:2, Insightful)

    by avonhungen (108123) on Thursday September 21, 2006 @07:50PM (#16158200)
    I think the fact that most people understand that their banks would never consider returning that "honesty and ethics" factors into the equation. I for one have been forced to "prove" all my bank's errors before they paid me back. They've never approached me first.

    I think I hear that soapbox cracking...

There is nothing so easy but that it becomes difficult when you do it reluctantly. -- Publius Terentius Afer (Terence)

Working...