
Googling for ATM Master Passwords 356

Posted by Zonk
from the that-should-probably-not-be-online dept.
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
This discussion has been archived. No new comments can be posted.

  • Re:Casino (Score:4, Interesting)

    by Enderandrew (866215) <[moc.liamg] [ta] [werdnaredne]> on Thursday September 21, 2006 @03:54PM (#16156263) Homepage Journal
    Very true. The only inch of that casino not covered by cameras was the IT offices. Surveillance wasn't allowed to look over my shoulder, because they could see passwords and sensitive data that way. We had cops, investigators and state regulators on property.

    Casinos prosecute if you steal $5 from them.
  • by vinn01 (178295) on Thursday September 21, 2006 @03:58PM (#16156310)
    Who here thinks that putting the default master password in the manual is a good idea?

    This reminds me of the backdoor password that Nortel had for one of its more common PBXs. At least they didn't put it in the manual. But it got passed around enough to land on Usenet (in response to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.

    Another day, another brain dead corporate password mistake....

  • by zenray (9262) on Thursday September 21, 2006 @04:03PM (#16156354) Journal
    001234 as stated in the link. But to be fair it also stated in very big bold type that this default master password should be changed. The fact the master password remains unchanged is a user error in the setup and not a design flaw. Every master password not changed was left that way by 'somebody'. That 'somebody' needs to be sued (or beaten severely about the head and shoulders with a security clue stick) for allowing easy access to the money. Unless they were ordered by management to leave it as defaulted.
  • Re:WOW (Score:3, Interesting)

    by Anon-Admin (443764) on Thursday September 21, 2006 @04:04PM (#16156369) Journal
    $1.25????

    Heck the ones around here charge $2.25 and then your bank adds another $1.75 for the transaction.

    If the ATM is in a remote location or a special event the ATM charge goes up. The last gun show I went to, the ATM was charging $9.56 per transaction. If I could have left and come back without having to pay the $15 door fee I would have gotten the money from somewhere else.
  • by Ken Hall (40554) on Thursday September 21, 2006 @04:14PM (#16156459)
    Back in the early 80's I worked for a company that did third-party service for all sorts of computer-related stuff. We serviced at least two different lines of ATM machines, for competing companies. We had test machines in our training center for the service guys to play with.

    Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).

    The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines altogether.

    Doesn't look like they've learned anything in 20 years.
  • by gurps_npc (621217) on Thursday September 21, 2006 @04:49PM (#16156726) Homepage
    Back in Feb 2005, the ATM Industry Association released a memo or press announcement, found here:

    http://www.gasa-cognito.com/media/GASA-ATMIA%20Fraud%20Alert1.pdf#search=%22atm%20master%20password%22 [gasa-cognito.com]

    It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.

    Frankly, I have zero sympathy for the bank that lost cash.

    And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?

    Either report it, or get yourself an untraceable card and return.

  • by slashnik (181800) on Thursday September 21, 2006 @05:29PM (#16157065)
    This is clearly rubbish.

    Stating the bleeding obvious, ATMs contain cash.
    All ATMs have keys, combination locks or a mixture of the two.
    There is no good reason for the operator mode switch not to be locked away.

    Whoever makes these ATMs deserves all the bad publicity that they get.
  • Re:Nine Days.... (Score:2, Interesting)

    by reason (39714) on Thursday September 21, 2006 @11:19PM (#16158733)
    I've twice deposited more than I thought I had into an ATM and had the bank credit my account with the full amount (instead of the amount I entered) and write me a letter to let me know of my error. And yes, I know I'm not careful enough with money.
