Another ATM Maker Pwned by Googling

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

This is why...

[Kenja]

This is why I keep all my money in gold bullion strapped into my underwear. Of course that makes my pants weigh too much to move around in, but I wasn't realy going anyplace any how.

Re:This is why...

[Aqua_boy17]

Yeah, but just think about it for a secons. You've finally made the underpants gnome's business model make sense.

Re:

[eonlabs]

Gold Boullion in Pants
???
Profit!

Re:This is why...

[FuzzyDaddy]

Hey, I had the weight problem too, so I switched to enriched uranium. It's a lot more valuable pound for pound, so it doesn't weigh me down so much.

Re:

[rbarreira]

It will probably even reduce your weight, by carving holes in your body...

Not quite...

[Crasoum]

Weapons grade uranium has a risk of zero of carving hole sin your body, unless you happen to set it off, then you have MUCH larger problems to worry about then... Holes being carved in your body, more like holes being carved in your side of the planet. WGU's radiation is mostly alpha particles which won't even penetrate your skin, let alone get to living tissue.

http://www.umich.edu/~radinfo/introduction/lesson/ properties.htm [umich.edu]

Re:

[terrymr]

The only reason for the protective gear is to stop you from breathing in small pieces of the marerial - this is usually more a problem with spent fuel or if you're machining it to make a bomb.

Re:

[Brigadier]

Now you can go out and buy glowing condoms for your now glowing balls.......

Re:

[Fred_A]

For the flavour [ripnroll.com] of course ! (link may be offensive to people who don't like hevea sap byproducts).

*ducks*

Re:

[fdiskne1]

This is why I keep all my money in gold bullion strapped into my underwear.

But what happens when a woman discovers your default password and makes her way into your underwear and leaves you with no money?

wait...

What?!!?

[LordPhantom]

Ok, so people have been hacking pr0n sites, coke machines, etc, for years, but with a bit of warning ATM companies can't manage to practice a bit of security?

Even if it IS stupid user error, then BANKS can't get their act together?!?!

This just makes me feel all warm and fuzzy about Diebold, etc.

Re:What?!!?

[gurps_npc]

It's not 'a little warning'.

It's repeated, frequent warnings from the manufacturers and industry associations for several years.

Now finally it hit the news media.

You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.

Re:

[queenb**ch]

Even if it IS stupid user error, then BANKS can't get their act together?!?! This just makes me feel all warm and fuzzy about Diebold, etc.

Ah...but you should feel all warm and fuzzy about Diebold handling your votes come election time.

2 cents,

QueenB

the easy solution

[jd]

Banks (or any organization, venture or activity involving people) are never going to bother doing more than they have to, so simply waise the bar on what they have to do. Doesn't sound that hard to me. Simply require that on first power-up the sys-admin code MUST be different from the default, and/or requires a dongle to be plugged into a port that can only be reached inside of the machine for the sys-admin code to work (but, in having it plugged in, all other codes are disabled).

Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHB's refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)

The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.

Re:

[Marxist Hacker 42]

It's more convience stores than banks I think....the kinds of ATMs hit so far aren't the types used by banks that have backdoor access only (though, with the recent revelation that Diebold uses common A-Code keys, the same used for your desk drawers at work and the mini-bars in hotels, I have to wonder how secure even the bank style ATMs are); they're the stand alone kiosks used in malls and convience stores.

With Apu at the Qwik-E-Mart setting the damn thing up and keeping it stocked with money, is it any

Re:

[networkBoy]

Anyone can buy, install, and stock their own machine. It's just that the damn things are so expensive that joe shopowner usually can not afford to amortize the thing in any reasonable ammount of time.
-nB

Re:What?!!?

[shawn(at)fsu]

Even if it IS a stupid BANK error, why do people feel the need to take advantage of it?!?!
You must be new here, and by here I mean humanity.

Re:

[cp.tar]

Is it not said, A fool and his money shall soon be parted?

Re:

[Peter Mork]

And all these years I thought it was, "A fool and his money ... soon visit the brothel."

Re:Blame it on Monopoly

[Known Nutter]

There are certainly people out there who have lost enough money to ATM fees that the prospect of getting a little back wouldn't seem as "evil" as pure theft...

Sorry, but you don't lose money to ATM fees, you agree to them. Period. Much like EULAs, you probably don't recall reading the "I AGREE" text next to the button you push to get your cash.

Theft is theft is theft is theft.

"Pwned", indeed

[Otter]

-1, Submitter Doesn't Understand What He Read

Bottom line, this is a perfectly routine default password [phenoelit.de] issue. Blame your bank.

Re:

[8127972]

"Bottom line, this is a perfectly routine default password issue. Blame your bank."

Not exactly. First blame the person who installed it first as s/he left the defaut passord in the first place. Then blame the bank for not ensuring that the installer did their job correctly.

Re:

[jridley]

and blame the manufacturer for building a system that can be set into production mode with the default password still active. We can enforce password strength restrictions for goofy web blog sites but somehow it's too hard to do for ATMs?

I've worked with banks before. They will implement exactly the amount of security that they're required to by law. Don't ever count on more than that, and I'd verify before I even trusted that much. They have a huge heirarchy of career programmers and IT people who have

Re:

[patrixmyth]

If anyone was humiliatingly defeated, then it was the ATM installation company, not the ATM manufacturer/owner/store clerk. And that defeat was not by Google, but likely by a trained installer with a grudge/questionable morals. If it were me, given the exorbitant rewards offered on many of these ATMs for information leading to arrest of offenders, I'd put more effort into catching exploiters than risking a theft charge. In my opinion, we should put $100 dollar bills behind thin glass on every corner with

Re:

[patrixmyth]

Not if you're endeavoring to collect rewards ;)

Re:"Pwned", indeed

[QuantumFTL]

Bottom line, this is a perfectly routine default password issue. Blame your bank.

The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

Re:

[KarmaMB84]

A bank of all places should know better. There can be no blame for a manufacturer who provided a suitable design to a customer that should be an expert at this stuff.

Re:

[MrNougat]

Au contraire - banks are not experts at technology whatsoever. Small banks usually don't have their own IT staff. Most banking applications (provided by third parties) are built on very old technology.

No, banks are good with money and accounting, not the administration of the technology they use to do those tasks.

Re:

[Drachemorder]

Indeed. My company recently did a project for a bank. The IT people there are about as clueless as they come. It was the most painful project I've ever been involved with, because we had to explain every single minor detail of what we needed in order to get the guys to pull log files or change configuration settings or anything. And even then they usually managed to find some way to screw it up.

Re:

[99BottlesOfBeerInMyF]

The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

A lot of companies avoid this because machines are first used in a test lab, or set up by an installation company and then finally configured/stocked by the bank. This leads to incidents where the bank is calling and wants to know the password, but it has been changed from the default. So companies leave a default in, but tell cus

Re:

[MikeBabcock]

It would still be a problem -- just like Windows XP requiring a username before completing the installation is a problem in other circumstances.

Believe it or not, the "user" is not always the one setting up the machine in question. The default (or "a" default password) needs to be configured and told to the user reliably. Now you do that with a dozen new ATMs to a bank and see how pissed they get at you or how fast someone writes the password on a sticky note.

Yes, they need to do better security if they'r

Re:

[cloudmaster]

And then they should have to change it every 90 days, because some dumbass read a document entitled "best practices" about that kind of thing.

Re:

[grolschie]

Thanks for that list. I can never think of a good password. I have now narrowed my next one down to one of the following three choices: "1234", "admin" and "password"! Thanks again. ;-)

UK

[celardore]

I live in the UK, and we use different brands of ATM machine here. I can't find any codes that will give me free money here. Drat! Possibly for the best though, as I'm a member of an accountancy association who will kick me out if I get convicted for fraud. And I'd lose my job. My job is the best source of money for doing very little, it's just time consuming.

"pwned"?

[IHSW]

What is "pwned"?

Re:"pwned"?

[Apocalypse111]

When you have totally humiliated and/or beaten someone, you have "owned" them. A "p" is just an "o" with a stick on it, so "pwned", in my mind, is "owned with a stick".

Re:

[HolyCause]

Actually, "pwned" is a (usually on purpose) typo of "owned", since on a standard QWERTY keyboard, P and O are beside each other.

I believe that this originated with WarCraft. In multiplayer, a typo for "own" was made: "playerX pwns playerY" or something similar (not sure on this myself, as I've never played WarCraft - it's just what I've heard). Of course, it could have originated as a common typo, but that's an interesting story behind it =)

Re:"pwned"?

[tupshin]

!7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

Re:"pwned"?

[vadim_t]

Scary, I didn't need to make any effort to understand that.

Re:"pwned"?

[Anonymous Coward]

!7'$ 1337 $p34k f0r "411 y0ur 84$3 4r3 8310ng 70 u$"

vadim_t (324782) writes:

Scary, I didn't need to make any effort to understand that.

God, I really hate perl.
Since you seem to know, what does that script actually do? :)

Re:

[patio11]

It outputs "Just another perl hacker", unless its Tuesday. You don't want to know what happens on Tuesday.

Re:

[RsG]

Actually what's really scary is that he included the apostrophe in "!7'$". What's the world coming to when 1337 speak is being done with proper grammar? Madness, I say!

Re:

[paulthomas]

pwn (v): an intentional misspelling of "own," especially when indicating unauthorized "ownership" of a system. Most commonly seen as pwned or the 1337 variation, pwn3d, as in "i pWn3d j00."

Re:"pwned"?

[mark-t]

Wikipedia's entry is reasonably spot on. [wikipedia.org]

Good link but......needs updating.

[tacokill]

Pwned came from the word owned. That much is clear. But I have a little update to add based on my own experience. I have no idea if this theory is correct but I think it might add a little context and might explain the origins of pwned, with a "p". I can only tell you about when I first saw it.

...and it's not "owned with a stick" as a previous poster mentioned, which is clever - but wrong.

I have played computer games a long time. A really long time, in fact. And the first time I remember seeing

Re:

[moonbender]

Anybody trying to make a distinction on when and where the proper use of the term own vs. pwn is just talking out their tailpipe.

First of all, you just made such a distinction yourself, saying that "pwn" is (deliberately) used to imply a sense of frantic urgency. And second, I don't think that's correct. My experience is much more in line with what Wikipedia says, namely that pwn is used to refer to a very clear and humiliating defeat. It's not even treated as a misspelling of opwn, if anything it's an alte

Re:

[topham]

That would be because it is "own" with an embeded face sticking it's tongue out. As in :P :pwn is likely more correct, but dropped usage.
 

Re:

[tupshin]

!n $0v!37 ru$$!4, 7h3 !n73rn37 r3m0v3$ y0u.

Predicted response

[aafiske]

Probable solution? Sue google.

I wish this was a joke.

Should have waited

[Midnight Thunder]

Given that Google is likely to have cached the manuals and the patches will not be ready for a couple of months (certification et al.), I wonder whether the author should have waited a few weeks before publishing the article, to give the manufacturers a chance to spread the word.

Re:

[dlim]

The "patch" is a update that forces the banks to change the ATM's default password. The default password has probably been online for as long as the ATM manufacturer has had a website. And with all of the attention the previous ATM password fiasco received, I would hope that my bank has already investigated (and reduced) their vulnerabilities to this type of fraud.

The problem is not that anyone can read these service manuals for the next couple of months. The problem is that some owners of these ATMs

Lipman ATM's

[detritus.]

Lipman's Nurit ATM manuals are also available to the public on their website [lipmanusa.com], which also contain the default passwords accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.

Re:

[Volante3192]

If it's a money dispencer then you consider this common sense i think.

Common sense isn't. This is why curling irons have "Do not insert into any orifice" on a warning label.

Re:

[lakeland]

Only in America. Other countries base the legal system around common-sense so stupid people just get what they deserve.

Re:

[networkBoy]

Like the european cup o noodles (Tesco I think) that has: "Warning contents may be hot" printed on the bottom of the stinkin cup?

While I am a big fan of the "he was obviously a nit, your honor" defense, it is not only the US that has nit protection warnings on products.

It is our sue happy nature, however, that I think was largly responsible for the multitue of iterations of: "Don't be stupid using this product" labels.
-nB

Only In America

[Z34107]

Actually, the labels are prettry unnecessary, even in American courts. Between the already existing precedents on liability and the laws that specifically govern situations like this, they do little more than let corporate lawyers sleep better at night in a land where McDonalds settled with a woman who spilled coffee on her lap.

they didn't remove all the docs

[thedrunkensailor]

there's another doc up there exposing the defualt master password at http://www.tritonatm.com/en/service/technical_bull etins/05-48.pdf [tritonatm.com] i emailed them about it so it might come down

Re:

[AK Marc]

there's another doc up there exposing the defualt master password

Hiding a password like that is no use. I've had friends with different cell service tell me they couldn't get their voicemail. I have no idea how to get in, so I told them to call themselves from their phone, press pound if they hear their own message, and try 1111, 1234, 9999, and 0000 and see if they get in. So far, that works for all cell carriers I've ever encountered. And a large number don't require you to change it. My voicemail

Why do dumb stories like these get accepted?

[gd23ka]

A default password that is MEANT to be CHANGED ASAP is not supersecret. It's in the fucking
manual and even if the manual is not on the web then you can probably order one from the
manufacturer and they wont make sure you even purchased the ATM to go with it.

The real news is that the people who set ATMs up and operate them are as dumb as dog shit.

UUuuuuh secret password! Uuuuuuh!

Re:Why do dumb stories like these get accepted?

[CastrTroy]

I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users and either A) Not allow the machine to function until the default password was changed, or B) Don't have default password, but instead have a physical lock with a physical key (hopefully one that can't be opened by a vending machine key) that must be used in order to reprogram the machine. We all called MS Stupid for not requiring SQL Server to have a password, and having a blank default password, why not blame the people who make these ATMs.

Re:

[KarmaMB84]

Microsoft was never stupid for assuming people buying their expensive RDBMS and *setting the beast up* would *password protect it* and neither are these ATM manufacturers. These machines are managing *money*. What more reason could you have for the banks to be anal retentive with the security of them? If they don't give a damn, they just don't give a damn.

Re:

[theLOUDroom]

I'll agree that the people setting up the ATMs are extremely stupid. However, shouldn't the maker of the ATM have anticipated the stupidity of the users...

No.

Let's use a little common sense people.

What is an ATM?
A box full of money.

It is perfectly reasonable to expect someone to RTFM and follow directions before putting a box full of money out in a public space.

The fault here lies squarely on the banks.
Were I the manufacturer, I would maintain that anyone who failed to change the default passw

Re:

[aug24]

It's a classic "Anything that can go wrong will go wrong".

The system needs to be made to ensure that a password is changed before operation can begin. Duh.

J.

Why? People are dumb.

[raddan]

It's been made clear throughout the last three decades that people who should know better don't change the default password. Routers, firewalls have had this problem. Various incarnations of Unix have had this problem. VMS had this problem! Yes, people should change the default password, but in the interest of security, we should make them do it on first boot. OpenBSD makes you set up a complex root password after install.

People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.

Re:

[The Cisco Kid]

FWIW, Cisco routers do NOT have this problem, at least as far as remote access. If the 'line' password for the telnet vty isnt set, it simply doesnt let you telnet in, at all. The only way to access a brand new router is with a physical serial port connection.

I'm sorry, but...

[Iphtashu Fitz]

Anybody who rents/buys an ATM to install in their store deserves exactly what they get if they don't change the default password. Are these people really that clueless to think an ATM would be secure if the password is printed in the users manual?

pwnage sux

[Anonymous Coward]

Who do I have to murder to remove "pwn" from the common technobabble lexicon?

I'll do it... Seriously...

Re:

[theLOUDroom]

Who do I have to murder to remove "pwn" from the common technobabble lexicon? I'll do it... Seriously...

Do you think pwning someone is the answer? :P

I don't get it...

[Yonzie]

Obviously, people don't have the brain capacity to be serious about security.
What should we do?
It's simple: Shut down the internet.
No more easily-guessed passwords or dissemination of information on how to break into stuff.
No child porn proliferation and no worries about your 9yr old girl chatting with 45yr olds.
An extreme decline in virii and similar stuff for everyone's favorite OS.

In total? Awesomeness :D

Re:

[arkhan_jg]

What should we do?
It's simple: Shut down the internet.

You bastard, you're the one that's been giving ideas to my senior management!

So what?

[oyenstikker]

What does having the password allow you to do? Surely you can't actually get money out of it. Can you make it not charge the $1.50 per use?

Re:

[LunaticTippy]

You can tell it that the $20 bin is $5, making a $15 withdrawal give $60. Of course, the bank has your account information and will "adjust the error" or press charges.

Re:

[LunaticTippy]

Retards. Why obscure your face when you're putting your own card in the machine?

Re:

[Hamster Of Death]

You can change many things, you can make it think it's spitting out $5's instead of $20's by changing the denomination settings. Ask for $100 and you get $400 instead; you can also change the per use fee or eliminate it entirely. To really piss people off you can change the denomination to think it's dispensing $100 bills but in reality giving out $20's =)
You can get into the cash drawer too if they weren't smart enough to change the default combination lock code (which they most likely didn't). In short

Re:

[Fnord666]

The real fun is to change the primary phone number that it dials to get authorization to a phone sex line. The call will fail to connect to a modem and fallback to the secondary number Transactions take longer, but they are racking up $4.99 per call on the ATM owner's line. Payback for the surcharge fee.

So what?

[delirium of disorder]

How many real ATMs have been exploited using this information? Manuals for common hardware are basically public information (although I'm sure the vendor retains copyright to them and could conceivably also use trade secret law to keep people from sharing proprietary information). I don't really think this is much of a threat. If you are a security researcher and want to learn more, here are two ATM manuals that I've found.
Images scanned from a physical ATM manual [no-ip.org]
A different manual in PDF form [no-ip.org]

Kevin Poulsen...strikes fear ?

[MarkGriz]

This post [slashdot.org] from last week's Google/ATM article had a direct link to the Triton manual.

Seriously, if some Wired blogger is striking the fear in ATM manufacturers, they've grossly underestimated the magnitude of the problem.

pwned haha

[Anonymous Coward]

Listen up kids, "owned", "pwned", "h4x0red", "l33t", was interesting for about 5 minutes 5 years ago, now it's over. Stop using them, it's pathetically annoying. Try using some proper English for once. For the love of shit, even Penny-Arcade makes fun of this crap, and it's a video game based web comic.

Re:

[Dr. Zowie]

Ph33r m% l337 leetspeak 5k1||z d00d. J00 h4\/3 833N 7R0||Z0r3d. J00 h4\/3 l057. h4\/3 4 |V1c3 d@%.

Re:

[Dr. Zowie]

Heh. There goes my karma. Sorry for the grave misspelling...

h4\/3 4 /V1c3 d@%

ORLY?

[Sage Gaspar]

NO WAI!

Re:

[Man in Spandex]

pwned!

oh wait...

Someone posted the manual here

[Stonent1]

In the last story about this, someone posted a link to the Triton manuals. I read the manual and it did have a password in it but it said to make sure you change the password before the ATM is put into production.

Re:

[Talondel]

Yeah, I posted the link to the Triton ATM Manual because it was the first one that came up in a search for "arm operator manual". The specific one they were talking about last week also came up, but later in the search.

OT: What is the tune the ATM plays and why?

[paiute]

My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills. It is a short tune as if played on a piccolo with a trill at the end. It has been bugging me for years. Why does the ATM need to play a tune?

Re:

[jayloden]

Yeah, and why does it have to have those funny bumps on the keypad, too?

One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot.

Re:OT: What is the tune the ATM plays and why?

[KarmaMB84]

To let the thugs know there's money coming out so they know to beat you for it.

Re:

[BrynM]

To let the thugs know there's money coming out so they know to beat you for it.

almost... It plays a happy tune to cheer them up so they don't beat you so badly. That's why it has the trill. It's been proven that trills put those about to commit assault into a better mood and end up just committing battery... or something

Re:

[topham]

Does it always play the same tune, or does it vary depending on the amount of money dispensed?

Perhaps they are trying to obscure the amount of money dispensed by playing something over top of the sound as it counts your bills; quickly corrupted if it plays a different tune for different amounts.

Re:

[jstott]

My local bank has a Diebold ATM. Both this one and the one it replaced play a tune when dispensing bills.

It's the same sound that Pacman makes when you eat the power pill. Doesn't taking money out of the machine make you feel energized?

-JS

These Are Textbook Examples of Dumb Design.

[OmniGeek]

OK, so you have a machine full of money that will be placed out in public, where everyone and his third cousin Fingers McCrackit can play Billy Joel on the keyboard all day, using any information they can guess, beg, borrow, or steal (OK, slight exaggeration, but valid principle.)

Now, just HOW STUPID do you need to be to make it possible in the first place to gain system access from that keyboard without at least one hardware interlock that is NOT accessible without the key to the machine? You KNOW the bad guys will try everything they can think of to fool the machine; you should ASSUME that they have every piece of info on the machine that you do. (Cryptosystems -- good ones, at least -- are designed on this assumption; indeed, they assume that the adversary has a copy of your machine and all its specifications.)

A secure ATM thus REQUIRES that it be made completely IMPOSSIBLE to jigger the machine without physically getting inside its hardware. Password-protection just doesn't cut it for that level of security. Failure to provide this level of protection is SO stupid as to be a failure to exercise due care. And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

Now for the scary part -- ATMs are, on average, far more secure than voting machines.

Re:

[theLOUDroom]

And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...

So take a step back for a minute and think about why it isn't there....

• Maybe there are banks who want to be able to minimize the number of people that need access to the ATMs innards
• Maybe they want to make sure that the people who refill the ATMs have the door open for as little time as possible
• Maybe the code needs to be entered BEFORE the door is opened or else an alar

Did anyone even read this before approving it?

[khrome]

If anything the headline should be "Journalist convinces managers to take support documents offline"

Are routers next?

Because if you want to talk security, you can reset the password and access *all customer data* on the most popular PC transaction software by deleting 1 config file. On every installed system up to current.

*that* is the true state of security in the finacial industry. Security consists of a chain of promises, where if something *does* happen, a chain of fines happens which obscures the impac

Forget ATMS - What about VENDING MACHINES?

[Jherek Carnelian]

I've always wondered if there were any "secret codes" left behind by the firmware developers for vending machines. I'm not up to messing with an ATM, but it sure would be cool to know how to get a free soda or candy bar the next time the damn machine eats my money.

Anyone got a line on those kinds of "default passwords?"

for those who don't know

[sentientbrendan]

Kevin Poulsen is a notorious ex hacker and phone freak, who's feats were much more impressive than most of the better known hackers. This guy is something of a legend.

From wikipedia: http://en.wikipedia.org/wiki/Kevin_Poulsen [wikipedia.org]
"His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller, and netting him a Porsche 944 S2"

According to the book about him he also
1. Broke into numerous Ma Bell facilities.
2. Hijacked an

Re:

[Dachannien]

It's fitting that Poulsen is reporting on this issue, then, because this whole "getting the key to the castle via dumpster diving" thing is remarkably similar to the way that many of the basic phone phreaking techniques were originally uncovered. Of course, the phone industry mitigated their problems by moving control communications out-of-band. The analogue would be to stop making these functions accessible via the ATM keypad. This wouldn't solve all their problems (a mandatory password change upon inst

YouTube video about the ATM attack

[denebian devil]

http://www.youtube.com/watch?v=cmW_4R81jVU [youtube.com]

Re:

[x-kaos]

I agree, I had no idea people from the WoW general forums were submitting stories here!

Re:

[AK Marc]

Well, I didn't bother to look it up, but if I were guessing the passwords, I'd go 123456 then 000000 then 111111 then 999999 and repeat with lower numbers of numbers to 9999 (unless there was a hint to the length, as some take a fixed length and you can tell). So, if it was really the Spaceballs password, it should be gone on the 5th try. I've not seen any of the ATMs on a default password that would survive such a devious assault.

Re:

[sconest]

Well, this is Slashdot. Abandon all hope of 100% correct grammar and spelling :)

Pwn [wikipedia.org]