Googling for ATM Master Passwords 356
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
Google query (Score:3, Insightful)
"Gawd, Idiots!" (Score:5, Insightful)
Why don't you require a hardware key? (Score:3, Insightful)
Re:Casino (Score:3, Insightful)
In that environment, they probably could have kept the lids to the keyboxes open and illuminated with flashing neon signs. Anyone foolish enough to try to pull off some sort of heist, with all those cameras and undercover security types, would end up meeting the same fate as the bozo who tries to swipe the dealer's chips -- jail if he's lucky, a trip to swim with the Nevada fishes if he's not.
Re:Casino (Score:5, Insightful)
All that's in the PDF is the default password, following a warning in BIG BOLD TYPE saying that you need to change the default password before deploying the machine. Would they put in a new combination lock on their vault and leave a combo of 1-2-3? I should hope not...
Re:The default password is... (Score:5, Insightful)
Key Badges (Score:4, Insightful)
After a couple of years of irregularly spaced walk throughs of the cube farm and countless email 'reminders' about computer security we gave that up.
We got tired of being called the 'net nazis' and worse.
Now we just take the badge out of the machine and walk it down to the security desk and tell them we found the on the floor in the bathroom. If we feel bitchy we trash the card or shred them then the 'somebody else problem' effect kicks in.
Re:Casino (Score:4, Insightful)
Re:The default password is... (Score:3, Insightful)
Just to play devil's advocate...
That box should have been on the damn cover of the instruction manual instead of 30 some odd pages back (page 19 + the "intro").
Chances are, if it was right in your face... you'd change it.
Re:The default password is... (Score:5, Insightful)
I would say that's incorrect. It should be a trivial matter for the software to be written to REQUIRE the default password to be changed before the machine will actually give out money. Rather like having to immediately change your password when you first login to an account. It's not a difficult concept, and while this is technically a 'lack' of a feature rather than a bug, it's certainly a flaw in design, and a pretty basic one at that.
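The forced-change design described in the comment above, as an added example that is not part of the original thread or any ATM vendor's code. The class and method names and the placeholder default `000000` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "000000"  # constructed placeholder, not any vendor's real default


class ProvisioningRequired(Exception):
    """Raised when a cash operation is attempted while the default is still set."""


def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash instead of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Terminal:
    """Hypothetical cash terminal that ships with a published default password."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = _derive(FACTORY_DEFAULT, self._salt)
        self.provisioned = False  # flips only after a successful change

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def enter_operator_mode(self, password: str) -> bool:
        # On an unprovisioned unit the default still authenticates, but only
        # so the installer can reach change_master_password().
        return self._check(password)

    def change_master_password(self, current: str, new: str) -> None:
        if not self._check(current):
            raise PermissionError("current password incorrect")
        # The default is public (it is printed in the manual), so refuse to
        # let it be "changed" to itself, and enforce a minimum length.
        if new == FACTORY_DEFAULT or len(new) < 8:
            raise ValueError("new password must differ from the default, 8+ chars")
        self._salt = os.urandom(16)
        self._hash = _derive(new, self._salt)
        self.provisioned = True

    def dispense(self, amount: int) -> str:
        # Fail closed: no cash leaves the machine until the default is gone.
        if not self.provisioned:
            raise ProvisioningRequired("default master password still set")
        return f"dispensed {amount}"
```

The gate sits in the cash path itself, so a unit deployed without reading the manual refuses to dispense until the default has been replaced.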
Many Years of Slashdot (Score:4, Insightful)
Re:Nine Days.... (Score:5, Insightful)
It's called honesty and ethics.
But if you leave your car door unlocked, and someone takes it, I'm sure you won't mind, since it was your 'fault'.
And what you have to remember (Score:3, Insightful)
But basically what happened is Diebold just applied ATM design to voting machine design. This would probably be fine if you could trust the people that owned the voting machines (the government) to be honest. But you can't so it is worthless.
Re:Nine Days.... (Score:2, Insightful)
I think I hear that soapbox cracking...