Googling for ATM Master Passwords 356
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
Re:Casino (Score:4, Interesting)
Casinos prosecute is you steal $5 from them.
Putting the master password in the manual? (Score:3, Interesting)
This reminds me the of backdoor password that Nortel had for one of its more common PBX's. At least they didn't put it the manual. But it got passed around enough to land on Usenet (in reponse to a problem that a customer was having). In that case, it was worse. It was not a "default" password, it was hardcoded.
Another day, another brain dead corporate password mistake....
Re:The default password is... (Score:4, Interesting)
Re:WOW (Score:3, Interesting)
Heck the ones around here charge $2.25 and then your bank adds another $1.75 for the transaction.
If the ATM is in a remote location or a special event the ATM charge goes up. The last gun show I went to, the ATM was charging $9.56 per transaction. If I could have left and came back with out having to pay the $15 door fee I would have gotten the money from some where else.
I'm surprised it took so long to realize... (Score:4, Interesting)
Hardware wise, they were the most complicated, Rube-Goldberg-esque contraptions you can imagine. The card readers and bill handlers were the worst. The bill handlers had to be calibrated using real money, so the repair center kept several hundred dollars in cash locked in a safe at all times, and replaced it weekly (the handlers didn't like old bills).
The group I was in was responsible for tracking the software problem reports that came in from the field, and forwarding them to the manufacturers. While I found some of the bugs downright hysterical, or just plain bizarre, others were scary enough to make you consider avoiding the machines alltogether.
Doesn't look like they've learned anything in 20 years.
ATM Industry Association warned them. (Score:5, Interesting)
http://www.gasa-cognito.com/media/GASA-ATMIA%20Fra ud%20Alert1.pdf#search=%22atm%20master%20password% 22 [gasa-cognito.com]
It specifically warned the industry that their passwords were getting out and to tell the banks to CHANGE them.
Frankly, I have zero sympathy for the bank that lost cash.
And not much respect for the idiots that did not report it. What, did they think the banks would never find out what happened? That when they did find out, they would not 'correct' the accounts?
Either report it, or get yourself an untraceable card and return.
Re:The default password is... (Score:3, Interesting)
Stating the bleeding obvious, ATMs contain cash.
All ATM's have keys, combination locks or a mixture of the two.
There is no good reason for the operator mode switch not to be locked away.
Whoever makes these ATMs deserves all the bad publicity that they get.
Re:Nine Days.... (Score:2, Interesting)