Another ATM Maker Pwned by Googling
bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."
This is why... (Score:5, Funny)
Re:This is why... (Score:5, Funny)
Re: (Score:2)
???
Profit!
Re:This is why... (Score:4, Funny)
Re: (Score:2)
Not quite... (Score:2, Troll)
http://www.umich.edu/~radinfo/introduction/lesson/properties.htm [umich.edu]
Re: (Score:2)
Re: (Score:2)
Now you can go out and buy glowing condoms for your now glowing balls.......
Re: (Score:2)
*ducks*
Re: (Score:2)
This is why I keep all my money in gold bullion strapped into my underwear.
But what happens when a woman discovers your default password and makes her way into your underwear and leaves you with no money?
wait...
What?!!? (Score:5, Insightful)
Even if it IS stupid user error, then BANKS can't get their act together?!?!
This just makes me feel all warm and fuzzy about Diebold, etc.
Re:What?!!? (Score:5, Informative)
It's repeated, frequent warnings from the manufacturers and industry associations for several years.
Now finally it hit the news media.
You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.
Re: (Score:2)
Ah...but you should feel all warm and fuzzy about Diebold handling your votes come election time.
2 cents,
QueenB
the easy solution (Score:5, Informative)
Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHBs refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymmetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)
The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.
Re: (Score:2)
With Apu at the Qwik-E-Mart setting the damn thing up and keeping it stocked with money, is it any
Re: (Score:2)
-nB
Re:What?!!? (Score:5, Funny)
You must be new here, and by here I mean humanity.
Re: (Score:2)
Is it not said, A fool and his money shall soon be parted?
Re: (Score:2)
Re:Blame it on Monopoly (Score:4, Insightful)
Theft is theft is theft is theft.
"Pwned", indeed (Score:5, Insightful)
Bottom line, this is a perfectly routine default password [phenoelit.de] issue. Blame your bank.
Re: (Score:3, Insightful)
Not exactly. First blame the person who installed it first as s/he left the default password in the first place. Then blame the bank for not ensuring that the installer did their job correctly.
Re: (Score:2)
I've worked with banks before. They will implement exactly the amount of security that they're required to by law. Don't ever count on more than that, and I'd verify before I even trusted that much. They have a huge hierarchy of career programmers and IT people who have
Re: (Score:3, Interesting)
Re: (Score:2)
Re:"Pwned", indeed (Score:4, Informative)
The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!
Re: (Score:2)
Re: (Score:2)
No, banks are good with money and accounting, not the administration of the technology they use to do those tasks.
Re: (Score:2)
Re: (Score:2)
The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!
A lot of companies avoid this because machines are first used in a test lab, or set up by an installation company and then finally configured/stocked by the bank. This leads to incidents where the bank is calling and wants to know the password, but it has been changed from the default. So companies leave a default in, but tell cus
Re: (Score:3, Insightful)
Believe it or not, the "user" is not always the one setting up the machine in question. The default (or "a" default password) needs to be configured and told to the user reliably. Now you do that with a dozen new ATMs to a bank and see how pissed they get at you or how fast someone writes the password on a sticky note.
Yes, they need to do better security if they'r
Re: (Score:2)
Re: (Score:2)
UK (Score:2)
"pwned"? (Score:3, Funny)
Re:"pwned"? (Score:5, Funny)
Re: (Score:2, Informative)
I believe that this originated with WarCraft. In multiplayer, a typo for "own" was made: "playerX pwns playerY" or something similar (not sure on this myself, as I've never played WarCraft - it's just what I've heard). Of course, it could have originated as a common typo, but that's an interesting story behind it =)
Re:"pwned"? (Score:5, Funny)
Re:"pwned"? (Score:5, Funny)
Re:"pwned"? (Score:4, Funny)
vadim_t (324782) writes:
God, I really hate perl.
Since you seem to know, what does that script actually do?
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Re:"pwned"? (Score:4, Informative)
Good link but......needs updating. (Score:2)
I have played computer games a long time. A really long time, in fact. And the first time I remember seeing
Re: (Score:2)
First of all, you just made such a distinction yourself, saying that "pwn" is (deliberately) used to imply a sense of frantic urgency. And second, I don't think that's correct. My experience is much more in line with what Wikipedia says, namely that pwn is used to refer to a very clear and humiliating defeat. It's not even treated as a misspelling of own, if anything it's an alte
Re: (Score:2)
Re: (Score:3, Funny)
Predicted response (Score:5, Funny)
I wish this was a joke.
Should have waited (Score:3, Funny)
Re: (Score:2, Interesting)
The problem is not that anyone can read these service manuals for the next couple of months. The problem is that some owners of these ATMs
Lipman ATM's (Score:5, Informative)
Re: (Score:2, Funny)
Common sense isn't. This is why curling irons have "Do not insert into any orifice" on a warning label.
Re: (Score:3, Insightful)
Re: (Score:2)
While I am a big fan of the "he was obviously a nit, your honor" defense, it is not only the US that has nit protection warnings on products.
It is our sue-happy nature, however, that I think was largely responsible for the multitude of iterations of "Don't be stupid using this product" labels.
-nB
Only In America (Score:2)
Actually, the labels are pretty unnecessary, even in American courts. Between the already existing precedents on liability and the laws that specifically govern situations like this, they do little more than let corporate lawyers sleep better at night in a land where McDonalds settled with a woman who spilled coffee on her lap.
they didn't remove all the docs (Score:2, Informative)
Re: (Score:2)
Hiding a password like that is no use. I've had friends with different cell service tell me they couldn't get their voicemail. I have no idea how to get in, so I told them to call themselves from their phone, press pound if they hear their own message, and try 1111, 1234, 9999, and 0000 and see if they get in. So far, that works for all cell carriers I've ever encountered. And a large number don't require you to change it. My voicemail
Why do dumb stories like these get accepted? (Score:5, Insightful)
manual and even if the manual is not on the web then you can probably order one from the
manufacturer and they won't make sure you even purchased the ATM to go with it.
The real news is that the people who set ATMs up and operate them are as dumb as dog shit.
UUuuuuh secret password! Uuuuuuh!
Re:Why do dumb stories like these get accepted? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
No.
Let's use a little common sense people.
What is an ATM?
A box full of money.
It is perfectly reasonable to expect someone to RTFM and follow directions before putting a box full of money out in a public space.
The fault here lies squarely on the banks.
Were I the manufacturer, I would maintain that anyone who failed to change the default passw
Re: (Score:2)
The system needs to be made to ensure that a password is changed before operation can begin. Duh.
J.
Why? People are dumb. (Score:5, Insightful)
People don't wear seatbelts, either, which is why we have such seemingly inane things like seatbelt laws. This is clearly a test for rationality. Because apparently dying isn't bad enough but being punished is. People are stupid.
Re: (Score:2)
I'm sorry, but... (Score:2)
pwnage sux (Score:5, Funny)
I'll do it... Seriously...
Re: (Score:2)
Do you think pwning someone is the answer?
I don't get it... (Score:3, Funny)
What should we do?
It's simple: Shut down the internet.
No more easily-guessed passwords or dissemination of information on how to break into stuff.
No child porn proliferation and no worries about your 9yr old girl chatting with 45yr olds.
An extreme decline in virii and similar stuff for everyone's favorite OS.
In total? Awesomeness
Re: (Score:2)
It's simple: Shut down the internet.
You bastard, you're the one that's been giving ideas to my senior management!
So what? (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
You can get into the cash drawer too if they weren't smart enough to change the default combination lock code (which they most likely didn't). In short
Re: (Score:3, Interesting)
So what? (Score:3, Informative)
Images scanned from a physical ATM manual [no-ip.org]
A different manual in PDF form [no-ip.org]
Kevin Poulsen...strikes fear ? (Score:2)
Seriously, if some Wired blogger is striking the fear in ATM manufacturers, they've grossly underestimated the magnitude of the problem.
pwned haha (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
h4\/3 4
ORLY? (Score:2)
Re: (Score:2)
oh wait...
Someone posted the manual here (Score:3, Interesting)
Re: (Score:2)
OT: What is the tune the ATM plays and why? (Score:4, Funny)
Re: (Score:3, Informative)
One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot.
Re:OT: What is the tune the ATM plays and why? (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Does it always play the same tune, or does it vary depending on the amount of money dispensed?
Perhaps they are trying to obscure the amount of money dispensed by playing something over top of the sound as it counts your bills; quickly corrupted if it plays a different tune for different amounts.
Re: (Score:2)
It's the same sound that Pacman makes when you eat the power pill. Doesn't taking money out of the machine make you feel energized?
-JS
These Are Textbook Examples of Dumb Design. (Score:5, Insightful)
Now, just HOW STUPID do you need to be to make it possible in the first place to gain system access from that keyboard without at least one hardware interlock that is NOT accessible without the key to the machine? You KNOW the bad guys will try everything they can think of to fool the machine; you should ASSUME that they have every piece of info on the machine that you do. (Cryptosystems -- good ones, at least -- are designed on this assumption; indeed, they assume that the adversary has a copy of your machine and all its specifications.)
A secure ATM thus REQUIRES that it be made completely IMPOSSIBLE to jigger the machine without physically getting inside its hardware. Password-protection just doesn't cut it for that level of security. Failure to provide this level of protection is SO stupid as to be a failure to exercise due care. And after all, how much does it cost to add that hardware interlock switch? Not much compared to the value of the ATM's contents...
Now for the scary part -- ATMs are, on average, far more secure than voting machines.
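The design rules argued in this thread (a code printed in a public manual gives the attacker nothing, service mode needs a hardware interlock, and the unit must refuse to operate until the factory default is replaced) sketched as a service-mode gate. This is an added illustration, not Triton's or any vendor's firmware; the default code, the salt and the interlock input are constructed assumptions.

```python
"""Service-mode gate for a cash-dispensing kiosk (illustrative, not vendor code).
Assumptions: the factory master code is printed in a public manual, so it is
treated as known to everyone; a key-operated interlock switch inside the cabinet
is readable by firmware; codes are stored as salted PBKDF2 hashes, never plain."""
import hashlib
import hmac

FACTORY_DEFAULT = "123456"   # constructed sample; assume it appears in the manual


class ServiceGate:
    def __init__(self, unit_salt: bytes):
        self._salt = unit_salt
        self._hash = self._digest(FACTORY_DEFAULT)
        self.commissioned = False   # stays False until the default is replaced

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def commission(self, old_code: str, new_code: str, interlock_closed: bool) -> bool:
        """First-time setup: the installer must replace the factory code, and only
        while the cabinet key has closed the interlock. Re-running is refused."""
        if self.commissioned or not interlock_closed:
            return False
        if not hmac.compare_digest(self._digest(old_code), self._hash):
            return False
        if new_code == FACTORY_DEFAULT or len(new_code) < 6:
            return False            # no "change" back to the public default
        self._hash = self._digest(new_code)
        self.commissioned = True
        return True

    def enter_service_mode(self, code: str, interlock_closed: bool) -> bool:
        """Runtime: a keypad code alone never opens service mode; the physical
        interlock is mandatory, and an uncommissioned unit refuses outright."""
        if not self.commissioned or not interlock_closed:
            return False
        return hmac.compare_digest(self._digest(code), self._hash)

    def can_dispense(self) -> bool:
        """Cash handling is disabled until the factory default is gone."""
        return self.commissioned
```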
Re: (Score:2)
So take a step back for a minute and think about why it isn't there....
Did anyone even read this before approving it? (Score:2, Insightful)
Are routers next?
Because if you want to talk security, you can reset the password and access *all customer data* on the most popular PC transaction software by deleting 1 config file. On every installed system up to current.
*that* is the true state of security in the financial industry. Security consists of a chain of promises, where if something *does* happen, a chain of fines happens which obscures the impac
Forget ATMS - What about VENDING MACHINES? (Score:2)
Anyone got a line on those kinds of "default passwords?"
for those who don't know (Score:2)
From wikipedia: http://en.wikipedia.org/wiki/Kevin_Poulsen [wikipedia.org]
"His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller, and netting him a Porsche 944 S2"
According to the book about him he also
1. Broke into numerous Ma Bell facilities.
2. Hijacked an
Re: (Score:2)
YouTube video about the ATM attack (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Well, this is Slashdot. Abandon all hope of 100% correct grammar and spelling :)
Pwn [wikipedia.org]