Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Googling for ATM Master Passwords



 By: Ryan Naraine
2006-09-21
Article Rating:starstarstarstarstar / 19


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Using clues obtained from a YouTube video and a simple four-word search engine query, a criminal can find step-by-step instructions on how to hack into and take control of thousands of cash-dispensing ATMs.

Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States.

Following up on a CNN report out of Virginia Beach, Va., here as a YouTube video, that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.

Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual—which contains master passwords and other sensitive security information about the cash-dispensing machines—but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack.

Goldsmith, a respected researcher who co-founded @Stake and previously led Symantecs Security Academy, said he traced clues from the video to identify the make and model of the ATM, a Tranax Mini-Bank 1500 Series, and started an experiment to see how easy it would be to legally obtain an operator manual.

In an interview with eWEEK, Goldsmith said he first dug around on Tranax Technologies Web site and found a knowledge base article that mentioned that the ATM is programmed with passwords that can be found in the operators manual.

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched," Goldsmith said.

Resource Library:
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the companys Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

In the operator manual freely available on the Web site of a Canadian reseller, a section titled "Programming" provides the specific key sequence that will pop up a screen on the ATM that asks for the master password. It then lists three default passwords—master, service and operator—that could be used to hijack and possibly rig a machine.

The manual also contains instructions on how to enter the diagnostic mode, how to program the ATMs number keys to spit out cash withdrawals and how to change the passwords to take future ownership of the machine.

"This isnt a vulnerability," Goldsmith explained. "Its someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

Thieves steal $700,000 by hacking ATMs. Click here to read more.

"If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately," Goldsmith wrote in a blog entry that details some of his findings.

A section of the manual titled "Transaction Setup" provides a walk-through of how to configure the ATM to dispense cash and set up the cassettes within the machine that stores the cash.

According to Tranax, the Mini-Bank 1500 can dispense a maximum of 40 notes per transaction, limiting a criminals withdrawal at a single machine and using a single card.

However, as Goldsmith noted, a criminal with access to machines with default passwords could launch a major crime spree.

It is also likely that operator manuals for other ATM brands are readily available, Goldsmith said.

A quick Google search for several other mini-ATM machine models also produced user manuals with default passwords, although some require that the attacker have physical access to the power settings on the machine.

The episode underscores how easy it is to use the power of search engines to find sensitive security information. In the past, Google queries have been used to find security flaws in Web-facing applications, default passwords in Oracle databases and even live malware samples seeded on forums and other malicious sites.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Googling for ATM Master Passwords
>>> Post your comment now!
my pass word
6220180091400098025
Posted At: 11-24-09
By: S.PARVATHI
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv8(;^ӲM"eɶhڶ<Ozﳴ(ئHI%o8x -gŖPU* @ ?J9s4ô'1%c }{֤w~HRkg͛6;\QQ##3)9S]MHwW3fөP/ovGl$J޼w *sR;€wɔiT[oلLP_FܨW|e0/:Aq6+ְO0ov@/T| pfL&;"{>$e%k4ExL1"x\g{仍2Pa |!BU[U;0}rhPL߅ecay0k5Uy0 Ίgxk_m:OOo9'>9]Χqٙ{F0qgs z\OO|w3R& ںa#{IxCu{Lr,_edpBap~F xh-4K;9K*}xyp%#",>JA͂94o߶Af· - :sH;L} $mҔj %B%y4Xr Cc)#8?S̓A xJq䰉c.B+oƈ# 2#~B(גHHIR NƲE5\S4mpu]m7kDm--ٺ 5-U?;{::'ٻyoǫG",QqcuTSuTkՃu =Jj2+&0r/L [Ԗ-0òˌA ޿NfY |>95Gm'!|Аe>m=3Ixn"I,86Zt pIscмy:n`05Af_']5I#ϋ00} (?Ch9N@tmS(}=\0 |mV3-mdZ1 5:%ޥ6|+s^(tw^{" 0D EOe @h!$͵`v= ŊY~^~qRNz '1RtyB#̙8br_)rZ |)p٘:ʬ$5Lt]_5EG,E`~9j,\.{ 6ZԍurYiA4MǦn).Gs2H`0D%BEw,O F|n4 H߱n)yha} n/| `@-]7lP@sf0aDWjm>!4ÃaА5XԹæZ&5 CF`ߐ^86w06ÜL~@μgw詉m>PT0FKwm˴o*RЛva39n!WnY 2ctRU6y,Jt">*[Y3nR1*}Uj*::X9點vgıw@~Q9G SǏypB)e`֬Pbb 35-  _ǂK ރ؁UrrX3lib?, {E[Iq6O:V}f9Ke!68cji=c{Os=9_ /0hTW+JXYd[f"wd60Ae9޴.3v,˹f FFd~ VbLX!=G΀5uL85G[OAXyif~ai~0.Ly.zV}ufV0MЕaӘ32}qֳL,*I(rIQ KkMfO5O_cӀ1aj$pHE@y[kxpL\RYv> j 7VL07l)`U lSKm1C`^a~JMh0eQT{>Sy̏)gl5d+'HV/굘Pb(koV s1ǔ)23Kuq |a_>4ftY9kJoοCpYt )pȥx䣋*L*`IJ|Ϙ ixT*I;d#wbY cazTwfؘ/Y)ng?!|.+D\QOL_]XÎc( Γm O#c:Ed!:w\ݐZ,2tݘ `1}jd>a쑎! `wf0%b( wڬv33Ho 0ӛ-lq"~iͻ'M^|l9s@NqL+3psYl D@̬kG:adp:n&2pclz``|LyQU+ ʿ,x`1s*?K .=)3p3/o21wϥ~PñpapeHo|/UA9\b= lsKq393"oJt@/'!&G|E=8P7Xl=-v=h 5{qzDpqS(j \:HįiqMݗ0C7d'lG[~upM&eM=J暽v{<#6?Ws~̡f ApgJHU ]Uj\Řȹi@#u8L)W>=ʶHH?l^*A F *sޑPP 9ɗwf"?؆ + ~w?l)ɑ$>D[*ceb;}ZTe&+wD}}bh^?j]5a(0X_Tpm;dU]uv>= +fKI-1~+uys=|8$%-c.i{0#f^;.y007ȇNA&`}W? oRCRiDꞷwŰC-Y2c'A)hҰ icܵ'qf^ON+6|v9</dO!IhQo0 8 %qwO5Y#% z;s5C*Y!ˁBVw_!{:zSLl2&F:$]w& TH 0R2-W˱B3p'qU?C덵dlQ돝/O# Z`1ސBNg APH0]V lIyN g@$@48X+*LPW"REX%IA&t{Wm.xD|mr/Uى w½iV T t~hO7K0fNd.WVr['t?>!;g>48|㿜y$- !qze8n18JP /M>u@R4 jGYsnN&c6?opJrCC:Ėd: ecڂΣ#3y5iEQ-=VE;i H:kɘ ,zst3 T?nx z>2Po!&.M81wKtP/Ifi>U~)T*[\/aOyVZtCqEkG_U+ T㒏WgڢE&%D6%y#Ya(N Ģ]Wپg{sL&>dO#.u,v k4?0G~!Ӡ9j7ǖs$gr@#@*yx\\ݘ8(<A~A< vĔ4:)[7yJf}hn3dⳆ܆u ǵc^`l4-'4jtl$[ʷ/nj'َZ7U{cC|3 m\OST!-PxpM]{t+&v ۑ'Vc%OM1xLM/ϧdZ:`8?6#,i4rUه &Lћdk^L;2p''Ąyj89ʷ2 fӯFiR<+lݲ$],<uvzR:h0$9]zI1bӦ|.ןW\6vxlb)~1$:to ̴5ϷB|B-V9b{\3mR-(xޱ 15ψR.i.n E|i!N/, &f ͵ e1IDDVhB,wB+;r|'co.hP t٦K],OAzth{q@9D`s-DE:,˨d0Yn!0PiS2Pq |Gu;S^>8V 1(v/ЀmY{2,S~tNӚX,q?09ɤb;.lkZYLɒ+v!oWH\J!Mf 3Y &q'qReeÅLZSW+UzѶۂAo"~4$]Z,FHM &17OzZJ.$VvR@v+\& hKPr҂n:&/@6\j~ ];_fIPڃs'A Pe뎻=<.! !0 D-C,.._ǩk=Ze:}.OUR$@*%^JPdUS_f~K}NIKti>ςrYU24IL JTB I&d˓Xz[OW~i+YT$@>$U2Sx E^_*jz%P <^OdEȅ-)omW{*7+YikRf~=̧Dk*JIQ b@&D 72 ߢچ%݀ʦR}%Y(}3}N UZGȄv ^J=EizVF׎+ i|3L `PWʗ'#xY/H|7 t˱fan9+Z۾cN |tavoHg }J9kӎ(1B}MA0hę!s!UJ(tBoxZď֧e@7Ao|3}=Hk+Y rǙ33˵v6 u@Bky]̤ϱZ*jo$ɑ[v}tOK6oqz䞦۝f0tWNoKf[bë18צn:%4f5fA+6צ 2]^Y/ߤm_uauZ$^j/yB*췑Gg-]JUʲejj&:we>-kֲ_fHd$&3}b8bE\1̭,YNdn+MäCH{ A r;v341]Z4'|O߅"x<-NA ΍/*-k[xO C`"nbEKjgh$0$GɊ3^[i:.&}ܝMNhƀT^' no1.qId_MBakD0‡qa ) ʱ, :~؉.""^ ֔jE<=G/ `X:mb+2/o #~kPWsƂWFCZ9Ƥ=Pɣ.jbWthU% &upZ` ?bTy G<)F<@&L8h;b\=Vںfs; }KMyޜ̇PU)esÑ7Q$7C_T~X*ğ@K-N%Dr !8h-}aXrIt*r=jah D.ҤIdzVZR*jp;rWyźznG@V0A 5:R:7'|x` >IB1ꓩvcG(Tr^MQ<끴 $xtz5+0e@Q0ˇ|xzYڊRk?HwvCHO>%`G+17uw=MkѺl ,RxwBob̄7&|ͱɲGfs;@Nyގ]UbrMȭTR^yGyjvY3B[sYe뛛u.)Ǹf\Y>^Bg3/nsj+b-F]F5rx #} 4[Mm` pIߥ0+?r)_6R~u9PV=)l$i6pdfBI/Ht!(iq+KB q:םί(\:A窏V5p }a3bpL5f9ڗgiUCWAwA:gk<΄m-j=Oq+tz'{O˫ :5=qalL[d^4 Γ,C rz>0?eN+gڽE ²*rDK xu, /2fb?l"8?ᔨ.!bTչ6 W?fmz ''W~_V\k.>?Vՙt.3]rVO-?h@Kg7s5Κ>]o S~s< Nn ,W(57(- ʯ֗AR=(e֗N:P~s ?tsݓ\{Qu3L"fk?Q?/?gakg9A9?ς=9`ۓk`o]6tpQhpI|*SG09.Hkr>u9"K~|^gA7gn"B7EjIn2d m.ŎK #jOA ̓)TajV};{4΄jPLC$9w>eU-kXUj\ L`'bs>=9HQ$`rXT5r(RyB4|YW)s 84C-p艓<+Lwа-}"0F^?fG'&^QlM/c"A6of!9^8ռDOe/=3✝*{EQ/aI'; >cqnO (,7 gs+.Ġ/ >'4gB x" +U|&n:8X0:rMhQxDq焿H9aCm5LdԢԱ#t/I߱" 9U%,?kPxUEH=Ca Kqps,FƝxyhoȲǷAE#3௹*W5EZa%3I\nT¬smqCun^cv۰xI/_| P 3{`#Yޱ .aӆ#]^Πob_ҥ^v6eEMctS][/D#RVtⷓ5 aHA{H, AQr+EJ>a< &T | -{6dDRw}Jm?'6jV0A9DEPީik./["wn3)gVNp)hA<}?٣ uK ğ?X \ 6 |;qQ' w.r+wnMkp-jLh|#U`7S~" 3fA6h4&s܈}I5#O"?Fs: /A.s|K 6- - `⚈Mee`[vGOWeg[,| _R[p~X+m+bA,\B tYl%NqdxZv%.3_Hʶ],{ QIbvB#q좢U .D<"xEƝfg k3HTx,XMU\m(S_m\TNEۢ¶*:u`]Ǡz~;<k *lqk[4(* <Ǵ-!U , ᘭ=_xA|0XqxyrA}QY&4ɶV+/*N4 w)FöI,'aaȖgƆh~%'ж7e3}*@͎a*5z`Inf@x"H{J]gG- sexD_"?Q<8Vq̨M-16eol'- Eb;5rbF(ȯZ0 9\\OhcA{pffw(g,1f.& w Ax: v4<5G TFE@KI7bWČ& IR&la"f?rf&oف,G[НLB><&ah}|+{,rjT}o+$v)VS _Xџ\<~^5oiid"y!n`x87&ř>;??vޘc{P$x>5`]e"oAXLf4sw`Dϝ7aYx/EM:(F//9QƷF#F FL3 So^3WS1~S`F~![<](y}kMaFkptrnk8:N.v5y 3 hW~Ίƻ=leh 枝zWRD}{nYI }gINNŢZhL6 <Ůkd}bJ#Ӗuɂkc7X7Vt̓rgs4_-)5Ua?\EQXA-A 쫕5W,i͐*)~N|UؼFc2TSf~Ca0;_$sEE)6vErp_oB~+ԕشN]QԬ#[?Y!]:q9pƞ<#Xx QŞ%vE{8LT*J!嶱5 HC|9 4 }e-7!x /īX޼=' Bd±nkP=BiB$l`ELq( .&?L֗!c:{ zR=˼/ t|) _ v\u,c |GkOHi]Gb IZjёrN@]l;God=ejjv|w$.:&/!xͽ6 <҂΍ OkçYOmЮ3M9tD6m ֶE9| o<Ց#|>bkzx_wݪ,}zQH!U}5&V#%!^)Z T`C,R eyo_/mV$1?,9((Mae gln&iRђglBcdGM9Xcy6P߬ei4 hp~Ƶ&6@}&I$HHhySf"yQwg'n>ErF TO.a;44}u)#"֔O{*x`7apZCog!sib ϻg>6O!LՈwFN (>QF}apwֻ:L;"Tǿ}8Š%ZQwuI`ןz퓓dE[&{ 5t$7{ *=%SժZK$!q} %((C \/aނ"a{k;a^Wz ۔Q e GZRLxTɉ8I06y8l|S4n-^AaeX& ܆>