ATM Backdoor… Why is no one talking about this?

Dave G. | September 20th, 2006 | Filed Under: Defenses, Disclosure, New Findings


So, two people have sent me two links (YouTube) about this story. Apparently, a man came into a store that had an ATM. He walked up to the ATM with an ATM card (supposedly nothing special about the card, but it wasn’t his), and typed in a magic security code. Supposedly, this code allowed him to reconfigure the ATM to believe that it was filled with $5 bills instead of $20 bills. When you go to withdraw money, you get 4x the expected dollar amount. Of course, the criminal left the machine in that mode, and after 9 days of use someone finally reported to the clerk that the machine was giving out too much money. Judging from the video, the ATM looks like a Tranax Mini Bank 1500 series.

Tranax’s website had this little gem in their knowledgebase:

The ATM is programmed with the passwords that the distributor requests when the order is placed to program a new ATM. When special passwords are not requested they are left at the factory default (see your mini-bank operators manual). Every new ATM that is shipped from Tranax has a copy of the print setup included in the “open me first” box or envelope. The master password is hand written at the top of the print setup for the convenience of the installer.

My questions:

  • ATMs have security codes that allow you to reconfigure the ATM with no one noticing?

  • What other configuration changes can be made?

  • Can these security codes be changed?

  • Is this going to be as bad as the Simplex lock fiasco?

  • How hard is it to get a Mini-Bank Operator’s Manual? Anyone that has one of those can basically reconfigure any ATM where they didn’t change the password. Which probably means MOST Mini-Bank ATMs.

Again from Tranax’s website:

Tranax ATM user manuals and basic training manuals are available for purchase through your Tranax Distributor. ATM software is available for download on the authorized distributor and authorized service provider (ASP) sections of this site. In order to access this section you will need your unique username and password given to you after becoming an authorized distributor or ASP.

I am going to try and do a local news style exposé on how easy or hard it is to obtain one of these legally. No, I will not be sharing any information with anyone or doing anything unlawful with the information.


15 Minutes Later

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, it includes:

  • Instructions on how to enter the diagnostic mode

  • Default passwords

  • Default Combinations For the Safe


Update: 9/21/06 3:30AM

Someone was talking about this. I just didn’t hear it. Someone else discussed a methodology they used to find similar issues two days prior to my post. I should know by now to be reading ImmunitySec’s DailyDave mailing list regularly.


Update: 9/21/06 10:50AM

We hate moderating comments. We’re happy to host comments that say this is all an elaborate hoax and that we’re just attention-seekers. But we’ve made a decision not to publish details about where to find this information; we’re already the web’s #1 source for illicit stereo access for Volvo 850’s.

Please don’t post comments explaining how to find the manual. We’ll have to delete them, and we don’t enjoy doing that.


Update: 9/22/06 2:52PM

There is additional commentary on our blog right here.

78 Comments so far

  • Chris

    September 20th, 2006 3:58 pm

    My initial reaction was that the stories had to be wrong. There is no way that input from the keypad could reprogram the unit, I figured. Silly me.

  • name

    September 20th, 2006 4:47 pm

    Yeah right buddy. *15 minutes later* what a crock of shit. publish it if you actually have it otherwise fuck you!

  • b

    September 20th, 2006 5:32 pm

    LoL to previous comment, but he does have a point

  • Social Content Headline News

    September 20th, 2006 5:33 pm

    Built-in ATM Backdoor: Many ATMs have default-passworded admin interface!


  • BTW

    September 20th, 2006 7:26 pm

    Tranax ATMs aren’t the only ones that have security codes that allow you to reconfigure them.

    The first comment on the article that you linked to said “investigators know the only people with these codes work for armored car services”. This statement is totally untrue, as many ATMs are serviced and replenished by the business they are located in. There are three employees at the place I work, that know what the code is to the one located in the lobby.

    I personally do not want to know it, as I am the type of person that would want to take advantage of it. Jail isn’t any fun, either.

  • Jonah

    September 20th, 2006 8:07 pm

    My friend showed me this hack up in Boston probably 5 years ago. Amazing but true, I saw it with my own eyes. The drawback is that the ATM card swiped to make the change is in the system, so you have to be a bona fide bad actor and use a stolen/borrowed card with the full knowledge that whoever owns it is going to get dinged for this. But still a ridiculous feature and easily circumvented by Ed Felten or others smarter than I… And Diebold says “TRUST US” with their voting machines… heh. :D

  • Ben

    September 20th, 2006 8:12 pm

    I agree with the comment calling you a crock of shit. Why even write about it if you won’t share the info. It’s not like you’re really stopping anyone dedicated from finding one, you’re simply annoying them by saying it’s extremely easy to find but look elsewhere.

  • Thomas Ptacek

    September 20th, 2006 8:21 pm

    Ben, “name”, I apologize. On behalf of Matasano, I am authorized to offer you your money back.

  • cheapdaddy

    September 20th, 2006 8:23 pm

    The ATM story doesn’t surprise me. I briefly worked as an alarm technician. The alarm systems have a default or INSTALLER password for when clients don’t want to give their passwords. I was surprised how many people trusted an installer they had never met with their passwords or even used the original default password. Even most vending machines have diagnostic modes that can be accessed by pressing the right button combo or even remotely. My brother made a small fortune retrofitting cigarette machines before they became illegal.

    Most Windows computers are ridiculously easy to reset the motherboard password. I boot all my computers from a server which checks the time on the mobo and refuses to boot the machine if the time is off by more than a few minutes. Sometimes the lithium battery dies and the mobo forgets its settings. Any IT dept. could install security to prevent access if it cared to do so.

  • Josh Daymont

    September 20th, 2006 8:43 pm

    Ben,

    Matasano won’t stoop to your level so I will.

    You are an idiot.

    Why? See your above comment.

    I rest my case.

    Josh

  • Reginald

    September 20th, 2006 10:36 pm

    Who cares about the motherboard password? just pull the drive…

    As to codes yes, there was one on youtube. I can do it and it works with all coke machines. It’s either 1-3-2-4 or 2-3-4-1 as in, the drink selection buttons, and it drops you into a diagnostic menu where you can see items bought, costs and shit.. I never found out how to get free pop because it was in plain view and meddling with it for more than a few minutes wasn’t fun. The change return is ESC if you get nervous and have to log out.

  • Reginald

    September 20th, 2006 10:38 pm

    4231

    http://hackedgadgets.com/2006/06/27/hacking-coca-cola-machines/

    Well it could have been one of four options lol.

  • Wired

    September 20th, 2006 11:06 pm

    LOL. The guy on Wired found it in a few seconds.

  • Ruddiger

    September 21st, 2006 2:11 am

    >> Yeah right buddy. *15 minutes later* what a crock of shit. publish it if you actually have it otherwise fuck you!

    I second that.

    Or at the very least tell us how you got it.

  • Nz

    September 21st, 2006 2:34 am

    cheapdaddy,

    Nice try, but anyone who has actually seen the inside of a PC knows the BIOS password has nothing to do with any installed OS.

    And anyone that has actually worked with PCs (like you pretend to do) knows that you can reset the password (and all other bios settings) by flipping the CMOS Clear jumper, which is clearly labeled on most motherboards.

  • toby

    September 21st, 2006 2:59 am

    Yeah! Just because you’ve published a huge number of papers and in-depth discussions of vulnerabilities isn’t any reason for us to believe you actually did this!
    If you aren’t going to give us detailed instructions on how to get a copy ourselves then I want my money back too! With interest!

    “Worst Episode Ever”
    -Comicbook guy

  • Danny

    September 21st, 2006 7:42 am

    Lol…. Wahhh! You won’t give me detailed instructions on how to hack an ATM.

    Grow up you script kiddies and try figuring it out yourself.

    /Go take something apart and learn how it works some time…. and get off my lawn….

  • jash

    September 21st, 2006 8:32 am

    all of you nubs that are saying he didn’t do it, and want instructions on how to get the manual are just mad that you don’t have it. if you were really worth anything you would stop asking for everything to be handed to you on a silver platter and actually do something for yourself.

    god forgive me for even reading the comments, let alone making a comment myself.

  • ML

    September 21st, 2006 8:34 am

    What you have here is someone familiar with ATM installations. Regardless if it is a TRANAX, TRITON, TIDEL or any of the other models, it is easy to do this…..IF you know the password.

    This is one reason the merchant or installer should NEVER leave the ATM master password at default. This guy can also be an ATM installer…..and has a record of the new passwords that were put in the ATM, therefore making it very easy for him to do this.

    It is unlikely that any buffoon off the street would be doing this.

  • Chris

    September 21st, 2006 9:00 am

    I used to work at an Indian casino in the vault. We had 7 ATMs there that I serviced and refilled every night I worked. I knew the codes to all of them and could, if I had wanted to, reprogram the ATMs to think they had any dollar amount in the cassette. All without opening the ATM, just from the keypad.

  • Guest

    September 21st, 2006 9:31 am

    This is why hardware-access switches are a must. “What you know plus what you have” is a good rule of thumb. For some machines, such as vending machines where only the money-collector will be doing maintenance, the door-open or door-key-turned sensor can be the switch. In others, such as an ATM, an ATM card unique to the machine or password-that-changes-every-minute code-generator can substitute for a door-opening key.

  • Landon Lewis

    September 21st, 2006 10:10 am

    Took me about twenty minutes to find it. Unbelievable.

  • TC

    September 21st, 2006 10:35 am

    Holy cow batman:

    Less than 5 minutes.

    I kid thee not :-(

  • ixyk

    September 21st, 2006 10:43 am

    it took me less than 2 minutes to find a copy of this manual…

  • LonerVamp

    September 21st, 2006 10:49 am

    FYI, all of this is not new information, really. These attacks have been around for ages. Similarly, any sort of stationary electronic has been explored similarly. Do a search for videos on hacking programmable construction signs, for a popular one.

    The concepts are simple. Devices need to be configured such that a simple operator can install and/or use them. Manuals are kept on site, default passwords rarely changed (or if they are, are sometimes written inside the operator’s panel), and information on how to use the device kept secret as much as possible. Barring this obscurity, the only other real protection has long been a simple lock and the good conscience of regular people.

    Likewise, many curious people have gotten hands on devices like old ATMs and such (illegally or not) and have tinkered and poked at them enough to publish their findings as well. Or just buy an operator some drinks and start asking the questions.

    This is all about as old as phreaking and ATM machines themselves. However, hopefully this publicity changes some policies (corps really only respond to economic pressures…).

  • xrayspex

    September 21st, 2006 11:20 am

    Seems like a lot of huzzah over nothing. I have a friend who was a locksmith for many years. According to him, about half of the people who locked themselves out of their safe (and thus called him) had left the combination set at the factory default. Stupid is what stupid does. Or something like that.

    I wrote software for ATM machines for 6 years, so I have my own perspective on all of this. It’s just like any other system which must be a) secure and b) usable by a variety of people. As part of my job I occasionally handled telephone support for ATM owners. Most of them were decent folks. Not too many of them were rocket-scientist types, however. In fact, a sizeable percentage didn’t speak enough English to be coached through even simple procedures. So what are the ATM manufacturers going to do? Secure it to the max, but frustrate technologically unsophisticated owners? Well, you COULD do that. Or you could make it simple(r) to use, and provide ADEQUATE security that does, unfortunately, require some extra diligence on the part of the operators. Nothing requiring an engineering degree; just common sense and the ability to read a bold sentence in the manual which says something like “CHANGE THIS PASSWORD”. Seems to me to be a little like those notices on an automobile radiator that says “don’t stick your hand in this moving fan”, or on a gas can that says “warning: this is flammable”. But, well.

    There are a lot of ways to be dishonest. This particular scheme isn’t really noteworthy except that everybody goes gaga when they hear that an ATM machine is involved.

    The company I worked for had a couple of thousand machines out in the real wicked world, and AFAIK none were ever compromised. We did have several snatched out the front door on the end of a chain dragged behind a pick up truck, though. That was the real-world problem most ATM owners actually worry about (and deal with.)

    Nothing to see here. Move along.

  • anonymous coward

    September 21st, 2006 11:27 am

    ixyk:

    I got it in 22 seconds. And 13 of those, I was distracted by a porn link.

  • Thomas Ptacek

    September 21st, 2006 11:27 am

    xrayspex: I couldn’t possibly disagree with you more, but that’s still one of the best comments we’ve gotten this month. Thanks for writing it.

    You’re laying out a microcosm of the whole problem of information security. End-users will not educate themselves about security; they are too busy managing the cooling rods, trying cases in front of the Supreme Court, and repairing gall bladders. So the challenge vendors face is amplified: they can’t take the easy route and “secure everything to the max”, and they can’t leave everything wide open.

    What’s left in between? Finesse.

    There’s a whole other post you could write about simple mechanisms these ATMs could use that would not substantially increase end-user frustration but would make these attacks a lot less likely. The meta-lesson is that “security usability” is drastically underrated; “security usability” has less to do with human interface design and more to do with security engineering done under heavy constraints.

  • ATM Hack Uncovered.

  • tom

    September 21st, 2006 12:33 pm

  • Chris W.

    September 21st, 2006 12:58 pm

    For some manufacturers, default master password information is generally available in their user manuals. They put in big warnings that it be changed but of course that isn’t always done.

    Here is an obvious google query so I am not posting a URL.

    http://www.google.com/search?q=user-manual+site%3Atritonatm.com

    -Chris

  • Chris

    September 21st, 2006 2:21 pm

    Of course ATM owners will be stupid and not RTFM.

    Of course ATM users want a system that is easy to use after 15 beers.

    Of course ATM manufacturers don’t want to field a buttload of “Duh…I forgot the password” support calls, or lose sales to the other guy who makes a noticeably cheaper box.

    Tom’s right — simple, obvious stuff can still help here:

    One manufacturer makes it so that if the master and admin passwords are identical then the ATM won’t do all the good stuff 37337 hax0rs want. Why not also check that the values are not the defaults?

    If the concern is that recovery is impossible if the owner gets hit by a bus, then how about adding $1.50 to the cost of each ATM and storing the values in a module which is inside the “vault”? How about giving the owner the chance to print the passwords (with big letters saying “If you leave this in sight you are an idiot who deserves whatever he gets”)?

    How about giving each box random PWs, and supplying a card with what those values are, AND doing any of the above?

    None of these measures is perfect, but any of them is better than shipping a box full of money that can be opened, more or less, by typing “password”.
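An added example (not part of Chris's comment, and not code from Tranax or any ATM vendor) of the three checks suggested above: refuse management functions while any password is still a default or duplicates another, and provision each unit with its own random passwords. The role names follow the Operator/Technician/Master levels described elsewhere in the thread; the default values, function names and the `change_passwords_only` state are assumptions made for illustration.

```python
import hmac
import secrets

ROLES = ("operator", "technician", "master")
MIN_DIGITS = 6  # assumed policy minimum for a numeric keypad passcode

# Constructed placeholder values for illustration; not any vendor's real defaults.
FACTORY_DEFAULTS = {"operator": "111111", "technician": "222222", "master": "333333"}


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison, so timing does not reveal matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())


def credential_problems(configured: dict, defaults: dict = FACTORY_DEFAULTS) -> list:
    """Return a list of policy violations; an empty list means the unit is acceptable."""
    problems = []
    for role in ROLES:
        value = configured.get(role, "")
        if not (value.isascii() and value.isdigit() and len(value) >= MIN_DIGITS):
            problems.append(f"{role}: must be at least {MIN_DIGITS} digits")
        elif any(_equal(value, d) for d in defaults.values()):
            # Reject every shipped default, whichever role it belonged to.
            problems.append(f"{role}: still a factory default")
    for i, first in enumerate(ROLES):
        for second in ROLES[i + 1:]:
            a, b = configured.get(first, ""), configured.get(second, "")
            if a and _equal(a, b):
                problems.append(f"{first}/{second}: identical passwords")
    return problems


def management_access(configured: dict, role: str, entered: str,
                      defaults: dict = FACTORY_DEFAULTS) -> str:
    """Decide what a keypad login unlocks.

    "denied"                -> wrong password or unknown role
    "change_passwords_only" -> password correct, but the unit violates policy,
                               so the only function offered is changing passwords
    "full"                  -> password correct and policy satisfied
    """
    stored = configured.get(role, "")
    if role not in ROLES or not stored or not _equal(stored, entered):
        return "denied"
    if credential_problems(configured, defaults):
        return "change_passwords_only"
    return "full"


def provision_unit(digits: int = 8, defaults: dict = FACTORY_DEFAULTS) -> dict:
    """Generate per-unit random passcodes (the values that would go on the card)."""
    if digits < MIN_DIGITS:
        raise ValueError("digits is below the policy minimum")
    while True:
        candidate = {r: f"{secrets.randbelow(10 ** digits):0{digits}d}" for r in ROLES}
        # Retry on the rare collision with a default or between roles.
        if not credential_problems(candidate, defaults):
            return candidate


if __name__ == "__main__":
    as_shipped = dict(FACTORY_DEFAULTS)
    print(credential_problems(as_shipped))
    print(management_access(as_shipped, "master", FACTORY_DEFAULTS["master"]))
    unit = provision_unit()
    print(management_access(unit, "master", unit["master"]))
```
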

  • tom

    September 21st, 2006 3:51 pm

    hm, Kind of worrying, I mean it just seems too easy to get the information.

    I always think that a mixture of physical security and software is needed, e.g. you need a key to add money to the machine, why don’t you need a key to enter the setup of it ( + a password), how hard is it to say, enter your key, then enter your password, would also work to have the keyhole positioned away from the screen e.g, on the floor.

    “hello Mr customer, why are you bending down round the back of my ATM, oh you are inserting the security key, I think the police would like to know about that…”

    Surely it can’t be that hard to program in a method to make sure that the default password is different for each machine, if wordpress can do it (which they do), why can’t a manufacturer of ATMs do it?

    oh well, strange how it doesn’t surprise me that much…

  • Ralph L.

    September 21st, 2006 4:24 pm

    Chris W.,
    I’m shocked and appalled at the obvious gall you possess with posting google search links. You and your l0pht ilk have been promoting research and learning for too many years now! When will it all end? Please do better next time and just post: “http://www.google.com” and leave it as an exercise for the expert search geeks.

  • grey

    September 21st, 2006 4:31 pm

    So, with regards to xrayspex’s quip about safes and default combinations. In _Surely you must be joking Mr. Feynman_ this is discussed a bit in a chapter on his lockpicking adventures while working on the A-bomb. He had found a technique to simplify the notion of guessing a combination on a password, but a new general, locksmith and safe were brought once which no one knew the combo to. The locksmith opened it miraculously, and when Feynman and he later had an exchange trading tricks of the trade, while Feynman had actually been developing some lockpicking techniques, the locksmith just used a default combination which had never been changed.

    By the way just because it’s common practice, doesn’t mean it’s not absolutely wrong and stupid. It’s much more a case of ‘locks on doors only keep honest people honest’ just putting up a show for those who don’t care to subvert things, while those who do find it stupefyingly easy.

    Oh, one other nice bit from that chapter - Feynman tried to work with his superiors to get them to switch safes or report the weakness to the safe vendor. Their response? “Keep Feynman away from your safes!” Glad to know smart guys have been slain messengers long before I was born. A great read for this, and many other stories, quite a few of which discuss crappy security in what should’ve been the highest security facilities in the world at the time.

  • roboknave

    September 21st, 2006 5:08 pm

    To everyone that says this is BS: You’re wrong. I too obtained the said manual in less than 15 minutes. About 5. No, I won’t post anything for the script kiddies either. I will say that the manual contains very detailed information on the master operator interface, does contain default passwords, the default passwords are what you’d expect to see as defaults (i.e. lame and should be changed immediately), shows detailed info on how to use the keys and what screens should appear, and I would expect that EVERY Tranax machine should be disabled for “service” to update these default passwords so that the script kiddies reading this can’t go out and steal a machine’s cash. The only thing I can say is at least the guy who pulled this off didn’t need to carry a gun.

  • name

    September 21st, 2006 5:52 pm

    How many years in jail if you get caught?
    Could you get a job with an ATM company after you got out?
    Most high tech or IT departments require a background check.
    Just some thoughts.

  • Tech Gadgets

    September 21st, 2006 6:14 pm

    ATM hack uncovered, financial freedom abounds?

    Filed under: Misc. Gadgets

    You’re probably familiar with the Virginia Beach trickster who reprogrammed

  • |333473|3|_||3

    September 21st, 2006 8:57 pm

    grey, you made a mistake about Feynman. All he told people to do was to shut their filing cabinets when not using them so he couldn’t read the number by twiddling the dial.

    The ATM backdoor is an old hack which people didn’t care about until it got into the news. I am aware of one ATM (well one ATM location), which has been hacked, stolen, or smashed open so many times things are getting ridiculous, but no-one cares.

  • |333473|3|_||3

    September 21st, 2006 9:04 pm

    Traffic Lights are another potential target. In Adelaide they are all controlled by an old P2 box sitting under someone’s desk, linked to the public phone network’s fibre connection. At each of the traffic lights is a P1 running a DOS script which controls the lights. The local units can be over-ridden by commands from the central server (i.e. for the Fire Brigade), and so the units can be hacked by anyone who can connect to the phone network, if they know how.

  • Chris

    September 21st, 2006 9:53 pm

    Over at 27B Stroke 6, Kevin Poulsen is reporting that Tranax (rhymes with Xanax!) is going to require a PW change in the new firmware rev.

    Who says responsible disclosure doesn’t work?

    :^)

  • scalefree

    September 21st, 2006 11:42 pm

    Dave,

    It’s really funny for me to read this story. I found a Tranax 1500 manual on the sidewalk outside my apartment, maybe a year ago. No idea how it got there, there’s no Tranax ATM anywhere near me; sometimes my life is just like that. I’ve been waiting for this story to happen ever since.

    And Tom, don’t ever change.

  • Thomas Ptacek

    September 21st, 2006 11:48 pm

    You can’t control me!

  • Cyberknife

    September 22nd, 2006 12:19 am

    My god this is so idiotic it’s not even funny. I tried to find and almost choked on my soda I was drinking when I had the pdf. file. Then I tried the same theory to another “brand” of ATM and it worked the same.

  • ATM Tech

    September 22nd, 2006 12:24 am

    Okay, I’m an ATM technician and have experience with these machines, so I’ll provide some background on the hack.

    There are three passwords that can be inputted from the keypad:

    1. Operator (guy who fills machine)
    2. Technician (same access with more diagnostic options)
    3. Master (Everything)

    If you want to perform the hack mentioned above, you need the Master password, which is obviously pretty easy to get. I’ve seen armored car rent-a-cops on $12/hour use the Master password for simply filling the machine.

    All passwords will give you access to the ATMs electronic journal which shows the last x000 transaction. When you wipe it using the “Clear Journal” option…

    If you’re prepared to spend time reprogramming the machine to dispense $20s when it thinks it’s dispensing $5s, go ahead. It may make people like the dumb f*cks who run the machines I service start taking things seriously.

  • GlenO

    September 22nd, 2006 2:32 am

    I like the one about traffic lights. Years ago I worked in Beijing for a while, on the way from the pub one night I noticed the door to the traffic light controller was unlocked so we switched it off and sat back to watch the fun. Sure enough we were rewarded after a couple of minutes.
    Best thing though was the next night it was still unlocked.
    Stupid is as stupid does!

  • Chris

    September 22nd, 2006 8:27 am

    ATM Tech
    If the thief had used the “clear journal” option would there be any way to trace who had done this?

  • NightStalker

    September 22nd, 2006 12:48 pm

    It is hilarious, I found the master password in 5 minutes after skimming through the .pdf, and it’s as easy as the coke machine hack.

    Is there a way to make the ATM think you never got any cash out, before it writes your card balance/limit to the card, like the pre-1989/1979 ATM glitch?

    As I understood the manual, clearing the journal just “audited” the entries, didn’t erase them. Is there a way to erase the entries?

    Can you “load” the bill-transporter, and THEN purge it? Would make for a hell of a way to get money without having to insert a card.

  • slavo

    September 22nd, 2006 12:54 pm

    And doesn’t anyone have a manual for Slovak ATMs too? :))

  • jack-

    September 22nd, 2006 4:18 pm

    fuck yourself with your pathetic blog and die…

    don’t give advice for the machine operators you fool because I can’t use these passwords then, I’m sick of kiddies like you who believe they are big hackers and do social things like this, fuck man…
    you are nothing more than a pathetic [expletive removed], people like you screw the internet, thanks.

  • NightStalker-

    September 22nd, 2006 5:14 pm

    You’d better not be talking to me, [wah!]

  • jack-

    September 23rd, 2006 11:17 am

    yeah then what? I will skin your [wah!] after I [wah wah!] her then I put a shotgun to your [wah wah wah] and rip off your [wah!] head, after that I torture and [wah wah wah wah] your whole family if you open your mouth again [wah!]…

  • retards

    September 24th, 2006 5:37 am

    why are you all so surprised?

  • NightStalker-

    September 24th, 2006 10:22 am

    jack, [wah!] your mothers [wah! wah!].

  • Ma petite parcelle d'Internet...

    September 24th, 2006 2:58 pm

    When the ATM loses its marbles…

    An ATM that can be reprogrammed to hand out $20 bills in place of $5 ones, just by tapping on the keypad, can you believe it? Yet that is what happened recently in Virginia, in the United States.

  • halfkoreanstudmuffin

    September 24th, 2006 9:41 pm

    whoa, that’s one clever sonofabitch! lol.

  • [Wah!] Jake's Mom

    September 25th, 2006 10:47 am

    Hell yes I believe it, in fact the woman who issued me my first VISA card, took me OUT TO THE ATM, and put the card in, and PRESSED THE KEYS to bring up a SPECIAL MENU, in which she ACTIVATED MY VISA.

  • ATM Tech

    September 26th, 2006 1:35 am

    @ Chris,

    Yes, you can still get hold of a copy of the TRANSACTION journal from the switch which links the bank’s computer to the ATM.

    However, the transaction journal does not include terminal-only entries like power on/off, change of receipt layout or changes to passwords. Dial-up machines like the Minibank only communicate with the switch (and bank’s computers) when there is something “interesting” happening, like a request for cash to be dispensed.

  • mrskin

    October 1st, 2006 1:53 am

    This reality stuff is scary.

  • Chico

    October 2nd, 2006 9:04 am

    For all those who have “found” the manual. Isn’t there a switch that needs to be flipped before you can enter the “Master Password”? I serviced many different types of ATM machines, and they all had a service switch/key that was located under a locked hood on the stand alone models or in the rear of the machine on the through the wall models. This switch needed to be activated before anyone could go into diagnostic or programming modes. I think there is more to this story that is being left out. Perhaps the armored car company, left the machine in service mode, or the thief did more than just enter a password.

  • Chico

    October 2nd, 2006 9:34 am

    Wow, I found out for myself. The manual is out there still, but you have to view it as HTML, to get the cached version of it. What a piece of Garbage. I remember seeing the prototype of the Tranax at the BAI trade show in Dallas somewhere around 1999. It’s a real Rube Goldberg contraption. I believe this thing was developed in some guy’s garage. It cannot be compared to the real ATMs that are made by Diebold, NCR, and Fujitsu which are remarkably secure and reliable.

  • The Lazy Genius

    October 2nd, 2006 3:26 pm

    ATM Hack Uncovered *Working Link Update*

    A security expert in New York has learned how to get free money from
    some ATMs by entering a special code sequence on the PIN …

  • Blank

    October 7th, 2006 5:02 am

    With everyone wanting to get ahold of the manual now, it raises a question since I received mine in about 2 minutes.

    Am I the only one with access to Google?

  • Dan Walter

    December 29th, 2006 11:23 pm

    Mmmmm… all of this makes me think of the disaster Diebold has going with their electronic voting machine! If it’s electronic you can bet your ‘arse’ someone can manipulate it.

  • FBI

    February 3rd, 2007 11:30 am

    you are a fucking stupid arsehole nothing but a typical deadbeat scamming bastard just close this site down I’ll report you son of a bitch to the FBI for money laundering and fraud you’ll get 10 years
    I have copied this website for proof and have your IP address and address details and that’s all proof they need to arrest your scamming arse , just a reminder when you’re in prison don’t drop the soap

  • Thomas Ptacek

    February 3rd, 2007 11:38 am

    I’m so sorry!

  • Dan Walter

    February 9th, 2007 8:00 pm

    “FBI” needs to take advantage of our public school system before he (she?) makes any sort of legal declarations. “DUH” would be a better handle. :O/

  • ATM Guy

    March 22nd, 2007 2:16 pm

    I work on and program these machines every day.

    There is a fact you are missing. You can program whatever denomination of bill you want into the machine, however the processor the machine dials into and connects to has to have the matching amount programmed in. If it is set at the processor server end to $20, you can enter $5, $10 whatever the hell you want, it still knows it should have $20’s in it.

    The average layman or even medium tech aware can do little more than screw the machine up by going into management and playing with settings.

  • ATM Guy

    March 22nd, 2007 2:20 pm

    > What a piece of Garbage. I remember seeing the prototype of the Tranax at the BAI trade show in Dallas somewhere around 1999. It’s a real Rube Goldberg contraption. I believe this thing was developed in some guy’s garage. It cannot be compared to the real ATMs that are made by Diebold, NCR, and Fujitsu which are remarkably secure and reliable.

    The Tranax machine is by far the best 3rd party bank machine made. It is professionally made, well designed and operates flawlessly. We operate a large number of these. I would rather own these than the others you mention, which I have also worked on.

  • Dan Walter

    March 29th, 2007 5:27 pm

    What is this blog about? I scroll and find a bunch of kids making asinine threats to one another. Are any of you nitwits older than say 13?

  • Thomas Ptacek

    March 29th, 2007 5:32 pm

    Yes. But not by much.

  • yaknivek

    June 16th, 2007 11:23 pm

    This scam works in the UK, but only on the American-type ATMs. People say this doesn’t work; it does. If it was non-reprogrammable then it would be useless, because what if the time would alter, then it would have to be changed back.

  • Alex

    September 1st, 2007 6:30 pm

    There are strict policies and security procedures regarding ATM installation & operation, which when followed properly make this 100% impossible.

    Unfortunately, the amount of white-label ATM operators who don’t follow them is growing. (For example, to enter the secret master keys to connect to the network you are supposed to have TWO separate people enter codes which get mailed to the company in two separate envelopes and they should not be entered at the same time, and they should be destroyed as soon as they are entered... and companies send one guy to install the ATM all the time, sigh)

    To make matters worse, some of the newer ATMs do allow you to enter a service menu without opening the ATM or doing anything more suspicious than entering a few codes in the keyboard and a numerical password. (Not that opening the ATM for half a second and closing it (say on an MCD-2) is all that difficult to begin with, at least if you’re an ATM technician and have master keys..., but seriously, what were people thinking when they removed this?! And the older machines even required you to open it ALL the way up AND flip a switch inside it to enter supervisor mode (MCD-1))

    The only good news is that only the owner of the stolen card who failed to report it stolen (only someone mental would use their own ATM card) OR the silly ATM owner will incur the losses if you simply reprogram the denomination of bills inside the machine. So this means non-moronic ATM providers and users are perfectly safe.

    PS: Erasing the log only erases it on the machine. The network still has copies of all transactions.

  • Get a Job

    September 5th, 2007 2:19 pm

    Alex and ATM guy are both correct. As an ATM tech, there are lots of back-end procedures that keep idiots like you from stealing from an ATM.

    Yes, you can change the denomination at the terminal, but unless it is also changed on the processor’s end then you’ll still be charged the full amount of your withdrawal. Go ahead and put your card in nub.

    And how about this? Instead of feeling like it’s your right to scam the IDIOTS who build and run these ATMs, get a job and contribute to society. The only reason we need the type of security currently found on ATMs is because of worthless two-bit hacks such as yourselves.

  • ATM Tech

    November 14th, 2007 1:54 pm

    OK, just to clarify some of this, I am a head tech for one of the country’s largest ATM distributors, so allow me to clarify.

    1) If you change the denomination, yes you get away with it, you do NOT have to make a change at the host as the previous poster suggested (that only applies to surcharge, not to dispensed amount).

    2) All currently manufactured ATMs REQUIRE that you change the master password to the ATM. The passwords they’re using to “hack” these are defaults that the ATMs ship at, and for the longest time you didn’t have to change them and many people just left them. All current software versions require a password change.

    3) Unless you’re using a card generator you can get caught very easily doing this, and most people that try this do get caught. It is possible to look at the changes made on the ATM, and when you see the denomination changed, then somebody pulls a load of cash, you just track that card number.

    4) There is NOT a magic back door, it’s just that most people are lazy and don’t want to make any changes they don’t have to make.
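
The check described in point 3 of the comment above (find the denomination change in the ATM's records, then track the cards that withdrew afterwards), sketched as an added example that is not part of the original thread. The journal format, field names and sample records are constructed for illustration, and the sketch assumes each card is charged only the requested amount.

```python
from collections import defaultdict

# Constructed journal records (assumed format; real ATM journals are vendor-specific).
SAMPLE_JOURNAL = [
    {"ts": "2000-01-01T21:02", "type": "WITHDRAWAL", "card": "****1111", "requested": 40},
    {"ts": "2000-01-01T21:40", "type": "CONFIG", "field": "denomination", "old": 20, "new": 5},
    {"ts": "2000-01-01T21:43", "type": "WITHDRAWAL", "card": "****2222", "requested": 100},
    {"ts": "2000-01-02T09:15", "type": "WITHDRAWAL", "card": "****3333", "requested": 20},
    {"ts": "2000-01-10T10:00", "type": "CONFIG", "field": "denomination", "old": 5, "new": 20},
    {"ts": "2000-01-10T10:30", "type": "WITHDRAWAL", "card": "****4444", "requested": 60},
]


def reconcile(journal, loaded_denomination):
    """Flag withdrawals made while the configured denomination differed from
    the notes physically loaded. Assumes the journal starts in a correct state."""
    configured = loaded_denomination
    changed_at = None
    findings = []
    excess_by_card = defaultdict(int)
    for ev in sorted(journal, key=lambda e: e["ts"]):
        if ev["type"] == "CONFIG" and ev.get("field") == "denomination":
            configured = ev["new"]
            changed_at = ev["ts"] if configured != loaded_denomination else None
        elif ev["type"] == "WITHDRAWAL" and changed_at is not None:
            # The terminal counts out notes using the configured value,
            # but each note is really worth the loaded denomination.
            notes = ev["requested"] // configured
            excess = notes * loaded_denomination - ev["requested"]
            findings.append({"ts": ev["ts"], "card": ev["card"], "notes": notes,
                             "excess": excess, "config_changed_at": changed_at})
            excess_by_card[ev["card"]] += excess
    return findings, dict(excess_by_card)


if __name__ == "__main__":
    findings, totals = reconcile(SAMPLE_JOURNAL, loaded_denomination=20)
    for f in findings:
        print(f)
    print(totals)
```

The first entry in the findings list is the first withdrawal after the configuration change, which is the card number an operator would trace first.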

  • Dave

    January 12th, 2008 2:10 am

    Guys, I have worked with Tranax extensively and I can tell you this, it is very easy to reprogram an ATM to give out lower denominations than are in it, if you have the password; however, most people do change those passwords, but I have found many that are the standard factory default passwords. I’m not sure about the current Tranax model but from the 1500 series down you can leave factory passwords in.

    OK, so here is where everyone says great, but you have to find one with factory password or know the password to make the denomination changes. True, but there is a back door. I won’t tell you the specifics, but for the service tech that answered above, address this one: what if someone clears the NVRAM? Now the passwords are reset but the master keys still reside within the ATM.

    Thanks,

  • Dave

    January 12th, 2008 2:13 am

    Sorry, one clarification: this would apply to a Visa upgraded ATM, but most old ones are Visa key pad upgraded. The reason is that the passwords reside in the motherboard and the master keys are now in the Visa key pad, which means you can reset the motherboard independent of the Visa master keys.
    Thanks,

  • Mussa

    February 17th, 2008 6:09 pm

    Just a quick question, I’ve heard that Wincor now have a sensor that detects any foreign object like a skimmer and shuts down the ATM. Does anybody know how long it takes for it to detect anything and how can one tell if it has those sensors, because I know they are optional.
