ATM Security Roundup
Dave G. | September 22nd, 2006 | Filed Under: Uncategorized
Ryan Naraine and Kevin Poulsen both have excellent coverage of this, and disclosed how they obtained copies of the manual. I had made a decision that I didn’t want to be directly distributing the details of this. However, the cat is out of the bag on manuals being online and accessible by using Google. This isn’t specific to Tranax. It isn’t even specific to ATMs.
This is not the only way a manual or the credentials can be obtained. Already, a reader mentioned in the initial blog post that they found one outside their apartment:
It’s really funny for me to read this story. I found a Tranax 1500 manual on the sidewalk outside my apartment, maybe a year ago. No idea how it got there, there’s no Tranax ATM anywhere near me; sometimes my life is just like that. I’ve been waiting for this story to happen ever since.
That is not to say that it is trivial to obtain. It really isn’t even the point. Default password information is essentially public knowledge.
And I am hardly the first person to have found this. Neither is the person in Virginia (assuming the ATM machine still had default passwords). A joint bulletin was issued by the Global ATM Security Alliance and the ATM Industry Association in Feb 2005. It read (in part):
In our continuing efforts to minimize risk exposure for our members, we are providing the following information about ATM master passwords. As we all understand, ATMs, in the vast majority of cases, are initially distributed from the factory with master passwords pre-set. Recently, we have been advised of situations in which Master Passwords for ATMs have been compromised, either by not having these changed from the initial factory settings, or by allowing this information to be available to individuals other than the ISO/ATM deployer directly responsible for the installation.
In these examples of fraud, unknown suspect(s) gained access through the master password and reprogrammed the cassettes to lower the cash dispensing denomination indicated below the required denomination, resulting in cash losses to the deployer.
The fascinating thing about this is how many people that manage or have managed ATMs
This is an issue that needs to be addressed by both sides:
ATM manufacturers should make it harder for people to maintain default passwords.
ATM owners need to make sure their passwords are secure.

