ATM Security Roundup

Dave G. | September 22nd, 2006 | Filed Under: Uncategorized

Ryan Naraine and Kevin Poulsen both have excellent coverage of this, and disclosed how they obtained copies of the manual. I had made a decision that I didn’t want to be directly distributing the details of this. However, the cat is out of the bag: the manuals are online and can be found with Google. This isn’t specific to Tranax. It isn’t even specific to ATMs.

This is not the only way a manual or the credentials can be obtained. Already, a reader mentioned in the initial blog post that they found one outside their apartment:

It’s really funny for me to read this story. I found a Tranax 1500 manual on the sidewalk outside my apartment, maybe a year ago. No idea how it got there, there’s no Tranax ATM anywhere near me; sometimes my life is just like that. I’ve been waiting for this story to happen ever since.

That is not to say that it is trivial to obtain. It really isn’t even the point. Default password information is essentially public knowledge.

And I am hardly the first person to have found this. Neither is the person in Virginia (assuming the ATM machine still had default passwords). A joint bulletin was issued by Global ATM Security Alliance and the ATM Industry Association in Feb 2005. It read (in part):

In our continuing efforts to minimize risk exposure for our members, we are providing the following information about ATM master passwords. As we all understand, ATMs, in the vast majority of cases, are initially distributed from the factory with master passwords pre-set.

Recently, we have been advised of situations in which Master Passwords for ATMs have been compromised, either by not having these changed from the initial factory settings, or by allowing this information to be available to individuals other than the ISO/ATM deployer directly responsible for the installation.

In these examples of fraud, unknown suspect(s) gained access through the master password and reprogrammed the cassettes to lower the cash dispensing denomination indicated below the required denomination, resulting in cash losses to the deployer.

The fascinating thing about this is how many people that manage or have managed ATMs

This is an issue that needs to be addressed by both sides:

  • ATM manufacturers should make it harder for people to leave the default passwords in place.

  • ATM Owners need to make sure their passwords are secure.
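As an added illustration of the manufacturer-side half of that (example code written here, not anything from Tranax or from this post): a model of an ATM operator mode that keeps the cassette-denomination function, the one the 2005 bulletin says was abused, locked and the machine out of service until the factory default master password has been replaced with a non-default one. The default value, the lockout threshold and the class name are constructed placeholders.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT_MASTER = "000000"   # constructed placeholder, not a real vendor default


class AtmOperatorMode:
    """Operator functions stay locked, and the ATM stays out of service,
    until the factory default master password has been replaced."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._digest(FACTORY_DEFAULT_MASTER)
        self.default_in_use = True     # set at the factory, cleared on first change
        self.denomination = 20         # cassette value the 2005 bulletin says was altered
        self.failed_attempts = 0

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _authenticate(self, password):
        if self.failed_attempts >= 3:
            raise PermissionError("operator mode locked; key-holder reset required")
        if not hmac.compare_digest(self._digest(password), self._hash):
            self.failed_attempts += 1
            return False
        self.failed_attempts = 0
        return True

    def change_master_password(self, current, new):
        """The only operator function allowed while the default is in place."""
        if not self._authenticate(current):
            return False
        if new == FACTORY_DEFAULT_MASTER or len(new) < 6 or len(set(new)) == 1:
            raise ValueError("new master password is the factory default or trivially weak")
        self._hash = self._digest(new)
        self.default_in_use = False
        return True

    def set_cassette_denomination(self, password, value):
        if self.default_in_use:
            raise PermissionError("factory default master password still set; ATM out of service")
        if not self._authenticate(password):
            raise PermissionError("master password rejected")
        self.denomination = value
        return value

    def in_service(self):
        return not self.default_in_use
```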

6 Comments so far

  • LonerVamp

    September 22nd, 2006 2:47 pm

    Really, this is a years-old issue, pretty much as old as ATM machines, honestly, and has been a known problem.

    There are reasons phreakers and other curious folk love manuals on technology below and beyond computer systems, such as telephone boxes, lighted construction signs, and ATM machines. In the gap between union operators and IT personnel is that grey area where changing default passwords is not considered and the only defenses are a lock on the box and obscurity through lack of widespread knowledge (i.e. non-widely printed manuals).

    However, until an actual high-profile event gets enough media attention, many people prefer to live with the blissful ignorance of not pondering the “what ifs…” Then again, perhaps this is just a collective progression in having a secure mindset or not trusting fellow men anymore…

  • newsham

    September 22nd, 2006 6:19 pm

    Good thing these guys don't make voting machines!
    Oh, shit! wait! http://www.boomantribune.com/story/2006/9/21/15233/0027

  • Thomas Ptacek

    September 22nd, 2006 6:36 pm

    I don’t buy it. Too risky. Throwing an election would end Diebold. Directors charged with treason.

    I’m with everyone on the voting machines thing. I just think these patches were to fix broken unreliable bad machines.

  • Daniel Veditz

    September 22nd, 2006 6:50 pm

    I suppose these things really do have to ship with a default or blank password, but couldn’t they prevent the machine from doing any banking transactions until it had been changed?

    I’ve had many accounts over the years that functioned this way, where the password protected things far less valuable than big wads of cash. I guess the problem is that the big wads of cash don’t belong to the organization (ATM manufacturer) handing out the passwords.

  • izzy

    September 24th, 2006 10:11 am

    ATMs that can be reprogrammed through the keypad alone are ridiculous. In Japan all of the ATMs require you to open it up with a key and program it from the inside. (Of course that doesn’t stop people here with access to cranes or other large machinery.) I have no sympathy for these manufacturers who obviously did not put any thought into the security of these machines. I say go ahead and publish the manuals.. make it into a big fuss and then hopefully it won’t happen again…

  • John

    May 6th, 2007 5:12 pm

    Being in the ATM business myself, I find it astonishing how many individuals forgo security for convenience!
