Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States.

Following up on a CNN report out of Virginia Beach, Va., available as a YouTube video, that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.

Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual, which contains master passwords and other sensitive security information about the cash-dispensing machines, but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack.

Goldsmith, a respected researcher who co-founded and previously led Symantec's Security Academy, said he traced clues from the video to identify the make and model of the ATM, a Tranax Mini-Bank 1500 Series, and started an experiment to see how easy it would be to legally obtain an operator manual.

In an interview with eWEEK, Goldsmith said he first dug around on Tranax Technologies' Web site and found a knowledge base article that mentioned that the ATM is programmed with passwords that can be found in the operator's manual.

“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.

Officials at Tranax did not respond to eWEEK requests for comment.

According to a note on the company's Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

In the operator manual freely available on the Web site of a Canadian reseller, a section titled “Programming” provides the specific key sequence that will pop up a screen on the ATM that asks for the master password. It then lists three default passwords (master, service and operator) that could be used to hijack and possibly rig a machine. The manual also contains instructions on how to enter the diagnostic mode, how to program the ATM's number keys to spit out cash withdrawals and how to change the passwords to take future ownership of the machine.

“This isn't a vulnerability,” Goldsmith explained. “It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password.”

“If you maintain one of these devices, make sure that you are not using the default password.