Googling for ATM Master Passwords

By Ryan Naraine  |  Posted 09-21-2006
Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States.

Following up on a CNN report out of Virginia Beach, Va., here as a YouTube video, that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.

Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual—which contains master passwords and other sensitive security information about the cash-dispensing machines—but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack.

Goldsmith, a respected researcher who co-founded @Stake and previously led Symantec's Security Academy, said he traced clues from the video to identify the make and model of the ATM, a Tranax Mini-Bank 1500 Series, and started an experiment to see how easy it would be to legally obtain an operator manual.

In an interview with eWEEK, Goldsmith said he first dug around on Tranax Technologies' Web site and found a knowledge base article that mentioned that the ATM is programmed with passwords that can be found in the operator's manual.

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched," Goldsmith said.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company's Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

Read the full story on eWEEK.com: Googling for ATM Master Passwords