ATM Hacking

Bruce Schneier reports today on a great future crime story in which the culprit uses an unchanged administrative password to reprogram an ATM to think it holds $5 bills instead of $20 bills. There are a couple of interesting aspects to this story. First, the attack exploits a well-known security flaw that remains an unbelievably common practice in a variety of settings: failing to change default passwords. Second, the attack doesn’t require the system to be altered; rather, it uses the correct operation of the system (the Tranax Mini-Bank 1500 series) as part of the attack.

Another interesting aspect of this story is that it illustrates the tension between competitive business practices and security. Tranax has been trying to use innovative business practices to become more competitive in the ATM business, and these very practices may have enabled or aided this attack. This article from ATM Marketplace describes how Tranax is trying to make it as easy to order an ATM as it is to get a laptop from Dell. In fact, a quick visit to the Tranax support pages tells you that the default passwords can be found in the printed manual, which you can also order directly from their site. I note that although it’s probably a little harder today to get your hands on a Tranax manual, any legitimate owner of a machine has one. Therefore any legitimate owner, or any employee with access to a manual, could easily try this exploit on any Tranax 1500 machine, regardless of who owned that machine.

Finally, the role surveillance played in discovering the exploit is interesting. While the culprit might have disguised himself and used a nearly untraceable prepaid ATM card to access the machine, the exploit might have gone undiscovered for a long time without the surveillance video showing how it was accomplished.


7 Responses to “ATM Hacking”

  1. therning.org/ magnus » Thought on ATM hack… Says:

    [...] Everyone was talking about tricking an ATM into believing $20 bills were $5 bills. There’s even a clip from CNN on YouTube. But why isn’t anyone pointing out what a bad idea it is to make maintenance functionality fully available via the same UI that customers use? atm, hacking [...]

  2. dangrsmind Says:

    Good point. This sort of thing is often done to save the expense of developing a second administrative interface of course. But this case shows quite clearly why that’s not always such a good idea.

  3. mas6 Says:

    Someone called Th0R
    copied and pasted this article and claims it as their own article without giving credit to this article.
    He’s already famous for his copy + paste skills :)

    check their pages:

    http://z10.invisionfree.com/S_A_T_E/index.php?showtopic=1005

    http://z10.invisionfree.com/S_A_T_E/index.php?showtopic=1058

    They also made a tutorial on jasakom.com (an Indonesian security-related community) and claim that Th0R came up with this idea, without crediting this article.

    check this page: Jasakom – ATM Hacking Tutorial: http://www.jasakom.com/article.aspx?ID=838

  4. cyberspot Says:

    Nice information given by mas6 up there. I found a way to do it and some set of default passwords. It is really insecure for the ATM vendor, or whoever set it up, to leave them like that with all the default passwords.

  5. JepZ Says:

    lol @ mas6
    I’m just wondering what the reason is for:
    “he’s already famoused with his copy + paste skill :)”

    LOL

    Do you HAVE the proof?

    Have you read that page? He even supplied that news with a video from CNN..

    And the other link you gave me, that’s named a tutorial, mate =p

    Another idiot? :)

  6. More Silly ATM Tricks « Future Crime Says:

    [...] to their ATM machines directly in their user manuals. Future Crime readers will recall that I previously reported on a similar issue with the Tranax [...]

  7. A new fraud on the Internet Says:

    A new fraud on the Internet
