Programming ATMs to Believe $20 Bills Are $5 Bills

Clever attack:

Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.

He then made off with an undisclosed amount of cash.

No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.

Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.

The man then punched a series of numbers on the machine's keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.

The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.

What's weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they're useful for this sort of thing:

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:
  • Instructions on how to enter the diagnostic mode
  • Default passwords
  • Default Combinations For the Safe

Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.

This is from an eWeek article:

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched," Goldsmith said.

Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company's Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

So, as long as you can use an account that's not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.

eWeek claims you can get a copy of the manual simply by Googling for it. (Here's one on eBay.)

And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what's the likelihood that someone who can't be bothered to change the default password will take the time to install a software patch?

EDITED TO ADD (9/22): Here's the manual.

Posted on September 22, 2006 at 7:04 AM • 82 Comments

Comments

Tim • September 22, 2006 7:49 AM

I worked in the ATM business for a little bit and know for a fact that default keys were used in most of our machines (though I shall not say). What is the point of using a DES key standard when nobody is willing to actually set them? Companies' turnover rate is so high, I just figured they wanted to be sure that everyone had them.

You think this is bad, try taking this same mentality, but this time a change of venue - Computer servers. I am currently rebuilding our entire computer network because he decided to not worry about any bit of security and used defaults on everything. His view - fix the machines when they break.

I am sick and tired of complaining about security when clearly government systems are around that do not even exist on hexadecimal er bit code. I hear of the NSA using large scale networks, at our expense, to spy on Americans, yet we don't get any bit of their computing power, knowledge, or advice. Although we did see SELinux become popular as of late, which I am using by the way, but you would not believe what companies such as Adobe and Microsoft are saying in order to get their crappy applications to work.

Set SELinux to promiscuous mode!!!! DISABLE SECURITY! Ha.

I like you guys on here. You all are pioneers in whatever field, probably serving in an advisor role of some sort. But we all know how it goes. Companies do not care about security and they never will. All they care about is the bottom line. And I will say this until the day I die. All companies that make a profit are corrupt.

Jan Doggen • September 22, 2006 7:57 AM

From now on, whenever I'm in the States, I'm only going to withdraw money from Tranax Mini Bank 1500's ;-)

Anonymous • September 22, 2006 8:03 AM

"From now on, whenever I'm in the States, I'm only going to withdraw money from Tranax Mini Bank 1500's ;-)"

Until, of course, you attempt to withdraw a couple of hundred dollars from the one which some joker has programmed to dispense $5 bills instead of $20 bills... 8)

Danny • September 22, 2006 8:11 AM

Isn't this the same problem that telephone networks suffered from some time ago (in-band signalling)? Why is it even possible to access an ATM's internal system through the PUBLIC keypad rather than through some other non-public interface?

Gareth • September 22, 2006 8:22 AM

... But honestly, what's the likelihood that someone who can't be bothered to change the default password will take the time to install a software patch?

None... until it starts costing them money. Given that it's going to start costing them as more and more people learn how this attack works, it shouldn't take too long, I'd hope.

Niranj • September 22, 2006 8:55 AM

A couple of years back, something on similar lines happened in Mumbai, India. The ATM was disbursing Rs. 500 notes instead of Rs. 100. This was traced back as a problem in loading the money into the ATM.

Andre LePlume • September 22, 2006 9:30 AM

Tranax says a code change in the next EPROM rev will require a change of the default PWs.

Meanwhile, Tranax is far from the only ATM vendor with this exact issue.

Chris • September 22, 2006 9:30 AM

I doubt this attack would be much of a problem at most of the ATMs I use as they only distribute amounts in multiples of $20. If that's the only denomination present in the device, it can't accidentally give me $5s or $10s.

It's been this way for years, most likely as a cost-saving measure to simplify the machine, avoid mistakes loading the wrong magazines, and as a distant third to prevent this kind of attack.

Brett • September 22, 2006 9:43 AM

What has me wondering a bit... it was *9* days before this was found out... how many people who used the machine in the interim just pocketed their 300% "profit" and didn't tell their bank or anything, and are all of those withdrawals getting fixed on bank statements?

Philip • September 22, 2006 9:51 AM

Chris, just because the machine only distributes one denomination doesn't mean you can't tell it that it's been loaded with $5s.

Brinks • September 22, 2006 9:56 AM

I'm sure it would work just fine on a $20 only ATM. You'd just set some configuration parameter to say that the bills in the dispenser are $5s. I imagine one could load the machine with any bill and configure the machine to match or mis-match what is physically loaded. Doing bill verification on output would be a significant expense that competent people wouldn't want to pay for.

Anonymoose • September 22, 2006 10:04 AM

@Brinks:
You could have the bill cartridges "keyed" so there's, say, 4 contacts inside the machine, a stack of 5's shorts pins 0 and 1, 10's shorts 0 and 2, 20's shorts 0, 1, & 2, etc. That way in multi-currency machines you couldn't mis-load the cartridge in the wrong slot--you could load the cartridge with the wrong currency, but that's done more centrally and you could have bill verification there.

dhasenan • September 22, 2006 10:05 AM

How about having machines report when any setting is changed? Then the bank hears about the attack when it happens and can correlate that data to work orders on the machines. Any spurious usage could result in an automatic audit of the machine in question.

Of course, this is no better than a standard alarm, and has the same vulnerabilities.

LazySumo • September 22, 2006 10:07 AM

I used to install Tidel ATM machines. They also had (have) this issue and it's NOT an issue with the machine, seriously, it's not. It's a human issue.

Every time I installed one and trained the owner of the machine I always insisted that they change the passwords as soon as I left the store. Of course, they didn't.

For quite a while I was walking around Texas with a universal access card in my wallet that accessed the program of the Tidel machines. Any machine with a default password could be altered however I wanted to. Fortunately I never did, but I could have.

Again, the way the systems are designed are adequate, it's the humans that are broken and need fixing.

Oh, and for the poster complaining about the access to the system being through the publicly available keypad... think about it... you're going to put a private, internal keypad into thousands of machines knowing that in a best-case scenario that keypad will only be used once at set-up and then maybe 2-3 times per year at most. It's just not economically feasible to do that.

So, as an alternative you come up with a competent security process that promptly gets ignored by the majority of your users. Lovely. :^)

Sticky Fingers • September 22, 2006 10:09 AM

I found some ATM manuals on the web and had a quick look. Most of these devices seem to ship with default management passwords and have diagnostics that can be used to test the cash dispensers.

If anything, I'm surprised this sort of thing doesn't happen more often. Probably there will be more of this sort of attack in the future.

Surely the ATM manufacturers could arrange a mailshot to their customers warning them that they are liable for failing to set proper security.

P.S. I really, really wouldn't advise trying this. I bet the police will soon get whoever attacked the Tranax machine. I also expect future ATMs to be fitted with alarms or something to warn if anybody is trying to get in with a default password. Smart crooks think of new ideas and maybe steal some cash. Dumb crooks copy and get caught.

Fred P • September 22, 2006 10:31 AM

@Lazy Sumo
"Oh, and for the poster complaining about the access to the system being through the publicly available keypad... think about it... you're going to put a private, internal keypad into thousands of machines knowing that in a best-case scenario that keypad will only be used once at set-up and then maybe 2-3 times per year at most. It's just not economically feasible to do that."
- The slot industry has a very similar issue (they are typically designed to accept and spit out single denomination coins where the customer (casino) determines the denomination). The most typical solution was to combine any password entry mechanism (such as a keypad or touchscreen) with a sensor that would only be accessible with a key. It would be presumed that only someone with legitimate access (or someone who could just steal the coins directly, at any rate) would be able to access such features.

Alan • September 22, 2006 10:39 AM

If the guy were really smart, after he made his withdrawal he would have reprogrammed the ATM back to its correct settings. Then his crime may have never been detected.

Craig Hughes • September 22, 2006 11:01 AM

> But honestly, what's the likelihood that someone who can't be bothered to change the default password will take the time to install a software patch?

Oh? Bruce, I thought one of your big things was that when people are financially on the hook for their lax security, then they actually secure things. Aren't the people managing these ATMs on the hook when 3x the cash is withdrawn from them as is recorded? At least until they catch the thief and/or retrace every transaction and debit every account that was paid out from by the missing amount?

Bruce Schneier • September 22, 2006 11:10 AM

"Oh? Bruce, I thought one of your big things was that when people are financially on the hook for their lax security, then they actually secure things. Aren't the people managing these ATMs on the hook when 3x the cash is withdrawn from them as is recorded? At least until they catch the thief and/or retrace every transaction and debit every account that was paid out from by the missing amount?"

True. Good point.

Bruce Schneier • September 22, 2006 11:14 AM

"I doubt this attack would be much of a problem at most of the ATMs I use as they only distribute amounts in multiples of $20. If that's the only denomination present in the device, it can't accidentally give me $5s or $10s."

You're missing the point of the attack. The ATM would be configured to *think* it has $5s when it actually has $20s.

D-Caf • September 22, 2006 11:16 AM

Actually, that's the wrong manual. That's a different brand's manual (though still, that's just another example of another company which is likely going to have issues). There was a copy of the manual for the Tranax available on the web, but it was taken down by this morning. Of course it was still available in HTML format via the Google cache at around 10am EST with the right search terms. Haven't checked to see if it's still there now though.

I see the only time these ATMs get fixed is after the local operator loses a couple thousand from the machines. The fix will only be money driven. I don't even blame the manufacturer that much. The instructions for setting up these machines include locking them down first. Lazy people just seem to ignore this... Sad how common that is.

Mike Schiraldi • September 22, 2006 11:18 AM

The default master password is 1234. Forcing people to change it will probably be mostly worthless, because the kind of people who were still using the default password will doubtlessly just change it to one of the following:

5678
4321
1111
6969

derf • September 22, 2006 11:25 AM

There's almost always a camera pointed directly at the atm. If the log has timestamps, it can be correlated with the video. If you cleverly delete the log, it should still show when it was deleted and correlate that with your mugshot. I just don't see this as being an easy crime to get away with unless you keep the illicit money withdrawals very low.

roy • September 22, 2006 11:30 AM

It is insane that the machine could be reprogrammed from the front panel. Reprogramming, or even testing, should be possible only from a back panel after opening the locked machine and unlocking the back panel.

Lizard • September 22, 2006 11:32 AM

"There's almost always a camera pointed directly at the atm. If the log has timestamps, it can be correlated with the video."

Unless you're wearing a gorilla mask or the classic sunglasses-and-bandana. Most ATM's I see anymore are not in "manned" locations where a clerk can get a good up-close look at somebody doing repeated $15->$60 withdrawals.

D-Caf • September 22, 2006 11:35 AM

It's very easy to get some cheap makeup, a wig and maybe some facial prosthetics, mustache, etc. to disguise yourself. Even colored contact lenses are easy enough. I doubt anyone checks people carefully as they walk up to use the ATMs. Yes it will cost you maybe $200 in supplies and a little time. But you hit say 3 ATMs with a $20-to-$5 ratio of return on say a $200 transaction, you get $800-$200(real cash)-$200(supplies)-$100(time)=$300 profit. Not too bad; repeat for 5 ATMs and you're clearing ~$2700 for a day. Not too bad.

Pat Cahalan • September 22, 2006 11:42 AM

@ roy

> It is insane that the machine could be reprogrammed from the front panel.

I agree.

However, I can easily see someone who knows nothing about security saying, "Code it this way, so that we can sell it as 'easily maintained'."

some dude • September 22, 2006 11:47 AM

D-Caf:

Repeating the crime a total of 15 times leaves you with a pretty good chance of slipping somehow and getting caught, especially if the police really are looking for you. For most people, $2700 for, say, a 5% chance of spending a couple years in jail wouldn't look like all that great a deal. (On the other hand, that's pretty much the kind of tradeoff the low-level drug dealers Steve Levitt was investigating in Chicago lived with all the time.)

Israel Torres • September 22, 2006 11:56 AM

Machines with front panel access interfaces are bound to be compromised by anyone that has a few seconds to spare. We've seen it done on anything from gas pumps, food chains, cafe kiosks, and ATMs. They are made to make things easier for management and repair, except we all know that paying for convenience usually takes a bite out of security and that is just a risk entities that purchase these products are willing to take (whether they know it or not).

Israel Torres

marc • September 22, 2006 11:59 AM

I used to own a Trident 960 ATM (if memory serves me correctly) in a convenience/deli that I sold 3 years back.
At least four years ago a customer, who happened to be a security consultant, told me that this particular model could be reprogrammed to spit out 20 times the amount recorded. If you got past the default password (123456 in this case) you were home and dry and could reprogram it back to the original settings.
Obviously though the journal would have given away the culprit if he was not using a throwaway card (which I don't believe existed then). However, how many people would fess up if they received $400 instead of $20??

Ramriot • September 22, 2006 11:59 AM

What really gets me about this crime is all the other people that must have used the machine over the 9 days it was incorrectly configured, before the "good samaritan" reported the fault.

One wonders if the bank will be pursuing them all for the money back, and if so what defence could they put up if for some reason they were paid out correctly.

I would just like to add that having worked for a short time with a UK bank while on work experience from school, their ATM had the metal contacts and pins that denote currency values on cassettes. Also when I once had to reload the machine after a feed jam (10,000 pounds in a little tight wad), I accidentally swapped the cassettes and was told it was OK as the machine could tell and would still pay out correctly.

Nobby Nuts • September 22, 2006 12:16 PM

What's a pre-paid account where you can buy a card at any number of places? And a throwaway card, for that matter? Don't think we have such a thing on this side of the Pond.

RvnPhnx • September 22, 2006 12:24 PM

The eWeek people seem to have fallen for the same sort of mentality as the standard user who doesn't respect passwords:
"The episode underscores how easy it is to use the power of search engines to find sensitive security information. In the past, Google queries have been used to find security flaws in Web-facing applications, default passwords in Oracle databases and even live malware samples seeded on forums and other malicious sites." (from the linked article above)

Give me a break. Default passwords are not and should not be considered "sensitive security information" (unless you are the emperor who has lost his brains). They are what is needed to configure the machine when it shows up so that it can be secure. Now, I will grant that sending out each machine with a sticker on the inside cover having that machine's specific default password on it might sound better, but in reality it isn't much better at all. It is a band-aid, and a dangerous one at that. In fact, it could lead to a higher failure rate of newly delivered machines (the sticker fell off?)--which is reason enough for manufacturers to not usually use this method of setting a default entry code.
As to the rest of EWeek's statement, I would hope most everyone here understands what is scarily wrong about that.

To the comment that the debug interface should be a different one than the user one:
Shall we introduce yet another failure mode?
What if there is maintenance which needs to be done by a clerk to do things like check if the machine needs to be refilled?
Can you explain to me why a simple machine configured correctly is any less secure than a complex machine configured incorrectly?

swiss connection • September 22, 2006 1:18 PM

@ Nobby Nuts

"What's a pre-paid account where you can buy a card at any number of places? And a throwaway card, for that matter? Don't think we have such a thing on this side of the Pond."

Yes that seems indeed strange. Can one of you US guys explain to us naive Europeans how it is possible to have (truly) anonymous cards?

A while back Swiss SIM cards could be had anonymously; not long ago everything that can handle money and communications was buttoned down.

Nic • September 22, 2006 1:36 PM

Clearly some people are paying attention to this - both the manuals linked to above are no longer available.

Sticky Fingers • September 22, 2006 2:10 PM

@earthy

I didn't manage to get hold of any Tranax manuals (see earlier post). When I tried to download this to add to my collection, my browser says "site unavailable". Just guessing here but I reckon Tranax and some of the other ATM vendors are running around the web trying to remove as many of these documents as they can. Horse in field ... bolted door ... painful security lesson for ATM designers!

@LazySumo

"... it's NOT an issue with the machine, seriously, it's not. It's a human issue."

Yes, ideally we would all choose strong passwords, RTFM etc. Every good security designer knows that humans are not like this and tries to design for failure; basic example: Windows XP will not permit Windows network logins on accounts with no password (crude but better than nothing). Surely the ATMs could have been designed to go to a failsafe default mode if the default passwords had not been changed? A simple message like "Operator configuration error: default passwords not changed. RTFM!" would be better than nothing.

Bryan Feir • September 22, 2006 2:18 PM

@Ramriot:

Well, I remember the time I acted as a "good samaritan" to the bank. I was in Redmond, Washington, some fifteen years ago now, and got given $20 more than I had requested from the ATM. The first bill out of the machine was ripped and quite crumpled in the middle; my immediate conclusion was that the bill had been stuck inside the dispenser, and that the person who had used the ATM before me was $20 short.

I went into the bank to report it, and the teller's response was to look at me as if I were insane for complaining about getting more money than I had asked for. She also took no useful information that could have been used to find the person before me who was out the corresponding $20.

Given the demonstrated lack of interest from the bank for dealing with problems, I can see why some otherwise honest people might have no real issue with ripping off the bank.

Anonymous • September 22, 2006 4:14 PM

1234

Who would have thought the default admin passcode was the same one I use on my debit card?

Matthew Skala • September 22, 2006 4:38 PM

So, how about those people who were telling Ed Felten "Diebold should make its voting machines secure with the know-how it must necessarily have from being a manufacturer of ATMs"?

marc • September 22, 2006 6:54 PM

"One wonders if the bank will be pursuing them all for the money back, and if so what defence could they put up if for some reason they were paid out correctly."

The "bank" effectively is the merchant. A third party vendor processes the transactions and, typically within one to three days, transfers the daily outgoings to the merchant's bank account.
Obviously, the merchant failed to reconcile his ATM with the journal on a daily and weekly basis. Although he paid out 4x he was only being reimbursed 1x.
My guess is that he only cottoned on to the loss when his checks started bouncing.
Although I'm sure some folk figured that their good fortune would be recognized and reversed on their next monthly statement, you've got to wonder how many others went back to the well again and again.
I wouldn't be surprised if the merchant lost over $40,000, possibly a lot more.
It's also a good possibility that the merchant would not want to publicize his loss (for tax reasons) and so everyone lucked out. The merchant took a blow to the crotch but he'll make it up in a month or so and, hopefully, has learnt his lesson.
My guess is that these incidents are much more frequent than you'd imagine.
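As an added illustration of the mechanism in the post (the ATM told its $20 notes are $5s) together with the daily journal reconciliation marc describes and dhasenan's idea of reporting configuration changes, here is a constructed Python model; it is not code from the original post, from Tranax, or from any commenter. The cassette model, the journal format, the work-order list and all dollar figures are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Cassette:
    """One note cassette. A constructed model, not Tranax's data layout."""
    physical_value: int    # value of the notes actually loaded, e.g. 20
    configured_value: int  # value the ATM has been *told* each note is worth
    notes: int             # notes remaining in the cassette


@dataclass
class JournalEntry:
    """One line of the ATM's transaction journal (constructed format)."""
    time: str
    kind: str              # "withdraw" or "config"
    amount_debited: int = 0
    notes_dispensed: int = 0
    detail: str = ""


def set_note_value(cassette: Cassette, value: int,
                   journal: List[JournalEntry], time: str) -> None:
    """Operator menu: declare the denomination that is loaded.
    The machine cannot verify this; it trusts whoever holds the password."""
    cassette.configured_value = value
    journal.append(JournalEntry(time, "config", detail=f"note value set to {value}"))


def withdraw(cassette: Cassette, amount: int,
             journal: List[JournalEntry], time: str) -> int:
    """Dispense `amount` counted in *configured* notes and journal the debit.
    Returns the cash the customer physically receives."""
    if amount % cassette.configured_value:
        raise ValueError("amount must be a multiple of the configured note value")
    n = amount // cassette.configured_value
    if n > cassette.notes:
        raise ValueError("cassette does not hold enough notes")
    cassette.notes -= n
    journal.append(JournalEntry(time, "withdraw", amount_debited=amount, notes_dispensed=n))
    return n * cassette.physical_value


def reconcile(opening_notes: int, closing_notes: int, physical_value: int,
              journal: List[JournalEntry]) -> Dict[str, int]:
    """The daily check marc describes: cash that physically left the cassette
    versus the debits the processor will reimburse. A non-zero shortfall
    means the machine is paying out more than it records."""
    debited = sum(e.amount_debited for e in journal if e.kind == "withdraw")
    cash_out = (opening_notes - closing_notes) * physical_value
    return {"cash_out": cash_out, "debited": debited, "shortfall": cash_out - debited}


def unexplained_config_changes(journal: List[JournalEntry],
                               work_orders: Set[str]) -> List[JournalEntry]:
    """dhasenan's idea: every journalled config change should match a work order."""
    return [e for e in journal if e.kind == "config" and e.time not in work_orders]


def simulate_heist() -> Dict[str, int]:
    """Constructed scenario: 1000 x $20 loaded, note value set to $5 from the
    keypad, then two withdrawals. Figures are illustrative, not from the case."""
    journal: List[JournalEntry] = []
    cassette = Cassette(physical_value=20, configured_value=20, notes=1000)
    opening = cassette.notes
    set_note_value(cassette, 5, journal, "18:17")      # reprogrammed, no work order
    paid = withdraw(cassette, 20, journal, "18:18")    # asks $20, gets 4 x $20 = $80
    paid += withdraw(cassette, 100, journal, "18:25")  # asks $100, gets 20 x $20 = $400
    report = reconcile(opening, cassette.notes, 20, journal)
    flagged = unexplained_config_changes(journal, work_orders={"09:00"})
    return {"cash_handed_out": paid, "debited": report["debited"],
            "shortfall": report["shortfall"], "unexplained_config_changes": len(flagged)}


if __name__ == "__main__":
    print(simulate_heist())
```

The reconciliation only works if the operator counts the cassette against the journal; a machine whose notes and debits are never compared, as in the nine-day gap in the story, never raises the shortfall.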

Anonymous • September 22, 2006 11:53 PM

I work on the tech support hotline for a company whose software is used by major corporations. Our software ships with default passwords for the superuser account. It's rare that I work with a customer who has changed this password. I bet half the companies in the Fortune 500 have our software and have not changed the default password. The superuser could do millions of dollars in damage.

Every couple of weeks I get a call from a customer who doesn't know the superuser password; they call tech support to ask. I make a practice of politely refusing to divulge it on the phone. Most customers are understanding when I tell them why I can't give it to them. But I'm sure a social engineering attacker could just call a second time and get a tech who would tell them. I'm always trying to convince my coworkers of the importance of not giving or receiving passwords, but I don't think very many of them get it. They just think I'm weird.

I also get calls from people who want me to help them figure out exactly who entered some transaction, and when we look at the audit trail it's just "superuser". Further discussion then reveals that they're having every manager in the company log in as superuser. So far the bad transactions have always been stupidity, not malice, but it's only a matter of time before something huge happens.

The other funny thing is that customers are constantly trying to tell me their passwords. I've taken to saying "Don't tell me your password, but can you please enter it here?" I tell them not to tell it to me first, because otherwise they're shouting it out to me before I can stop them.

Someone needs to update that joke about tech support to something about passwords, instead of the cup holder CD player.

Neil K • September 22, 2006 11:53 PM

Suggestion for future ATMs: they cannot be reprogrammed unless the access panel is open. (I presume there are physical locks. If someone has forced those open, reprogramming the unit is the least of your problems.)

This is simple and does not require a second keypad inside the machine. And you won't ever forget to take it out of programming mode that way. Close the door... done!

oh noes • September 23, 2006 4:34 AM

Heh hahaha, I saw an ATM last night at the pub, it was at an unusual terminal screen asking for a login...

now I know why!

just a suggestion • September 23, 2006 4:36 AM

"It's rare that I work with a customer who has changed this password."

perhaps if the default password is really really complex, the users will change it just so they can make it something easier to type ...

Eric • September 23, 2006 7:38 AM

Bruce,
I'm a bit surprised that a link to an ATM manual has been posted. I think it would be good to remove it. Yes I do realize it could be found elsewhere.

Lally Singh • September 24, 2006 6:41 PM

"Every time I installed one and trained the owner of the machine I always insisted that they change the passwords as soon as I left the store. Of course, they didn't.
..
Again, the way the systems are designed are adequate, it's the humans that are broken and need fixing."

With all due respect, if it's a known problem by the vendor, then it's their problem. Why not assign a randomly-generated password for each customer, and preconfigure the box with it?

Chris • September 25, 2006 11:07 AM

Perhaps my problem has been that I'm giving the ATM manufacturers more credit than is due.

My point was that as ATMs have gotten "simpler" to distribute only $20 bills, there is no need to tell the machine that hopper #1 has 20s, hopper #2 has 10s, and hopper #3 has 5s. A natural assumption is that all hoppers have 20s and the machine is denomination-agnostic. I don't program or service these machines, so obviously I reserve the right to be completely wrong on this point. But it's how I would program the machine.

If you can fool the machine into giving you 4 times as many bills as requested (5s instead of 20s), then yes this is a serious attack. I just don't know how much of the machine's configuration can be altered in the field.

Kringle • September 25, 2006 6:14 PM

I just read about the hack this afternoon (Sep 26) and keyed Google with the ATM name mentioned in the story Tranax Mini-Bank 1500 and added two other arguments "+PDF +manual". Eight minutes later I was reading one of those manuals.

One site had apparently taken down the PDF but as you know some sites are set up to provide an HTML version of the same. Other sites haven't apparently informed their web masters, or maybe someone else maintains tech manuals.

It struck me that more than a few folks perhaps haven't just read the news lately. However I was struck by the number of vendors and resellers who still had useful manuals available. It made me wonder if there isn't more money to be made by the vendors in some way or are all patches/upgrades free?

I'm not doing anything with the information, I was simply curious if I could beat the clock time of the guy who broke the story.

Alex • September 26, 2006 5:19 AM

The card referred to is a so-called "stored-value card", typically available from bureaux de change. You load it up with cash, and can then withdraw up to that amount in local currency from ATMs. They have been criticised over money-laundering and tax evasion issues.

wm • September 26, 2006 7:05 AM

@marc: "how many people would fess up if they received $400 instead of $20?"

Well, you'd certainly want to wait 'till after you'd seen your next bank statement, even if you were completely honest.

I mean, sure, you *asked* for $20, but the fact that it spat out $400 suggests there's at least a possibility that it took $400 off your account balance.

In which case, giving away the cash wouldn't be a great move.

Damian Cugley • September 26, 2006 10:44 AM

The way to tackle default passwords is to install the machine with a unique password from the start. The engineer installing the ATM finishes the job by pressing a button that makes it spit out a receipt slip with a new, randomly generated password. This is then stored in a little cabinet on the inside of the case next to the tray of $20 notes.

anonymous • September 27, 2006 11:56 PM

"whew, it is a good thing our voting machines aren't this easy to hack (sarcasm intended)..."

Don't worry, I'm sure Diebold uses a less common password on their machines. Like "1111", or perhaps "666"...

James • September 28, 2006 4:53 AM

I would like to know who thought it was a good idea to release a manual for the machines on the website. Surely if it contains details such as a default password (which people rarely change) then there should be some kind of law stopping it.

Jungsonn • September 28, 2006 6:15 AM

Oh, I forgot something about our ATMs in my country (the Netherlands).

Our ATMs run on Windows; I saw it twice, while getting cash, it booted into Win2000...

*biggg sigh*

Roger • September 28, 2006 8:54 PM

It's ironic that people are using this as an opportunity to diss Diebold, because Diebold ATMs in fact already have the improvement suggested by several readers (they can't enter supervisor mode from outside the physically secured compartment).

This isn't to say that Diebold ATMs have unimpeachable security; not only do they run Windows (XP Embedded, in this case), but they have actually been infected by the Welchia/Nachi worm!!

This means that these ATMs were not only unpatched non-server grade PCs visible to the internet (or at least to an unhardened intranet that was visible), but they even had the notorious port 135 exposed!!

By the way, Diebold Election Systems (who make the voting machines) are a completely different (and much smaller) division of Diebold than the division who make ATMs. In fact DES is actually a separate company (formerly known as Global Election Systems) which was purchased by Diebold in 2002. There are five of these divisions altogether, and their combined annual revenue is 100 times greater than the purchase price of DES.

Peter B - October 5, 2006 8:59 PM

I worked in banking for fifteen years and still do some consulting in the field, risk and project management mainly.

When I first started in a bank I did a whole range of things just to 'get a feel for' them, including re-stocking ATMs. Back then (late '80s) we had machines with a key-pad on the inside as well as outside, but I know that if not all, then certainly some of the engineer / diagnostic codes would be accepted by the external pad. This did lead to some problems...

My favourite was when a machine had been serviced and the engineer failed to take it out of diagnostic mode when he left. It carried on working more or less as normal until along came a customer whose PIN number just happened to be the same as the four digit diagnostic code to run a continuous test of the note counting mechanism - at which point the machine simply started to empty each hopper in turn, one note at a time, as fast as it could until there was about £20,000 on the pavement outside.

The customer went into the bank to tell them what was happening, but in the meantime a few passers by simply walked off with several £k of notes that were blowing down the street.

ryan - October 5, 2006 10:54 PM

I'd say, only allow reprogramming when the access panel is open. A door sensor wouldn't cost much. That way, when it looks vulnerable, it is vulnerable, and vice versa.

Nobody - October 7, 2006 3:03 AM

I think the obvious solution is simple. The ATM distributes no cash if the password is set to the default, and the owners are instructed to change it upon installation of the unit. That way, not only does it force a password change, but also owners can yell and scream at the ATM company all they like to no avail. If they changed it to something just as insecure as 1234, well, it's their own damn fault, right?

KevinE - October 15, 2006 6:48 AM

Seems to me that for the people proposing only having "secure" access from an internal keypad (i.e. service personnel only), this would mean opening the machine up, which in turn would expose the money hoppers. This wouldn't seem a good idea in a convenience store.

I have always felt that these machines were a security risk. I never use them personally. Now you know why banks enclose the back of their ATMs in a safe.

Roie - October 15, 2006 2:29 PM

I have a PBX at work. When we moved to a different city a few years ago, a tech came and installed it in our new location. He opened up a port, stuck in a serial cable and connected it to his laptop.

Wouldn't a port on the side of the machine to which you hook something up make a bit more sense than an internal keypad? You wouldn't have to open the hatch that exposes everything, and if you hook up a laptop to an ATM someone's bound to notice if the ATM isn't entirely deserted. Additionally, you have the option of using a complex alphanumeric password instead of just a few digits entered on a keypad.

Speaking of more complex passwords, our gracious host Mr. Schneier has said that a combination of "something you know" and "something you have" (at least) should be used for secure dealings. There's already a card reader on the front of the machine, why not require something to be inserted there?

Jonny - October 16, 2006 9:36 AM

Even if you used this hack and did small withdrawals at many different machines and you were wearing a disguise... isn't it all traceable back to your own bank card? It's still your own account that you are accessing.

Even if you delete the log on the ATM, the bank still has a record.

Michael - October 17, 2006 9:42 AM

Re: internal keypads

What problem does an internal keypad cause for the would-be thief? It requires them to have a key of some form to open the machine. Are you going to make thousands of different keys for the machines?

Why not use a unique identifier on a mag-strip card instead of just the punch-code (since all ATMs inherently have mag-strip readers). Ship the card with the ATM with a random code (correlated to the serial number hidden inside the unit?) and hand it to the owner.

Now the thief needs a (copy of) the correct card and the correct password. Even better? Whenever diagnostic mode is entered or a setting changed, emit a very loud siren sound. Just look at the face of the would-be thief when they punch in "1234" and a very loud "awwooogah" alerts the owner that someone is changing its settings.
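The proposals from ryan (configuration only while the service door is open), Nobody (no cash while the factory password is still set) and Michael (alarm on any rejected configuration attempt), together with a cash-versus-ledger reconciliation a clerk could run instead of waiting nine days for a customer to notice, as an added Python model. This is not code from the thread or from any ATM vendor's firmware; FACTORY_PASSWORD, the door sensor, the cassette/ledger split and every name in it are hypothetical.

```python
import hmac
from dataclasses import dataclass, field

# Constructed placeholder standing in for whatever a vendor ships; not a real default.
FACTORY_PASSWORD = "000000"


class Denied(Exception):
    """Raised when a policy check refuses an operation."""


@dataclass
class Dispenser:
    """Toy cash dispenser with the readers' proposed checks built in (hypothetical model)."""
    operator_password: str = FACTORY_PASSWORD
    note_value: int = 20           # what the controller is configured to believe a note is worth
    cassette_value: int = 20       # what is physically loaded in the cassette
    door_open: bool = False        # hypothetical service-door sensor
    alarm: bool = False            # Michael's siren, reduced to a flag
    ledger_debits: int = 0         # total debited to customer accounts
    cash_out: int = 0              # total face value actually pushed out the slot
    audit: list = field(default_factory=list)

    # --- access policy ---------------------------------------------------
    def _require_service_access(self, password: str) -> None:
        # ryan's rule: configuration is only reachable while the service door is open,
        # so anything typed on the customer keypad with the door closed is refused.
        if not self.door_open:
            self.alarm = True
            self.audit.append("REJECTED config attempt with door closed")
            raise Denied("service door closed")
        if not hmac.compare_digest(password, self.operator_password):
            self.alarm = True
            self.audit.append("REJECTED config attempt: bad password")
            raise Denied("bad operator password")

    def set_operator_password(self, current: str, new: str) -> None:
        self._require_service_access(current)
        if hmac.compare_digest(new, FACTORY_PASSWORD) or len(new) < 6:
            raise Denied("new password must differ from the factory value and be 6+ characters")
        self.operator_password = new
        self.audit.append("operator password changed")

    def set_note_value(self, password: str, value: int) -> None:
        self._require_service_access(password)
        self.audit.append(f"note value changed {self.note_value} -> {value}")
        self.note_value = value

    def load_cassette(self, password: str, value: int) -> None:
        self._require_service_access(password)
        self.cassette_value = value
        self.audit.append(f"cassette loaded with ${value} notes")

    # --- customer path ----------------------------------------------------
    def dispense(self, amount: int) -> int:
        """Dispense `amount` and return the number of notes pushed out."""
        # Nobody's rule: a machine still on the factory password dispenses nothing.
        if hmac.compare_digest(self.operator_password, FACTORY_PASSWORD):
            raise Denied("factory password still set; refusing to dispense")
        if self.door_open:
            raise Denied("service door open; refusing to dispense")
        if amount <= 0 or amount % self.note_value:
            raise Denied("amount must be a positive multiple of the note value")
        notes = amount // self.note_value
        self.ledger_debits += notes * self.note_value      # what the account is charged
        self.cash_out += notes * self.cassette_value       # what physically left the machine
        self.audit.append(f"dispensed {notes} notes, debited ${amount}")
        return notes

    def reconcile(self) -> int:
        """Cash out minus ledger debits. Anything but 0 means the configured note
        value and the loaded cassette disagree and the machine is over- or under-paying."""
        return self.cash_out - self.ledger_debits


def commission(machine: Dispenser, new_password: str) -> None:
    """Installer workflow: open the door, replace the factory password, close the door."""
    machine.door_open = True
    machine.set_operator_password(FACTORY_PASSWORD, new_password)
    machine.door_open = False
```

The reconciliation is the part the original incident lacked: the discrepancy between what the hoppers lose and what the ledger charges is visible after the very first withdrawal, so a daily count against the audit trail catches a mis-set denomination whether it was changed from the front keypad or by a careless technician through the legitimate service path.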

Terry Cloth - October 17, 2006 8:09 PM

@KevinE "I have always felt that these machines were a security risk. I never use them personally."

That's why I have a standalone ATM account. It's not connected to any other accounts (most of which are at a different institution). I keep little enough in the account (always less than USD 1000) that I won't really be hurt if it all disappears. As needed, I just deposit a check far enough ahead of the hold period, and voila, cash on demand with very little liability.

I wonder why my friends look at me funny when I explain this setup.

agh - November 19, 2006 5:36 AM

I'm just wondering what the ATM manufacturer was thinking when it decided to "secure" its ATMs in such a bullish way.

Why not use a service card with a PIN?

Yes, I know it was cheaper, and the sales and marketing executives complained about "time to market" ;).
Now quality and security do not matter; the only thing that counts is sales.

Jonruns - December 30, 2006 9:44 AM

I am an ATM guy.

What is even more scary is that most of the big ATM companies use the same Master Password for all of their machines.

At one point, I told the higher-ups at E*TRADE (now Cardtronics) about this issue and they laughed, saying they had security plans in place to deal with it. I asked how, but they wouldn't give me any details.

Then I changed the denomination on one of my machines from $20 to $5 (thereby stealing my own money), did a withdrawal and waited for the FBI to come pay a visit. They never did.

Jonny - use a stolen card

jonruns - December 30, 2006 9:48 AM

Re-reading the above comments.

Most retail ATMs do not have security cameras pointed at them. I own 50 and none do.

This reprogramming of the denomination is easy; I could do it in less than 30 seconds, and it can be done from the keyboard. Nothing to open up, no key required.

The easiest machines to make this change on are Tranax and Triton. The minimum denomination is $5, so the most you could probably get is 4x your money....

Dylan - August 14, 2007 11:32 AM

The person who said "security is too tight, you would need a gorilla mask or bandana to hide your face":

Did it not occur to you that Muslim women cover their faces? I think 9/10 Muslim women would withdraw money out of a cash machine if you paid them $50 for 5 minutes' work.

Lance Poll - February 22, 2008 9:40 PM

On the machines I work on, you have to authorize the dispensing of bills out the front by pushing a toggle switch in the vault. No way should an ATM dispense without this kind of feature.

POXML - April 14, 2008 11:38 AM

Neither link to the manual is valid anymore. Since there's no longer a need to be subtle, can the article be updated to give a little more info about the nature of the software? Given the severity and duration of the problem, one would assume it can be traced back to use of MS products, except that it would defy reason to use them in mission critical components, like ATMs.

Ani - November 10, 2012 10:59 PM

I actually have seen this done. Really. And it was done with a bigger profit margin. The person changed the denomination from 20's to 1's. So if you asked the machine to give you 20 dollars it would give you 20 20's, equalling 800 dollars. On the receipt it says 20.00 still, because it is showing 20 "notes" disbursed, not the value of each note. And the minimum is not 5, it is 1.

Joseph Sheridan - March 13, 2013 7:06 PM

This sounds very much like the type of social engineering Kevin Mitnick was doing, back in the day. During routine pen tests, I still come across software vendors' manuals/guides on the web containing default passwords and database credentials etc. You would think they would have learned by now...*sigh*...
