Programming ATMs to Believe $20 Bills Are $5 Bills
Clever attack:
Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.
He then made off with an undisclosed amount of cash.
No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.
Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.
The man then punched a series of numbers on the machine’s keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.
The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.
What’s weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they’re useful for this sort of thing:
I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:
- Instructions on how to enter the diagnostic mode
- Default passwords
- Default combinations for the safe
Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.
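The police account above (each $20 note booked as a $5 debit) and the warning about default passwords come down to two facts: the operator menu lets whoever holds the operator password change what the controller believes each note in the cassette is worth, and the debit is computed from that setting while the drawer pays out whatever was physically loaded. Below is an added illustration in Python, written for this page and not taken from Tranax firmware or from the manual; the operator password value, the menu behaviour and the cassette counts are all assumptions. It also includes the reconciliation check that would have flagged the discrepancy on the first withdrawal rather than nine days later.

```python
"""
Toy model of the cassette-denomination mix-up described above. This is an added
illustration, not Tranax code or anything from the manual: the menu behaviour,
the operator password value and the cassette sizes are assumptions.
"""
from dataclasses import dataclass, field

# Placeholder only. The real Tranax default is deliberately not reproduced here.
ASSUMED_DEFAULT_OPERATOR_PASSWORD = "000000"


@dataclass
class Cassette:
    actual_denomination: int       # what was physically loaded into the cassette
    configured_denomination: int   # what the controller believes each note is worth
    bill_count: int


@dataclass
class Atm:
    cassette: Cassette
    operator_password: str = ASSUMED_DEFAULT_OPERATOR_PASSWORD
    ledger: list = field(default_factory=list)   # (account, debit_in_dollars)
    bills_dispensed: int = 0

    def set_denomination(self, password: str, denomination: int) -> None:
        """Operator-menu action (assumed): only the operator password stands
        between the keypad and this setting."""
        if password != self.operator_password:
            raise PermissionError("operator password rejected")
        self.cassette.configured_denomination = denomination

    def withdraw(self, account: str, amount: int) -> int:
        """Debit `amount` and return the dollar value of notes that physically
        leave the machine. The controller counts notes using the *configured*
        denomination; the drawer pays out in the *actual* one."""
        denom = self.cassette.configured_denomination
        if amount <= 0 or amount % denom:
            raise ValueError(f"amount must be a positive multiple of {denom}")
        notes = amount // denom
        if notes > self.cassette.bill_count:
            raise ValueError("cassette empty")
        self.cassette.bill_count -= notes
        self.bills_dispensed += notes
        self.ledger.append((account, amount))
        return notes * self.cassette.actual_denomination


def uses_default_password(atm: Atm) -> bool:
    """The one check the manual's holder asks every operator to make."""
    return atm.operator_password == ASSUMED_DEFAULT_OPERATOR_PASSWORD


def reconcile(atm: Atm) -> int:
    """Cash that physically left the machine minus cash the ledger says was
    debited. Anything other than zero should raise an alarm on the first
    transaction instead of waiting for a customer to mention it."""
    physical_out = atm.bills_dispensed * atm.cassette.actual_denomination
    ledger_out = sum(debit for _, debit in atm.ledger)
    return physical_out - ledger_out


def run_heist() -> dict:
    """Replay the sequence from the police account with constructed numbers."""
    atm = Atm(Cassette(actual_denomination=20, configured_denomination=20, bill_count=200))
    # Honest withdrawal first: $40 is two $20 notes, ledger and cash agree.
    honest_cash = atm.withdraw("card-A", 40)
    # Attacker arrives with a prepaid card and the untouched default password.
    atm.set_denomination(ASSUMED_DEFAULT_OPERATOR_PASSWORD, 5)
    # Asks for $20; the controller now pays out four notes it believes are $5.
    stolen_cash = atm.withdraw("prepaid-card", 20)
    return {
        "honest_cash": honest_cash,                       # 40
        "stolen_cash": stolen_cash,                       # 80
        "stolen_debit": atm.ledger[-1][1],                # 20
        "discrepancy": reconcile(atm),                    # 60
        "default_password": uses_default_password(atm),   # True
    }


if __name__ == "__main__":
    print(run_heist())
```

The point of `reconcile` is that the fraud is invisible to the ledger alone: every transaction balances against the configured denomination. Only comparing physical cassette counts against booked debits (something the operator or cash-servicing crew can do at every refill) exposes the gap, and that comparison is the control to add alongside changing the default password.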
This is from an eWeek article:
“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.
Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company’s Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.
So, as long as you can use an account that’s not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.
eWeek claims you can get a copy of the manual simply by Googling for it. (Here’s one on eBay.)
And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what’s the likelihood that someone who can’t be bothered to change the default password will take the time to install a software patch?
EDITED TO ADD (9/22): Here’s the manual.
Tim • September 22, 2006 7:49 AM
I worked in the ATM business for a little bit and know for a fact that default keys were used in most of our machines (though I shall not say). What is the point of using a DES key standard when nobody is willing to actually set them? Companies’ turnover rate is so high, I just figured they wanted to be sure that everyone had them.
You think this is bad, try taking this same mentality, but this time a change of venue – Computer servers. I am currently rebuilding our entire computer network because he decided to not worry about any bit of security and used defaults on everything. His view – fix the machines when they break.
I am sick and tired of complaining about security when clearly government systems are around that do not even exist on hexadecimal er bit code. I hear of the NSA using large scale networks, at our expense, to spy on Americans, yet we don’t get any bit of their computing power, knowledge, or advice. Although we did see SELinux become popular as of late, which I am using by the way, but you would not believe what companies such as Adobe and Microsoft are saying in order to get their crappy applications to work.
Set SELinux to promiscuous mode!!!! DISABLE SECURITY! Ha.
I like you guys on here. You all are pioneers in whatever field, probably serving in an advisor role of some sort. But we all know how it goes. Companies do not care about security and they never will. All they care about is the bottom line. And I will say this until the day I die. All companies that make a profit are corrupt.