Memo To Banks: In Case You Missed The First Memo, Change Your ATMs' Default Passwords

from the double-the-cash-double-the-fun dept

Tue, Oct 24th 2006 9:19am — Carlo Longino

Last month, we wrote about the story making the rounds showing how easily some ATMs could be reprogrammed and set to dispense more money than they should because banks and ATM owners never bothered to change the machines' default passwords -- passwords which were easily found in the ATMs' manual online. JimH writes in to point out a story from Bristol, England, where people discovered an ATM dispensing double the amount of money they requested (via The Register). Word quickly traveled around, leading to three-hour lines at the machine, while an identical but properly configured ATM beside it sat unused. Local restaurants, bars and liquor stores said they did a roaring trade as people spent their "free" money -- but the bank has a record of all the withdrawals and says it will chase down everyone that took advantage of the broken machine. It's not clear if the ATM in question was one of the same models discussed last month, or indeed just how the machine came to be misconfigured, but this seems like quite an interesting coincidence. In any case, if you run a bank, it might not be a bad idea to check your ATMs and ensure they're not still using the default password.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

James, 24 Oct 2006 @ 9:57am

Maybe...
...the same people in charge of Diebold's electronic voting machines are in charge of the ATMs.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 10:03am

not likely. the article said "the bank has a record of all the withdrawals" and we all know that diebold doesnt record anything.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 10:31am

Re: Maybe...
Being that Diebold is one of the largest producers of ATM's worldwide....
[ link to this | view in thread ]
Araemo, 24 Oct 2006 @ 10:32am

Re: Maybe...
I doubt that. ATM's are actually fairly well secured. Even if you have the default password, it seems the worst you can do is make it give more money than it should(Sounds bad, but it keeps a perfect record of this, so the banks can hold people accountable).

Diebold voting machines that don't keep a printed paper trail do not keep any record that can show tampering. Even ones that do keep a paper trail might not show tampering if people can't read the paper trail at the time of voting (What is the point of a paper trail if it records something different from what buttons you pushed?)

The diebold machines I used last year print a paper 'receipt' of your vote that you have to verify(and then tell the machine you verified it) that they show in a glass window. So you can see yes, it really did print out what you told it to before you leave the polls.
[ link to this | view in thread ]
James, 24 Oct 2006 @ 10:39am

Re: Re: Maybe...
Uhmmm....

http://www.google.com/search?hl=en&q=define%3Asarcasm
[ link to this | view in thread ]
Josh, 24 Oct 2006 @ 10:53am

Re: Re: Maybe...
Umm I'm also curious they say they have records of all the people that used the machine they say they can track them down which is absolutely true however are they going to be able to prove what each person actually got as a result of the reprogrammed ATM??
[ link to this | view in thread ]
sceptic, 24 Oct 2006 @ 10:53am

Re: Re: Maybe...
http://www.diebold.com/solutions/default.htm

They DO make ATM machines, for the ones that don't pay attention at the bank. They even make the actual metal deposit boxes, which is probably the best engineered part of it all.
[ link to this | view in thread ]
Its true, 24 Oct 2006 @ 10:53am

Brad
Diebold manufactures a huge portion of the worlds ATM's.
[ link to this | view in thread ]
Corey, 24 Oct 2006 @ 10:54am

Don't know what's worse...
The fact that ATM's are vulnerable in this way or that people willingly took the extra money dispensed thinking that they won a small lottery prize, further they didn't even stop to think that the bank has logs of the transactions. I wonder if anyone who was in receipt of extra cash actually notified the branch. --- I doubt it.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 10:58am

Stop reporting it, so we can take advantage.
[ link to this | view in thread ]
Shag, 24 Oct 2006 @ 11:04am

Re: Don't know what's worse...
Even though they have the records that you withdrew the money, I'm not sure that they can actually go after you.

If a teller accidentally slipped you an extra 50$, how can they go after you for that?

I think that the machine will record the transaction as withdrawing 100$ that you asked for. Not the 200 that it gave you.
[ link to this | view in thread ]
David, 24 Oct 2006 @ 11:17am

Manual error
They claimed that this was a manual error. Are we sure that it's that someone hacked the machine, or could it possibly be that some dunce just loaded the 20 quid notes into the 10 quid note tray? I'd be more inclined to think that's what happened...
[ link to this | view in thread ]
Chris, 24 Oct 2006 @ 11:22am

ATM fraud persecution is EZ, so long as it's not s
Tellers and computers are completely different in the fact that a computer can never mess up. It can only ever do what it's told. So if it's told to dispense 10 bills for $100, instead of 5 bills, then it does. It logs that for $100, 10 $20's were given. All you do is change the table amount by a multiply factor of 2 and for whatever amount you say you get twice as much. With logs and a nice video camera for surveliance pruposes tracking down all involved in this fiasco probably wont be anything short of simple.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 11:25am

If you withdrew some money using a prepaid VISA or MC card, and you bought it with cash, then they won't be able to find you.
[ link to this | view in thread ]
Rich, 24 Oct 2006 @ 11:44am

Re: Re: Re: Maybe...
Well they at least can catch one...

"Eleanor Woodward, 23, of Bristol"
[ link to this | view in thread ]
Alex Chavarin, 24 Oct 2006 @ 11:56am

Stealing is Stealing!
It's sad to see that the younger generation doesn't see anything wrong with taking someone else's money. I guess Banks are up there with Corporations, and they haven't given us a good example, but it's still not right.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 11:59am

ha ha what idiots!!
[ link to this | view in thread ]
sceptic, 24 Oct 2006 @ 12:06pm

Re: Stealing is Stealing!
Younger generation? Of course, the older generation set up such beautiful examples through ravaging their corporations at the expense of employees. Please, if you are bitter because you are no longer young, find a better way to deal with it than faulting younger generation with it. I hear BASE jumping is a cure-all.
[ link to this | view in thread ]
weblarg.com, 24 Oct 2006 @ 12:09pm

How does this happen?
Why would someone who manages an ATM use the same interface as the end user? It seems a bit daft to even give someone the opportunity of trying to "hack" in to an ATM through a common interface.
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 12:24pm

Re: How does this happen?
Agreed. put a USB or other interface behind on the backside of the machine you lazy sods!
[ link to this | view in thread ]
Xeno the Phobia Warrior Princess, 24 Oct 2006 @ 12:32pm

As vunerable as the OS?
The last time I saw my local bank's ATM booting up, the start up screen showed:
OS 2 Warp
Is that better or worse than "XP"? Better or worse for hackers?
[ link to this | view in thread ]
Anonymous Coward, 24 Oct 2006 @ 11:57pm

Re: Re: Re: Maybe...
Hahah. Some people say sarcasm can be hard to detect on the internet... but for you to say that your post was sarcastic is just stupid. If you didn't know it doesn't mean you have to reply with "sarcasm" to cover it up. People don't care if you didn't know that.
[ link to this | view in thread ]
ebrke, 25 Oct 2006 @ 6:34am

Re: As vunerable as the OS?
OS/2 was a great operating system that IBM never knew how to market effectively, whereas MS knew just how to market everything and thereby got the jump on IBM. OS/2 has been moribund for so many years I don't know if anyone really knows how secure it is in terms of today's threats, but I would suspect probably pretty secure.
[ link to this | view in thread ]
Anonymous Coward, 25 Oct 2006 @ 10:12am

Re: Re: Re: Maybe...
Uhmmm....

http://www.google.com/search?hl=en&q=denial&btnG=Google+Search
[ link to this | view in thread ]
King, 16 Jul 2007 @ 7:00am

i looked all over for the diebold default passwords but had no luck finding it. Where would i find it? or the whole manual. the actual diebold site doesnt have the default passwords.
[ link to this | view in thread ]