If You Own An ATM, You Probably Want To Change The Default Password
from the 123456-really-isn't-very-secure dept
Nearly two years ago, we posted a story about how easy it was to find the user manuals for certain automatic teller machines online, and then use the default passwords listed in them to reprogram the machines so they'd give out $20 bills when they thought they were giving out $5s or $1s. The fix for this was easy -- change the default passcode -- but apparently it wasn't hard to find machines whose owners hadn't changed them. Somehow, it really isn't too surprising to find out that, despite the publicity, some ATM owners still haven't bothered to change them, and are getting hit by the same scam. The owner of the machine in question this time, at a market in Pennsylvania, says that he was never told he needed to change the master passcode from "123456", and says it's not his job to know the technical ins and outs of the ATM he owns (despite, of course, owning it and the money inside); the ATM's manufacturer disagrees. As is the case with most things, there's probably enough blame to go around here. So, to the ATM company: it might be a good idea to reinforce the need for owners to change their machines' passwords. And ATM owners: change the default passwords.
Reader Comments
Can't they force them to on new machines?
However in order to just simply get around this and avoid all the arguments, surely it would be a simple thing for manufacturers of new ATM machines to have a reset password step in the initial setup process
Nothing fancy just a "now enter a new password", and have the machine refuse to complete setup until one is entered (and obviously refuse 123456, 111111 etc as too weak)
Sort of lead the owner to water and force them to drink.... ;0)
[ link to this | view in chronology ]
Re: Can't they force them to on new machines?
[ link to this | view in chronology ]
Re: Can't they force them to on new machines?
[ link to this | view in chronology ]
Re: Can't they force them to on new machines?
[ link to this | view in chronology ]
And then what happens is...
[ link to this | view in chronology ]
Re: And then what happens is...
The point of this is just to stop people casually reprogramming the machine from the normal keypad as this guy did
Perhaps a loud "beeeep, warning admin password entered, danger Will Robinson, awooooga awooooga" type of alarm would also deter this type of sneak thief
Dunno - just ideas, but reducing exposure to this problem would be simple for ATM manufacturers in my opinion
[ link to this | view in chronology ]
Re: And then what happens is...
And the ATM should do something like this, the first time you plug it in: "Hello, new ATM owner. Here is your new password, randomly generated. Please make a note of it, or change it now".
There's plenty of blame for everyone involved here.
[ link to this | view in chronology ]
Re: And then what happens is...
[ link to this | view in chronology ]
face it
[ link to this | view in chronology ]
Re: face it
most people are retards when it comes to technology matters
[ link to this | view in chronology ]
From PA, there's your problem
For example: A friend of mine will not lock the doors on his car. He figures that since he has nothing of value in the car it won't tempt anyone. Well one day he got all of his school books stolen. He had to pay around $500 to get them replaced. (College books) To this day, he still will not lock his doors.
From what I understand, most people in this state are the same way. Probably a good place to get some easy cash.
[ link to this | view in chronology ]
Re: From PA, there's your problem
[ link to this | view in chronology ]
Re: From PA, there's your problem
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Ultimate responsibility for ATM password is the owner. Partial responsibility is the ATM maker and installer for telling the owner how critical it is to change and remember this important password. A convenience store owner cannot be expected to think of all these complex technical details (sarcasm). It should be up to the ATM maker to "idiot proof" the maintenance/management of the ATM.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Use the Schwartz
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Movie Reference
[ link to this | view in chronology ]
Re: Re: Movie Reference
and lolz
[ link to this | view in chronology ]
Re: luggage
[ link to this | view in chronology ]
Not a "scam"
[ link to this | view in chronology ]
I'm sure it's a course they won't forget the second time around - but then, you never know.
[ link to this | view in chronology ]
Does it matter?
I don't feel bad for this ATM owner, it's his own fault. At least change the password to 654321, chances of a thief spending time to figure out any password other than the default is very small.
[ link to this | view in chronology ]
Re: Does it matter?
[ link to this | view in chronology ]
Heh
"Hey, that's the combination to my luggage!"
[ link to this | view in chronology ]
Is there any reason to even allow this at all, even to the owner of the ATM? It's not like the owner will ever set up a buy-one-get-one-free deal on cash from the ATM.
This is a bug in the ATMs if I've ever seen one. All the admin password should let you do is modify the welcome text and fee.
[ link to this | view in chronology ]
Re:
The problem is elementary to solve, change the software to refuse to operate if the password is still the default password.
[ link to this | view in chronology ]
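The first-run behaviour several comments above propose (a forced passcode change during setup, rejection of weak choices, a randomly generated suggestion, and refusal to operate on the default), as an added Python example; it is not from the original page or from any ATM manufacturer's firmware. The class name `AtmSetup`, the specific weakness rules and the six-digit length are assumptions made for illustration.

```python
import secrets
from typing import Optional

FACTORY_DEFAULT = "123456"   # default master passcode quoted in the article
PASSCODE_LEN = 6             # assumption: six-digit numeric passcode


def weakness(code: str) -> Optional[str]:
    """Return why a passcode is rejected, or None if it is acceptable."""
    if len(code) != PASSCODE_LEN or not (code.isascii() and code.isdigit()):
        return "must be exactly six digits"
    # Count positions that differ from the default; 0-2 changes is too close.
    if sum(a != b for a, b in zip(code, FACTORY_DEFAULT)) <= 2:
        return "same as or too close to the factory default"
    if len(set(code)) <= 2:
        return "too few distinct digits"
    # A constant step of +1 or -1 (mod 10) means a keypad run such as 654321.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps in ({1}, {9}):
        return "ascending or descending run"
    return None


class AtmSetup:
    """Hypothetical first-boot state machine: no cash until setup is done."""

    def __init__(self) -> None:
        self.passcode = FACTORY_DEFAULT
        self.in_service = False

    def suggest_passcode(self) -> str:
        # Random passcode offered on first power-up; retry until it passes policy.
        while True:
            code = f"{secrets.randbelow(10 ** PASSCODE_LEN):0{PASSCODE_LEN}d}"
            if weakness(code) is None:
                return code

    def complete_setup(self, new_code: str) -> None:
        reason = weakness(new_code)
        if reason is not None:
            raise ValueError(f"passcode rejected: {reason}")
        self.passcode = new_code
        self.in_service = True

    def may_dispense(self) -> bool:
        # Refuse to operate while setup is incomplete or the default remains.
        return self.in_service and self.passcode != FACTORY_DEFAULT
```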
Re:
It's a pretty stupid option to even have in the settings.
"hmmm, today I feel like giving a customer $20.00 for every dollar he withdraws" Yeah that makes sense.
Sounds like the ATM company is asking for scams like this to happen when they put things like that in their program.
[ link to this | view in chronology ]
Re: Re:
But yeah, do it at night and don't come back for a few hours. Watch out for cameras, and go somewhere you'll never be at again.
[ link to this | view in chronology ]
Re:
So you pop your ATM card in, tell it you want to withdraw $20, and 20 bills come out because the machine thinks that it is filled with $1 bills. Lo and behold, you get 20 $20 bills.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If an ATM gave me the wrong amount of money, would I report the error? Fuck no! But I would hold onto the money and not spend it right away, knowing that rule #1 is that The Man always wins.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Dumb, dumb dumb.
I personally use what I call "roll five" for most of my passcodes. For instance, I take a number that I use every day. Phone number, SSN, birth date or even street address, and add five to each digit. (Think of the digits as being on a wheel-type lock like a briefcase) In this case, 12345 would become 67890 and no longer closely resembles your 'clue number'.
[ link to this | view in chronology ]
but those are usually located at a bank.
these 7-11 atms are little things, with enough for one or two clips.
i can see why you'd want the ability to change denominations. but not always the case.
so yes, it's on the owner to know their equipment, but like every other product made, it has to be "idiot" proofed.
that's a big lesson i learned while getting my engineering degree
[ link to this | view in chronology ]
I hope to fool everyone :)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
It's not as easy as it sounds
Not only does every ATM maintain a local journal of transactions, maintenance actions, errors, etc., so does the remote network which the ATM uses. Once they realize there's been a security breach they'll use both those logs to determine at what point they occurred and adjust everyone's accounts accordingly. Also, it stands to reason that the first person who uses the ATM after the breach is likely to be the same person who altered the ATM's configuration, and since they'll have your card information, you can expect a visit from the local police.
Also, nearly every ATM in service today has some sort of video recording of everyone who uses them. This is assuredly the case if the ATM is located at a branch of a financial institution, but even if the ATM is located inside of a gas station or convenience store. They will use those images also to form a case against whoever abuses the ATM.
[ link to this | view in chronology ]
Re: It's not as easy as it sounds
[ link to this | view in chronology ]
Plasma
[ link to this | view in chronology ]
re: It's not as easy as it sounds
[ link to this | view in chronology ]
Passwords
[ link to this | view in chronology ]
That way maybe only one or two lucky souls had used the thing before you, and your transaction would appear to be something done by chance.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
meh
[ link to this | view in chronology ]
[ link to this | view in chronology ]
ATM setups
Someone else mentioned that the ATM should not need to be programmed for different amounts of cash etc... Judging by that statement I'll assume it was made by a typical Yank who thinks that ATMs are only made for the good old USA. Companies design their ATMs to work with notes from many different countries, different size bills, etc.... Creating separate hardware/software for each country would cost way too much.
And as Charles mentioned, it would be very hard to get away with this sort of scam. The bills are audited at many points along the way before they even are loaded in to the ATM, and they are also audited when they are removed and compared to the journal entries etc...
Good luck to any idiot willing to try this and believe he/she would get away with it for very long.
[ link to this | view in chronology ]
Yikers!
[ link to this | view in chronology ]
Why not have a "special card" instead?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I would imagine not all ATM machines have currency cartridges that automatically indicate the denomination of currency, especially these made mostly of plastic, gas station & quickie mart types.
To answer the question of a few of you: This is why there is a denomination setting in software. If there are three currency cartridge slots in the machine, the owner could choose to dispense fives, tens, and twenties, giving customers more denominations for withdrawal. An ATM owner would more likely want all slots to dispense twenties, however, since that way they would have to service the machine less often, and the machine would be able to take the weekend rush for cash. (The owner wants their two dollars; they could care less if you'd prefer to withdraw less than twenty bucks, and they want to make damned sure they have cash in the machine when you want to use it.)
[ link to this | view in chronology ]
Atm Maint. Mode
Secondly, there are no software changes you can make that would tell the machine to dispense 20's in place of 5's or 10's. In both Diebold and NCR ATMs the cassettes that hold the currency are programmable in that on Diebold cash cassettes there are 2 rows of buttons across the front. Removing all of the little buttons except certain ones determines what currency is in which cassette, and the dispenser in which the cassettes fit reads the buttons no matter which slot the cassettes are inserted into. On the NCR cassettes there is a row of four small magnets on the side. The currency amount is determined by which magnets are left in place. The dispenser reads the magnets and knows which currency is in that cassette.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
On a side note...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Better than an ATM
[ link to this | view in chronology ]
Diebold sucks
[ link to this | view in chronology ]
geroucha!!!!
I mean a combination is only as good as the person trying to break in to it in the first place.
Most people would not even think of anyone using such a simple combination, so would not even bother.
But on the other hand, some criminals would just try that one first just to see if someone used such a simple code, and make their life a whole lot easier. I agree a more complex password would be better (ie: 123466 or 123455 or 124456 or 111112 or 111115 or infinity)
My point is though, with over a million possible combos, there really is NO BAD combination.
[ link to this | view in chronology ]
Robin Hood
[ link to this | view in chronology ]
Seriously?
[ link to this | view in chronology ]
passcodes
[ link to this | view in chronology ]
You're all idiots! Your stupidity runs amuck
[ link to this | view in chronology ]
Re: You're all idiots! Your stupidity runs amuck
[ link to this | view in chronology ]
-- A keyboard commando.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
ATM Machines
[ link to this | view in chronology ]