Interesting People mailing list archives

Googling for ATM Master Passwords


From: David Farber <dave () farber net>
Date: Sat, 23 Sep 2006 08:51:12 +0200



Begin forwarded message:

From: Monty Solomon <monty () roscom com>
Date: September 22, 2006 9:01:46 PM GMT+02:00
To: undisclosed-recipient:;
Subject: Googling for ATM Master Passwords


Googling for ATM Master Passwords
By Ryan Naraine
September 21, 2006

Using clues obtained from a YouTube video and a simple four-word
Google search engine query, a criminal can find step-by-step
instructions for how to hack into and take control of thousands of
ATMs scattered around the United States.

Following up on a CNN report out of Virginia Beach, Va., here as a
YouTube video, that a man reprogrammed an ATM at a gas station to
dispense $20 bills instead of $5 bills, a New York-based security
researcher did some old-fashioned online sleuthing and discovered
that the operator manual for that specific model of ATM could be
legally obtained in about 15 minutes.

Dave Goldsmith, founder and president of penetration testing outfit
Matasano Security, in New York, did not say how he obtained the
operator manual, which contains master passwords and other sensitive
security information about the cash-dispensing machines, but an eWEEK
investigation shows that a simple Google query will return a 102-page
PDF file that provides a road map to the hack.

Goldsmith, a respected researcher who co-founded @Stake and
previously led Symantec's Security Academy, said he traced clues from
the video to identify the make and model of the ATM, a Tranax
Mini-Bank 1500 Series, and started an experiment to see how easy it
would be to legally obtain an operator manual.

In an interview with eWEEK, Goldsmith said he first dug around on
Tranax Technologies' Web site and found a knowledge base article that
mentioned that the ATM is programmed with passwords that can be found
in the operator's manual.

...

http://www.eweek.com/article2/0,1895,2018674,00.asp


