Re: ATMs vulnerable to digital break-ins

[Chris Walsh <cwalsh () cwalsh org>]

On Fri, Sep 22, 2006 at 12:53:23PM -0400, B.K. DeLong wrote:
> Am I over reacting?


I got the Tranax admin pw in 15 seconds of googling.

I found the Triton manuals in another 10 seconds, once I learned (from a link
in the Tranax results!) that Triton was a popular brand of ATMs for 7-11 or
gas station deployment.  Those manuals have the passwords, of course.

Among the fun things you can do (aside from the banal theft of cash) is view
or print the ATMs' journal.  I, obviously, have not tried this, but sources
tell me that these journals are based on ISO 8583, so in principle could
contain all sorts of the kind of info readers of this list might care about.

How would you like to see the names and card numbers of the last few people
that used an ATM before you did?  In a setting where many of these users
use debit or credit cards -- perhaps an airport lounge -- this could be
an interesting way to get card numbers.  An added benefit is that you know
the real card owner is in transit but was recently nearby, this making
(I think) fraud detection less likely to fire.

If I had decent info on what these ATMs journals actually *do* record, rather
than what the spec says they *could* record, I could do more than sketch a
possible attack.


cw

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 361 incidents over 6 years.