BreachExchange mailing list archives
Re: ATMs vulnerable to digital break-ins
From: Chris Walsh <cwalsh () cwalsh org>
Date: Fri, 22 Sep 2006 14:31:04 -0500
On Fri, Sep 22, 2006 at 12:53:23PM -0400, B.K. DeLong wrote:
> Am I overreacting?
I got the Tranax admin pw in 15 seconds of googling. I found the Triton manuals in another 10 seconds, once I learned (from a link in the Tranax results!) that Triton was a popular brand of ATMs for 7-11 or gas station deployment. Those manuals have the passwords, of course.

Among the fun things you can do (aside from the banal theft of cash) is view or print the ATMs' journal. I, obviously, have not tried this, but sources tell me that these journals are based on ISO 8583, so in principle could contain all sorts of the kind of info readers of this list might care about.

How would you like to see the names and card numbers of the last few people that used an ATM before you did? In a setting where many of these users use debit or credit cards -- perhaps an airport lounge -- this could be an interesting way to get card numbers. An added benefit is that you know the real card owner is in transit but was recently nearby, thus making (I think) fraud detection less likely to fire.

If I had decent info on what these ATMs' journals actually *do* record, rather than what the spec says they *could* record, I could do more than sketch a possible attack.

cw

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 361 incidents over 6 years.