Breaking into an ATM cashpoint might not involve ramming it with a forklift truck after all. A security researcher has discovered it can be done using something much less violent: a Google search.
According to a report on eWeek, respected security researcher Dave Goldsmith, founder of Matasano Security and formerly of @Stake, used Google to find master passwords for a popular brand of US ATM, the Tranax Mini-Bank 1500 series, in only 15 minutes.
Inspired by a CNN TV report on a man who had reprogrammed an ATM to dispense $20 bills as if they were $5 bills, Goldsmith identified the make and model of the machine involved and then went looking for its manual on Google. The passwords were discovered, along with other sensitive configuration information, in a PDF of the 102-page manual hosted on a reseller website.
Anyone using this information to hack the machine would enter the key sequence documented in the manual and then try the master, service or operator passwords in turn. Goldsmith was in no doubt that, where those passwords had never been changed, they could be used to hijack or reprogram the ATM.
"This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password," he told eWeek.
"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched."
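The policy weakness Goldsmith describes, an operator password still equal to the one printed in the manual, is the kind of thing an owner or auditor can check mechanically. The script below is an added illustration, not code from Goldsmith or Tranax: it takes the three passcodes configured on a terminal (operator, service and master, the tiers the article names) and flags any that match a known default, share a value across tiers, or are trivially guessable numeric patterns. The default values in it are constructed placeholders and are not the Tranax passcodes from the manual.

```python
"""Audit ATM-style operator/service/master passcodes for vendor defaults and
weak keypad patterns.  Added example; the defaults below are constructed
placeholders, NOT the real Tranax values."""

import hashlib
import hmac
from typing import Dict, List

ROLES = ("operator", "service", "master")
MIN_LENGTH = 6

# Constructed placeholder defaults (assumption for the example only).
PLACEHOLDER_DEFAULTS = {
    "operator": "000000",
    "service": "111111",
    "master": "123456",
}
# Keep only digests in the audit tool so it does not carry plaintext defaults.
KNOWN_DEFAULT_HASHES = {
    role: hashlib.sha256(pw.encode()).hexdigest()
    for role, pw in PLACEHOLDER_DEFAULTS.items()
}


def _is_default(role: str, passcode: str) -> bool:
    """Compare the configured passcode against the vendor default for that tier."""
    digest = hashlib.sha256(passcode.encode()).hexdigest()
    expected = KNOWN_DEFAULT_HASHES.get(role)
    return expected is not None and hmac.compare_digest(digest, expected)


def _is_sequential(passcode: str) -> bool:
    """True for keypad runs such as 123456 or 654321."""
    digits = [int(c) for c in passcode]
    diffs = {b - a for a, b in zip(digits, digits[1:])}
    return diffs in ({1}, {-1})


def audit_passcodes(configured: Dict[str, str]) -> List[str]:
    """Return a list of findings for the configured tier passcodes (empty = clean)."""
    findings: List[str] = []
    for role in ROLES:
        pw = configured.get(role)
        if pw is None:
            findings.append(f"{role}: no passcode configured")
            continue
        if not pw.isdigit():
            # Keypad entry is numeric; anything else will not even be enterable.
            findings.append(f"{role}: non-numeric passcode (keypad entry expects digits)")
            continue
        if len(pw) < MIN_LENGTH:
            findings.append(f"{role}: shorter than {MIN_LENGTH} digits")
        if _is_default(role, pw):
            findings.append(f"{role}: still set to vendor default")
        elif len(set(pw)) == 1:
            findings.append(f"{role}: single repeated digit")
        elif _is_sequential(pw):
            findings.append(f"{role}: sequential digits")

    # One passcode reused across tiers collapses the privilege separation
    # between operator, service and master.
    values = [configured[r] for r in ROLES if r in configured]
    if len(values) != len(set(values)):
        findings.append("passcode reused across roles")
    return findings


if __name__ == "__main__":
    # Constructed sample: a terminal left exactly as shipped (placeholder values).
    for line in audit_passcodes(dict(PLACEHOLDER_DEFAULTS)):
        print(line)
```

The defaults are held as hashes and compared with `hmac.compare_digest`; the tool itself is then one less place where a plaintext default lives, which matters when the audit script is checked into a fleet-management repository.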
Tranax has apparently declined to comment on the revelation, but it is known that the ATM in question can dispense up to 40 notes in a single transaction, which caps what one withdrawal can yield rather than what a machine can lose overall. Assuming a denomination of $20, that would still, in theory, be an easy $800 per transaction.
Goldsmith has blogged on the topic, while omitting precise details of how he tracked down the manual for security reasons.
The alleged ATM passcode hack that prompted Goldsmith's digging can be seen here on YouTube.
Goldsmith is best known as one of the founders of @Stake, which was eventually bought by Symantec in 2004.