Memo To Banks: In Case You Missed The First Memo, Change Your ATMs' Default Passwords
from the double-the-cash-double-the-fun dept
Last month, we wrote about the story making the rounds showing how easily some ATMs could be reprogrammed and set to dispense more money than they should because banks and ATM owners never bothered to change the machines' default passwords -- passwords which were easily found in the ATMs' manual online. JimH writes in to point out a story from Bristol, England, where people discovered an ATM dispensing double the amount of money they requested (via The Register). Word quickly traveled around, leading to three-hour lines at the machine, while an identical but properly configured ATM beside it sat unused. Local restaurants, bars and liquor stores said they did a roaring trade as people spent their "free" money -- but the bank has a record of all the withdrawals and says it will chase down everyone that took advantage of the broken machine. It's not clear if the ATM in question was one of the same models discussed last month, or indeed just how the machine came to be misconfigured, but this seems like quite an interesting coincidence. In any case, if you run a bank, it might not be a bad idea to check your ATMs and ensure they're not still using the default password.


Reader Comments
Maybe...
...the same people in charge of Diebold's electronic voting machines are in charge of the ATMs.
(reply to this comment) (link to this comment)
Not likely. The article said "the bank has a record of all the withdrawals" and we all know that Diebold doesn't record anything.
(reply to this comment) (link to this comment)
Re: Maybe...
Being that Diebold is one of the largest producers of ATMs worldwide....
(reply to this comment) (link to this comment)
Re: Maybe...
I doubt that. ATMs are actually fairly well secured. Even if you have the default password, it seems the worst you can do is make it give more money than it should (sounds bad, but it keeps a perfect record of this, so the banks can hold people accountable).
Diebold voting machines that don't keep a printed paper trail do not keep any record that can show tampering. Even ones that do keep a paper trail might not show tampering if people can't read the paper trail at the time of voting (What is the point of a paper trail if it records something different from what buttons you pushed?)
The Diebold machines I used last year print a paper 'receipt' of your vote that you have to verify (and then tell the machine you verified it) that they show in a glass window. So you can see yes, it really did print out what you told it to before you leave the polls.
(reply to this comment) (link to this comment)
Re: Re: Maybe...
Uhmmm....
http://www.google.com/search?hl=en&q=define%3Asarcasm
(reply to this comment) (link to this comment)
Re: Re: Maybe...
Umm, I'm also curious. They say they have records of all the people that used the machine, and they say they can track them down, which is absolutely true. However, are they going to be able to prove what each person actually got as a result of the reprogrammed ATM??
(reply to this comment) (link to this comment)
Re: Re: Maybe...
http://www.diebold.com/solutions/default.htm
They DO make ATM machines, for the ones that don't pay attention at the bank. They even make the actual metal deposit boxes, which is probably the best engineered part of it all.
(reply to this comment) (link to this comment)
Brad
Diebold manufactures a huge portion of the world's ATMs.
(reply to this comment) (link to this comment)
Don't know what's worse...
The fact that ATMs are vulnerable in this way, or that people willingly took the extra money dispensed thinking that they won a small lottery prize; further, they didn't even stop to think that the bank has logs of the transactions. I wonder if anyone who was in receipt of extra cash actually notified the branch. --- I doubt it.
(reply to this comment) (link to this comment)
Stop reporting it, so we can take advantage.
(reply to this comment) (link to this comment)
Re: Don't know what's worse...
Even though they have the records that you withdrew the money, I'm not sure that they can actually go after you.
If a teller accidentally slipped you an extra $50, how can they go after you for that?
I think that the machine will record the transaction as withdrawing the $100 that you asked for. Not the 200 that it gave you.
(reply to this comment) (link to this comment)
Manual error
They claimed that this was a manual error. Are we sure that it's that someone hacked the machine, or could it possibly be that some dunce just loaded the 20 quid notes into the 10 quid note tray? I'd be more inclined to think that's what happened...
(reply to this comment) (link to this comment)
ATM fraud persecution is EZ, so long as it's not s
Tellers and computers are completely different in the fact that a computer can never mess up. It can only ever do what it's told. So if it's told to dispense 10 bills for $100, instead of 5 bills, then it does. It logs that for $100, 10 $20's were given. All you do is change the table amount by a multiply factor of 2 and for whatever amount you say you get twice as much. With logs and a nice video camera for surveillance purposes, tracking down all involved in this fiasco probably won't be anything short of simple.
(reply to this comment) (link to this comment)
If you withdrew some money using a prepaid VISA or MC card, and you bought it with cash, then they won't be able to find you.
(reply to this comment) (link to this comment)
Re: Re: Re: Maybe...
Well they at least can catch one...
"Eleanor Woodward, 23, of Bristol"
(reply to this comment) (link to this comment)
Stealing is Stealing!
It's sad to see that the younger generation doesn't see anything wrong with taking someone else's money. I guess Banks are up there with Corporations, and they haven't given us a good example, but it's still not right.
(reply to this comment) (link to this comment)
ha ha what idiots!!
(reply to this comment) (link to this comment)
Re: Stealing is Stealing!
Younger generation? Of course, the older generation set up such beautiful examples through ravaging their corporations at the expense of employees. Please, if you are bitter because you are no longer young, find a better way to deal with it than faulting younger generation with it. I hear BASE jumping is a cure-all.
(reply to this comment) (link to this comment)
How does this happen?
Why would someone who manages an ATM use the same interface as the end user? It seems a bit daft to even give someone the opportunity of trying to "hack" in to an ATM through a common interface.
(reply to this comment) (link to this comment)
Re: How does this happen?
Agreed. Put a USB or other interface behind on the backside of the machine, you lazy sods!
(reply to this comment) (link to this comment)
As vulnerable as the OS?
The last time I saw my local bank's ATM booting up, the start up screen showed:
OS 2 Warp
Is that better or worse than "XP"? Better or worse for hackers?
(reply to this comment) (link to this comment)
Re: Re: Re: Maybe...
Hahah. Some people say sarcasm can be hard to detect on the internet... but for you to say that your post was sarcastic is just stupid. If you didn't know it doesn't mean you have to reply with "sarcasm" to cover it up. People don't care if you didn't know that.
(reply to this comment) (link to this comment)
Re: As vulnerable as the OS?
OS/2 was a great operating system that IBM never knew how to market effectively, whereas MS knew just how to market everything and thereby got the jump on IBM. OS/2 has been moribund for so many years I don't know if anyone really knows how secure it is in terms of today's threats, but I would suspect probably pretty secure.
(reply to this comment) (link to this comment)
Re: Re: Re: Maybe...
Uhmmm....
http://www.google.com/search?hl=en&q=denial&btnG=Google+Search
(reply to this comment) (link to this comment)
I looked all over for the Diebold default passwords but had no luck finding them. Where would I find them? Or the whole manual. The actual Diebold site doesn't have the default passwords.
(reply to this comment) (link to this comment)