The first comment on the article that you linked to said "investigators know the only people with these codes work for armored car services". This statement is totally untrue, as many ATMs are serviced and replenished by the business they are located in. There are three employees at the place I work, that know what the code is to the one located in the lobby.
I, personally do not want to know it, as I am the type of person that would want to take advantage of it. Jail isn't any fun, either.
Most Windows computers are ridiculously easy to reset the motherboard password. I boot all my computers from a server which checks the time on the mobo and refuses to boot the machine if the time is off by more than a few minutes. Sometimes the lithium battery dies and the mobo forgets its settings. Any IT dept. could install security to prevent access if it cared to do so.
Matasano won't stoop to your level so I will.
You are an idiot.
Why? See your above comment.
I rest my case.
Josh
As to codes yes, there was one on YouTube. I can do it and it works with all coke machines. It's either 1-3-2-4 or 2-3-4-1 as in, the drink selection buttons, and it drops you into a diagnostic menu where you can see items bought, costs and shit.. I never found out how to get free pop because it was in plain view and meddling with it for more than a few minutes wasn't fun. The change return is ESC if you get nervous and have to log out.
http://hackedgadgets.com/2006/06/27/hacking-coc...
Well it could have been one of four options lol.
I second that.
Or at the very least tell us how you got it.
Nice try, but anyone who has actually seen the inside of a PC knows the BIOS password has nothing to do with any installed OS.
And anyone that has actually worked with PCs (like you pretend to do) knows that you can reset the password (and all other BIOS settings) by flipping the CMOS Clear jumper, which is clearly labeled on most motherboards.
If you aren't going to give us detailed instructions on how to get a copy ourselves then I want my money back too! With interest!
"Worst Episode Ever"
-Comicbook guy
Grow up you script kiddies and try figuring it out yourself.
/Go take something apart and learn how it works some time.... and get off my lawn....
god forgive me for even reading the comments, let alone making a comment myself.
This is one reason the merchant or installer should NEVER leave the ATM master password at default. This guy can also be an ATM installer.....and has a record of the new passwords that were put in the ATM, therefore making it very easy for him to do this.
It is unlikely that any buffoon off the street would be doing this.
Less than 5 minutes.
I kid thee not :-(
The concepts are simple. Devices need to be configured such that a simple operator can install and/or use them. Manuals are kept on site, default passwords rarely changed (or if they are, are sometimes written inside the operator's panel), and information on how to use the device kept secret as much as possible. Barring this obscurity, the only other real protection has long been a simple lock and the good conscience of regular people.
Likewise, many curious people have gotten hands on devices like old ATMs and such (illegally or not) and have tinkered and poked at them enough to publish their findings as well. Or just buy an operator some drinks and start asking the questions.
This is all about as old as phreaking and ATM machines themselves. However, hopefully this publicity changes some policies (corps really only respond to economic pressures...).
I wrote software for ATM machines for 6 years, so I have my own perspective on all of this. It's just like any other system which must be a) secure and b) usable by a variety of people. As part of my job I occasionally handled telephone support for ATM owners. Most of them were decent folks. Not too many of them were rocket-scientist types, however. In fact, a sizeable percentage didn't speak enough English to be coached through even simple procedures. So what are the ATM manufacturers going to do? Secure it to the max, but frustrate technologically unsophisticated owners? Well, you COULD do that. Or you could make it simple(r) to use, and provide ADEQUATE security that does, unfortunately, require some extra diligence on the part of the operators. Nothing requiring an engineering degree; just common sense and the ability to read a bold sentence in the manual which says something like "CHANGE THIS PASSWORD". Seems to me to be a little like those notices on an automobile radiator that says "don't stick your hand in this moving fan", or on a gas can that says "warning: this is flammable". But, well.
There are a lot of ways to be dishonest. This particular scheme isn't really noteworthy except that everybody goes gaga when they hear that an ATM machine is involved.
The company I worked for had a couple of thousand machines out in the real wicked world, and AFAIK none were ever compromised. We did have several snatched out the front door on the end of a chain dragged behind a pick up truck, though. That was the real-world problem most ATM owners actually worry about (and deal with.)
Nothing to see here. Move along.
I got it in 22 seconds. And 13 of those, I was distracted by a porn link.
You're laying out a microcosm of the whole problem of information security. End-users will not educate themselves about security; they are too busy managing the cooling rods, trying cases in front of the Supreme Court, and repairing gall bladders. So the challenge vendors face is amplified: they can't take the easy route and "secure everything to the max", and they can't leave everything wide open.
What's left in between? Finesse.
There's a whole other post you could write about simple mechanisms these ATMs could use that would not substantially increase end-user frustration but would make these attacks a lot less likely. The meta-lesson is that "security usability" is drastically underrated; "security usability" has less to do with human interface design and more to do with security engineering done under heavy constraints.
http://blog.wired.com/27BStroke6/index.blog?ent...
Here is an obvious google query so I am not posting a URL.
http://www.google.com/search?q=user-manual+site...
-Chris
Of course ATM users want a system that is easy to use after 15 beers.
Of course ATM manufacturers don't want to field a buttload of "Duh...I forgot the password" support calls, or lose sales to the other guy who makes a noticeably cheaper box.
Tom's right -- simple, obvious stuff can still help here:
One manufacturer makes it so that if the master and admin passwords are identical then the ATM won't do all the good stuff 37337 hax0rs want. Why not also check that the values are not the defaults?
If the concern is that recovery is impossible if the owner gets hit by a bus, then how about adding $1.50 to the cost of each ATM and storing the values in a module which is inside the "vault"? How about giving the owner the chance to print the passwords (with big letters saying "If you leave this in sight you are an idiot who deserves whatever he gets")?
How about giving each box random PWs, and supplying a card with what those values are, AND doing any of the above?
None of these measures is perfect, but any of them is better than shipping a box full of money that can be opened, more or less, by typing "password".
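The checks proposed in the comment above (refuse identical passwords, refuse factory defaults, ship random per-unit values), sketched as an added example that is not part of the original thread and not any manufacturer's firmware. The function names are hypothetical, the role names are the three keypad roles a later comment lists, and the default values are constructed placeholders.

```python
import secrets

# Constructed placeholders, NOT real factory defaults for any ATM model.
FACTORY_DEFAULTS = {
    "operator": "FACTORY-OPERATOR-PLACEHOLDER",
    "technician": "FACTORY-TECHNICIAN-PLACEHOLDER",
    "master": "FACTORY-MASTER-PLACEHOLDER",
}


def audit_passwords(configured, factory_defaults=FACTORY_DEFAULTS):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    defaults = set(factory_defaults.values())
    roles = sorted(configured)
    for role in roles:
        # A password matching ANY shipped default is rejected, not just its own.
        if configured[role] in defaults:
            findings.append(f"{role}: still set to a factory default")
    for i, first in enumerate(roles):
        for second in roles[i + 1:]:
            if configured[first] == configured[second]:
                findings.append(f"{first}/{second}: identical passwords")
    return findings


def privileged_menu_allowed(configured, factory_defaults=FACTORY_DEFAULTS):
    """Hypothetical gate: management functions stay locked until the audit is clean."""
    return not audit_passwords(configured, factory_defaults)


def provision_unique(roles, digits=8):
    """Issue a distinct random numeric password per role for one unit."""
    issued = {}
    for role in roles:
        candidate = "".join(secrets.choice("0123456789") for _ in range(digits))
        while candidate in issued.values():
            candidate = "".join(secrets.choice("0123456789") for _ in range(digits))
        issued[role] = candidate
    return issued


if __name__ == "__main__":
    print(audit_passwords(dict(FACTORY_DEFAULTS)))   # unit left as shipped
    unit = provision_unique(FACTORY_DEFAULTS)        # per-unit random values
    print(privileged_menu_allowed(unit))
```
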
I always think that a mixture of physical security and software is needed, e.g. you need a key to add money to the machine, why don't you need a key to enter the setup of it ( + a password), how hard is it to say, enter your key, then enter your password, would also work to have the keyhole positioned away from the screen e.g, on the floor.
"hello Mr customer, why are you bending down round the back of my ATM, oh you are inserting the security key, I think the police would like to know about that..."
Surely it can't be that hard to program in a method to make sure that the default password is different for each machine, if WordPress can do it (which they do), why can't a manufacturer of ATMs do it?
oh well, strange how it doesn't surprise me that much...
I'm shocked and appalled at the obvious gall you possess with posting google search links. You and your l0pht ilk have been promoting research and learning for too many years now! When will it all end? Please do better next time and just post: "http://www.google.com" and leave it as an exercise for the expert search geeks.
By the way just because it's common practice, doesn't mean it's not absolutely wrong and stupid. It's much more a case of 'locks on doors only keep honest people honest' just putting up a show for those who don't care to subvert things, while those who do find it stupefyingly easy.
Oh, one other nice bit from that chapter - Feynman tried to work with his superiors to get them to switch safes or report the weakness to the safe vendor. Their response? "Keep Feynman away from your safes!" Glad to know smart guys have been slain messengers long before I was born. A great read for this, and many other stories, quite a few of which discuss crappy security in what should've been the highest security facilities in the world at the time.
Could you get a job with an ATM company after you got out?
Most high tech or IT departments require a background check.
Just some thoughts.
The ATM backdoor is an old hack which people didn't care about until it got into the news. I am aware of one ATM (well one ATM location), which has been hacked, stolen, or smashed open so many times things are getting ridiculous, but no-one cares.
Who says responsible disclosure doesn't work?
:^)
It's really funny for me to read this story. I found a Tranax 1500 manual on the sidewalk outside my apartment, maybe a year ago. No idea how it got there, there's no Tranax ATM anywhere near me; sometimes my life is just like that. I've been waiting for this story to happen ever since.
And Tom, don't ever change.
There are three passwords that can be inputted from the keypad:
1. Operator (guy who fills machine)
2. Technician (same access with more diagnostic options)
3. Master (Everything)
If you want to perform the hack mentioned above, you need the Master password, which is obviously pretty easy to get. I've seen armored car rent-a-cops on $12/hour use the Master password for simply filling the machine.
All passwords will give you access to the ATM's electronic journal which shows the last x000 transactions. When you wipe it using the "Clear Journal" option...
If you're prepared to spend time reprogramming the machine to dispense $20s when it thinks it's dispensing $5s, go ahead. It may make people like the dumb f*cks who run the machines I service start taking things seriously.
Best thing though was the next night it was still unlocked.
Stupid is as stupid does!
If the thief had used the "clear journal" option would there be any way to trace who had done this?
Is there a way to make the ATM think you never got any cash out, before it writes your card balance/limit to the card, like the pre-1989/1979 ATM glitch?
As I understood the manual, clearing the journal just "audited" the entries, didn't erase them. Is there a way to erase the entries?
Can you "load" the bill-transporter, and THEN purge it? Would make for a hell of a way to get money without having to insert a card.
don't give advice for the machine operators you fool because I can't use these passwords then, I'm sick of kiddies like you who believe they are big hackers and do social things like this, fuck man...
you are nothing more than a pathetic [expletive removed], people like you screw the internet, thanks.
Yes, you can still get hold of a copy of the TRANSACTION journal from the switch which links the bank's computer to the ATM.
However, the transaction journal does not include terminal-only entries like power on/off, change of receipt layout or changes to passwords. Dial-up machines like the Minibank only communicate with the switch (and bank's computers) when there is something "interesting" happening, like a request for cash to be dispensed.
Am I the only one with access to Google?
I have copied this website for proof and have your IP address and address details and that's all proof they need to arrest your scamming arse, just a reminder when you're in prison don't drop the soap
There is a fact you are missing. You can program whatever denomination of bill you want into the machine, however the processor the machine dials into and connects to has to have the matching amount programmed in. If it is set at the processor server end to $20, you can enter $5, $10 whatever the hell you want, it still knows it should have $20's in it.
The average layman or even medium tech aware can do little more than screw the machine up by going into management and playing with settings.
The Tranax machine is by far the best 3rd party bank machine made. It is professionally made, well designed and operates flawlessly. We operate a large number of these. I would rather own these than the others you mention, which I have also worked on.
Unfortunately, the amount of white-label ATM operators who don't follow them is growing. (For example, to enter the secret master keys to connect to the network you are supposed to have TWO separate people enter codes which get mailed to the company in two separate envelopes and they should not be entered at the same time, and they should be destroyed as soon as they are entered.. and companies send one guy to install the ATM all the time, sigh)
To make matters worse, some of the newer ATMs do allow you to enter a service menu without opening the ATM or doing anything more suspicious than entering a few codes in the keyboard and a numerical password. (Not that opening the ATM for half a second and closing it (say on an MCD-2) is all that difficult to begin with, at least if you're an ATM technician and have master keys.., but seriously, what were people thinking when they removed this?! And the older machines even required you to open it ALL the way up AND flip a switch inside it to enter supervisor mode (MCD-1) )
The only good news is that only the owner of the stolen card who failed to report it stolen (only someone mental would use their own ATM card) OR the silly ATM owner will incur the losses if you simply reprogram the denomination of bills inside the machine. So this means non-moronic ATM providers and users are perfectly safe.
PS: Erasing the log only erases it on the machine. The network still has copies of all transactions.
Yes, you can change the denomination at the terminal, but unless it is also changed on the processors end then you'll still be charged the full amount of your withdrawal. Go ahead and put your card in nub.
And how about this? Instead of feeling like it's your right to scam the IDIOTS who build and run these ATM's, get a job and contribute to society. The only reason we need the type of security currently found on ATM's is because of worthless two-bit hacks such as yourselves.
1) if you change the denomination, yes you get away with it, you do NOT have to make a change at the host as the previous poster suggested (that only applies to surcharge, not to dispensed amount)
2) all currently manufactured atm's REQUIRE that you change the master password to the atm, the passwords they're using to "hack" these are defaults that the atm's ship at, and for the longest time you didn't have to change them and many people just left them, all current software versions require a password change.
3) unless you're using a card generator you can get caught very easily doing this, and most people that try this do get caught, it is possible to look at the changes made on the atm, and when you see the denomination changed, then somebody pulls a load of cash, you just track that card number.
4) there is NOT a magic back door, it's just that most people are lazy and don't want to make any changes they don't have to make.
Ok so here is where everyone says great but you have to find one with factory password or know the password to make the denomination changes. True but there is a back door. I won't tell you the specifics but for the service tech that answered above address this one. What if someone clears the NVRam? now the passwords are reset but the master keys still reside within the ATM.
Thanks,