
ATM cashpoints hacked via Google

Money for nothing

Breaking into an ATM cashpoint might not involve ramming it with a forklift truck after all. A security researcher has discovered it can be done using something much less violent – a Google search.

According to a report on eWeek, respected security researcher Dave Goldsmith, founder of Matasano Security, used Google to find master passwords for a popular brand of US ATM, the Tranax Mini-Bank 1500 series, in only 15 minutes.

Inspired by a CNN TV report on a man who had hacked an ATM to spit out $20 for every $5 bill requested, Goldsmith was able to identify the make and model involved to start his Google search for the machine’s manual. The passwords were discovered along with other sensitive information in a PDF of the 102-page manual on a reseller website.

Anyone using this information to hack the machine would do so by entering a specified key sequence and then trying the master, service or operator passwords. Goldsmith was in no doubt these could be used to hijack or re-program the ATM.

"This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password," he told eWeek.

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched."

The company has apparently refused to comment on the extraordinary revelation, but it is known that the ATM in question can dispense up to 40 notes in a single transaction, placing a ceiling on how much a criminal could steal from a single machine using a single card. Assuming a denomination of $20, that would still, in theory, be an easy $800.

Goldsmith has blogged on the topic, while omitting precise details of how he tracked down the manual for security reasons.

The alleged ATM passcode hack that prompted Goldsmith's digging can be seen here on YouTube.

