September 21, 2006

Get Rich From ATMs Using Google

EWeek reports that you don't have to be clever to get rich.

"Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States. (...)

In the operator manual freely available on the Web site of a Canadian reseller, a section titled Programming provides the specific key sequence that will pop up a screen on the ATM that asks for the master password. It then lists three default passwords—master, service and operator—that could be used to hijack and possibly rig a machine."

And because most people are lazy, many ATMs still have the default passwords, which are freely available. A quote from the manual of an ATM:

"The default Master password is 123456 and the default Administrative password is 987654. To enter Management Functions as the Administrative user, enter 987654 and press ENTER (OK)."

The article concludes that "the episode underscores how easy it is to use the power of search engines to find sensitive security information. In the past, Google queries have been used to find security flaws in Web-facing applications, default passwords in Oracle databases and even live malware samples seeded on forums and other malicious sites." That's true, but keep in mind that publicly available information is... available to the public, so anyone can use it. Google and other search engines only make this process easier; the fault is not theirs.

4 comments:

  1. Some interesting comments on Slashdot:

    "However, should ATMs even come with a default password so that they can be hacked? Shouldn't reprogramming them require using some sort of physical/electronic key that's more difficult for people to get ahold of? If you can reprogram an ATM by walking up to it and typing in any code, regardless of whether it's the default password or not, then the ATM security is terrible. It's one thing to put a default password on a digital cable box for blocking channels, it's another matter entirely to put a default password on an ATM."

  2. Yes, there is an alarming precedence in occurrence using current technology space. I also noted the FEDEX/KINKO hack

    http://peterdawson.typepad.com/scmv20/2006/02/fedex_expresspa.html

  3. We all know the internet is a way of accessing information both quickly and easily, including information that would otherwise be hard to find. I don't think the medium is to blame here. Why would anyone post this information online? If anyone possesses information that is sensitive in nature... DON'T POST IT ONLINE! There is no such thing as "secure" data on the web.

  4. I know how to hack an ATM; it's upon you to contact me and you will get rich in no time. tumshizo@gmail.com
