Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ATM cashpoints hacked via Google

Researcher finds passwords in 15 minutes.

Article comments

Breaking into an ATM cashpoint might not involve ramming it with a forklift truck after all. A security researcher has discovered it can be done using some thing much less violent – a Google search.

According to a report on eWeek, respected security researcher Dave Goldsmith, founder of Matasano Security and formerly of @Stake, used Google to find master passwords for a popular brand of US ATM, the Tranax Mini-Bank 1500 series, in only 15 minutes.

Inspired by a CNN TV report on a man who had hacked an ATM to spit $20 for every $5 bill requested, Goldsmith was able to identify the make and model involved to start his Google search for the machine’s manual. The passwords were discovered along with other sensitive information in a PDF of the 102-page manual on a reseller website.

Anyone using this information to hack the machine would do so by entering a specified key sequence and then trying the master, service or operator passwords. Goldsmith was in no doubt these could be used to hijack or re-program the ATM.

"This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password," he told eWeek.

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched."

The company has apparently refused to comment on the extraordinary revelation, but it is known that the ATM in question can dispense up to 40 notes in a single transaction, placing a ceiling on how much a criminal could steal from a single machine using a single card. Assuming a denomination of $20, that would still, in theory, be an easy $800.

Goldsmith has blogged on the topic, while omitting precise details of how he tracked down the manual for security reasons.

The alleged ATM passcode hack that promoted Goldsmith’s digging can be seen here on YouTube video.

Goldsmith is best-known as one of the founders of @Stake, eventually bought by Symantec in 2004.


More from Techworld

More relevant IT news


unknown said: manual for UK ATM are available on the internet for any one to see

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *