http://www.wired.com/news/technology/0,71832-0.html
By Kevin Poulsen
Sept 21, 2006

The maker of a popular line of automated teller machines is planning a software upgrade that forces operators to change a default administrative pass code, after a surveillance tape showed a high-tech thief successfully hacking one of its ATMs in a Virginia gas station.

"If we can make them change this default password, the security will be infinitely greater," said Hansup Kwon, CEO of California-based Tranax Technologies.

Last week, news and video reports circulated of a swindler who strolled into a Virginia Beach, Virginia, gas station and, with no special equipment, reprogrammed a mini ATM to act as if it had $5 bills in its dispensing tray instead of $20 bills. Using a pre-paid debit card, the crook then made a withdrawal and casually strolled off with a 300 percent profit. The ATM stayed misprogrammed for nine days -- presumably to the delight of other customers -- before a good Samaritan reported the issue and exposed the caper. The thief was not caught.

Details on how the swindle worked were scant until Wednesday, when Dave Goldsmith, a computer security researcher at Matasano Security in New York, analyzed CNN's report on the crime and identified the ATM as a Tranax Mini-Bank 1500 series. He then set out to see if he could obtain a copy of the manual for the apparently vulnerable ATM and find out how the crime was pulled off. Fifteen minutes later, he reported success on both counts.

Wired News located a copy of the manual on a Tranax distributor's website. The manual reveals a special key sequence that puts the Mini-Bank ATM into "Operator Mode," from which the machine can be reconfigured. One of the options lets the user change the denominations of the bills the machine dispenses -- exactly as the Virginia thief did. A numeric password is required to perform the operation, but the default factory-set password is listed in the manual.
Kwon acknowledged Thursday that ATM owners don't always change the password from that default. "Raising this type of awareness is very important," said Kwon. "We've been trying, and are continuously trying, to talk to our customers and operators. A very high percentage change their passwords."

The manual includes a note that: "Tranax Technologies, Inc. highly recommends changing your passwords from default as soon as possible."

Kwon said the company first heard of the denomination-change hack a few years ago, when its ATMs had only a single passcode to access all the management functions. That meant the person who performs routine servicing of the machine had more privileges than he needed, and could leak the passcode to accomplices or hack the machine himself. Tranax responded by changing its software to incorporate a hierarchy of three levels of access, so "the average guy who puts the money into it and services the ATM can work without accessing the denomination changes and other things," Kwon said.

The company thought that ended the push-button heists, until news of the Virginia Beach caper broke last week. When CNN's video showed a Tranax Mini-Bank at the heart of the crime, the company began exploring its options, said Kwon, and decided to make the password change mandatory in a new firmware release. The patch will be ready "in weeks, not months," he said, and will be installed in all new ATMs the company sells.

Tranax has no way to force the upgrade onto existing machine operators, however. They'll have to choose to install it. The company has 75,000 Mini-Bank ATMs in service. They are sold through distributors, either to independent operators like gas stations and convenience stores, or to companies that run a number of machines in a geographic area.

Kwon said the service manual should not have been published on the web, but he defended the company's practice of including the default passcodes in its pages.
"It's almost the industry standard practice," he said.

Indeed, a manual for a line of retail ATMs made by Tranax-competitor Triton reveals that company's cash machines also contain a special key sequence to gain control of the ATM. A default passcode is listed in the manual. Triton didn't immediately return a phone call for comment.

The Tranax machines will dispense at most 40 bills at a time, which puts an $800 cap on a fraudulent withdrawal from a machine loaded with twenties.

It's unclear whether the Virginia incident was an isolated case, or part of a broad scheme, exposed only because the crook neglected to change the ATM back to its proper configuration before leaving with his cash. Kwon said he hasn't heard of a similar crime in years, and believes they are exceedingly rare. "However the chances are there ... (and) going up."
This archive was generated by hypermail 2.1.3 : Thu Sep 21 2006 - 22:35:01 PDT