[ISN] ATM Maker Readies Anti-Hack Patch

From: InfoSec News (alerts@private)
Date: Thu Sep 21 2006 - 22:16:21 PDT


By Kevin Poulsen
Sept 21, 2006

The maker of a popular line of automated teller machines is planning a 
software upgrade that forces operators to change a default 
administrative pass code, after a surveillance tape showed a high-tech 
thief successfully hacking one of its ATMs in a Virginia gas station.

"If we can make them change this default password, the security will be 
infinitely greater," said Hansup Kwon, CEO of California-based Tranax 

Last week, news and video reports circulated of a swindler who strolled 
into a Virginia Beach, Virginia, gas station and, with no special 
equipment, reprogrammed a mini ATM to act as if it had $5 bills in its 
dispensing tray instead of $20 bills.

Using a pre-paid debit card, the crook then made a withdrawal and 
casually strolled off with a 300 percent profit. The ATM stayed 
misprogrammed for nine days -- presumably to the delight of other 
customers -- before a good Samaritan reported the issue and exposed the 
caper. The thief was not caught.

Details on how the swindle worked were scant until Wednesday, when Dave 
Goldsmith, a computer security researcher at Matasano Security in New 
York, analyzed CNN's report on the crime and identified the ATM as a 
Tranax Mini-Bank 1500 series.

He then set out to see if he could obtain a copy of the manual for the 
apparently vulnerable ATM and find out how the crime was pulled off.  
Fifteen minutes later, he reported success on both counts.

Wired News located a copy of the manual on a Tranax distributor's 
website. The manual reveals a special key sequence that puts the 
Mini-Bank ATM into "Operator Mode," from which the machine can be 
reconfigured. One of the options lets the user change the denominations 
of the bills the machine dispenses -- exactly as the Virginia thief did.

A numeric password is required to perform the operation, but the default 
factory-set password is listed in the manual. Kwon acknowledged Thursday 
that ATM owners don't always change the password from that default.

"Raising this type of awareness is very important," said Kwon. "We've 
been trying, and are continuously trying, to talk to our customers and 
operators.… A very high percentage change their passwords."

The manual includes a note that: "Tranax Technologies, Inc. highly 
recommends changing your passwords from default as soon as possible."

Kwon said the company first heard of the denomination-change hack a few 
years ago, when its ATMs had only a single passcode to access all the 
management functions. That meant the person who performs routine 
servicing of the machine had more privileges than he needed, and could 
leak the passcode to accomplices or hack the machine himself.

Tranax responded by changing its software to incorporate a hierarchy of 
three levels of access, so "the average guy who puts the money into it 
and services the ATM can work without accessing the denomination changes 
and other things," Kwon said. The company thought that ended the 
push-button heists, until news of the Virginia Beach caper broke last 

When CNN's video showed a Tranax Mini-Bank at the heart of the crime, 
the company began exploring its options, said Kwon, and decided to make 
the password change mandatory in a new firmware release.

The patch will be ready "in weeks, not months," he said, and will be 
installed in all new ATMs the company sells. Tranax has no way to force 
the upgrade onto existing machine operators, however. They'll have to 
choose to install it.

The company has 75,000 Mini-Bank ATMs in service. They are sold through 
distributors, either to independent operators like gas stations and 
convenience stores, or to companies that run a number of machines in a 
geographic area.

Kwon said the service manual should not have been published on the web, 
but he defended the company's practice of including the default 
passcodes in its pages. "It's almost the industry standard practice,"  
he said.

Indeed, a manual for a line of retail ATMs made by Tranax-competitor 
Triton reveals that company's cash machines also contain a special key 
sequence to gain control of the ATM. A default passcode is listed in the 
manual. Triton didn't immediately return a phone call for comment.

The Tranax machines will dispense at most 40 bills at a time, which puts 
an $800 dollar cap on a fraudulent withdrawal from a machine loaded with 

It's unclear whether the Virginia incident was an isolated case, or part 
of a broad scheme, exposed only because the crook neglected to change 
the ATM back to its proper configuration before leaving with his cash. 
Kwon said he hasn't heard of a similar crime in years, and believes they 
are exceedingly rare.

"However the chances are there ... (and) going up."

Visit the InfoSec News store!

This archive was generated by hypermail 2.1.3 : Thu Sep 21 2006 - 22:35:01 PDT