A few years ago, we discussed how bank ATM's just aren't very secure, despite the belief by many that they were. That discussion revolved around the fact that many people often compare bank ATMs to e-voting (in part because Diebold was a big player in both businesses). It looks like more and more folks are realizing the same thing. Some security researchers are about to release their evidence on just how easy it is to hack bank ATMs. And, of course, if security researchers are talking about it now, you can be pretty sure that hackers already figured this out a while ago.

Diebold is pretty well known for being in two separate, though similar, businesses: ATMs and e-voting machines. Its e-voting machines have always had a terrible reputation, with security flaws and bugs galore (the company recently has tried to hide from all the negative publicity by renaming the e-voting division as Premier Election Solutions). However, many people kept asking how the company could get so many things so wrong when it came to e-voting, but still get its ATMs working properly. Of course, as has been noted in the past, the way ATMs work is quite different, and mistakes are likely to be spotted quickly.

However, it's now coming out that Diebold's ATMs also have security problems. Slashdot alerts us to the news that Diebold has issued a patch after discovering that some scammers have been able to install "card sniffing" software on a variety of Diebold ATMs allowing the scammers to get all your card details. Is that Premier Banking Solutions I hear knocking?

A few years back, there were some stories about how some scammers had found online manuals for popular ATMs, which included a default password, which was rarely changed (yes, that's an amazingly stupid design). This meant that it was fairly easy to program the ATM to believe that it held different denomination bills. For example, you could program it to think that it held $5 bills when it actually held $20s -- and then if you took out "$40" you would be given 8 bills -- or $160. Not surprisingly, other hackers have replicated this scam a bunch of times -- aided in large part by ATM owners who still haven't changed the default password.

Still, if you were a scammer pulling such a scam, you might think that it would make sense not to pull it at the same store multiple times. But, that's exactly what two guys did last year, where they tried to hit a local restaurant's ATM for the fourth time. By that point, the manager had been alerted to look out for them, and called the police on them when they came in again. There was a bit of a mess after that, as the manager tried to pull a gun on the scammers, and there was some sort of scuffle, a gunshot, and then a car chase... but eventually the guys were arrested. So, once again: ATM makers: stop offering machines with default passwords. ATM owners: change the default password on your machines. Scammers: don't be so dumb as to try to rip off the same place multiple times (or, maybe that's what we want, since it makes them easier to catch... but it's still dumb).

Nearly two years ago, we posted a story about how easy it was to find the user manuals for certain automatic teller machines online, and then use the default passwords listed in them to reprogram the machines so they'd give out $20 bills when they thought they were giving out $5s or $1s. The fix for this was easy -- change the default passcode -- but apparently it wasn't hard to find machines whose owners' hadn't changed them. Somehow, it really isn't too surprising to find out that, despite the publicity, some ATM owners still haven't bothered to change them, and are getting hit by the same scam. The owner of the machine in question this time, at a market in Pennsylvania, says that he was never told he needed to change the master passcode from "123456", and says it's not his job to know the technical ins and outs of the ATM he owns (despite, of course, owning it and the money inside); the ATM's manufacturer disagrees. As is the case with most things, there's probably enough blame to go around here. So, to the ATM company: it might be a good idea to reinforce the need for owners to change their machines' passwords. And ATM owners: change the default passwords.