Reprogramming Your ATM For Fun And For Profit (Mainly For Profit)

from the not-so-hard-at-all dept

There was some buzz last week after CNN showed a video of an ATM machine that had been programmed to believe it had $5 bills instead of $20s (so any withdrawal actually gave you 4X the money you asked for). The guy who did this just walked in and knew the code to reprogram the ATM. He then left the ATM programmed that way, and the ATM gave a lot of people extra money for nine days before someone pointed out the problem. So how easy would it be for anyone else to do this? Apparently it’s ridiculously easy. With a bit of hunting online, it’s not too hard to obtain a copy of the manual for the type of ATM machine used, including instructions on how to switch it to diagnostic mode. You do need a password, but the manual lists the typical default passwords that it seems likely many of these ATM owners failed to switch. Hopefully, this new burst of publicity over the issue will encourage owners of the machines to change their passwords — but if you happen to see certain ATMs with unusually long lines in the near future (and don’t mind committing fraud), you might want to withdraw some money.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Reprogramming Your ATM For Fun And For Profit (Mainly For Profit)”

Subscribe: RSS Leave a comment
dorpus says:

Turning $20's into Orange Jumpsuits

You mean a little basic algebra by the bank won’t allow them to figure out when the machine started giving out too many $20’s?

Nothing like the long arm of the law, when thugs in black body armor come smashing through your door, so you get to wear an orange uniform for the rest of your life.

Anonymous Coward says:

Re: But who is really at fault

Duh, both.

The Bank is guilty of not taking adequate measures to secure their assets, and they will be judged and punished by whatever activity is responsible for making sure they are taking adequate measures to protect their assets, be it their insurance companies, board of directors… yada yada. But they have not done anything criminally wrong, not to my knowledge, at least (IANAL).

The jackass who is tampering with the atm is responsible for stealing from the bank. Every dollar that the ATM gave out “extra” is given out because the tamperer caused the machine to give out extra. HE effectively stole the money, whether or not he ever touched it or benefited from it. His crime was a criminal act. I jsut hope no dumbass judge thinks this case is somehow different because it involved technology.

Charlie says:

I bet a lot of people get letters

While they don’t seem to have a good lead to trace the criminal (prepaid debit card), the vast majority of people using the ATM used personal checking accounts and they know exactly when/where. I would almost certainly bet the ATM owner will be able to have the bankds deduct the extra money from these accounts, and at least a few people will get hit with nasty overdraft charges.

Failure to secure ones assets doesn’t excuse criminal behavior. If I see someone drop cash I am going to give it back to them. To simply take the cash would be dishonest.

Guru80 says:

Re: I bet a lot of people get letters

Had something similiar happen when my girlfriend worked for one of the companies that serviced the machines a couple years back. For whatever reason the machine was giving out 20’s like they where 10’s and was nearly 2 weeks before it was caught. As far as my knowledge though they never did go after the people who withdrew from it but I am assuming they very easily could have. I think in this case it was company negligence however so they decided to bite the bullet.

four00100 says:

Re: Re: I bet a lot of people get letters

“Bank error in your favor, collect $200.” That’s probably how those people from the nine days afterwards felt. How often is the error in the customers’ favor anyway?

Taking all that additional money out of ppls accounds and charging them overdrafts would cause more trouble to the bank than its worth. Those customers would go from pleased to pissed real quick with a simple mindset of “How are they gonna make a mistake and then charge me for it?”

And while the argument is that these customer has an obligation to inform the bank, most wouldn’t. Would you? Honestly.

Rick Bunker says:

Re: I bet a lot of people get letters

I certainly agree. The most disappointing part of the article to me had nothing to do with the bank not being careful with passwords, nor with one aberrant soul reprogramming the machine. It is that not a single person who was given too much money reported the issue to the bank for more than a week. This must be several hundred people who have no problem stealing someone else’s money. And not ONE who did not. This is terrifically shameful.

kbj says:

What about those who stole the money?

Everyone who used it is guilty of theft, they new they were getting more than they were supposed to and no one said anything? “They gave me too much, ah well their problem not mine.” If the machine was giving out 4x too little – now that would have been reported right away.

Sad state of the world – honesty is now considered a handicap not a necessity.

Teilo says:

The ATM manufacturer is at fault

for not forcing the installer to change the default password. I mean honestly, that’s just a basic security measure, and why an ATM manufacturer would allow the machine to operate WITHOUT a password change is beyond me. Unless of course it’s made by Diebold, in which case no one should be surprised.

No way! (profile) says:

Re: The ATM manufacturer is at fault

My friend, you could NOT BE MORE WRONG! It’s a sign of this current “someone else to blame” culture to say something so dumb. Why should anyone FORCE anybody to do anything? It is ABSOLUTELY not the manufacturer’s fault or responsibility to FORCE the installer to this. Any fool working in IT who does not immediately think to change a password to a device as security-critical as an ATM should be fired for professional incompetence, and as this was most unlikely to have been someone under the age of 18, they are, quite correctly, responsible for their own actions, and the bank employing them is by extension liable for their employees’ actions. Still NOT the fault of the manufacturer.

Corey says:

Nine Days??

I just can’t believe a) That it took nine days for the bank to figure out something was askew. b) That it took nine days for a customer to report that they got more money than requested. Maybe I’m being naive but I would have had more faith that my fellow human beings would do the right thing in a case such as this. I guess I can always take solace in the likely fact that the bank will likely have logs of the transactions, account for them and debit accordingly. But then again, it did take the bank nine days to realize that something was wrong. I have officially lost all faith in the cognitive abilities of human kind entirely.

Jim says:

Re: Nine Days??

The issue isn’t that the bank will be out of money, it will be the owner of the ATM. The owner of ATMs are not always banks, but often, in this situation, the owner of the ATM is the owner of the gas station. What happens is the person requested to withdraw $20, and the misprogrammed ATM spit out 4 $20 bills. The user’s back only got a request to transfer $20 from the user’s account to the account of the owner of the ATM. The bank deducted $20, the owner recieved $20. However, it cost the owner $100 worth of cash. The user’s bank doesn’t care how much cash was actually released to the user. It was asked for $20, and obliged. The owner of the ATM will be the one that is out the money. It took 9 days for someone to report it to the gas station. The person/company that stocks the ATM just gets a request to stock the machine with the standard bills. The stack of bills cost the owner x amount, but the cost of the bills and the income from the transfers from the user’s bank would probably only be reconciled once a month. Until the reconcilliation the owner would probably not notice something was wrong.

tiki toc toc says:

Good for you...

i quess you really can find anything online now a days… i think thats funny.. ok if you got back four times the money an it didnt show up on your account that it was missing?? you wouldnt keep it??? come on!!! everyone now a days its about money and so on an so on…… evil take the money… you could do great things with it like buy me stuff… and plus if there stupid enough not to change the codes there fault….. how safe are they being then…

Informed white male says:

Re: Good for you...

You’re an idiot nigger.
1.) kill yourself for using “q” for “g”
2.) don’t say “like buy me stuff”. That makes your race seem even more ignorant.
3.) please for the love of god don’t get an idea from this thread. Knowing you jiggaboos. You’ll probably try it and get caught.

Anonymous Coward says:

the guy who programmed is a criminal. the bank is at fault for not ensuring the security of their systems.

the “users” aren’t at fault. when you see 5 bucks on the ground, do you take it to the cops, or do you pocket it? when you go to your local burger joint and order 2 cheesburgers, and get 3, do you take one back? does the burger place come after you for the extra $1.50 for the “extra” burger? what’s the difference if you go to a human teller and withdraw $200, but the 20s are stuck together and you get 300? you drive home, or go shopping or on vacation or what not, not realizing the extra you have. you take it from the bank envolope, and place in your purse/wallet and go on your way. now, the teller is out thte extra money, and has no way of tracking it. you use your money, and have no record there (threw away cash reciepts) so what’s going to happen now?

Burger their says:

Re: Honesty

“He that is faithful in what is least is faithful in what is greatest.” ie, honest is honest, dishonest is dishonest, I agree. Some situations allow for some thought, though: Your illustration of an extra burger… you can’t give it back, they have to trash it if you do, because they can’t re-stock food another customer has touched (sigh because people are freaky and do weird things), so in that case, yes, I might give it back if I noticed it immediately, but not if I noticed later.
Your teller giving out $300 instead of $200 is incompetent and will be fired (I did this job: You have to be REALLY bad or stupid not to notice 5 stuck bills. But, yes, I’ve given back a few cents given in error. Once, to give $196 back to a bank for six months, finally gave up & kept it – they wouldn’t take it!

John says:

Re: The difference is

If you seen someone drop a bill, pick it up and take it then you’re comitting a crime. You know where it belongs (not in your wallet) but you don’t give it back. If you find a bill on the ground, having not seen who dropped it, there’s no one you can give it to. Plus your choosen denomination is irrelevant, $5??? The Pope wouldn’t turn in $5 to the police. Now, $500 or $5,000 that should go to the police, no one claims it and it’s yours by right.

Jamfish says:

Re: Users aren't at fault?

Excuse me, but in this case they are. Whether you knowingly or unknowingly remove more money than authorized, you are responsible. What’s going to happen now? You can make it right and return the item/amount/equivalent in $$ (eaten/spent or not) to the bank/burger joint/etc.

It’s called honesty and restitution. I know… two concepts slowly becoming foreign here in the land of the free and the home of the brave.

Comboman says:

Get off your high horse.

From reading the responses here, I must assume that everyone in the world is a crook with the exception of Techdirt commenters.
I’m not at all surprised that it took 9 days to discover the error and I don’t question the honesty of the customers that used the machine. Do you actually count the cash that comes out every time you use an ATM? Do you look at the printed recept? Based on the number of times I’ve seen recepts from previous customers still in the slot when I go to use an ATM and the number of people that just grab their money and toss the recept without looking at it, I’d say the majority of people fall into this category. Even if they did notice the extra bills, they probably just assumed that they pressed the wrong key on the machine at withdrew more than they wanted to. Twenty years ago, people were distrustful of ATMs and double-checked everything, but this is a mature technology now and people take it for granted that it always works. Kinda like UPC scanners at the grocery store; everyone complains about the little old who holds up the line by double-checking her bill but have you ever checked yours? They are frequently in error (usually in the store’s favor).

kbob88 says:

Who's at fault?

If the ATM is owned by a bank, they may be unwilling to go after the customers for the money. It’s at least partially their fault, and banks are usually very publicity-shy. They won’t want to draw attention to the fact that they screwed up. A bank’s primary asset is its image as a secure place to store money after all. An article in the local paper about how their ATM gave away money is not in their best interest.

If the ATM is owned by someone else (as most of the small ones at convenience stores are), they may have no way of retrieving the money. They’d have to get the individual’s contact information from the customers’ banks, because all they’re likely to have is the account number and the bank’s routing/ABA number. The bank, for privacy concerns, may be unwilling to hand over their customers’ information (unless subpoenaed).

Then, what’s their claim? The customer asked for $100. The bank authorized them to give out $100. They gave out $200. And can they prove it? The machine’s logs all state that it gave out $100! What’s their proof that it actually gave out $200? The customer can insist that he received $100, and I’m not sure how the machine owner can prove otherwise. He may have a log from the armored car service that fills the machine showing that they only put $20s in. Then we have the battle of the conflicting logs and the customer’s version of events.

chris (profile) says:

re: both at fault

that’s an easy question to settle, ask any insurance company. if you are negligent, they won’t cover your loss. insurance companies aren’t exactly pillars of morality, but the reality of the situation is that of you don’t take every measure to protect yourself, then you are out of luck.

it seems pretty stupid to not take every measure there is to protect it since someone is going to try to crack it. it’s a little bank that no one is guarding. people rob these machines all the time. or just steal the machines outright.

this is a game being played between the people that make the machines and the people that break into them. it’s been going on since some guy in the 50’s figured out how to get a payphone to give him money.

anna says:

If a cashier or teller hands me the wrong change I will point out the error. That’s another human being who could lose their job or get the overage taken out of their measly paycheck at the end of the week.

If a Brinks truck crashed in my neighborhood, and bundles of money flew out, I’ll be damned if I’d turn in the cash. Ironically I wasn’t always this way. I once believed that honesty pays. The ONLY reason that I would give money back from an ATM mistake in my favor is that I know damned well the bank always wins and I’m not going to wear the proverbial orange jumpsuit or take part in the initiation of old Martha Stewart.

Temporarily Rich says:

ATM Story

About twenty five years ago, an ATM gave me $20 too much. I parked the can and walked into the bank to try to give it back to them and they denied that it happened. A week later, I received a terse letter from the bank telling me that it was going to debit my account for the $20. No mention of the fact that I had tried to immediately fix the problem.

Slightly OT: I just heard a commedian talk about how he used an ATM to buy $20 of his own money for $1.50…

You gotta love progress!

Beth says:

Who got Screwed?

that’s the real question. Everyone keeps talking about banks. kbob88 points out that often in convience stores it is not a banks’ ATM, it is a privately-owned ATM. I worked for a bar that didn’t take credit cards so they got a lease-to-own ATM. We were responsible for setting it up and putting money in ourselves. There was not an armoured Briggs truck from MegaBank coming to fill it up. When the machine was empty every week or so, we opened the bar safe and put more money in in the machine. Every month we would get a percentage of the service charge deposited into the bar’s checking account. It would take a long time for us to realize that we were going through an abnormal abount of money (assuming people were coming back for more). Who would get screwed in this case? The company that was putting money into the machine, not the bank, they don’t own the machine and are not responsible if it gets reprogrammed. Does screwing a convience store owner change anyone’s opinion if it’s wrong or not?

Anonymous Coward says:

Re: Who got Screwed?

In that special case, I would say the restaurent would be guilty of not accepting credit cards, and forcing people to do things the absurdly difficult way.

For their punishment, they would be out the money.

(Also, if a bar-type restaurant didnt “hear” the customers getting all excited over free money, then they should be punished for that stupid mistake as well)

ReaderRick says:

Looking at the manual [section 3.28-3.29], you can easily see that if someone wanted to they could have changed the $20’s slot to “25 free coupons” ($500) and emptied the ATM. They could have also reset the password which – if he wanted to make a point, would have been the “proper” thing to do. Telling the owner that you can reprogram their ATM would likely end with you in handcuffs, but reset their pwd and a change the rotating advert to announce the owner’s ignorance…priceless.

Is the guy a criminal for accessing a public machine and playing with it’s settings? Yes, his crime would be criminal mischief. Although intent of damage is not apparent, pecuniary (monetary) loss has occurred. Whoever set up the machine is negligent and also shares in the guilt.

Anonymous Coward says:

Re:9 days?

If the atm is not owned by the bank, the customers might not even have known who to contact. We have no way of knowing how many customers called to report an atm error to their bank, or possibly the company who made the machine or whatever company whose name happened to be on the machine somewhere. Those companies don’t care and discard the report and it never gets to the owner.

Anonymous Coward says:

well, when i get money from the bank teller, they count it out infront of me, making nice stacks of 100 or so. if 2 20s are stuck together, we both miss it because we both can’t see it. then, i think i have the right ammount because it was counted for me so i spend.

what about if it wasn’t a bank teller, but a cashier from a retail store. i sold my books baack in colege and was supposed to get 45 bucks. i ended up getting close to 70 because the girl just anded me an extra 20. did i tell her? nope. if they are gonna rape me on text book prices, i’m gonna let them rape themselves with refunds.

Ex NCR ATM Guy says:

It's the ATM Manufacturers Fault

Unless there is a hardware interlock on the money safe door, safe door has to be in the “OPEN” position before ANY passwords will work to get into the ATM configuration, the Manufacturer is at fault. Now if someone has the combination to the safe, now that’s another issue. Can you say “Inside Job” or “let’s read the combination off of the wall”

As far as ATM’s in general dispensing the wrong denomination of cash, it can be the fault of the Teller, ATM machine, or the Network.

The New NCR and Diebold ATM’s are Overpriced Microsoft Windows Boxes. That should make you feel REAL secure.

Rabid Wolverine says:

ATM Theft, You bunch of morons...

Gee, lets see now, who is at fault, the bank or the crook?

One my favorite little test of friendship, especially someone I’ve just met, is to leave a $20 bill laying out on the kitchen table or somewhere that I know my new ‘friend’ will notice it.

I then leave them alone with it for about 10 to 20 minutes and come back. If the bill is still there then they have passed the test. If not I don’t confront them about it, I just never have anything to do with them again. It’s worth the $20 to find out up front whether or not they are a thief and/or they have that much disrespect for me.

Now, whose fault is it, mine for leaving the $20 laying around or theirs for taking it?

The same with the bank, whoever reprogrammed their ATM is at fault and should be prosecuted.

buckminster futt says:

Do you people honestly believe....

for one minute that this bullshit ATM story is true!?

Oh yeah, your brother-in-law that works at the corner store sez he saw it happen. Or rather he knows someone who saw it or something similar…. Sure.

Maybe we should go check on, the urban ledgends and see what they have on it

mark says:

First – the guy prob cant be caught because he prob did not withdraw from the bank but only change the configuration.

2nd – the bank would need to prove you got that money and that is something they cannot do. They have no witnesses, the cameras do not take pics of the bills, so they can only speculate that the machine gave out more money than the paper trail shows relative to a specific withdrawal.

Noldo says:

They DO know who you are, but pretty much all banks have a limit as to how much you can actually withdraw, and we all know its not that much money so I think the bank evaluated this case, and dismissed it probably because it will be more expensive to identify and rebalance accounts, than the actual loss they had through the ATM.

Another thing, I used to work in a bank for about 4 years, and I noticed sometimes people get overcharged for some reason (system error they said) the accounts balance only had a difference of no more than a dollar, but if you think about this same situation happening on I don’t know 40,000 ppl?
Now THATS stealing, so I guess there wouldn’t be that much guilt in stealing from a bank through ATMs… it would be somehow like a Robin Hood situation. Steal from Thieves

ReaderRick says:

Re: Shaving pennies

A college friend was exiled from NYC because he was basically doing what the banks do themselves – shaving the half-pennies. Banks round account balances to the nearest penny by default. My friend was doing this but instead of the percentage going towards the bank, he had it diverted to his account. After a month or two of his program running he’d racked up over $100k (this was back in the late ’80’s). As a minor, he was offered jail time or exile. He was allowed back in NY several years later.

The point is that yes, banks do steal from customers on a daily basis. Most people consider it trivial, but spread out over 100,000 or more accounts it adds up. So, yes customers often feel justified when a bank error favors them.



Just a few days ago a guy at my local townhall literally emptied two cashmachines with some funny software card. He simply placed the card in a magnetic and chip reader of some kind and downloaded a malicious software and it emptied the cash machines….does anyone happen to know what the hell he did coz i am stone broke and if i see this guy again god…lets jus say i will be one rich S>O>B

paris says:

Here is what I make of the whole situation, fuck banks and their initiative. You would think they are there to help, like loan you money and whatever, however as soon as you go over on your account they stick you with a 35 dollar overdraft fee. There is always some kind of fee that you have to pay monthly, and the only one it is benefitting is the bank. So, if an ATM were to give me a lil extra… fuck it, I’m gonna spend it as soon as possible, and tell the bank to eat shit. They should pay closer attention.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...