If You Own An ATM, You Probably Want To Change The Default Password

from the 123456-really-isn't-very-secure dept

Nearly two years ago, we posted a story about how easy it was to find the user manuals for certain automatic teller machines online, and then use the default passwords listed in them to reprogram the machines so they’d give out $20 bills when they thought they were giving out $5s or $1s. The fix for this was easy — change the default passcode — but apparently it wasn’t hard to find machines whose owners’ hadn’t changed them. Somehow, it really isn’t too surprising to find out that, despite the publicity, some ATM owners still haven’t bothered to change them, and are getting hit by the same scam. The owner of the machine in question this time, at a market in Pennsylvania, says that he was never told he needed to change the master passcode from “123456”, and says it’s not his job to know the technical ins and outs of the ATM he owns (despite, of course, owning it and the money inside); the ATM’s manufacturer disagrees. As is the case with most things, there’s probably enough blame to go around here. So, to the ATM company: it might be a good idea to reinforce the need for owners to change their machines’ passwords. And ATM owners: change the default passwords.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “If You Own An ATM, You Probably Want To Change The Default Password”

Subscribe: RSS Leave a comment
79 Comments
Enrico Suarve says:

Can't they force them to on new machines?

I admit if I owned an ATM I’d want to be damn sure it was working properly, and would definitely be reading the manual cover-to-cover regarding anything which dispenses money on my premises

However in order to just simply get around this and avoid all the arguments, surely it would be a simple thing for manufacturers of new ATM machines to have a reset password step in the initial setup process

Nothing fancy just a “now enter a new password”, and have the machine refuse to complete setup until one is entered (and obviously refuse 123456, 111111 etc as too weak)

Sort of lead the owner to water and force them to drink…. ;0)

Enrico Suarve says:

Re: And then what happens is...

True but I imagine this type of thing happens all the time, along with all the other “I dunno Frank set it up and he’s left the company” type scenarios. I would also imaging that inside the box there is some sort of hardware reset button

The point of this is just to stop people casually reprogramming the machine from the normal keypad as this guy did

Perhaps a load “beeeep, warning admin password entered, danger Will Robinson, awooooga awooooga” type of alarm would also deter this type of sneak thief

Dunno – just ideas, but reducing exposure to this problem would be simple for ATM manufacturers in my opinion

Fran says:

Re: And then what happens is...

People who can’t manage passwords should not be operating equipment that requires a password. Next you’ll say that it’s too complicated for him to keep track of his keys.

And the ATM should do something like this, the first time you plug it in: “Hello, new ATM owner. Here is your new password, randomly generated. Please make a note of it, or change it now”.

There’s plenty of blame for everyone involved here.

Fran says:

Re: And then what happens is...

Lost passwords could be reset with some horrendously involved procedure involving a key to a lock buried deep inside the unit only accessible after using several other keys to open the unit itself, accompanied by a phone call, the exchange of passcodes, and entering magic numbers into the unit as dictated by the remote tech. Or better yet, the service guy has to come out to reset the machine. Charge ’em $100, or even $1000, for the procedure, and they won’t forget their passwords very often.

Chronno S. Trigger says:

From PA, there's your problem

Most people up here won’t change their ways no matter how many times you tell them. Even when it hits them in their wallets.

For example: A friend of mine will not lock the doors on his car. He figures that since he has nothing of value in the car it won’t temp anyone. Well one day he got all of his school books stolen. He had to pay around $500 to get them replaced. (College books) To this day, he still will not lock his doors.

From what I understand, most people in this state are the same way. Probably a good place to get some easy cash.

joebarone says:

Re: From PA, there's your problem

about the car door: i had an iPod stolen from my car that wasn’t visible from outside the vehicle. My doors were locked, but they came in via a brick through my window. I guess what I’m saying is if i left the door open I wouldn’t have had to claim a broken window with my car insurance because the thiefs would have just opened the door ๐Ÿ™‚

Gary says:

Re: Re:

You have luggage with 1 million possible combinations??? That’s a pretty serious combination lock for luggage!!!

Ultimate responsibility for ATM password is the owner. Partial responsibility is the ATM maker and installer for telling the owner how critical it is to change and remember this important password. A convenience store owner cannot be expected to think of all these complex technical details(sarcasm). It should be up to the ATM maker to “idiot proof” the maintenance/management of the ATM.

John in Baton Rouge says:

Not a "scam"

From the article: “…some ATM owners still haven’t bothered to change them, and are getting hit by the same scam.” Sorry, taking advantage of an ATM’s owner’s lack of proper security protocol is not a scam; that would imply that some deceit was involved. This is just a case of one unethical party seizing upon an opportunity presented by an ignorant or lazy party.

TheDock22 says:

Does it matter?

Every ATM I’ve seen has a camera pointed at it. It would be pretty easy to pick out the suspects; people trying to use the machine for a long period of time.

I don’t feel bad for this ATM owner, it’s his own fault. At least change the password to 654321, chances of a thief spending time to figure out any password other than the default is very small.

Dan says:

Forget the whole password changing thing, the real question is why does the ATM allow you to reprogram the amount that it dispenses ($20 bills for $5 or $1s)?

Is there any reason to even allow this at all, even to the owner of the ATM? It’s not like the owner will ever set up a buy-one-get-one-free deal on cash from the ATM.

This is a bug in the ATMs if I’ve ever seen one. All the admin password should let you do is modify the welcome text and fee.

AVonGauss says:

Re: Re:

Most ATM machines still work with an internal clip system, you have to tell the ATM what type of clip is in the slot. You could make a smart clip that would automatically tell the ATM that you have a $20 clip installed, but that only solves that one particular problem – there are worse things a smarter thief could do to the ATM machine.

The problem is elementary to solve, change the software to refuse to operate if the password is still the default password.

the spuzz says:

Re: Re:

Agreed.

Its a pretty stupid option to even have in the settings.
“hmmm, today I feel like giving a customer $20.00 for every dollar he withdraws” Yeah that makes sense.
Sounds like the ATM company is asking for scams like this to happen when they put things like that in their program.

Tony says:

Re: Re: Re:

It’s not a stupid setting that ATM’s have. Most ATM’s have plastic cartridges and you need to tell the ATM what denomination is in each cartridge. If the first bay has $20’s, the second $10’s, and the third $5’s, and someone wants $25, the ATM will pull one bill from bay 1 and one bill from bay 3. The only thing the ATM will verify is the thickness of the bills to ensure you’re only getting one from each. But if you say you want $50 in 5’s, but it thinks the 5’s are really the 20 cartridge, you’ll get $200 in 20’s.

But yeah, do it at night and don’t come back for a few hours. Watch out for cameras, and go somewhere you’ll never be at again.

Dr. Brian says:

Re: Re:

Umm… it’s not that it lets you reprogram the values of money, it’s that the machine holds only one denomination of bill and it lets you define what that number is. It’s a cheap ATM, not bank quality. If you put in stacks of 20’s, you set it to $20 to tell the machine that it’s 20’s in there. To scam it, you tell it that it has $1 bills in there when it really has 20’s.

So you pop your ATM card in, tell it you want to withdrawl $20, and 20 bills come out because the machine thinks that it is filled with $1 bills. Lo and behold, you get 20 $20 bills.

Bill says:

Re: Re:

an ATM owner can determine what type of bills to dispense. most just dispense $20 bills, but there are ATMs that dish out $10’s, $5’s & $1’s. it’s probably just a matter of telling the machine that it’s dispensing $1’s. the machine can’t look at the bills to verify their type so it follows your orders.

aiden says:

Re: Re:

the reason this is allowed is to designate multiple slots for the same denomination. For example in Canada they do not have a $1.00 bill and machines do not give out $5.00 bills anymore. Some machines will dispense $50.00 bills up here in high traffic locations that tend to have higher withdraw per transaction amounts.

Lorry says:

The only reason I wouldn’t reprogram the ATM is that I value my freedom, and in the end, The Man always wins. If a bank teller handed me extra cash by mistake, I would immediately give it back to her, because that’s a human being who might lose her job.

If an ATM gave me the wrong amount of money, would I report the error? Fuck no! But I would hold onto the money and not spend it right away, knowing that rule #1 is that The Man always wins.

Tin Ear says:

Dumb, dumb dumb.

If I buy an ATM and put MY money in it to dispense, I am certainly going to make sure that I am the ONLY person with access to the workings of the machine.

I personally use what I call “roll five” for most of my passcodes. For instance, I take a number that I use every day. Phone number, SSN, birth date or even street address, and add five to each digit. (Think of the digits as being on a wheel-type lock like a briefcase) In this case, 12345 would become 67890 and no longer closely resembles your ‘clue number’.

Anonymous Coward says:

i’ve seen atms that dispense 100s, 50s, 20s, 10s, 5s, 1s, and even coinage.

but those are usually located at a bank.

these 7-11 atms are little things, with enough for one or two clips.

i can see why you’d want the ability to change denominations. but not always the case.

so yes, it’s on the owner to know their equipment, but like every other product made, it has to be “idiot” proofed.

that’s a big lession i learned while getting my engineering degree

Charles Stricklin (user link) says:

It's not as easy as it sounds

Since I install ATMs for a living, believe me when I tell you that this may not be such a great idea.

Not only does every ATM maintain a local journal of transactions, maintenance actions, errors, etc., so does the remote network which the ATM uses. Once they realize there’s been a security breach they’ll use both those logs to determine at what point they occurred and adjust everyone’s accounts accordingly. Also, it stands to reason that the first person who uses the ATM after the breach is likely to be the same person who altered the ATM’s configuration, and since they’ll have your card information, you can expect a visit from the local police.

Also, nearly every ATM in service today has some sort of video recording of everyone who uses them. This is assuredly the case if the ATM is located at a branch of a financial institution, but even if the ATM is located inside of a gas station or convenience store. They will use those images also to form a case against whomever abuses the ATM.

pengd0t says:

Wouldn’t it be smarter to change it at an infrequently used machine, then come back maybe 8 hours or so later… maybe even the next day, making sure that you look a lot different.

That way maybe only one or two lucky souls had used the thing before you, and your transaction would appear to be something done by chance.

intheknow says:

This doesn’t work on newer ATMs. Each cassette contains a series of magnets to identify the denomination of bill it is carrying, so no matter which slot the cassette was placed into, the picker would still dispense the correct amount. *Although* you could possibly put the ATM into a diagnostic menu and make it perform a test dispense, and depending on the ATM type it will either dispense the tested bills into its own reject bin, or actually allow them to exit the dispense device.

Roger Wilco says:

ATM setups

I used to repair/install ATM’s. In most cases, probably 99% of the time, the ATM is installed by an outsourced company who are given a guided setup process to follow. They are not allowed to deviate from the process, this includes not taking the liberty to change the default password. It is not the outsourced technician’s job to train the purchaser of the ATM on how to administer the ATM, this should be requested in the original purchase agreement by the purchaser.

Someone else mentioned that the ATM should not need to be programmed for different amounts of cash etc… Judging by that statement I’ll assume it was made by a typical Yank who thinks that ATM’s are only made for the good old USA. Companies design their ATM’s to work with notes from many different countries, different size bills, etc…. Creating separate hardware/software for each country would cost way too much.

And as Charles mentioned, it would be very hard to get away with this sort of scam. The bills are audited at many points along the way before they even are loaded in to the ATM, and they are also audited when they are removed and compared to the journal entries etc…

Good luck to any idiot willing to try this and believe he/she would get away with it for very long.

Anonymous Coward says:

Why not have a "special card" instead?

Why don’t the ATM manufacturers supply a card that permits the machine to enter admin mode, instead of using a special passcode? I can’t imagine that it’d cost that much, and it’d be easier for a store owner to find and dig out their old key card, than remember a passcode. The manufacturer could even supply new ones to verified owners when the cards are lost or stolen.

Solomon Ford says:

Wow, a million references to Spaceballs. Yipes!

I would imagine not all ATM machines have currency cartridges that automatically indicate the denomination of currency, especially these made mostly of plastic, gas station & quickie mart types.

To answer the question of a few of you: This is why there is a denomination setting in software. If there are three currency cartridge slots in the machine, the owner could choose to dispense fives, tens, and twenties, giving customers more denominations for withdrawal. An ATM owner would more likely want all slots to dispense twenties, however, since that way they would have to service the machine less often, and the machine would be able to take the weekend rush for cash. (The owner wants their two dollars; they could care less if you’d prefer to withdrawal less than twenty bucks, and they want to make damned sure they have cash in the machine when you want to use it.)

Mr. Smith says:

Atm Maint. Mode

First off, The maintenance mode for both Diebold and NCR atm’s cannot be accessed without first accessing the service switch located inside the top part of the atm. The top part is where the printer, monitor, card readreader, etc are located. You have to have a key to access this part. If you can access the top part you can hit the switch to put the machine into maintenance mode. Then you have to enter the password.
Secondly, there are no software changes you can make that would tell the machine to dispense 20.s in place of 5’s or 10’s. In both Diebold and NCR atm’s the cassettes that hold the currency are programmable in that on Diebold cash cassettes there are 2 rows of buttons accross the front. By removing all of the little buttons except certain ones determines what currency is in which cassette and the dispenser in which the cassettes fit read the buttons no matter which slot the cassettes are inserted into. On the Ncr cassettes there are a row of four small magnets on the side. The currency amount is determined by which magnets are left in place. The dispenser reads the magnets and knows which currence is in that cassette

satan says:

geroucha!!!!

How can anyone think that 1-2-3-4-5-6 is a bad combination for luggage…it’s not like some one can put it through a password cracker.
I mean a combination is only as good as the person trying to break in to it in the first place.
Most people would not even think of anyone using such a simple combination, so would not even bother.

But on the other hand, some criminals would just try that one first just to see if someone used such a simple code, and make their life a whole lot easier. I agree a more complex pass word would be better (ie: 123466 or 123455 or 124456 or 111112 or 111115 or infinity)

My point is though, with over a million possible combos, there really is NO BAD combination.

I own you (user link) says:

Your all idiots! Your stupidity runs amuck

What a bunch of tools you morons are. Change the password from simple 123456 to something harder. Do this Do that. Your so fucking smart why don’t you go make an ATM and impose all your script language and ingenious ideas and see how fast they sell. ATMs can still be broke into even if you don’t have the access code or password. I use a crowbar, sometimes a truck. Get in my way and I’ll mow you over! You tools don’t have the first idea of ATM management and/or ownership yet you spout off that you have the answer. Everyone one of you are complete losers and will never amount to more then a typical keyboard commando.

Bah who needs one (user link) says:

In the next world war, a traditional commando might do a lot less damage than the “keyboard commando” whose keyboard includes a certain big red button marked “Launch ICBMs”. So I’d be careful about dissing “keyboard commandos” if I were you. Your back yard bomb shelter won’t save you from a “stray” MIRV dropping directly on top of your house from orbit. ๐Ÿ™‚

— A keyboard commando.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...