If You Own An ATM, You Probably Want To Change The Default Password
from the 123456-really-isn't-very-secure dept
Nearly two years ago, we posted a story about how easy it was to find the user manuals for certain automatic teller machines online, and then use the default passwords listed in them to reprogram the machines so they’d give out $20 bills when they thought they were giving out $5s or $1s. The fix for this was easy — change the default passcode — but apparently it wasn’t hard to find machines whose owners hadn’t changed them. Somehow, it really isn’t too surprising to find out that, despite the publicity, some ATM owners still haven’t bothered to change them, and are getting hit by the same scam. The owner of the machine in question this time, at a market in Pennsylvania, says that he was never told he needed to change the master passcode from “123456”, and says it’s not his job to know the technical ins and outs of the ATM he owns (despite, of course, owning it and the money inside); the ATM’s manufacturer disagrees. As is the case with most things, there’s probably enough blame to go around here. So, to the ATM company: it might be a good idea to reinforce the need for owners to change their machines’ passwords. And ATM owners: change the default passwords.
Comments on “If You Own An ATM, You Probably Want To Change The Default Password”
Can't they force them to on new machines?
I admit if I owned an ATM I’d want to be damn sure it was working properly, and would definitely be reading the manual cover-to-cover regarding anything which dispenses money on my premises
However in order to just simply get around this and avoid all the arguments, surely it would be a simple thing for manufacturers of new ATM machines to have a reset password step in the initial setup process
Nothing fancy just a “now enter a new password”, and have the machine refuse to complete setup until one is entered (and obviously refuse 123456, 111111 etc as too weak)
Sort of lead the owner to water and force them to drink…. ;0)
Re: Can't they force them to on new machines?
should that not be lead the owner to water and make them THINK.
Re: Can't they force them to on new machines?
DO ATMS HAVE CAMERAS, CAN THEY SEE WHO IS DEBITING TOO MUCH MONEY. CAN YOU CATCH THE PERSON WHO TOOK THE DEBITS OUT? CAMERAS? I KNOW OUTSIDE YOUR BRANCH THEY HAVE CAMERAS IN THE ATMS BUT I’M NOT SURE ABOUT THE ATMS INSIDE CASINOS? YOU? LET ME KNOW.
Re: Can't they force them to on new machines?
The physicist Richard Feynman was well-known as a safecracker. His secret was that he learned the default factory combinations for most file cabinet and safe manufacturers and took advantage of the fact that almost nobody changed the combo from the default.
And then what happens is...
Whoever is setting up the machine chooses a password on the spur of the moment, doesn’t choose one that they can remember and voila, we have the reverse problem – no administration of the machine is possible.
Re: And then what happens is...
True but I imagine this type of thing happens all the time, along with all the other “I dunno Frank set it up and he’s left the company” type scenarios. I would also imagine that inside the box there is some sort of hardware reset button.
The point of this is just to stop people casually reprogramming the machine from the normal keypad as this guy did
Perhaps a loud “beeeep, warning admin password entered, danger Will Robinson, awooooga awooooga” type of alarm would also deter this type of sneak thief
Dunno – just ideas, but reducing exposure to this problem would be simple for ATM manufacturers in my opinion
Re: And then what happens is...
People who can’t manage passwords should not be operating equipment that requires a password. Next you’ll say that it’s too complicated for him to keep track of his keys.
And the ATM should do something like this, the first time you plug it in: “Hello, new ATM owner. Here is your new password, randomly generated. Please make a note of it, or change it now”.
There’s plenty of blame for everyone involved here.
Re: And then what happens is...
Lost passwords could be reset with some horrendously involved procedure involving a key to a lock buried deep inside the unit only accessible after using several other keys to open the unit itself, accompanied by a phone call, the exchange of passcodes, and entering magic numbers into the unit as dictated by the remote tech. Or better yet, the service guy has to come out to reset the machine. Charge ’em $100, or even $1000, for the procedure, and they won’t forget their passwords very often.
face it
most people are dorks when it comes to technology matters
Re: face it
i would think that being a “dork” when it comes to technology would be a knowledgeable person. as in “computer dork”.
most people are retards when it comes to technology matters
From PA, there's your problem
Most people up here won’t change their ways no matter how many times you tell them. Even when it hits them in their wallets.
For example: A friend of mine will not lock the doors on his car. He figures that since he has nothing of value in the car it won’t tempt anyone. Well one day he got all of his school books stolen. He had to pay around $500 to get them replaced. (College books) To this day, he still will not lock his doors.
From what I understand, most people in this state are the same way. Probably a good place to get some easy cash.
Re: From PA, there's your problem
about the car door: i had an iPod stolen from my car that wasn’t visible from outside the vehicle. My doors were locked, but they came in via a brick through my window. I guess what I’m saying is if i left the door open I wouldn’t have had to claim a broken window with my car insurance because the thieves would have just opened the door 🙂
Re: From PA, there's your problem
You understand wrong. Your friend is just a moron.
1, 2, 3, 4, 5, 6… That’s the combination on my luggage!
Re: Re:
“What kind of idiot would have 1-2-3-4-5 as their combination?”
Re: Re: Re:
an idiot
Re: Re:
You have luggage with 1 million possible combinations??? That’s a pretty serious combination lock for luggage!!!
Ultimate responsibility for ATM password is the owner. Partial responsibility is the ATM maker and installer for telling the owner how critical it is to change and remember this important password. A convenience store owner cannot be expected to think of all these complex technical details (sarcasm). It should be up to the ATM maker to “idiot proof” the maintenance/management of the ATM.
Re: Re: Re:
So the combination is one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! The kind of thing an idiot would have on his luggage!
Re: Use the Schwartz
nice nice nice
Re: Re:
You are not supposed to lock your luggage.
Re: Movie Reference
Please get the reference correct. The combination was 1..2..3..4…5
Re: Re: Movie Reference
The combination was in fact 1..2..3..4..5..6.. so yea
and lolz
Re: luggage
You’re what a thief calls an easy day my friend!!
Not a "scam"
From the article: “…some ATM owners still haven’t bothered to change them, and are getting hit by the same scam.” Sorry, taking advantage of an ATM’s owner’s lack of proper security protocol is not a scam; that would imply that some deceit was involved. This is just a case of one unethical party seizing upon an opportunity presented by an ignorant or lazy party.
Well, anyone who forgets to change something like that, should consider the first robbery ‘Tuition’ for the school of hard lessons.
I’m sure it’s a course they won’t forget the second time around – but then, you never know.
Does it matter?
Every ATM I’ve seen has a camera pointed at it. It would be pretty easy to pick out the suspects; people trying to use the machine for a long period of time.
I don’t feel bad for this ATM owner, it’s his own fault. At least change the password to 654321, chances of a thief spending time to figure out any password other than the default is very small.
Re: Does it matter?
Not only do they have cameras but in order to receive money from an ATM, you have to have a bank account. Can’t they look at who withdrew money at the time of the change and immediately bust in the doors of their home?
Heh
Movie references to Spaceballs, priceless.
“Hey, that’s the combination to my luggage!”
Forget the whole password changing thing, the real question is why does the ATM allow you to reprogram the amount that it dispenses ($20 bills for $5 or $1s)?
Is there any reason to even allow this at all, even to the owner of the ATM? It’s not like the owner will ever set up a buy-one-get-one-free deal on cash from the ATM.
This is a bug in the ATMs if I’ve ever seen one. All the admin password should let you do is modify the welcome text and fee.
Re: Re:
Most ATM machines still work with an internal clip system, you have to tell the ATM what type of clip is in the slot. You could make a smart clip that would automatically tell the ATM that you have a $20 clip installed, but that only solves that one particular problem – there are worse things a smarter thief could do to the ATM machine.
The problem is elementary to solve, change the software to refuse to operate if the password is still the default password.
Re: Re:
Agreed.
It’s a pretty stupid option to even have in the settings.
“hmmm, today I feel like giving a customer $20.00 for every dollar he withdraws” Yeah that makes sense.
Sounds like the ATM company is asking for scams like this to happen when they put things like that in their program.
Re: Re: Re:
It’s not a stupid setting that ATM’s have. Most ATM’s have plastic cartridges and you need to tell the ATM what denomination is in each cartridge. If the first bay has $20’s, the second $10’s, and the third $5’s, and someone wants $25, the ATM will pull one bill from bay 1 and one bill from bay 3. The only thing the ATM will verify is the thickness of the bills to ensure you’re only getting one from each. But if you say you want $50 in 5’s, but it thinks the 5’s are really the 20 cartridge, you’ll get $200 in 20’s.
But yeah, do it at night and don’t come back for a few hours. Watch out for cameras, and go somewhere you’ll never be at again.
Re: Re:
Umm… it’s not that it lets you reprogram the values of money, it’s that the machine holds only one denomination of bill and it lets you define what that number is. It’s a cheap ATM, not bank quality. If you put in stacks of 20’s, you set it to $20 to tell the machine that it’s 20’s in there. To scam it, you tell it that it has $1 bills in there when it really has 20’s.
So you pop your ATM card in, tell it you want to withdraw $20, and 20 bills come out because the machine thinks that it is filled with $1 bills. Lo and behold, you get 20 $20 bills.
Re: Re:
an ATM owner can determine what type of bills to dispense. most just dispense $20 bills, but there are ATMs that dish out $10’s, $5’s & $1’s. it’s probably just a matter of telling the machine that it’s dispensing $1’s. the machine can’t look at the bills to verify their type so it follows your orders.
Re: Re:
the reason this is allowed is to designate multiple slots for the same denomination. For example in Canada they do not have a $1.00 bill and machines do not give out $5.00 bills anymore. Some machines will dispense $50.00 bills up here in high traffic locations that tend to have higher withdraw per transaction amounts.
The owner “…says it’s not his job to know the technical ins and outs of the ATM he owns…?” That’s true. It is, however, his job to hire somebody who DOES know the technical aspects of his equipment. If he doesn’t, ignorance is not a good starting point in litigation. What an idiot.
The only reason I wouldn’t reprogram the ATM is that I value my freedom, and in the end, The Man always wins. If a bank teller handed me extra cash by mistake, I would immediately give it back to her, because that’s a human being who might lose her job.
If an ATM gave me the wrong amount of money, would I report the error? Fuck no! But I would hold onto the money and not spend it right away, knowing that rule #1 is that The Man always wins.
Re: Re:
correction: rule #1 is always “Fuck the man”… followed closely by #2 “The man always wins” 🙂
And I am old enough to remember when certain ATMs dispensed $10 bills. There weren’t very many of them, not even twenty years ago, but there were a few, so maybe that’s why there’s still a feature allowing for a machine owner to have the option of dispensing out bills in varying amounts of money.
Dumb, dumb dumb.
If I buy an ATM and put MY money in it to dispense, I am certainly going to make sure that I am the ONLY person with access to the workings of the machine.
I personally use what I call “roll five” for most of my passcodes. For instance, I take a number that I use every day. Phone number, SSN, birth date or even street address, and add five to each digit. (Think of the digits as being on a wheel-type lock like a briefcase) In this case, 12345 would become 67890 and no longer closely resembles your ‘clue number’.
i’ve seen atms that dispense 100s, 50s, 20s, 10s, 5s, 1s, and even coinage.
but those are usually located at a bank.
these 7-11 atms are little things, with enough for one or two clips.
i can see why you’d want the ability to change denominations. but not always the case.
so yes, it’s on the owner to know their equipment, but like every other product made, it has to be “idiot” proofed.
that’s a big lesson i learned while getting my engineering degree
I changed my combination to 12 , 34 , 56
I hope to fool everyone 🙂
These weren’t Diebold ATMs, by any chance, were they? You know — the same company whose voting machines can be physically opened for administrative access with a common hotel-minibar key that can be ordered online?
Re: Re:
Diebold (and NCR) ATMs are encoded at the cassette level and are not changeable at any menu; to change the coding of the cassette you have to be inside the vault where the money is. The ATM’s that allow the change in the denomination are the inexpensive mom and pop type.
a lot of college campuses will have ATMs that give out 5s and 20s… so yeah
It's not as easy as it sounds
Since I install ATMs for a living, believe me when I tell you that this may not be such a great idea.
Not only does every ATM maintain a local journal of transactions, maintenance actions, errors, etc., so does the remote network which the ATM uses. Once they realize there’s been a security breach they’ll use both those logs to determine at what point they occurred and adjust everyone’s accounts accordingly. Also, it stands to reason that the first person who uses the ATM after the breach is likely to be the same person who altered the ATM’s configuration, and since they’ll have your card information, you can expect a visit from the local police.
Also, nearly every ATM in service today has some sort of video recording of everyone who uses them. This is assuredly the case if the ATM is located at a branch of a financial institution, but even if the ATM is located inside of a gas station or convenience store. They will use those images also to form a case against whomever abuses the ATM.
Re: It's not as easy as it sounds
What about those gift cards? The ones you can get at my local bank without any account? Can’t you use them at other banks’ ATMs and still have no way of being traced?
Plasma
When I used to donate plasma you could get out $5, $10 and $20 depending on what you got from your blood/plasma, which varies on your weight. It’s the only ATM machine I’ve seen like that though.
re: It's not as easy as it sounds
oh yes it is. if i remember correctly part of the “genius” of the original scam is they used pre-paid visa gift cards that you have a pin number and can use them just like cash. you can even buy one with cash in the first place. the only hard part is not getting on camera
Passwords
It’s stupid to use 123456. Smart people use 000000. Really smart people use P-a-s-s-w-o-r-d
Wouldn’t it be smarter to change it at an infrequently used machine, then come back maybe 8 hours or so later… maybe even the next day, making sure that you look a lot different.
That way maybe only one or two lucky souls had used the thing before you, and your transaction would appear to be something done by chance.
Re: Re:
This doesn’t work on newer ATMs. Each cassette contains a series of magnets to identify the denomination of bill it is carrying, so no matter which slot the cassette was placed into, the picker would still dispense the correct amount. *Although* you could possibly put the ATM into a diagnostic menu and make it perform a test dispense, and depending on the ATM type it will either dispense the tested bills into its own reject bin, or actually allow them to exit the dispense device.
meh
The ATM up here at one of the Apple campuses can do any denomination, including change. I could pull out $.01, if it wouldn’t cost me $2.00 in ATM fees. Mainly for those “paycard” things that companies seem to be doing these days.
Also, the magnet configuration on newer ATMs is hard coded into the machine software so it cannot be manipulated ie. if the box is config’d for $20s, you can’t make it think that box contains $5s
ATM setups
I used to repair/install ATM’s. In most cases, probably 99% of the time, the ATM is installed by an outsourced company who are given a guided setup process to follow. They are not allowed to deviate from the process, this includes not taking the liberty to change the default password. It is not the outsourced technician’s job to train the purchaser of the ATM on how to administer the ATM, this should be requested in the original purchase agreement by the purchaser.
Someone else mentioned that the ATM should not need to be programmed for different amounts of cash etc… Judging by that statement I’ll assume it was made by a typical Yank who thinks that ATM’s are only made for the good old USA. Companies design their ATM’s to work with notes from many different countries, different size bills, etc…. Creating separate hardware/software for each country would cost way too much.
And as Charles mentioned, it would be very hard to get away with this sort of scam. The bills are audited at many points along the way before they even are loaded in to the ATM, and they are also audited when they are removed and compared to the journal entries etc…
Good luck to any idiot willing to try this and believe he/she would get away with it for very long.
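The audit described in this thread (journal entries compared against the notes actually removed from the cassette) can be written out as a reconciliation. This is an added example, not code from any ATM vendor; the journal format, the `Entry` and `reconcile` names and the sample entries are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    kind: str        # "CONFIG" (denomination setting changed) or "DISPENSE"
    value: int       # CONFIG: new denomination; DISPENSE: dollars debited
    card: str = ""   # DISPENSE only: card reference from the network log


# Constructed sample journal for one cassette physically loaded with $20 notes.
JOURNAL = [
    Entry(1, "CONFIG", 20),
    Entry(2, "DISPENSE", 40, "card-A"),
    Entry(3, "DISPENSE", 100, "card-B"),
    Entry(4, "CONFIG", 1),               # setting no longer matches the cash
    Entry(5, "DISPENSE", 20, "card-C"),
    Entry(6, "DISPENSE", 10, "card-D"),
    Entry(7, "CONFIG", 20),
    Entry(8, "DISPENSE", 60, "card-E"),
]


def reconcile(journal, notes_loaded, notes_remaining, true_denomination):
    """Compare what the journal says was paid out with the physical count."""
    configured = None
    debited = 0
    notes_by_journal = 0
    suspects = []   # (seq, card, dollars overpaid) while the setting was wrong
    changes = []    # seq of every CONFIG entry that altered the denomination
    for e in sorted(journal, key=lambda entry: entry.seq):
        if e.kind == "CONFIG":
            if configured is not None and e.value != configured:
                changes.append(e.seq)
            configured = e.value
        elif e.kind == "DISPENSE":
            if configured is None:
                raise ValueError("dispense recorded before any denomination")
            # The machine counts notes from the denomination it believes.
            notes = e.value // configured
            debited += e.value
            notes_by_journal += notes
            if configured != true_denomination:
                overpaid = notes * true_denomination - e.value
                suspects.append((e.seq, e.card, overpaid))
    notes_out = notes_loaded - notes_remaining
    return {
        "cash_shortfall": notes_out * true_denomination - debited,
        "note_count_matches_journal": notes_out == notes_by_journal,
        "suspect_dispenses": suspects,
        "config_changes": changes,
    }


if __name__ == "__main__":
    print(reconcile(JOURNAL, notes_loaded=500, notes_remaining=460,
                    true_denomination=20))
```

The note count agrees with the journal while the cash value does not, which is the signature of a wrong denomination setting rather than a jam or a miscount.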
Yikers!
Most banks have this changed, it’s only in the boondocks and rural areas that they don’t change the key.
Why not have a "special card" instead?
Why don’t the ATM manufacturers supply a card that permits the machine to enter admin mode, instead of using a special passcode? I can’t imagine that it’d cost that much, and it’d be easier for a store owner to find and dig out their old key card, than remember a passcode. The manufacturer could even supply new ones to verified owners when the cards are lost or stolen.
It’s been some time since I’ve used an ATM that dispensed anything BUT twenties…
Re: Re:
I withdrew $100 from an ATM in a casino in Vegas and one bill came out. I used it to pay for my $6 breakfast and the waitress didn’t even pause.
Wow, a million references to Spaceballs. Yipes!
I would imagine not all ATM machines have currency cartridges that automatically indicate the denomination of currency, especially these made mostly of plastic, gas station & quickie mart types.
To answer the question of a few of you: This is why there is a denomination setting in software. If there are three currency cartridge slots in the machine, the owner could choose to dispense fives, tens, and twenties, giving customers more denominations for withdrawal. An ATM owner would more likely want all slots to dispense twenties, however, since that way they would have to service the machine less often, and the machine would be able to take the weekend rush for cash. (The owner wants their two dollars; they could care less if you’d prefer to withdraw less than twenty bucks, and they want to make damned sure they have cash in the machine when you want to use it.)
Atm Maint. Mode
First off, the maintenance mode for both Diebold and NCR atm’s cannot be accessed without first accessing the service switch located inside the top part of the atm. The top part is where the printer, monitor, card reader, etc are located. You have to have a key to access this part. If you can access the top part you can hit the switch to put the machine into maintenance mode. Then you have to enter the password.
Secondly, there are no software changes you can make that would tell the machine to dispense 20’s in place of 5’s or 10’s. In both Diebold and NCR atm’s the cassettes that hold the currency are programmable in that on Diebold cash cassettes there are 2 rows of buttons across the front. By removing all of the little buttons except certain ones determines what currency is in which cassette and the dispenser in which the cassettes fit read the buttons no matter which slot the cassettes are inserted into. On the NCR cassettes there are a row of four small magnets on the side. The currency amount is determined by which magnets are left in place. The dispenser reads the magnets and knows which currency is in that cassette.
Surely you’d need internal physical access to enter admin mode. ATM’s may look like Arcade Cabinets, but even most of them required an internal dip switch to be flicked. Though I once found an Arcade machine that would enter admin mode by holding the joystick in the upper left when the attract cycle looped.
On a side note...
Don’t you hate it when someone calls the ATM, an ATM Machine? Don’t they know that the M is Machine?
Don’t most ATMs have a camera which takes a photo of every user?
Better than an ATM
One Man. One Year. $100,000 online. Not even an ATM puts out that kind of green.
http://www.oneyeargoal.com
Diebold sucks
And these ATM’s are made by the same people who make the electronic voting booths. Anybody see a problem here?
geroucha!!!!
How can anyone think that 1-2-3-4-5-6 is a bad combination for luggage…it’s not like some one can put it through a password cracker.
I mean a combination is only as good as the person trying to break in to it in the first place.
Most people would not even think of anyone using such a simple combination, so would not even bother.
But on the other hand, some criminals would just try that one first just to see if someone used such a simple code, and make their life a whole lot easier. I agree a more complex pass word would be better (ie: 123466 or 123455 or 124456 or 111112 or 111115 or infinity)
My point is though, with over a million possible combos, there really is NO BAD combination.
Robin Hood
I wonder if it’s legal to change the settings but not take any money out? Just let everyone else reap the benefits.
Seriously?
Even when people set up things way less serious than a box of money they create a password a little harder to figure out than 123456. You’d think the ATM companies would be smarter than that.
passcodes
Say, here’s a novel Idea….when you install the machine, prior to it going into service, put a script that requires the base passcode to be reset before the machine will start doling out the money? I dunno, must make a bit too much sense….
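Several comments above propose the same control: make initial setup demand a new passcode, reject 123456, 111111 and similar, and keep the machine out of service until that is done. A sketch of that gate, added here as an example and not taken from any ATM vendor's firmware; the six-digit minimum, the rejection rules and the `AtmSetup` and `weakness` names are assumptions for illustration:

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "123456"   # the default passcode named in the article
MIN_LENGTH = 6               # assumption: same length as the factory default


def weakness(passcode, factory_default=FACTORY_DEFAULT):
    """Return why a candidate passcode is rejected, or None if acceptable."""
    if not (passcode.isascii() and passcode.isdigit()):
        return "must be at least six digits"
    if len(passcode) < MIN_LENGTH:
        return "must be at least six digits"
    if passcode == factory_default:
        return "factory default"
    if len(set(passcode)) == 1:
        return "single repeated digit"
    # Keypad runs such as 234567, 654321 or 890123 (wrapping past 9).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {9}):
        return "sequential run"
    if len(set(passcode)) < 3:
        return "fewer than three distinct digits"
    return None


class AtmSetup:
    """First-boot gate: the machine stays out of service until the owner
    has replaced the factory passcode with one that passes weakness()."""

    def __init__(self, factory_default=FACTORY_DEFAULT):
        self._factory_default = factory_default
        self._salt = None
        self._digest = None   # set once the owner has chosen a passcode

    def _hash(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self._salt, 100_000)

    def check_admin(self, passcode):
        """The factory default works only until an owner passcode exists."""
        if self._digest is None:
            return hmac.compare_digest(passcode.encode(),
                                       self._factory_default.encode())
        return hmac.compare_digest(self._hash(passcode), self._digest)

    def set_passcode(self, current, new):
        """Return (ok, message); the old passcode stays active on failure."""
        if not self.check_admin(current):
            return (False, "current passcode incorrect")
        reason = weakness(new, self._factory_default)
        if reason:
            return (False, reason)
        self._salt = os.urandom(16)
        self._digest = self._hash(new)
        return (True, "passcode changed")

    def enter_service(self):
        """Refuse to dispense while the factory passcode is still active."""
        return self._digest is not None


if __name__ == "__main__":
    atm = AtmSetup()
    print(atm.enter_service())                   # still on factory default
    print(atm.set_passcode("123456", "111111"))  # rejected as too weak
    print(atm.set_passcode("123456", "580314"))  # accepted
    print(atm.enter_service())
```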
You’re all idiots! Your stupidity runs amuck
What a bunch of tools you morons are. Change the password from simple 123456 to something harder. Do this Do that. You’re so fucking smart why don’t you go make an ATM and impose all your script language and ingenious ideas and see how fast they sell. ATMs can still be broken into even if you don’t have the access code or password. I use a crowbar, sometimes a truck. Get in my way and I’ll mow you over! You tools don’t have the first idea of ATM management and/or ownership yet you spout off that you have the answer. Every one of you are complete losers and will never amount to more than a typical keyboard commando.
Re: You’re all idiots! Your stupidity runs amuck
Roflsburger
In the next world war, a traditional commando might do a lot less damage than the “keyboard commando” whose keyboard includes a certain big red button marked “Launch ICBMs”. So I’d be careful about dissing “keyboard commandos” if I were you. Your back yard bomb shelter won’t save you from a “stray” MIRV dropping directly on top of your house from orbit. 🙂
— A keyboard commando.
my question is how do u get to the damn screen where u can change that info like how do u get to the reprogram page on an atm
I think they should just leave a bucket full of money so we can make change from that. They can trust us! 🙂
Most ATM’s nowadays use magnets on the cassettes themselves. They have to be set properly and the cassette type and denominations must be configured in the machine as well. Combine that with a decent password and someone will have their work cut out for them in order to try and reprogram an ATM for ill-willed purposes.
ATM Machines
I manage a few atm machines, and they all have different passwords. None of them are “123456.” The last thing I want is a security breach.
ATM Security
Thanks for this! I just bought an ATM from Legacy ATM Link and I’ll make sure to change the password once it gets here.