Security WHAT? 75,000250,000 Hackable ATM's- and the manuals are ONLINE!

"if we were all meant to get along, there would be no people who wait until all the groceries are rung up before starting to look for their damn debit card." -- Dexter Dotnetsky



I just had to laugh at how incredibly stupid people can be after reading this Wired story about how some schmuck got the "Administrator" Keypad password (which you can get right out of the PDF manual, which you can search for, find, and download online -- and that's not the only ATM model you can do this with).



The password basically allows you to reconfigure the machine to think it is holding $5 bills instead of twenties and dispense four times the amount of money you ask for. Use an untraceable prepaid debit card to get the cash, and you got some fun times. Nine days went by until some Good Samaritan customer informed the store owner that she had gotten more money out of the ATM than she asked for. The crook had never reset the Admin password back to "normal".

The lesson here is similar to the one we learn (hopefully) about outwitting terrorists, only it's not as dangerous. It's not enough for the manual to say it's "highly recommended" to change the Administrator 4 - digit passcode -- most owners never bother to do it.

With 75,000 of these boxes out there (and that's just this one brand of ATM) that company better be scrambling big time to get out their "Fix". There are gonna be BIG TIME lawsuits on this one!



Erm, maybe it's time for an in depth security review by a highly qualified OUTSIDE consultant? Naww, that could never happen to us! Better think again corptard!

UPDATE 9/22/2006: Whoa! It's getting worse! Now they've identified a Quarter of A Million of these susceptible boxes from at least three manufacturers. Can people be reallyreallydumb? Erm, I guess so....

I leave you with this gem along these very lines:

"Boy, those Paypal people must need to get some new databases. They've been sending me like 5 emails every week asking me to update my account information!" -- anonymous

Comments

Post a Comment

Popular posts from this blog

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

One of the most annoying things a developer (who would normally delight in writing code, not futzing with markup) can have is getting rendering issues between different browsers. The two biggest players are of course Internet Exploder and Firefart (as I lovingly like to refer to each). In most cases that's going to take care of 98 percent of your total site traffic. IE has had a proprietary "word-break" style attribute for a long time, and this made it into the CSS 3.0 spec. But that doesn't necessarily help you with Firefox right now. Firefox literally - (and I consider this completely idiotic, since it's been in their bug database for FIVE YEARS) does not have a reliable CSS style element to force table cell content to break in the middle of a word in order to stop the content from expanding your table / div off the page or over other content on the page. Here's a partial fix, which will work for most tables and browsers. The style declaration (I call it m
Read more

Some observations on Script Callbacks, "AJAX", "ATLAS" "AHAB" and where it's all going.

I've taken a more than cursory interest in the whole Remote Scripting (.NET species) vs. AJAX and now ATLAS discussion, mostly because I started using Remote Scripting since Microsoft first released it, and because I continued to refine it after seeing Brent Ashley's excellent work with JSRS, which was one of the first "real" cross-browser solutions back in 2000 (that's the turn of the Century for you history buffs). Now Bertrand Leroy, a Microsoft guy whose work I like , has authored some very interesting ASP.NET 2.0 script callback stuff that he points to on his blog, and he is obviously (at least, to me he is) involved quite heavily in the development of this new ATLAS infrastructure that they'll preview at PDC. Leroy's most recent post brings to the surface what I agree are the major differences between the "AJAX a - la .NET" approach as popularized by Michael Swartz with his AJAX.NET library, and Leroy's RefreshPanel, the ASP.NET 2.0 b
Read more

IE7 - Vista: "Internet Explorer has stopped Working"

Image
This one was a bitch. All of a sudden for no reason at all, out of the blue, I get this dialog "internet Explorer has stopped working". I didn't install any new software, crap- I didn't do anything! So here I am using FIREFART to go on the internet and find out what to do! Damn! Good thing I've got the sucker on the same machine (I'm not "anti-Firefox", i just don't use it that much except to check my page renderings). The Fix The fix (at least for me): 1) Go into Control Panel, and choose "Internet Options". 2) Under the "Advanced" tab, press the "RESET" button at the lower right: Don't ask me why this happens, or why the fix works. That's a BUG, D00D - I don't care how you slice it!
Read more