9/22/2006

Security WHAT? 75,000 to 250,000 Hackable ATMs -- and the manuals are ONLINE!

"if we were all meant to get along, there would be no people who wait until all the groceries are rung up before starting to look for their damn debit card." -- Dexter Dotnetsky



I just had to laugh at how incredibly stupid people can be after reading this Wired story about how some schmuck got the "Administrator" keypad password, which is printed right in the PDF manual that anyone can search for, find, and download online (and that's not the only ATM model you can do this with).



The password basically allows you to reconfigure the machine to think it is holding $5 bills instead of twenties, so it dispenses four times the amount of money you ask for. Use an untraceable prepaid debit card to get the cash, and you've got some fun times. Nine days went by before some Good Samaritan customer informed the store owner that she had gotten more money out of the ATM than she asked for. The crook had never reset the Admin password back to "normal".

The lesson here is similar to the one we learn (hopefully) about outwitting terrorists, only it's not as dangerous. It's not enough for the manual to say it's "highly recommended" to change the Administrator 4-digit passcode -- most owners never bother to do it.
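As an added illustration of the failure mode described above (this is not code from the post or from any ATM vendor): a small audit that flags an unchanged factory passcode, a cassette whose configured denomination differs from what was actually loaded, and the reconciliation gap that results when the machine counts out "fives" that are really twenties. The default passcode constant, the field names and the sample figures are constructed placeholders.

```python
"""Constructed ATM audit: flags the conditions that let the scheme in the post work."""
from dataclasses import dataclass, field

# Placeholder only: the real factory default is vendor-specific and not reproduced here.
FACTORY_DEFAULT_PASSCODE = "0000"


@dataclass
class Cassette:
    configured_denomination: int  # what the ATM software believes each note is worth
    loaded_denomination: int      # what the replenishment crew actually loaded
    notes_loaded: int             # notes present right after the last refill
    notes_remaining: int          # notes counted at audit time


@dataclass
class AtmAudit:
    admin_passcode: str
    cassette: Cassette
    withdrawals: list = field(default_factory=list)  # amounts customers were charged since refill


def audit(atm: AtmAudit) -> list:
    """Return human-readable findings; an empty list means the machine passed."""
    findings = []
    if atm.admin_passcode == FACTORY_DEFAULT_PASSCODE:
        findings.append("admin passcode is still the factory default")
    c = atm.cassette
    if c.configured_denomination != c.loaded_denomination:
        ratio = c.loaded_denomination / c.configured_denomination
        findings.append(f"denomination mismatch: every withdrawal dispenses {ratio:g}x the charged amount")
    # Reconcile cash that physically left the cassette against what customers were charged.
    left_cassette = (c.notes_loaded - c.notes_remaining) * c.loaded_denomination
    charged = sum(atm.withdrawals)
    if left_cassette != charged:
        findings.append(f"reconciliation gap: ${left_cassette - charged} dispensed but never charged")
    return findings


def scenario_from_post() -> AtmAudit:
    """Constructed figures: cassette loaded with $20s but configured as $5s, default passcode unchanged."""
    # Customers ask for $200 in total; the ATM counts out 40 'five-dollar' notes, which are really $20s.
    return AtmAudit("0000", Cassette(5, 20, 1000, 960), [100, 60, 40])


if __name__ == "__main__":
    for finding in audit(scenario_from_post()):
        print("FINDING:", finding)
```

Run against the replenishment record at every refill and the nine-day gap in the story collapses to one cash-count cycle.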

With 75,000 of these boxes out there (and that's just this one brand of ATM), that company had better be scrambling big time to get out their "Fix". There are gonna be BIG TIME lawsuits on this one!



Erm, maybe it's time for an in-depth security review by a highly qualified OUTSIDE consultant? Naww, that could never happen to us! Better think again, corptard!

UPDATE 9/22/2006: Whoa! It's getting worse! Now they've identified a quarter of a million of these susceptible boxes from at least three manufacturers. Can people be reallyreallydumb? Erm, I guess so....

I leave you with this gem along these very lines:

"Boy, those Paypal people must need to get some new databases. They've been sending me like 5 emails every week asking me to update my account information!" -- anonymous