By Kevin Poulsen
Sept 21, 2006
The maker of a popular line of automated teller machines is planning a
software upgrade that forces operators to change a default
administrative passcode, after a surveillance tape showed a high-tech
thief successfully hacking one of its ATMs in a Virginia gas station.
"If we can make them change this default password, the security will be
infinitely greater," said Hansup Kwon, CEO of California-based Tranax.
Last week, news and video reports circulated of a swindler who strolled
into a Virginia Beach, Virginia, gas station and, with no special
equipment, reprogrammed a mini ATM to act as if it had $5 bills in its
dispensing tray instead of $20 bills.
Using a pre-paid debit card, the crook then made a withdrawal and
casually strolled off with a 300 percent profit. The ATM stayed
misprogrammed for nine days -- presumably to the delight of other
customers -- before a good Samaritan reported the issue and exposed the
caper. The thief was not caught.
Details on how the swindle worked were scant until Wednesday, when Dave
Goldsmith, a computer security researcher at Matasano Security in New
York, analyzed CNN's report on the crime and identified the ATM as a
Tranax Mini-Bank 1500 series.
He then set out to see if he could obtain a copy of the manual for the
apparently vulnerable ATM and find out how the crime was pulled off.
Fifteen minutes later, he reported success on both counts.
Wired News located a copy of the manual on a Tranax distributor's
website. The manual reveals a special key sequence that puts the
Mini-Bank ATM into "Operator Mode," from which the machine can be
reconfigured. One of the options lets the user change the denominations
of the bills the machine dispenses -- exactly as the Virginia thief did.
A numeric password is required to perform the operation, but the default
factory-set password is listed in the manual. Kwon acknowledged Thursday
that ATM owners don't always change the password from that default.
"Raising this type of awareness is very important," said Kwon. "We've
been trying, and are continuously trying, to talk to our customers and
operators. ... A very high percentage change their passwords."
The manual includes a note that: "Tranax Technologies, Inc. highly
recommends changing your passwords from default as soon as possible."
Kwon said the company first heard of the denomination-change hack a few
years ago, when its ATMs had only a single passcode to access all the
management functions. That meant the person who performs routine
servicing of the machine had more privileges than he needed, and could
leak the passcode to accomplices or hack the machine himself.
Tranax responded by changing its software to incorporate a hierarchy of
three levels of access, so "the average guy who puts the money into it
and services the ATM can work without accessing the denomination changes
and other things," Kwon said. The company thought that ended the
push-button heists, until news of the Virginia Beach caper broke last week.
When CNN's video showed a Tranax Mini-Bank at the heart of the crime,
the company began exploring its options, said Kwon, and decided to make
the password change mandatory in a new firmware release.
The patch will be ready "in weeks, not months," he said, and will be
installed in all new ATMs the company sells. Tranax has no way to force
the upgrade onto existing machine operators, however. They'll have to
choose to install it.
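The two design changes the article describes, tiered access instead of one passcode for every management function, and a firmware that refuses privileged changes while a factory default is still set, are easy to model. The following Python is an added example written for this page, not Tranax firmware or anything from the Mini-Bank manual: the level names, the six-digit placeholder passcodes and the menu behaviour are assumptions, and no real default is reproduced. It also carries the payout arithmetic behind the $5/$20 swindle and the 40-bill cap the article mentions later.

```python
"""Toy model of an ATM "Operator Mode" with tiered passcodes and a forced
default-passcode change. Illustrative code for this page, not Tranax firmware:
level names, placeholder passcodes and menu behaviour are assumptions."""
import hmac
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    SERVICE = 1    # loads cash, clears jams (hypothetical name)
    OPERATOR = 2   # reports, receipt text (hypothetical name)
    MASTER = 3     # denomination, host settings, passcodes (hypothetical name)


# Placeholder factory defaults; the real values are deliberately not used here.
FACTORY_DEFAULTS = {Level.SERVICE: "111111", Level.OPERATOR: "222222", Level.MASTER: "333333"}
VALID_DENOMINATIONS = (1, 5, 10, 20, 50, 100)
MAX_BILLS_PER_WITHDRAWAL = 40   # cap mentioned in the article


class OperatorMode:
    def __init__(self, single_tier=False, enforce_default_change=True):
        self.passcodes = dict(FACTORY_DEFAULTS)
        self.single_tier = single_tier          # pre-fix behaviour: one code unlocks everything
        self.enforce_default_change = enforce_default_change
        self.denomination = 20
        self.level = Level.NONE

    def defaults_in_use(self):
        return [lvl for lvl, code in self.passcodes.items()
                if hmac.compare_digest(code, FACTORY_DEFAULTS[lvl])]

    def login(self, code):
        granted = Level.NONE
        for lvl, stored in self.passcodes.items():
            # compare_digest is constant-time, so timing does not leak which digit failed
            if hmac.compare_digest(stored, code) and lvl > granted:
                granted = lvl
        if granted != Level.NONE and self.single_tier:
            granted = Level.MASTER       # the flaw Kwon describes: the servicer gets everything
        self.level = granted
        return granted

    def _require(self, needed):
        if self.level < needed:
            raise PermissionError(f"requires {needed.name}, have {self.level.name}")
        if self.enforce_default_change and self.defaults_in_use():
            raise PermissionError("factory default passcode still set; change it first")

    def set_passcode(self, lvl, new_code):
        # Passcode administration is the one privileged action allowed while
        # defaults remain, otherwise the operator could never get out of that state.
        if self.level < Level.MASTER:
            raise PermissionError("passcode administration requires MASTER")
        if not (new_code.isdigit() and len(new_code) == 6):
            raise ValueError("passcode must be six digits")
        if any(hmac.compare_digest(new_code, d) for d in FACTORY_DEFAULTS.values()):
            raise ValueError("new passcode must differ from every factory default")
        self.passcodes[lvl] = new_code

    def set_denomination(self, denom):
        self._require(Level.MASTER)
        if denom not in VALID_DENOMINATIONS:
            raise ValueError(f"unsupported denomination {denom}")
        self.denomination = denom


def dispense_value(amount, configured_denom, actual_denom, max_bills=MAX_BILLS_PER_WITHDRAWAL):
    """Cash actually handed out when the tray is configured as one denomination
    but loaded with another; the 40-bill cap bounds a single fraudulent pull."""
    bills = min(amount // configured_denom, max_bills)
    return bills * actual_denom


def try_denomination_change(atm, code, denom):
    """Log in with `code` and attempt the change; returns a short outcome string."""
    atm.login(code)
    try:
        atm.set_denomination(denom)
        return "changed"
    except PermissionError as exc:
        return f"denied: {exc}"


def harden(atm, master_code, new_codes):
    """Master logs in with the factory code and rotates every level's passcode."""
    atm.login(master_code)
    for lvl, code in new_codes.items():
        atm.set_passcode(lvl, code)
    return atm.defaults_in_use()   # empty once all defaults are gone


if __name__ == "__main__":
    legacy = OperatorMode(single_tier=True, enforce_default_change=False)
    print("legacy, service code:", try_denomination_change(legacy, "111111", 5))
    print("payout on a $20 withdrawal:", dispense_value(20, 5, 20))
    fixed = OperatorMode()
    print("tiered, service code:", try_denomination_change(fixed, "111111", 5))
    print("tiered, default master:", try_denomination_change(fixed, "333333", 5))
    rotated = {Level.SERVICE: "482915", Level.OPERATOR: "730164", Level.MASTER: "915738"}
    print("defaults left:", harden(fixed, "333333", rotated))
    print("tiered, rotated master:", try_denomination_change(fixed, "915738", 5))
```

Two details matter beyond the role check itself: the new passcode is rejected if it equals any factory default, so an operator cannot satisfy the prompt by typing the manual's value back in, and the comparison is constant-time so the numeric code cannot be recovered digit by digit from response timing on a keypad.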
The company has 75,000 Mini-Bank ATMs in service. They are sold through
distributors, either to independent operators like gas stations and
convenience stores, or to companies that operate a number of machines.
Kwon said the service manual should not have been published on the web,
but he defended the company's practice of including the default
passcodes in its pages. "It's almost the industry standard practice," he said.
Indeed, a manual for a line of retail ATMs made by Tranax competitor
Triton reveals that company's cash machines also contain a special key
sequence to gain control of the ATM. A default passcode is listed in the
manual. Triton didn't immediately return a phone call for comment.
The Tranax machines will dispense at most 40 bills at a time, which puts
an $800 cap on a fraudulent withdrawal from a machine loaded with $20 bills.
It's unclear whether the Virginia incident was an isolated case, or part
of a broad scheme, exposed only because the crook neglected to change
the ATM back to its proper configuration before leaving with his cash.
Kwon said he hasn't heard of a similar crime in years, and believes they
are exceedingly rare.
"However the chances are there ... (and) going up."