I was reading a story on Reuters about a security expert who highlighted the point that ATMs (Automated Teller Machines) have certain security flaws that help hackers hit the jackpot. Certainly an intriguing story as I thought ATMs were among the most secure systems in the world since their owners have everything to lose, from money to reputation to ultimately their business.
Barnaby Jack, the security expert testing the ATMs, said (amongst his claims) that some ATMs could be attacked via their communications ports which are sometimes available from the outside. I couldn’t fathom that an ATM could allow administrative access to the machine from the outside where anyone would be able to gain access to the machine – there had to be a mistake! Alas it’s true, as the article goes on to say that some ATM designers didn’t have a basic sense of physical security and placed the administrative port on the outside where it would be accessible by anyone.
Such an administrative port could be used to reconfigure the machine. Imagine swapping the $2 tray with the $100 tray – if you withdraw $4, the machine gives you two $2 notes, but now the machine thinks that the $2 notes reside in the $100 tray thus you’re presented with $200 instead of $4. Obviously if not reconfigured back the person withdrawing $100 will not be very happy when presented with $2.
I searched but couldn’t find any other mention of ATM communication ports exposed, neither images; however, I did find other disturbing security stories. I came across a story by Bruce Schneier about a guy who reprogrammed a Tranax Mini bank 1500 ATM at a gas station to think $5 were sitting in the $20 tray. How did he manage this? Very easily it seems, as he got hold of the ATM manual which listed instructions and the default password to get the machine in administrator mode. This same brand of ATM was also targeted by Thor Alexander Morris whose plan was foiled when he enlisted the help of a genuinely reformed ex-con who went to the FBI. The article claims that this ATM, as well as another manufactured by Triton, was well known by criminals. The default codes and instructions to these ATMs were apparently easy to find online.
One positive thing resulting from these stories is that both Tranax and Triton learned their lessons and now oblige the user to change his secret code on first boot up.
Something to learn from these stories is to never assume that something is secure no matter if one expects it to be. Obviously always change any default password since having a default password is equivalent to having no password at all. If you are either a developer or create security sensitive equipment, do not assume your clients will do their due diligence.
Tranax and Triton may be excused for not forcing their customers to change the default password when they released their product since it’s a basic security step and was likely extensively documented; however, there are users and administrators whose sole goals are to get a system up and running and, if they’re not very security proficient they may be afraid to properly configure it out of fear that they might break it. Ultimately it’s important to never ignore or forget the importance of physical security as in most cases that would be your first line of defence.