Archive for the ‘ATM’ Category

Filed Under (ATM, PCI PIN) by datasecurity on November-30-2006

On the heels of our post on ATM skimmer photos, MSNBC has a comprehensive article on how ATM machines are called ‘unsafe’.

A U.S. Secret Service memo obtained by MSNBC.com indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes. (Will Burgess / Reuters file)

The article includes images describing ATM PIN attacks and a great paper titled “The Unbearable Lightness of PIN cracking” [PDF] (the title is a takeoff on a novel by the Czech novelist Milan Kundera).



Filed Under (ATM, Credit Card Fraud) by datasecurity on November-21-2006

Times Online (UK) has an article about a fraudster who placed an MP3 player between the ATM and the phone line to record, and later decode, credit card information being sent to the bank.

The phone line running from the machine to an ordinary BT white socket was unplugged and a two-way adaptor inserted. The MP3 player was then placed between the ATM machine’s output cable and the phone socket.

The player would record the tones, which resemble the kind of sound emitted by a fax machine.

These were then interpreted using a modem line tap, or MLT, acquired from Canada, or passed through a computer software program bought illicitly in Ukraine.



Filed Under (ATM, Credit Card Fraud) by datasecurity on October-23-2006

Check out the images of ATM skimmers on Flickr and even more on Google. I found these while reading about yet another ATM faux-facade attack.



Filed Under (ATM, Credit Card Fraud, PCI DSS) by datasecurity on October-2-2006

The Register is reporting a story about people who are reprogramming ATM machines to dispense four times the amount of money you request.

Last week CNN screened a video (already 87k views) of a man suspected of reprogramming an ATM to dispense $20 bills that it thought were $5 notes, so fraudsters and the unscrupulous were able to withdraw four times more money than was debited from their accounts.

The suspect used a pre-paid debit card to make withdrawals, making it harder for police to track him down.

The hack was far from sophisticated. Security researchers have discovered that ATM manuals for the Tranax Mini-Bank 1500 Series, the machine involved in the Virginia scam, can be easily located online using nothing more fancy than a Google search query, eWeek reports. These manuals explain how to switch ATMs into diagnostic mode, where it's possible to reprogram ATMs in the way carried out in the Florida gas-station hack, for example.

Would-be fraudsters would still need a PIN code in order to be able to access functions normally only available to installation engineers but the manual lists typical factory-set default passwords.

Here’s a copy of the manual in case you want to change the default password and prevent someone from committing this fraud.

Entering Key Management requires two 6-digit passwords. By default these will be “000000” for part #1 and “000000” for part #2.

The ATM uses three passwords to provide security to the operator menu system. These are Operator, Service and Master.

* Operator Password (allows access to basic menu structure)
* Service Password (allows access to basic and diagnostic menus)
* Master Password (allows access to all menus including setup parameters)

The operator password can be changed by anyone with the current operator password. The service and operator passwords can be changed by anyone with the service password. The master password can only be changed by someone with the current master password. Any password can be changed using the master password.

To change a password, press the button for the appropriate password and you will be prompted to enter the “current” password. After entering the current password you will be prompted to enter the new password and then enter it a second time to verify. If you forget your password please contact your dealer or distributor for service.
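As an added example (not from the manual, Tranax, or the original post), the password tiers in the excerpt can be modelled to audit what a terminal exposes when factory defaults are left in place. The menu labels, the inventory format and the non-default sample values are assumptions made here.

```python
# Added example: model of the password tiers quoted from the manual above.
# Menu labels are names chosen here; the inventory below is constructed.
MENUS = {"operator": {"basic"},
         "service": {"basic", "diagnostic"},
         "master": {"basic", "diagnostic", "setup"}}
# Which passwords each credential can change, per the excerpt.
CAN_CHANGE = {"operator": {"operator"},
              "service": {"operator", "service"},
              "master": {"operator", "service", "master"}}
KEY_MGMT_DEFAULT = "000000"  # default for both key-management parts (from the excerpt)


def exposure(default_roles, key_parts):
    """Return what is reachable with factory defaults alone on one terminal.

    default_roles: roles whose password was never changed from the default.
    key_parts: the two key-management passwords as currently set.
    """
    controlled = set(default_roles)
    # A credential that can change another password effectively controls it.
    for role in default_roles:
        controlled |= CAN_CHANGE[role]
    menus = set()
    for role in controlled:
        menus |= MENUS[role]
    return {"controlled": controlled,
            "menus": menus,
            "key_management": all(p == KEY_MGMT_DEFAULT for p in key_parts)}


def audit(fleet):
    """Return (terminal_id, finding) pairs for terminals with defaults left in place."""
    findings = []
    for term in fleet:
        exp = exposure(term["default_roles"], term["key_parts"])
        if exp["menus"]:
            findings.append((term["id"], "menus reachable with defaults: "
                             + ", ".join(sorted(exp["menus"]))))
        if exp["key_management"]:
            findings.append((term["id"], "key management still uses 000000/000000"))
    return findings


# Constructed inventory for illustration only.
FLEET = [
    {"id": "atm-01", "default_roles": {"master"}, "key_parts": ("000000", "000000")},
    {"id": "atm-02", "default_roles": {"service"}, "key_parts": ("418265", "000000")},
    {"id": "atm-03", "default_roles": set(), "key_parts": ("730914", "562087")},
]
```

A terminal whose service password is still the default also loses control of its operator password, because the service credential can change it.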

Wired News says:

“If we can make them change this default password, the security will be infinitely greater,” said Hansup Kwon, CEO of California-based Tranax Technologies.

Also, check here for a list of other ATMs and their default passwords.
