<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: PINs hacked from ATM transaction processing software</title>
	<atom:link href="http://www.crunchgear.com/2008/07/03/pins-hacked-from-atm-transaction-processing-software/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.crunchgear.com/2008/07/03/pins-hacked-from-atm-transaction-processing-software/</link>
	<description>Gadgets, gear and computer hardware.</description>
	<pubDate>Fri, 05 Dec 2008 10:29:36 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: SomeUser</title>
		<link>http://www.crunchgear.com/2008/07/03/pins-hacked-from-atm-transaction-processing-software/#comment-756194</link>
		<dc:creator>SomeUser</dc:creator>
		<pubDate>Thu, 03 Jul 2008 15:24:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.crunchgear.com/?p=29193#comment-756194</guid>
		<description>I've read several accounts of crackers discovering that the encryption modules on a disturbingly large number of ATMs are left at the default settings - they never change or update the key or passphrase, OR the management/superuser passphrase.  This means that if you find out what one is, you can monitor the transactions of many, many others, let alone get into the administrator's console on the machine itself.  I don't know for certain that's what happened here, but I can say I've never trusted an ATM the same way again.

Banks themselves realize the scrutiny they're under, but the contract agencies or clearinghouses that participate in the flow of our personal banking information (from the bank, across a clearinghouse, over the internet, and to the ATM, rented by the 7-11 down the road provided by the 3rd party ATM distributor) should be under equal protection, audit, and scrutiny.  Most of what I've heard/read tells me that the people who set up the equipment and maintain/manage it are severely undertrained, and don't take into account the high level of sensitivity that should be mandatory.</description>
		<content:encoded><![CDATA[<p>I&#8217;ve read several accounts of crackers discovering that the encryption modules on a disturbingly large number of ATMs are left at the default settings - they never change or update the key or passphrase, OR the management/superuser passphrase.  This means that if you find out what one is, you can monitor the transactions of many, many others, let alone get into the administrator&#8217;s console on the machine itself.  I don&#8217;t know for certain that&#8217;s what happened here, but I can say I&#8217;ve never trusted an ATM the same way again.</p>
<p>Banks themselves realize the scrutiny they&#8217;re under, but the contract agencies or clearinghouses that participate in the flow of our personal banking information (from the bank, across a clearinghouse, over the internet, and to the ATM, rented by the 7-11 down the road provided by the 3rd party ATM distributor) should be under equal protection, audit, and scrutiny.  Most of what I&#8217;ve heard/read tells me that the people who set up the equipment and maintain/manage it are severely undertrained, and don&#8217;t take into account the high level of sensitivity that should be mandatory.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

