Feeds

Online manuals enable ATM reprogramming scam

Money for nothing and your gas for free

Using blade systems to cut costs and sharpen efficiencies

Reprogramming an ATM to dispense more cash than it ought to is far easier than anyone imagined.

Last week CNN screened a video of a man suspected of reprogramming an ATM to dispense $20 bills that it thought were $5 notes, so fraudsters and the unscrupulous were able to withdraw four times more money than was debited from their accounts.

The suspected perp didn't reprogram the Virginia gas station machine after he pulled off the scam, so it continued to dispense more money than it should have for nine days, until some honest individual pointed out the problem. The suspect used a pre-paid debit card to make withdrawals, making it harder for police to track him down. These difficulties prompted investigators to go public on the scam, which was carried out last month, in the hope of identifying the suspect from CCTV footage.

The hack was far from sophisticated. Security researchers have discovered that ATM manuals for the Tranax Mini-Bank 1500 Series, the machine involved in the Virginia scam, can be easily located online using nothing more fancy than a Google search query, eWeek reports. These manuals explain how to switch ATMs into diagnostic mode, where its possible to reprogram ATMs in the way carried out in the Florida gas-station hack, for example.

Would-be fraudsters would still need a PIN code in order to be able to access functions normally only available to installation engineers but the manual lists typical factory-set default passwords. So unless machines have been set up properly, they are wide open to abuse. It seems the hack is limited to Tranax's line of mini-bank terminals, though that's unclear. Tranax has delivered 70,000 ATMs, self-service terminals and kiosks across the US. Many of these installations involve the Mini-Bank 1500 machine that was the target of the Virginia hack, so the potential for abuse is clearly high.

We can only hope that the wave of publicity over the scam will prompt Tranax into action so that the scam is nipped in the bud. At the very least it ought to pull the copies of its manual offline. In theory these manuals are only available to authorised distributors or service providers though at least one Canadian-based reseller of Tranax terminals has left this information easily available to all and sundry. The Virginia hack shows at least some crooks already have their hands on this information. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.