Over at Matasano, they've been talking about the recent Tranax ATM discovery. Their blog was the first that I'd heard of it, and Dave was excited that he legally obtained the User Manual that had the default passwords in it in less than 15 minutes.
What's scary is how trivial it is to obtain the appropriate user manual. And not only does the user manual have the default passwords in it, it has the default SAFE combination. And this is stupidly easy - unlike what some people are saying, it does not appear to require access to a swipe card to enter the machine.
So, what can you do from the screen with the default password? Hmm... change the denomination of the bills that the ATM thinks it's dispensing? (You can change it from $20 to $1, so if you take out $100, the machine counts out 100 bills, which are really $20s.) How about just removing the surcharge so the owner makes no money? Or perhaps (as a competitor) jacking up the surcharge so that nobody would ever use the ATM (would you use an ATM with a $30 surcharge?)
It baffles me that these "DIY" ATM companies are trying to make the system so utterly turn-key that they manage to create massive risks for their customers, especially when most customers aren't going to be tech-savvy enough to change many of these passwords or combinations. Perhaps they figured that these manuals would be "kept in a secure place". I don't know, but if Dave from Matasano and I can both read them, I'd say they're not so secure.
I've been around long enough that this shouldn't surprise me. But I'm an idealist, and I guess I really am surprised when people do something this utterly stupid.
Now, if you'll excuse me, I have some banking to do and a vacation in Tahiti to take.