The Fremont, Calif., automated teller machine manufacturer Tranax Technology Inc. plans to issue a software security patch that would require ATM deployers to change their machines’ default master passwords.
The plan is a response to an incident in which a criminal allegedly used a master password to configure a Tranax ATM to give out too much money. Many of the passwords are easily available online, and some experts say that many deployers never change them.
Hansup Kwon, the president and chief executive of Tranax, said in an interview last week that it would issue the patch in a few weeks. When installed on an ATM that uses the default password, the patch would require that the passcode be changed, “at least at the highest level,” Mr. Kwon said. “Otherwise, we put a warning screen on it, or we don’t activate it at all. We haven’t decided which way we’ll go.”
Last month a man was captured on a surveillance video apparently using a master passcode to reset a Tranax ATM at a Virginia Beach gas station. The machine, stocked with $20 bills, apparently was told it had $5 bills and gave out four times the proper amount for each withdrawal. The criminal allegedly used a prepaid debit card to withdraw money, which was untraceable. Nine days later a customer informed the gas station that the machine was giving out too much money.
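As an added illustration (not Tranax's code), the model below shows the lock-out the patch describes: while the master password still matches the factory default, the only configuration action accepted is changing it, and the cassette denomination cannot be altered; it also shows how a cassette of $20 bills configured as $5 bills yields four times the requested amount. The default value, password rules and journal format are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed placeholder for the factory default; the real value is not reproduced here.
FACTORY_DEFAULT_MASTER = "FACTORY-DEFAULT-PLACEHOLDER"

def _derive(password: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash of the master password is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class AtmConfig:
    denomination: int = 20                       # bill value the dispenser believes is loaded
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    master_hash: bytes = b""                     # empty means "still on the factory default"
    journal: list = field(default_factory=list)  # constructed stand-in for the electronic journal

    def __post_init__(self) -> None:
        if not self.master_hash:
            self.master_hash = _derive(FACTORY_DEFAULT_MASTER, self.salt)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self.master_hash, _derive(password, self.salt))

    def uses_default_master(self) -> bool:
        return self._verify(FACTORY_DEFAULT_MASTER)

    def set_master(self, current: str, new: str) -> None:
        if not self._verify(current):
            raise PermissionError("master password rejected")
        if new == FACTORY_DEFAULT_MASTER or len(new) < 8:
            raise ValueError("new master password must differ from the default and be 8+ characters")
        self.salt = secrets.token_bytes(16)
        self.master_hash = _derive(new, self.salt)
        self.journal.append("master password changed")

    def set_denomination(self, password: str, value: int) -> None:
        # Reconfiguration is refused until the factory default has been replaced.
        if self.uses_default_master():
            raise PermissionError("default master password still in place; change it first")
        if not self._verify(password) or value not in (1, 5, 10, 20, 50, 100):
            raise PermissionError("master password rejected or unsupported denomination")
        self.journal.append(f"denomination {self.denomination} -> {value}")
        self.denomination = value

    def bills_for(self, amount: int) -> int:
        # Bills counted out for a withdrawal; if the cassette really holds larger bills the payout is inflated.
        return amount // self.denomination
```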
Mr. Kwon said the incident is a lesson to ATM distributors and operators on the importance of password security. Tranax contacted several customers to determine the extent of the problem. “Most of the people do change their passcode,” he said. Tranax has “sold 75,000 ATMs in the United States and Canada, and this type of incident is fairly rare.”
Tranax has identified the distributor whose ATM was involved in the Virginia incident, though Mr. Kwon would not name it. “We are trying to get the electronic journal and find out what sequence of events happened from the machine’s point of view,” he said.
The ATM’s owner is liable for the loss, because the root cause was the owner’s “carelessness of not changing their password,” he said. However, all the transactions were recorded, so it is possible that the people who received too much money can be identified, he said.
Installing the patch on ATMs that are already in the field will be optional, but it will be included in all new merchant machines that Tranax sells.
Tranax also sells through-the-wall ATMs to banks, but they can be reconfigured only by someone with access to a rear service panel, so the owners would not receive the patch, Mr. Kwon said.
Distributors will be able to download the update from Tranax’s Web site, but they must update each machine individually, he said.
Some ATM companies post user manuals online, including the default master password. Tranax makes its manuals available online only for distributors, Mr. Kwon said. “We know who they are, what they are, and what they do.”
One of its distributors posted its manual online, but Tranax has asked the distributor to take it down, he said.
Despite the attention the incident has received — and the availability of a Tranax manual online — Mr. Kwon said he has not seen a rash of copycat crimes.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said Tranax should do much more to improve ATM security. For example, she said that the machines could require technicians to use both a password and a magnetic stripe card to reconfigure a machine.
“It’s pretty hypocritical, actually, that they require customers to use two-factor authentication” — both a card and a PIN — “but they don’t require the staff who maintain the machines that dispense money to have two-factor authentication,” she said.
Not only would a master ATM card improve security, but it also would be relatively easy to set up the machines to do so, Ms. Litan said, because they “are already built to handle it.”
However, Mr. Kwon said that it is unlikely that Tranax will make any other security additions to its retail line beyond the patch. He also said that a card may not be an effective security measure. “If the operator’s intention to protect the machine is not there, if I give them a card, they’re going to pass it around” and negate its security effect.
Ms. Litan said that such a change likely would come at the urging of a card association, rather than an individual manufacturer. For example, Visa U.S.A. could mandate that ATM manufacturers follow its Payment Application Best Practices standard, a voluntary set of security guidelines for makers of point-of-sale software. These standards are part of the card industry’s Payment Card Industry security standards, which payments software vendors will be required to meet by 2008.
“The market’s starting to demand it,” she said, and more incidents like the Virginia one will only spark further demands. “Here’s a blatant example of machines being tampered with. What could be worse?”
If more criminals copy this tactic, this incident could end up being more significant than the February breach in which PIN and magnetic stripe data were stolen from a retailer and used to create cloned cards that were used to withdraw cash from ATMs in several foreign countries, Ms. Litan said.
She noted that the PIN breach at least required the crooks to write the data to blank cards — a method called white-carding, because the cards are often blank. Banks were able to identify the compromised cards quickly and block withdrawals on the accounts.
But in last month’s incident, the fraud was not linked to any specific card or account, and the ATMs’ passwords cannot be reset from a central server. “This makes white-carding look difficult,” Ms. Litan said. “This is a gold mine.”