Default Passwords aren’t safe?

I just read a Wired news article that illustrates yet another case of blatant security stupidity. It turns out that some ATM’s used by a specific vendor were configured without changing the default passwords. This allows you to essentially reprogram the ATM machine using nothing more than the ATM screen and a copy of the manual.

As yet undiscovered crook programmed the ATM machine to recognize the $20 bill tray as $5 bills, used a prepaid credit card, and walked away with a 300% profit. Most ATM machines allow you to withdraw up to about $300 per day. That means you could theoretically make $900 per day from a single machine. Within about 2 hours, you could probably hit 10 different ATM machines and walk away with about $9,000 in profit. I make good money as a consultant, but I certainly don’t make $4,500/hour!

All of this is assuming you’re never caught. If you’re caught, well it’s because you’re an idiot and didn’t realize there are cameras in the ATM machines these days, or you left your fingerprints on the card and threw it away in the basket right next to that ATM, or you didn’t wear glasses, a fake mustache, hoodie, and 70’s style sunglasses a la the Unibomber. It’s very stylish these days. You should try it.

In fact, just walking around a major city you’re likely caught on anywhere from from five to fifty surveilance cameras from gas stations, ATM machines, convenience stores, traffic lights, etc. Chances are you can’t be positively identified from any one of these sources, but if “the man” knows you were in a location at a given time, just looking at all the surveilance tapes of the surrounding areas would show where you had been recently and give a good idea of where you’re headed.

But I digress. The point of this is about security stupidity. These people run ATM machines. They deal with cash transactions. Isn’t there a security policy in place? Don’t these people audit their ATM machines for strong password sequences? Security isn’t exactly new. Electronic passwords have been around for some 30 years now. Yet as you can see, people are still not changing default passwords. Save us Obi-wan Kenobi. You’re our only hope!