More Default passwords?

A young Queenslander has been charged with hacking* offences after 'hacking' several ATMs to withdraw $30,000 in cash.

The article is short on detail about how these 'hacks' occurred, but it does suggest he "found information on the internet and in an ATM manual that allowed him to change the machines' settings so he could make huge withdrawals of cash".

What sort of information in a product manual would allow you to do something like this? I'm betting it was some kind of default password.

It isn't stated which bank owned the ATMs or whether they were all from the same bank - I'm guessing they may have been. After all, if you have a trick to do something like this it probably only works on one model of ATM, and if it worked on one ATM from a particular bank, it probably works on another!

Default passwords and misconfigured devices are unfortunately all too common. I suspect the practice is even worse when people are dealing with specialized, unusual devices like an ATM. This seems to be an example of security by obscurity at work: the incorrect assumption that the default password didn't need changing because only authorized personnel have access to the product manual. A quick Google search for ATM manuals and default passwords shows plenty of results!

Security by obscurity can be a controversial topic in security circles. At its core is the idea of being secure by design, rather than secure because of secrecy. In a recent discussion I was part of with a group of security professionals from different backgrounds, there were mixed opinions on the topic. Should your security design have no secrets? Should you publish it on the internet? Well, to me the common sense answer there is no, as obscurity or secrecy does have a place in security design and implementation. The important thing is that your security should not rely on the design being kept secret.

While I'm certainly not condoning or encouraging this type of crime, and there is a degree of supposition on my part in assuming default passwords were the cause, it would seem to fit. While the young man deserves the punishment for the crime, what about the failure of duty of care on the part of the bank? The lax security procedures?

*I don't know if being able to google for an ATM manual makes you a 'hacker'....
