The Green Sheet, Inc

Tranax, ATM industry react to ATM compromise

By Valerie Killifer, ATMmarketplace.com

This story was originally published on ATMmarketplace.com, Sept. 28, 2006; reprinted with permission. © 2006 NetWorld Alliance LLC. All rights reserved.

ATMIA Best Practices
  • Immediately verify ATM security codes. Make sure default codes have been changed.
  • Change ATM safe combinations from OEM settings.
  • Consult the user guide to ensure optimum operating standards.
  • Ensure that sublayers within your security settings have been reset.
  • Balance ATMs daily or as frequently as possible.
  • Reconcile settlement-account deposits with ATM balances.
  • Increase security surrounding the ATM.
  • Make sure all video equipment is working properly. Date video surveillance tapes and keep them secure for 60 days.

When Hansup Kwon, Chief Executive Officer of Fremont, Calif.-based Tranax Technologies Inc., heard that one of his company's ATMs was the target of fraud, he quickly went into action.

Kwon was enjoying a California evening on Aug. 19, the same day an unidentified man walked into a Virginia Beach, Va., Crown gas station and reprogrammed a Tranax Mini-Bank 1500 Series ATM. The man tricked the machine into dispensing twenties instead of fives and used a prepaid card to withdraw an undisclosed amount of cash.

The reprogrammed ATM dispensed those funds for nine days.

One month later, Dave Goldsmith, Founder and President of New York City-based Matasano Security, highlighted a potential part of the problem.

Referencing a YouTube video of the Virginia Beach incident, Goldsmith logged on to Google and, within 15 minutes, found a Tranax ATM manual online. Tranax's default passwords were listed in the manual, which also offered a comprehensive user's guide.

Tranax has 75,000 ATMs deployed worldwide. The company sends out a user's manual for each machine. But Kwon said the manual Goldsmith found was never intended for general viewing. (It was posted by a distributor in Canada.)

Doug Sholes, Marketing Director for Long Beach, Miss.-based Triton Systems, said the problem is relatively easy to fix, but it will affect public perception. "Once [the information] got out there [in the media], it got out there with the false context that all you have to do is Google to access any ATM," he said. "I don't want to sound like we're underplaying it, but from my point of view, having a default password is standard for any technology company."

Sholes said he didn't think the Virginia Beach incident was unusual "but we'd certainly like to preserve consumer confidence."

Maintaining consumer confidence is an industry focus. New security measures and compliance issues are impacting everyone associated with ATMs, said Jason Kuhn, Vice President of Operations for Willoughby, Ohio-based WRG Services Inc. "A lot of these changes are necessary and important, not only for the betterment of the industry, but to protect cardholder confidence," he said.

The industry reacts

As word spread about the Aug. 19 breach, the industry sprang into action. Kwon categorized the crime as more of an operational issue than a security problem.

It is unknown whether the criminal, who changed the password on the Virginia Beach ATM to reprogram it, had inside information. But in response to the incident, Kwon said Tranax is developing a software patch that will make default password changes mandatory on all of its new ATMs. The patch is expected to hit the market in a few weeks.

"We are emphasizing changing the password, but what we are trying to do is improve the operational issue and mak[e] it more secure," Kwon said. Providing additional security means working with ATM manufacturers, such as Triton, to come up with an industry solution, Kwon said.

In a Sept. 21 Wired magazine article, the author claims to have found an operating manual for a line of Triton ATMs online. Triton has since password-protected its ATM manuals on its Web site. Following the Aug. 19 incident, the company sent a security bulletin to each of its customers telling them to change their passwords. Triton also has plans to launch its own software soon, making it mandatory for ATM deployers to change their passwords after installation. Sholes said changing a default password is simple, but some deployers are reluctant to do it.

Wayne Vandekraak, President of Portland-based ATM service company Solvport, said time and money are the main reasons why, especially if a distributor has a large ATM portfolio. "It can be very expensive," he said. "You can hire a service company or an armored service, but either way someone has access to the passwords. Any third party having access to those passwords would increase the risk."

WRG's Kuhn said using default passwords is dangerous, and every deployer should take the time to change them, regardless of the expense. "Not changing your default passcode is the same as leaving your vault door open," he said. "You are simply asking for trouble."

Mike Hudson, the General Manager of Carrollton, Texas-based NCR EasyPoint ATM LLC, said there are no hard "requirements" when it comes to changing default passwords, but most, if not every, manufacturer recommends distributors change them. Hudson said Tidel is unique because it requires no default passwords; a programmer must enter his own code when accessing the machine.

"This provides yet an additional level of security, in that anyone attempting fraud would actually have to open the top part of the ATM to reprogram it. Presumably, even in a busy retail location, a clerk or manager would become suspicious of that type of activity if the service person hadn't first checked in with them," Hudson said.

A closer look

At the Sept. 13 - 15, 2006, ATM Industry Association's Security in the Americas conference, a committee was established to further review the password-hack concern.

Lana Harmelink, ATMIA's Director of International Operations, said the committee is expected to analyze ways to eliminate the problem, as well as how technology and safety nets, rather than human vigilance, can improve security. ATMIA recommends best practices for changing default passwords. To learn more about ATMIA's best practices, visit the association's Web site, www.atmia.com.

Link to original article: www.atmmarketplace.com/research.htm?article_id=26677&pavilion=4&step=story

Article published in issue number 061101

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.