Once again, ATMs have been “hacked” by individuals taking advantage of default, factory-set passcodes.
This time the passcode hasn’t been guessed, or ended up online for everyone to know because it was printed in the ATM’s service manual – the individual who, with the help of an accomplice, managed to cash out $400,000 in 18 months was a former employee of the company that operated the kiosk ATMs they targeted.
Tennessee-based Khaled Abdel Fattah had insider knowledge of the code that, when typed in, set the machines into Operator Mode, which allowed him and accomplice Chris Folad to reconfigure the ATM to dispense $20 bills when asked for $1 dollar ones.
They would do this, then ask the machine to dispense, for example, $20, and they would get away with $400. After this, they would revert back the change so that the theft would go unnoticed.
And it took 18 months for this to happen – the owner of one the businesses where one of these kiosk ATMs was set up noted that there was a problem when the machine was running out of money.
What ultimately led the Secret Service to the two fraudsters was the fact that their faces were captured by surveillance cameras and they used their own debit cards to make withdrawals. They also stuck to a rather limited set of ATMs, all located in Nashville.
According to Wired, both men have been charged with 30 counts of computer fraud and conspiracy.
This is not the first time that ATM heists like this happened. Around 2005, service manuals of ATMs manufactured by Tranax and Trident ended up online, and contained the passcodes that allowed anyone to access their Operator Mode.
Street crooks began taking advantage of the fact, but it took over 18 months for the wider public to discover it. This forced the ATM vendors in question to make it mandatory for operators to change this default password when installing the machine.
But unfortunately, there are many ATMs with the old system still out there, and still vulnerable.