The Hacker, the Con Man, the ATM -- and You

Last month, the FBI arrested a 19-year-old grocery store employee for trying to steal hundreds of thousands of dollars from ATMs. He planned to use default passwords he found online to reprogram the ATMs, convincing them they held $1 bills instead of $20 bills.

Moral of the story:Change your default passwords.

Wait -- did that advice come a little too soon? After all, there's a lot more to the story of Thor Alexander Morris, according to the affidavit from the FBI agent who led the investigation.

It seems Morris got the idea from a YouTube video that showed how to hack a widely deployed ATM made by Tranax Technologies. And the manual for those machines was available online, laying out all the information for adjusting an ATM so it gives out more money than it should -- including the default maintenance passwords.

An ATM programmed to give out $1 bills when it actually held twenties would respond to a request for $500 by counting out 500 $20 bills, or $10,000. At that rate, hitting just 30 ATMs would net $300,000. At least, that was Morris' plan.

Moral of the story:No kidding, change those default passwords.

So Morris flew to Texas, after making contact online with a Houston con man who said he could find dozens of Tranax ATMs. Morris bought a prepaid debit card, just as he'd seen online. He found an unsecured Wi-Fi signal and activated the card using the name "Barack Obama," then asked a friend of the con man to drive him to a flea market that had the right kind of ATM, where Morris put on a wig and fake beard and set to his task.

Unfortunately for Morris, the con man was feeding information to the FBI. The "friend" was an undercover agent. And the ATM was under surveillance. Oops.

Moral of the story:Really, change those default passwords. And pray you get an attacker this hapless.

Maybe you're thinking another moral should be: Curse the Internet for making it easy for crooks to find things like default passwords.

But the Internet made it much easier for the FBI, too. The law enforcement agency had clear photos of Morris, straight from his Facebook page. And his e-mails and instant messages to the con man let investigators know pretty much everything he planned to do.

Oh, yeah -- and the con man let FBI agents use his online identity to contact Morris directly. On the Internet, nobody knows you're a fed.

(Besides, your help desk probably saves itself a lot of work by pulling manuals from the Internet instead of searching among shelves, boxes and piles of documentation. Of course manuals are on the Internet -- along with tips, how-to's and dirty tricks. That's what the Internet is for.)

As it turned out, Morris' scheme was probably doomed from the start. That YouTube video was based on an ATM heist that took place in Virginia in 2006. After that, Tranax patched its software so installers had to change the default passwords before ATMs went into service. Morris never had a chance.

Make sure the would-be thief who goes after your systems doesn't do any better.

Moral of the story:Honest, you should change your default passwords. And apply your vendors' security patches. And when in doubt, call the FBI.

And never, ever get your security advice from YouTube.

Frank Hayes has been covering the intersection of business and IT for three decades. Contact him at cw@frankhayes.com .

Read more about management and careers in Computerworld's Management and Careers Knowledge Center.

Subscribe to the Security Watch Newsletter

Comments