ATM Maker Publishes Password; Thief Appreciates The Courtesy

The popular IT directive to "RTFM" was taken to heart by one cyberthief, who read the manual from an ATM manufacturer to learn its machines' default password and the key sequence to access that machine's programming. Having gained that access, according to an FBI affidavit, the cyberthief was going to tell the machine it was loaded with one-dollar bills—instead of the 20s it really held—which would allow him to boost his original investment 20-fold.

The man arrested, Thor Alexander Morris, said he worked at a Food Lion in North Carolina as a manager. Morris used Wal-Mart Green Dot Pre-Paid cards ($400 each) and a false ID to purchase those cards.

The FBI said Morris' plan was to attach GPS tracking devices on the vehicle of an ATM maintenance person working for ATM manufacturer Tranax and hit some 35 ATMs in Houston while wearing a wig, a goatee and different clothing as a disguise. For added protection, he was using a police scanner to get an early heads-up if Houston police patrols got too close.

As if this scenario isn't already too James Bond-like, Morris had a suit jacket altered "with the pocket deepened to conceal large amounts of money," the federal affidavit said.

By the way, the false name he successfully gave to Wal-Mart for the Green Dot cards? Barack Obama. Morris also used the actual White House address. He even accessed the site—to complete the form—from someone else's unsecured wireless Internet connection for added security. The connection Morris chose was from an apartment building, having bypassed open wireless access points at Wal-Mart, McDonald's, Pizza Hut and the International House Of Pancakes, among others.

If Morris hadn't been plotting this attack with an FBI informant and an undercover FBI agent, the plan would likely have resulted in a more profitable outcome.

With the government along for the show, Morris approached his first ATM and pressed the Enter, Clear and Cancel buttons and then the 1, 2 and 3 keys before typing in the default password. But bank officials, tipped off by the feds, had already changed the password.

The frightening thing about this hack attempt—beyond the fact that this ATM approach could be tweaked for many other retail devices—is that all the GPS tracking, goatee-wearing and scanner-monitoring tactics would have done nothing had Morris not had the machine's default password and access sequence. And that information was generously provided to all who bothered to read the manual. Granted, this courtesy needed to be matched by another courtesy from the retailers and banks housing the ATMs: namely that they not change the default password. Fortunately for thieves everywhere, there's not much chance of that happening.