Man charged in US for reprogramming cash machines

The US public prosecutor has charged a 19-year old man with attempting to reprogram cash machines. The man planned to exploit configuration options on cash machines manufactured by Tranax, which allow note denomination settings to be altered after entering a specific key sequence from the keypad (Tranax 1700: Enter, Clear, Cancel, 1,2,3) and a (default) password.

By changing the recorded denomination for the cassette holding £20 notes to only $1 notes, the machine can be persuaded to give more cash than apparently requested. Once the settings are changed, requesting $20 in one dollar notes would, for example, yield a sum of $400. The ATMs support three different passwords for accessing different service levels: operator, service and master.

According to a report by Wired magazine US, the 19-year old started out by contacting an ex-con he hoped would be able to supply him with a list of locations with vulnerable cash machines. His contact, however, passed this information on to the FBI, who arrested him as soon as he attempted to pull the scam.

The scam is not new and similar cases have previously been reported from the US. In all cases, fraudsters have taken advantage of cash machine operators' carelessness in not changing default (and documented) passwords. Cash machines supplied by Tranax now force administrators to change the password.

Although cash machines from manufacturers such as NCR, Wincor Nixdorf and Diebold also have a maintenance mode which allows them to be reconfigured from the customer keypad, it can only be accessed by opening the machine and manually switching to this mode. There have been no official reports of this type of fraud being carried out on cash machines installed in the UK or Germany.

See also:

• Indictment for cloned debit card fraud, a report from The H.
• An alarming increase in ATM crime, a report from The H.
• Windows Trojan on Diebold ATMs, a report from The H.

(crve)