ATM Maker Tranax Pushes For More Password Changes

  In September, someone who had an unchanged master password for a Tranax Mini-Bank 1500 ATM accessed the machine at a Virginia Beach, Va., store, and programmed it to dispense $20 bills instead of $5 bills. He used a prepaid debit card to get his cash, and press reports say the machine kept dispensing more than it should have for nine days until a customer reported the problem.
  Hansup Kwon, president and CEO of Tranax Technologies, a Fremont, Calif.-based ATM manufacturer, has a simple message for ISOs and other resellers of its ATMs: Change the password.
  When Tranax called the owner of the ATM at the Virginia store, the owner said he did not know if the password had been changed, Kwon says, so the owner shut down the machine.
  Later, Kwon learned someone posted on a blog that he found a Tranax manual online that contained a default master password. Those manuals are supposed to be available only to ATM distributors.
  Now, Kwon wants to get the word out to ISOs, who make up the majority of Tranax ATM distributors, that a patch is coming that will force the user to change the default password. Tranax has sold more than 75,000 of its ATMs in the United States and Canada.
  "The patch will not only tell the user to change the password, but it stops the ATM from operating until it is changed," Kwon says. The patch, which should be issued in the coming weeks, will be available from a secure page on Tranax's Web site.
  "That has a guarantee of a password change," he says. "We believe it will protect the ATM."
  Alternatively, Tranax can access machines via its remote management system if the owner has subscribed to the service, Kwon says. Tranax also has a configuration service, used for setting up phone numbers for the ATM to dial and other purposes, that can be used to change the master password.
  Kwon says the fraud that occurred in September could have been prevented had the master password been changed. The owner's manual contains a warning to change the master password, he says.
  In the meantime, Kwon says, ATM owners can change the password anyway. "In a few weeks," he says, "they won't have a choice."
  ISOs may want to pay particular attention to this, Kwon says. "This kind of incident hits the bottom line of ISOs," he says.
  The ATM owner takes the loss when master passwords are compromised because the fraud stems from not changing the password, Kwon says.
  NEW PATCHES
  But those consumers who got too much money from the altered machine in September may also face financial or other penalties. Tranax has contacted the ATM owner and is trying to get the machine's record of events during those nine days.
  Besides issuing a patch, Tranax says it will install the patch in all new machines when they ship.
  Tranax machines actually will have two passwords besides the master. One password is used for maintenance access. Another is used when cash is added to the ATM, and the third, the master, is for changing the machine's operating parameters.
  Gaining access to an ATM through the devious use of its default password is rare, Kwon says. But poor ATM security holds a lesson.
  "It's just like a notebook computer," Kwon says, alluding to several well-publicized cases where identity and payment information was exposed. "If it has very sensitive data on it, and you're not protecting it with a strong password, basically you're exposed."
  Industry analyst Tim Sloane, director of the debit practice at Mercator Advisory Group, says this type of security failure is a systemic one.
  "Any weak link along the entire value chain can blow away the best plans for security," Sloane says.
  But the blame for the password-related fraud does not all reside with Tranax, Sloane says. "The fact is, whoever installed the device should have been checked out and qualified, and changed the password," he says.
  ISOs are part of the security plan, too. Sloane says that, to get more ATMs into low-transaction locations, ISOs are pushing the maintenance and installation responsibilities onto merchants.
  "As units have been shipped further and further down market, ISOs have been relying on merchants, which changes the (security) process," he says. "So, this vulnerability all of a sudden springs into being."
  This incident is a wake-up call about the vulnerability, Sloane says. "It's a problem that clearly is both easily fixed and catches the eye of every participant in the industry."
  (c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
