A security researcher has managed to find the master passwords for the Tranax Mini-Bank ATM unit on the Internet after doing a search on Google.
Last week CNN screened a surveillance video of a man suspected of reprogramming the Tranax ATM to dispense $20 notes when he requested a $5 note using a pre-paid card. But the suspect didn't reprogram the unit back, so it continued to dispense more money than it should have for nine days, until the problem was reported by a customer.
Following the report, Dave Goldsmith, founder of Matasano Security, found master passwords to the Tranax Mini-Bank ATM along with other sensitive information in a PDF of the 102-page manual on a reseller Web site.
In his blog, Goldsmith says he first looked on Tranax's Web site and found a knowledge base article that stated that the ATM is programmed with passwords that can be found in the operator's manual.
Goldsmith managed to find a copy of the manual within 15 minutes. The document includes instructions on how to enter the diagnostic mode, default passwords and default combinations for the safe.
According to press reports, Tranax is planning a software upgrade, following the scam, that forces operators to change a default administrative passcode.