ATM Default Passwords

ATM Default Passwords




An excerpt from “A Multi-layered Approach to ATM Security”, a PDF available on [] (Warning, PDF link)

Password administration helps lock the front doors. Obviously, securing all access to the ATM is critical. And sometimes the least complicated efforts pay off with immeasurable benefits, such as consistent password management. Every ATM is delivered from the manufacturer with two passwords. The restricted user account has a hardened, random password not known by the manufacturer. The second account is the administrative account, which has a known default password that should be changed immediately by the financial institution. Unfortunately, leaving the administrative default password in place is a common practice although highly unsafe: it’s comparable to leaving the store unlocked after everyone leaves for the night.  And using default passwords is the easiest way for a hacker to access the ATM’s internal network. Diebold strongly recommends that the default administrative password be immediately changed when the ATM is put into service and that passwords are changed on a continuing basis at least every 90 days. A professional services provider such as Diebold’s Professional Services team can assist financial institutions in implementing effective password management by connecting the ATM to an active directory environment.

So to sum that up – yes, we know shipping default passwords on our machines is stupid, easily fixed, and creates a critical hole in ATM security. We do it anyways. And we know most of our customers don’t change it, so we wrote up a PDF and slapped it on our website.

Problem solved?

Submit a Comment

Your email address will not be published. Required fields are marked *