Last month, the FBI arrested a 19-year-old grocery store employee for trying to steal hundreds of thousands of dollars from ATMs. He planned to use default passwords he found online to reprogram the ATMs, convincing them they held $1 bills instead of $20 bills.
Moral of the story: Change your default passwords.
Wait — did that advice come a little too soon? After all, there’s a lot more to the story of Thor Alexander Morris, according to the affidavit from the FBI agent who led the investigation.
It seems Morris got the idea from a YouTube video that showed how to hack a widely deployed ATM made by Tranax Technologies. And the manual for those machines was available online, laying out all the information for adjusting an ATM so it gives out more money than it should — including the default maintenance passwords.
An ATM programmed to give out $1 bills when it actually held twenties would respond to a request for $500 by counting out 500 $20 bills, or $10,000. At that rate, hitting just 30 ATMs would net $300,000. At least, that was Morris’ plan.
Moral of the story: No kidding, change those default passwords.
So Morris flew to Texas, after making contact online with a Houston con man who said he could find dozens of Tranax ATMs. Morris bought a prepaid debit card, just as he’d seen online. He found an unsecured Wi-Fi signal and activated the card using the name “Barack Obama,” then asked a friend of the con man to drive him to a flea market that had the right kind of ATM, where Morris put on a wig and fake beard and set to his task.
Unfortunately for Morris, the con man was feeding information to the FBI. The “friend” was an undercover agent. And the ATM was under surveillance. Oops.
Moral of the story: Really, change those default passwords. And pray you get an attacker this hapless.
Maybe you’re thinking another moral should be: Curse the Internet for making it easy for crooks to find things like default passwords.
But the Internet made it much easier for the FBI, too. The law enforcement agency had clear photos of Morris, straight from his Facebook page. And his e-mails and instant messages to the con man let investigators know pretty much everything he planned to do.
Oh, yeah — and the con man let FBI agents use his online identity to contact Morris directly. On the Internet, nobody knows you’re a fed.