You're probably familiar with the Virginia Beach trickster who reprogrammed an ATM to shoot out 300% more money than was debited from his account, but now it seems his "discovery" might have been widely available all along. Dave Goldsmith, a computer security researcher at Matasano Security, began to dig a little deeper once the news broke, and thanks to the oh-so-disclosing CNN video, secured the machine's model and maker: a Tranax Mini Bank 1500 series. Reportedly, he then acquired a (legal) copy of the ATM's user's manual, which conveniently spelled out "how to enter the diagnostic mode, default passwords, and default combinations for the safe." Once the cash-spewing gizmo is in "Operator" mode, the only thing standing between you and illegitimate funding (aside from your conscience) is a password, and since default passwords are plainly listed in the manual, it's up to the installation crew to actually insert a more secretive alternative. While we assume Tranax has been hastily sending memos to stores that (currently, at least) use its machines, you'll probably notice the unmodified machines by the insanely long lines preceding them (or a mysterious lack of cash available to dispense).
Update: It looks like Tranax Technologies is stepping up to the plate and planning a "software update" that forces installers to change the default password before a machine goes into service. The company has stated that the patch should be ready "in a matter of weeks," but it can't "force operators of currently installed ATMs to install it."
[Via Wired Blogs]