

Police in Derry, Pennsylvania are baffled by a June ATM robbery in which an unidentified man wearing flip flops and shorts strolled into Mastrorocco's Market and reprogrammed the cash machine to think it was dispensing dollar bills instead of twenties.

Along with a female accomplice, the crook netted $1,540 in two visits on June 19 and 20, according to store owner Vince Mastrorocco. "They came in, they hit me the first day – a man and a woman – and they cleaned me out," Mastrorocco told THREAT LEVEL. "Then they came back the next day and cleaned me out again."

A sergeant with the Derry Borough Police Department says they're still investigating the crime, and no arrests have been made.

Of course, THREAT LEVEL readers know exactly what happened. The machine was a Triton 9100, and like competitor Tranax, Triton printed its default administrative passcodes in its ATM service manuals, which have been widely available online. We reported on this last September after a Virginia Beach gas station ATM (a Tranax) got hit with the same hack.

The ATM in the Derry heist was owned by the store, but operated by a company called Cardtronics. COO Mike Clinard says in a statement that it was Mastrorocco's responsibility to change the passcode from its default, which is (I kid you not) 123456.

"The ATM in question is owned and maintained by the merchant who is responsible for loading cash and performing basic maintenance functions. The service menu on this particular ATM model can be accessed using an administrative password that is set by the owner of the ATM, in this case Mastrorocco's Market. As with all password-accessible computer systems, it is necessary for the password-holders to secure any and all passwords to ensure the integrity of the system. ... No consumer monies or personal information were lost, or can be lost, in this type of attack, which is rare and easily thwarted through the use of robust passwords kept secure by the ATM owner."

But Mastrorocco says he couldn't be expected to know the ins and outs of the ATM.

"I'm not a technical person," he says. "I cut meat and I sell groceries. That's my job. I don't know anything about an ATM. I put money into it, people take it out, and I get a reading at the end of the day."

The Triton ATMs have two levels of password: an administrative passcode for routine daily operations, and a "master passcode" that also lets you change the cash machine's basic configuration. Mastrorocco says he changed the administrative code when he got the machine three years ago, but Cardtronics never told him to change the master passcode, which he didn't normally use.
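To make the two passcode tiers and the payout trick concrete, here is a small model written for this post; it is not Triton or Cardtronics code, and every class, method and passcode value other than the default 123456 is an assumption for illustration. It shows the administrative passcode failing to change configuration, the factory master passcode succeeding, a $20 withdrawal paying out twenty $20 notes once the cassette is declared to hold $1 bills, and the end-of-day reconciliation that exposes the shortfall.

```python
from dataclasses import dataclass

# Factory default master passcode reported in the article.
DEFAULT_MASTER_PASSCODE = "123456"


@dataclass
class Atm:
    """Toy two-passcode cash dispenser (constructed model, not real firmware)."""
    atm_id: str
    physical_denomination: int        # face value of the notes really in the cassette
    notes_loaded: int                 # notes currently in the cassette
    admin_passcode: str               # routine daily operations
    master_passcode: str = DEFAULT_MASTER_PASSCODE  # basic configuration changes
    configured_denomination: int = 0  # what the controller believes one note is worth
    reported_dispensed: int = 0       # dollars the controller thinks it paid out
    notes_dispensed: int = 0          # notes that physically left the machine

    def __post_init__(self) -> None:
        # A correctly set-up machine is configured for the notes it holds.
        if self.configured_denomination == 0:
            self.configured_denomination = self.physical_denomination

    def set_denomination(self, passcode: str, value: int) -> None:
        """Configuration change: gated by the master passcode, not the admin one."""
        if passcode != self.master_passcode:
            raise PermissionError("master passcode required")
        if value <= 0:
            raise ValueError("denomination must be positive")
        self.configured_denomination = value

    def change_master_passcode(self, current: str, new: str) -> None:
        """Rotate the master passcode; refuses the factory default and short codes."""
        if current != self.master_passcode:
            raise PermissionError("master passcode required")
        if new == DEFAULT_MASTER_PASSCODE or len(new) < 6:
            raise ValueError("refusing default or short master passcode")
        self.master_passcode = new

    def withdraw(self, amount: int) -> int:
        """Dispense `amount` dollars as the controller understands it.

        Returns the cash that actually left the machine, which differs from
        `amount` whenever configured and physical denominations disagree.
        """
        if amount <= 0 or amount % self.configured_denomination:
            raise ValueError("amount must be a positive multiple of the note value")
        notes = amount // self.configured_denomination
        if notes > self.notes_loaded:
            raise ValueError("cassette does not hold enough notes")
        self.notes_loaded -= notes
        self.notes_dispensed += notes
        self.reported_dispensed += amount
        return notes * self.physical_denomination


def audit_default_master_passcodes(fleet: list) -> list:
    """Owner-side check: which machines still carry the factory master passcode."""
    return [a.atm_id for a in fleet if a.master_passcode == DEFAULT_MASTER_PASSCODE]


def reconcile(atm: Atm, notes_at_open: int, notes_at_close: int) -> dict:
    """Compare the controller's end-of-day reading with a physical note count."""
    cash_gone = (notes_at_open - notes_at_close) * atm.physical_denomination
    shortfall = cash_gone - atm.reported_dispensed
    multiplier = cash_gone / atm.reported_dispensed if atm.reported_dispensed else None
    return {
        "reported": atm.reported_dispensed,
        "cash_gone": cash_gone,
        "shortfall": shortfall,          # the owner's actual loss
        "multiplier": multiplier,        # physical / configured denomination
        "suspect_denomination_swap": shortfall > 0,
    }


def demo() -> dict:
    # Constructed scenario: $20 cassette, owner changed the admin code only.
    atm = Atm("store-atm", physical_denomination=20, notes_loaded=500,
              admin_passcode="4817")
    try:
        atm.set_denomination(atm.admin_passcode, 1)   # admin code is not enough
    except PermissionError:
        pass
    atm.set_denomination(DEFAULT_MASTER_PASSCODE, 1)  # factory master code is
    cash_out = atm.withdraw(20)                       # asks for $20, gets 20 twenties
    report = reconcile(atm, notes_at_open=500, notes_at_close=atm.notes_loaded)
    return {"cash_out": cash_out, **report}


if __name__ == "__main__":
    print(demo())
```

Two things worth taking from the model: the administrative passcode the owner did rotate is irrelevant to this attack, because only the master passcode gates configuration, and the fraud is invisible in the ATM's own "reading" (it reports $20 dispensed) until someone counts the cassette.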

But he acknowledges that he knew the simple passcode was in there. A year-and-a-half ago, Mastrorocco wanted to change the transaction surcharge on the ATM, and found his administrative code didn't give him the required access. A Cardtronics support tech gave him the default master passcode over the phone, but neglected to urge him to change it to something else while he was at it, he says.

"They never told me anything about changing my password. They would tell me to use 123456."

Has he changed it now? "Oh yeah. I've changed it twice since then. I'm paranoid now. I'll probably do it again tonight."

——

Police Search For Thieves Who Reprogrammed ATM (The Pittsburgh Channel)

Criminals' ATM trick: Reprogram, swipe cash (Pittsburgh Post-Gazette)

Previously:

ATM Maker Readies Anti-Hack Patch

ATM Hack Round-Up: Report From the Field

ATM Crime Spree Imminent?