• Not surprised by the Wells Fargo ATM outage based on what I see

    17 Feb 2011

    Here’s an interesting story about the widespread Wells Fargo ATM outage that occurred last week. There’s speculation around the cause of the outage. Was it a hack? Was the system inadvertently taken down during system upgrades? Who knows…

    What I can say is that virtually every ATM I’ve come across in my work performing internal security assessments in/around the financial industry has been riddled with security holes. I’ve seen weak OS passwords, missing patches dating back 8+ years (many of which are easily exploitable via Metasploit to boot), open network shares and so on. Not long ago, I came across an ATM controller system (the big system typically running UNIX that controls all the ATMs across the bank) that had a blank password for the root account. How’s that for accountability?

    Seeing what’s going on with ATMs, it’s no surprise to me that this Wells Fargo outage occurred. I’m not saying a vulnerability was exploited in this situation, but you never know. I am surprised these types of outages don’t occur more often. When these types of security holes are present in ATMs, all it takes is a rogue insider with a little bit of technical sense to take everything offline, and more.

    Remember, if it’s got an IP address, anything’s fair game.