Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"

Not surprising.

[Z00L00K]

I'm not even mildly surprised that this was possible.

Hacked?

[Anonymous Coward]

So....
they had the manual with passwords....

this is hacked.... how?

In the US they'd have been charged

[JohnnyComeLately]

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Not hacking this term is thrown so loosely

[Anonymous Coward]

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

Re:In the US they'd have been charged

[Anonymous Coward]

They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

Relax, folks.

[Anonymous Coward]

This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

The real crime is...

[g01d4]

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

Re:Hacked?

[TheCarp]

A better question is: This is secured.....how?

Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

Re:Kids these days.

[Ionized]

they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

Re:Too dangerous to keep digitally now?

[schwit1]

If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

security through obscurity = camouflage

Re:Hacked?

[Yakasha]

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
Even putting "trivial" in front diminishes the glory of hacking.

Re:Hacked?

[rogoshen1]

because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

Re:Hacked?

[PopeRatzo]

I cant tell you how many coke machines out there can be taken over by simple keypresses.

I notice you're not sharing the password with us thirsty readers.

C'mon, bro.

Re:Not surprising.

[PRMan]

It's Canada, not the US.

Re: In the US they'd have been charged

[nmoore]

Before they did anything beyond twisting the doorknob (entering the default password), they got permission.

"He said that wasn't really possible and we don't have any proof that we did it.

"I asked them: 'Is it all right for us to get proof?'

"He said: 'Yeah, sure, but you'll never be able to get anything out of it.'"

That said, twisting the doorknob is probably an offense under the CFAA.

Re: Not surprising.

[fustakrakich]

Exactly, they took a big chance there. Honesty does not go unpunished in this business. The only safe way is to report it anonymously, and then take some money if they ignore the report and don't fix the problem. The point is to make sure it remains their problem, not yours.

Re: Not surprising.

[mfh]

Canada doesn't do stupid shit like that. They probably will get an internship out of it and become security experts for the banking industry.

Re: Not surprising.

[Lumpy]

If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.

Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Re: Not surprising.

[Bitbyte]

Wouldn't go about using the media's term "hacking" the kids followed the operating manual the bank was just silly in not restricting their end devices properly It would be hacking if they ran some kind of exploit and found a zero day but they didn't they just followed easy to obtain documents

Re: Not surprising.

[zeugma-amp]

Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understand that by now. Sadly, many don't see the police state until it's boot is stomping them.

Re: Not surprising.

[rioki]

I would disagree with you, the classical term hacking is used for any mode penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember most hacks are still done through some sort of social engineering.

Re: Not surprising.

[mcvos]

+1 for hacking although I'm surprised they didn't make withdrawals first

They'd definitely go straight to prison in that case. It's hard enough to warn about serious security leaks these days without getting treated like a criminal.

These are good kids. Let's hope they get rewarded and not punished.

Re: Not surprising.

[pjt33]

Having the interest to look for the operating manual, read it, and test it, all with the aim of learning and having fun rather than under any obligation, seems rather close to the Jargon File definition of a hacker.

Re: Not surprising.

[CaptainLard]

and then take some money if they ignore the report and don't fix the problem.

This sterling nugget of wisdom would accomplish the opposite of:

The point is to make sure it remains their problem, not yours.

I'll add your sig is not short on irony (not sure if its the ./ approved or the Alanis Morrisette variety) given the content of your post. Good luck with your internal conflicts!