Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
Not surprising. (Score:5, Insightful)
I'm not even mildly surprised that this was possible.
Hacked? (Score:3, Insightful)
So....
they had the manual with passwords....
this is hacked.... how?
In the US they'd have been charged (Score:5, Insightful)
Not hacking this term is thrown so loosely (Score:2, Insightful)
Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.
Re:In the US they'd have been charged (Score:5, Insightful)
They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.
Relax, folks. (Score:5, Insightful)
This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.
The real crime is... (Score:4, Insightful)
When does incompetence become criminal neglect?
Re:Hacked? (Score:4, Insightful)
A better question is: This is secured.....how?
Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.
It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.
Re:Kids these days. (Score:5, Insightful)
they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.
what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.
you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.
Re:Too dangerous to keep digitally now? (Score:3, Insightful)
If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.
security through obscurity = camouflage
Re:Hacked? (Score:5, Insightful)
True, it's a "hack" but it's a pretty trivial hack.
They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
Even putting "trivial" in front diminishes the glory of hacking.
Re:Hacked? (Score:4, Insightful)
because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)
Re:Hacked? (Score:5, Insightful)
I notice you're not sharing the password with us thirsty readers.
C'mon, bro.
Re:Not surprising. (Score:5, Insightful)
Re: In the US they'd have been charged (Score:3, Insightful)
That said, twisting the doorknob is probably an offense under the CFAA.
Re: Not surprising. (Score:3, Insightful)
Exactly, they took a big chance there. Honesty does not go unpunished in this business. The only safe way is to report it anonymously, and then take some money if they ignore the report and don't fix the problem. The point is to make sure it remains their problem, not yours.
Re: Not surprising. (Score:4, Insightful)
Canada doesn't do stupid shit like that. They probably will get an internship out of it and become security experts for the banking industry.
Re: Not surprising. (Score:5, Insightful)
If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.
Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.
Re: Not surprising. (Score:5, Insightful)
Re: Not surprising. (Score:5, Insightful)
Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.
Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understands that by now. Sadly, many don't see the police state until its boot is stomping them.
Re: Not surprising. (Score:5, Insightful)
I would disagree with you, the classical term hacking is used for any mode penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember most hacks are still done through some sort of social engineering.
Re: Not surprising. (Score:4, Insightful)
+1 for hacking although I'm surprised they didn't make withdrawals first
They'd definitely go straight to prison in that case. It's hard enough to warn about serious security leaks these days without getting treated like a criminal.
These are good kids. Let's hope they get rewarded and not punished.
Re: Not surprising. (Score:4, Insightful)
Having the interest to look for the operating manual, read it, and test it, all with the aim of learning and having fun rather than under any obligation, seems rather close to the Jargon File definition of a hacker.
Re: Not surprising. (Score:5, Insightful)
and then take some money if they ignore the report and don't fix the problem.
This sterling nugget of wisdom would accomplish the opposite of:
The point is to make sure it remains their problem, not yours.
I'll add your sig is not short on irony (not sure if it's the ./ approved or the Alanis Morissette variety) given the content of your post. Good luck with your internal conflicts!