Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM" 378
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
Hacked? (Score:3, Informative)
It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.
Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.
No charges (Score:2, Informative)
They had permission from an employee. Whether the employee had the authority to grant that permission is another issue altogether, but they were acting with the bank's permission.
Re:Hacked? (Score:5, Informative)
The definition of hacking, the legal one, in many places at least in europe is defined pretty much as the following: Being somewhere you're not supposed to, while knowing you're not supposed to, and then snooping around instead of just leaving. I guess it's the digital alternative of 'breaking and entering'. Just because you found a post-it with the lock of the front door on the ground, it doesn't make it right to go in. Common sense should kick in at some point, so if you do it anyways, justice assumes common sense did kick in and you entered willfully. THAT makes it illegal.
That's pretty much common sense.
Re: Not surprising. (Score:5, Informative)
If the ATM is anything like what was at the various gas stations I worked at, they wouldn't be able to make any withdrawals. Yes we could get into Admin mode with just a code that was punched into the keypad. There was an option to test the bill dispenser, but the bill that got pulled from the cartridge during the test never left the inside of the safe, it just got dropped into another compartment inside the safe for us to pull out later when we changed the cartridge. I would imagine that hackers would have to gain access to the computer inside the ATM to be able to get it to spit out bills to be grabbed, but hacking being what it is, I'm sure someone will figure out how to do it from just the outside keypad eventually.
Re: Not surprising. (Score:5, Informative)
There was a post on here several years ago about this same issue on Tritan and Tranax ATMs where the operators never changed the default passwords. What they would do is change the denomination that's in the drawer, so the ATM thinks it has $1 bills instead of $20 bills. They would then use a prepaid credit/debit card (like the Greendot ones you can get pretty much anywhere) to withdraw say $200. Rather than giving 10 $20 bills like it's supposed to, the machine would spit out 200 $20 bills.