Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"

Not surprising.

[Z00L00K]

I'm not even mildly surprised that this was possible.

Re:

[Penguinisto]

I'm not even mildly surprised that this was possible.

Not at that I'm not... what I am surprised at is the fact that the bank didn't immediately have the kids locked-up and headed for a lifetime of prison.

Re:Not surprising.

[PRMan]

It's Canada, not the US.

Re:Not surprising.

[NotDrWho]

Okay, a lifetime of prison with the signs also in French.

Re:Not surprising.

[Minwee]

Not just in French, but with the French on top and in a larger typeface so that it is markedly predominant.

It's the law.

Re:Not surprising.

[Darinbob]

We need some moderation to mark a post Sad instead of Funny.

Re:

[TheTerseOne]

The day I knew this was inevitable was the day I saw "Made in China" written in Spanish on something from a US company. (Yeah - I could have looked up "Made in China" and put it on here in Spanish, but I don't really care.)

Re:

[theshowmecanuck]

Any other province a business can put ANY language they want on their signs at any size they want. In Richmond B.C. there are blocks where there are only Chinese signs. In Quebec one is not free to conduct business in the language of your choice, so you are not allowed to put anything except French on the outside of your business and can only put very small non-French words on interior signs (under larger French words). The government forces employees of companies to speak French, and children are not allow

Re:

[theshowmecanuck]

I actually read the news. No recess from French as Montreal schools to scan playground chatter [nationalpost.com]. You need to stop drinking the cool aide. Free speech is free speech. One of the worst excuses for regulating speech and other civil liberties is "to keep our culture pure." It has slippery slope written all over it.

Re:Not surprising.

[vic-traill]

[ ... Snorts Repeatedly ... ] That is the funniest gdamn post I've read in quite a while. Maybe you have to be Canadian for it to be funny. Even worse, maybe you have to a Canadian in Ontario (which I am). But that was damn funny. Thanks for the Laugh of the Day.

Re:Not surprising.

[alexo]

It's Canada, not the US.

Yet...

Re:Not surprising.

[PPH]

It's Canada, not the US.

Well that explains them reading the manual. Or anything, for that matter.

Re:

[ThatsNotPudding]

It's Canada, not the US.

Good for them, as in the US they would have shot on sight or would already be in Gitmo.

Re:

[nospam007]

"I'm not even mildly surprised that this was possible."

I'm surprised that teens RTM, the ones I know, don't ever!

Re: Not surprising.

[Pieroxy]

I'm actually surprised they're not yet in jail...

Re:

[fustakrakich]

Exactly, they took a big chance there. Honesty does not go unpunished in this business. The only safe way is to report it anonymously, and then take some money if they ignore the report and don't fix the problem. The point is to make sure it remains their problem, not yours.

Re: Not surprising.

[CaptainLard]

and then take some money if they ignore the report and don't fix the problem.

This sterling nugget of wisdom would accomplish the opposite of:

The point is to make sure it remains their problem, not yours.

I'll add your sig is not short on irony (not sure if its the ./ approved or the Alanis Morrisette variety) given the content of your post. Good luck with your internal conflicts!

Re: Not surprising.

[StrangeBrew]

Jail would only have been a concern if they weren't in Quebec and changed the default language to english, as part of their 'proof'.

Re: Not surprising.

[StrangeBrew]

What a shame that Slashdot spent so much time on a 'beta' site instead of adding an option to retract or edit a comment. I saw further down that someone made the same joke, and don't want to get sued for infringement.

Re: Not surprising.

[ls671]

> and don't want to get sued for infringement.

No problems. You can only be accused of ignorance since Winnipeg is a little far from Quebec.

Re: Not surprising.

[mfh]

Canada doesn't do stupid shit like that. They probably will get an internship out of it and become security experts for the banking industry.

That's why we have 'extraordinary renditions'

[dcooper_db9]

By which I mean sanctioned kidnapping. I know; you were picturing 200 lumberjacks drunk on maple whiskey, performing a line dance while singing 'O Canada'.

Re:

[stealth_finger]

Canada does indeed do that stupid shit. The people who call the shots up here want to be just like america in every way possible.

The Canadian gov even has a copyright on it's own flag, they can and will issue a takedown if you use it in a way they don't like.

Re: Not surprising.

[Lumpy]

If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.

Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Re: Not surprising.

[zeugma-amp]

Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understand that by now. Sadly, many don't see the police state until it's boot is stomping them.

Re: Not surprising.

[Anonymous Coward]

If the ATM is anything like what was at the various gas stations I worked at, they wouldn't be able to make any withdrawals. Yes we could get into Admin mode with just a code that was punched into the keypad. There was an option to test the bill dispenser, but the bill that got pulled from the cartridge during the test never left the inside of the safe, it just got dropped into another compartment inside the safe for us to pull out later when we changed the cartridge. I would imagine that hackers would have to gain access to the computer inside the ATM to be able to get it to spit out bills to be grabbed, but hacking being what it is, I'm sure someone will figure out how to do it from just the outside keypad eventually.

Re: Not surprising.

[Ingenium13]

There was a post on here several years ago about this same issue on Tritan and Tranax ATMs where the operators never changed the default passwords. What they would do is change the denomination that's in the drawer, so the ATM thinks it has $1 bills instead of $20 bills. They would then use a prepaid credit/debit card (like the Greendot ones you can get pretty much anywhere) to withdraw say $200. Rather than giving 10 $20 bills like it's supposed to, the machine would spit out 200 $20 bills.

Re: Not surprising.

[Bitbyte]

Wouldn't go about using the media's term "hacking" the kids followed the operating manual the bank was just silly in not restricting their end devices properly It would be hacking if they ran some kind of exploit and found a zero day but they didn't they just followed easy to obtain documents

Re: Not surprising.

[rioki]

I would disagree with you, the classical term hacking is used for any mode penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember most hacks are still done through some sort of social engineering.

Re: Not surprising.

[pjt33]

Having the interest to look for the operating manual, read it, and test it, all with the aim of learning and having fun rather than under any obligation, seems rather close to the Jargon File definition of a hacker.

Re: Not surprising.

[mcvos]

+1 for hacking although I'm surprised they didn't make withdrawals first

They'd definitely go straight to prison in that case. It's hard enough to warn about serious security leaks these days without getting treated like a criminal.

These are good kids. Let's hope they get rewarded and not punished.

Hacked?

[Anonymous Coward]

So....
they had the manual with passwords....

this is hacked.... how?

Re:

[Shatrat]

The default passwords shouldn't be used, and without a key someone shouldn't be able to gain management access to the device.

Re:

[ganjadude]

it is insane how many devices out there are still using default passwords. It seems to me that th eonly items im seeing ship with unique PWs by default these days are cheap WIFI routers surprisingly. I cant tell you how many coke machines out there can be taken over by simple keypresses. My best friend was a cooke distributer, and none of their machines were on a different default PW, always made getting a coke trivial for him however

Re:Hacked?

[PopeRatzo]

I cant tell you how many coke machines out there can be taken over by simple keypresses.

I notice you're not sharing the password with us thirsty readers.

C'mon, bro.

Re:

[mythosaz]

I've seen one discussion after another discussing passwords and button press combinations on soda machines, but have never, ever, seen one work.

I call shenanigans.

Soda machines are mostly electro-mechanical rather than computer controlled. Either the switch is active to allow button presses to dispense soda, or they're not. You don't program them from the outside. You set the DIPs to the vend prices per column (if it's multi-price) and lock it back up.

Re:

[Jarik C-Bol]

Which is interesting, because even the old "electromechanical" machines would suffer from hiccups. There was an old machine at my school that, quite reliably, after you paid for one, would give you two Dr. Peppers when you pushed the button for it. It also would give you as many diet cokes as you cared to own, assuming you kept pressing the button as quickly as possible after you fed it your change; if you stopped, it would reset and lock out. If you pushed the Dr Pepper button and the Diet Coke button at

Re:

[JaredOfEuropa]

I'm surprised such changes can be made from the front panel of the machine. I'd say that any administrative mode should only be accessible by a switch or keypad inside the machine's strongbox.

Re:

[Jarik C-Bol]

Exactly.
This is another device, but the principles involved are the same. Where I work we have a coin sorting machine, sort of like a coin star. This particular model dispenses cash instead of a receipt that you take to the counter to cash in, the way a lot of the bigger chains are. With our machine, there is a keyed lock that opens a little flipper door that houses a separate physical keypad that controls all the admin functions. Public user access to the machine is restricted to a touch screen with a ex

Hacked?

[Anonymous Coward]

It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.

Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.

Re:Hacked?

[Richy_T]

That's the password on my luggage.

Re:

[laird]

True, it's a "hack" but it's a pretty trivial hack.

Re:Hacked?

[Yakasha]

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
Even putting "trivial" in front diminishes the glory of hacking.

Re:

[unrtst]

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.

Even putting "trivial" in front diminishes the glory of hacking.

Isn't this all very similar to the phreaking of the 70's/80's, or hacks resulting from simply reading IBM manuals or the rainbow series? Or is everyone too old to remember that?
FWIW, I do think this is trivial, and it's simply a poorly setup ATM, but taking advantage of obscure weaknesses is a time honored tradition AFAIK, and I bet the kids even learned a fair bit from doing this (unlike a script kiddie that just downloads and blindly executes other peoples work).

Re:

[meerling]

The neither hacked nor cracked it, they used the built in an approved method as outlined in the Operators Manual. The only questionable part was that they were not authorized to do so, except maybe when they demonstrated it to the bank personnel because they were requested to by an authorized person.

Re:Hacked?

[Pieroxy]

The definition of hacking, the legal one, in many places at least in europe is defined pretty much as the following: Being somewhere you're not supposed to, while knowing you're not supposed to, and then snooping around instead of just leaving. I guess it's the digital alternative of 'breaking and entering'. Just because you found a post-it with the lock of the front door on the ground, it doesn't make it right to go in. Common sense should kick in at some point, so if you do it anyways, justice assumes common sense did kick in and you entered willfully. THAT makes it illegal.

That's pretty much common sense.

Re:Hacked?

[TheCarp]

A better question is: This is secured.....how?

Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

Re:

[geekoid]

You have 100s of machines, dozens of employees, who need legitimate access. How do you share the passwords on all those machine?
Is your solution cost effective? Does it account for areas with bad reception?
Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

wrong and trivial solutions

[raymorris]

First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.

Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companys use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other remployees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman empire or so.

Re:

[matria]

When I was in the Navy, there was a key rack in the wachstander's office (barracks watch). Oncoming watchstanders called in to base security to report status, including the presence of all keys, at regular intervals. One petty officer who was a good friend of the barracks chief kept the keys to the barracks back door in her room so she could let her boyfriends in. I was always getting in trouble when I stood watch because I refused to falsify my reports. I would report the key missing, and base security wou

Re:

[AK Marc]

How do you share the passwords on all those machine?

The same way they do for WiFi routers (and have done for 10+ years). You put it on the machine. There are doors locked with keys, and you expect them to have the keys to the ATM, so have the password on the inside of the door. Only if someone is already inside can they see it.

Is your solution cost effective?

Yes.

Does it account for areas with bad reception?

Yes

Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

And if it cost $0 to prevent all theft, how stupid would you have to be to not secure it?

The typical Slashdot response. "I can't think of an easy way to fix the problem so it must be impossible." No, you are just stupid.

Re:

[Jarik C-Bol]

Hell, the company can use the same password on all the machines, as long as its not the default password sure, its not great security, but its better than leaving all the machines on the password in a publicly available book.

Re:Hacked?

[Yakasha]

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Re:Hacked?

[ThatsDrDangerToYou]

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Wait.. what? You can do that?

Re:

[sound+vision]

You have a Blockbuster?

Re:Hacked?

[rogoshen1]

because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

Re:

[Jeremy Erwin]

I recently read Clifford Stoll's Cuckoo's egg and a good many of "Hunter's" exploits were based on nothing more than known service passwords. You'd think that things would have changed since 1989, but apparently the same mistakes are being made.

Let's do the math, shall we?

[justthinkit]

8B T/yr [hitachiconsulting.com], times $2.22/T [howstuffworks.com].

I think a problem with a potential downside of $17,760,000,000 is, well, a problem.

In the US they'd have been charged

[JohnnyComeLately]

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Re:In the US they'd have been charged

[Anonymous Coward]

They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

Re:

[cdrudge]

Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Of course you are. Why would they leave things that don't plug into a wall and/or have Ethernet capabilities? Take everything. Toaster, tooth brush, pet rock...it's all evidence of the crime and/or hacking tools. They'd probably search the houses of your friends, family, and the guy you looked at walking down the street a week ago too.

1984 eleventyoneone!!!!

[Hognoxious]

Could be worse. In Britain they'd have been fimed with cameras!

And other stuff

[tekrat]

For example, if they find bleach AND draino under the sink, you're also charged with "Chemical Weapons Possession" if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.

Re:

[SuricouRaven]

Usually they'll use that to threaten the suspect into a plea bargin. Either admit guilt and go to jail for five years, or fight it and they'll do the best they can to send you for fifty.

Re:

[CanHasDIY]

... only assholes totally trying to stretch laws way past stupid over-reach will try to arrest someone on something that flimsy.

Have you ever met an American LEO?

"Assholes trying to stretch laws" is a fitting description.

Three reasons for this behavior

[ub3r n3u7r4l1st]

1. LEO have a case "quota" to meet.
2. Government attorneys who are thinking of running for an elected political office, want to appear to be "tough on crime" (which is apparently want most voters want, unfortunately.)
3. The top 1% wants to suppress any tiny indication of an uprising. An citizenry that is armed with biological, chemical or nuclear capabilities threatens the existence of the elite class.

Re:

[ColdWetDog]

Which is a sad (if a bit hyperbolic) reflection of things these days. In the early 1970's, we had a time sharing terminal at our high school. I noted the manuals for the system in my father's office at Boeing, 'borrowed' the manuals and we proceeded to have a fun couple of hours screwing around in admin land. We then got a nice little reply on said terminal to please stop doing that.

So we stopped.

The school got a phone call that asked them to supervise the children a bit better and that was that. No muss

Re:

[Jeremy Erwin]

That was Jerry Pournelle's excuse [art.net], too.

Re:

[mark-t]

They weren't caught in the act... they voluntarily came forward to state what they had done... if they had not done this, nobody would have been the wiser, and the kids would know how to unlock admin mode on said atms without anyone else knowing that they knew how to do that.

Re:

[nmoore]

Before they did anything beyond twisting the doorknob (entering the default password), they got permission.

"He said that wasn't really possible and we don't have any proof that we did it.

"I asked them: 'Is it all right for us to get proof?'

"He said: 'Yeah, sure, but you'll never be able to get anything out of it.'"

That said, twisting the doorknob is probably an offense under the CFAA.

Re:

[idontgno]

You're advocating against millennia of moral teaching and (perhaps genetic) altruism: the willingness to personally endanger one's self in order to help someone else.

I'd argue these youngsters, and other white hats, are modern Good Samaritans. Everyone familiar with the Parable of the Good Samaritan picks up on how the Samaritan was socially unlikely to help the Jew, and under no real obligation to do so, and therefore a moral exemplar. But one of the subtexts of the story is that the Samaritan put himself

No Good Deed Goes Unpunished

[Tokolosh]

In the USA anyway, the kids are looking at adult jail time.

Re:

[CrimsonAvenger]

Did "Bank of Montreal" not clue you in that this wasn't in the USA?

Re:

[CrimsonAvenger]

In the USA (and Canada, and the UK, and pretty much the rest of the world), we have something called "tenses".

Specifically, there are tenses that apply to counterfactual but hypothetical cases. For instance, if you're trying to say that in the USA someone would be subject to thus and so, one might say "in the USA, they WOULD BE charged".

Or one might add as a prequel to your statement that standard word for hypothetical but counterfactual "if"...Nevermind. I forgot this was /., where literacy is never an

Re:

[rogoshen1]

then nancy grace would run a story about how al'qaeda has started recruiting sleeper agents out of the local grade schools.
we must clamp down on our schools, your kid might be a terrorist and you wouldn't even know.. until it's too late.

Too dangerous to keep digitally now?

[coastwalker]

Does anyone else think that its getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?

Re:

[infogulch]

With that sentiment, you'd never put *anything* online. This whole thing is just some asshat ATM admins leaving stuff in the *default configuration*. This is the equivalent of buying a home router and not changing the default password (though nowadays routers come with individualized passwords, but they didn't used to).

Re:Too dangerous to keep digitally now?

[cdrudge]

though nowadays routers come with individualized passwords, but they didn't used to

When Verizon FiOS first came to my area, the autogenerated WEP password was based on a 5 character SSID. There were online tools [whatsmyip.org] that you could use to lookup what the default password would be and almost no one, relatively speaking, bothered to change it from the default. Came in handy on more than a few occasions to get free wifi as just about anywhere you go you were in range of someone that had FiOS.

Another brand used the wireless MAC as the WEP key. shm

Re:

[geekoid]

NO, it is not worthless. It is a layer of security, and a valid one.

Any single layer security process is foolish.
Risk, costs, effort these are all factor that need to be mitigated.

Re:

[schwit1]

If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

security through obscurity = camouflage

Re:

[lars_stefan_axelsson]

Sure, the warning should really be against "Security only though obscurity." But that doesn't scan. Or something.

Then again, there are times when obscurity will hinder your security. I.e. it's a better trade-off to publish your new crypto algorithm to try and attract the experts to tell you where you got it wrong, rather than relying on your own expertise. Unless you'er a government signals intelligence organisation you probably don't have it.

Also. Keeping a well defined secret, is not "obscurity". So havin

In other news...

[Anonymous Coward]

In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.

Not hacking this term is thrown so loosely

[Anonymous Coward]

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

Re:

[Cro Magnon]

Is it considered hacking if the admin password is "123456"?

Relax, folks.

[Anonymous Coward]

This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

I want to be shocked, but I just can't be.

[Ghostworks]

Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.

The fact that they still do this is depressing, but doesn't surprise me in the least.

Re:

[Darinbob]

They thought Mitnick was some sort of super genius, like Lex Luthor.

What it really comes down to is money. It's more expensive to make things secure than to accept a 2% estimated loss per year. This is basically a convenience fee.

Kids these days.

[Rodness]

By "hacked" you mean "followed printed instructions from a user's manual". If that's the new "hacking" then I weep for mankind.

Re:Kids these days.

[Ionized]

they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

The real crime is...

[g01d4]

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

Re:

[Wain13001]

When it uses the same combination as my luggage!

Demo Disks

[Ronin Developer]

Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk hat, when inserted into a floppy disk port inside the ATM's housing (but, easily accessed) placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM - including the automatic dispensing of cash.

With furled eyebrows, he asked whatever became of all the demo disks after the ATM was installed..nobody knew...just assumed they were thrown out. He asked if they considered this a problem. And, he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted...until one day when money just started disappearing from ATMs. Seems, somebody else found or had one of those disks and realized what they had.

Pretty scary these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispensor like was possible with the old demo disks.

Stop Assuming Appliances Can DropIn Without Config

[infogulch]

From this to Highway Sign Hacking [slashdot.org] to that researcher that made a botnet of home routers with default config to ping the whole of ipv4, I really hope admins are getting the point that you can't just drop appliances in public places without adjusting the default configuration. What critical infrastructure is left out there just begging for someone with an operator's manual to wreck it, or even worse, exploit it? Can we get a wake-up call to the administrators of these appliances?

Re:

[Anonymous Coward]

Honestly, I don't think even a wake-up call would do anything. Prime example from my life:

I went to a community college for a few years to get gen-eds out of the way cheap before going to a real college. In one of the buildings, there was a break room that was really popular with students despite not really being anything special - some tables and chairs, and that was about it. I had no idea why it was so popular when there were other break rooms on campus that had TVs and better Wi-Fi access and the like.

Re:Stop Assuming Appliances Can DropIn Without Con

[shadowrat]

The owner of the machine was probably a genius. The markup on soda is so astronomical that he could probably sell 7 or 8 each time and still come out ahead. He was just shrewdly undercutting his competition on campus.

Kids?

[meta-monkey]

Kids?! More like cybercriminal financial terrorists! Time for a no-knock SWAT raid! Flashbangs, go go go and shoot the dog, too!

Feynman lives on

[Deadstick]

Seems like an echo of Richard Feynman's famous "I can open your safe" hobby at Los Alamos. Same method: guessing at obvious combinations like birthdates, in the 50% of cases where the lock wasn't still on the factory combination.

And yet

[Hamsterdan]

When there's an ATM fraud in a customer's account, the customer is accounted responsible for his own account.

Re:

[mythosaz]

C'mon. Even the Canadians know to use h0ckey.

Re:

[Bob the Super Hamste]

Well it has been done before [schneier.com] and this seems like something that would be accessible when in operator mode.