Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
I'm not even mildly surprised that this was possible.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
So....
they had the manual with passwords....
this is hacked.... how?
Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?
that they didn't scam the bank and bought a few nice gadgets. ;))
(or may be they have and nobody noticed
In the USA anyway, the kids are looking at adult jail time.
Prove anything by multiplying Huge Number times Tiny Number
Breaking news!
Does anyone else think that its getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?
Facts are history now plebs have politics for religion on social media.
It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.
Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.
In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to have diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.
Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.
This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.
Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.
The fact that they still do this is depressing, but doesn't surprise me in the least.
By "hacked" you mean "followed printed instructions from a user's manual". If that's the new "hacking" then I weep for mankind.
When does incompetence become criminal neglect?
I wonder what actually is accessible via operator mode. Changing text and the fees is one thing, but can it actually give the 'operator' any money by either changing the account where fees are deposited and/or by directly 'withdrawing' the money on the spot (without a bank account).
Could be worse. In Britain they'd have been filmed with cameras!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Obviously, they did nothing wrong, but they are going to end up in jail anyway. I find that very sad.
Criminal charges pending in 3 ... 2 ... 1 ....
For example, if they find bleach AND draino under the sink, you're also charged with "Chemical Weapons Possession" if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.
If telephones are outlawed, then only outlaws will have telephones.
Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk that, when inserted into a floppy disk port inside the ATM's housing (but easily accessed), placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM - including the automatic dispensing of cash.
With furled eyebrows, he asked whatever became of all the demo disks after the ATM was installed..nobody knew...just assumed they were thrown out. He asked if they considered this a problem. And, he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted...until one day when money just started disappearing from ATMs. Seems, somebody else found or had one of those disks and realized what they had.
Pretty scary these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispenser like was possible with the old demo disks.
I had to read this a few times to figure out what was going on. Why do I care about "kids with operators"? How does one "manual alert" someone? Then I realized that we were talking about an Operator's (or Operators') Manual, and that the submitter and editors were just illiterate.
From this to Highway Sign Hacking to that researcher that made a botnet of home routers with default config to ping the whole of ipv4, I really hope admins are getting the point that you can't just drop appliances in public places without adjusting the default configuration. What critical infrastructure is left out there just begging for someone with an operator's manual to wreck it, or even worse, exploit it? Can we get a wake-up call to the administrators of these appliances?
because I didn't think kids today read anything more complex than the Twilight and Shades of Gray books.
They had permission from an employee. Whether the employee had the authority to grant that permission is another issue altogether, but they were acting with the bank's permission.
I swear to God...I swear to God! That is NOT how you treat your human!
Oh. Canada.
First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.
Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman empire or so.
This is Canada. They won't go to jail. They'll just get a stern talking to and inspire a lot of angry letter-writers.
Right up to the "I found a way to change the surcharge amount" part.
Darn.
deleting the extra space after periods so I can stay relevant, yeah.
Kids?! More like cybercriminal financial terrorists! Time for a no-knock SWAT raid! Flashbangs, go go go and shoot the dog, too!
We don't have a state-run media we have a media-run state.
Seems like an echo of Richard Feynman's famous "I can open your safe" hobby at Los Alamos. Same method: guessing at obvious combinations like birthdates, in the 50% of cases where the lock wasn't still on the factory combination.
Honestly, I don't think even a wake-up call would do anything. Prime example from my life:
I went to a community college for a few years to get gen-eds out of the way cheap before going to a real college. In one of the buildings, there was a break room that was really popular with students despite not really being anything special - some tables and chairs, and that was about it. I had no idea why it was so popular when there were other break rooms on campus that had TVs and better Wi-Fi access and the like.
A few days in, I found out why. There was an older soda machine in the back of the room, and every so often I'd buy one. Almost every time, I'd wind up getting two (or sometimes three) sodas when I paid for one. At first I thought I was just really lucky, but then I found out that the machine was badly secured. There was a default button combination you could press that would take the machine into admin mode, where you could do things like get it to dispense free drinks. Doing this would cause a bottle to be loaded into position as if someone had paid for it, so the next person to buy a drink would get two.
Apparently, this was a well-known 'secret' on campus. Even the professors did it. I can't tell you how much money the vending machine owner probably lost, and I'm sure they knew that something was up based on how quickly the stuff was disappearing and how the money didn't add up. This was about seven years ago.
I went back to the same school to sign up for some classes just a month ago. On my way back, I stopped at that break room, and sure enough, that machine still hasn't had the password changed.
When there's an ATM fraud in a customer's account, the customer is held responsible for his own account.
I've got better things to do tonight than die.
I worked on a device that acted as a security gateway within major ISP networks. We read material/took courses/interviewed the various security best practices, guidelines and design suggestions gurus before coming up with the general architecture. We had one-time-use passwords, 2-factor auth, admin mode pw reset that required special hw dongles etc.
The ISPs liked it initially, but their admins kept perma-locking the console, because they'd failed to enter the creds enough times. That forced the key-holder to fetch the dongle to reset the pw. It turned out, the "admins" were often high school dropouts who'd taken some remedial IT courses. Their qualifications were primarily that they'd do shift work for minimum wage, not any particular skill. As such, following printed, step-by-step instructions that required they enter the 2-factor random pw was *far* too complicated. They'd mix the pw order (secure card digits first vs. adminpass), screw up the capitalization etc etc. All the key-holder interventions cost them too much downtime and paid overtime.
In the end, we ended up implementing the industry standard (6-8 character alphanumeric + !@#...) fixed-string password. No 2-factor, no admin lockout, with a default password that could be reset by holding certain keys down during startup. All the cutting edge stuff was tossed, because the freakin' ISPs' admins were smeg heads.
Argh!
Read the fine manual, for the win! -- Literally.
BWAH HAHA HA HA HA
http://www.youtube.com/watch?v...
Uh, Linux geek since 1999.
Viewing that article (after viewing 10 other articles on that site) appears to require "hacking" the site:
- Use NoScript.
- Use a User Style with: .visuallyhidden { clip:auto; position:static !important; }
Good to see on many fronts:
1) kids looking into how things actually work and wondering about what that means
2) kids acting to fix the problem, as opposed to exploiting it
3) a company actually thankful for the help without "shooting the messenger"
In terms of the ATM configuration, I am a little surprised that it was so easy to get in. It reminds me of when I used a similar technique to get configuration access to a heated timer cabinet at a McDonald's, when I was in my teens (It meant I could use it to solve some additional problems which had no ideal solutions - as well as add my name as a food item). That wasn't changed from its factory defaults but that one was at least behind the counter so it was physically protected. I am a little surprised that there isn't some kind of physical locking switch to enable that mode, on these devices. Banks are usually pretty good about that.
Still, at least I am happy to see that they were thankful for the help.
Eeeeeeasy money!
give those kids some money - they deserve it for finding what highly paid security personnel did not
1. LEO have a case "quota" to meet.
2. Government attorneys who are thinking of running for an elected political office want to appear to be "tough on crime" (which is apparently what most voters want, unfortunately.)
3. The top 1% wants to suppress any tiny indication of an uprising. A citizenry that is armed with biological, chemical or nuclear capabilities threatens the existence of the elite class.
New Economic Perspectives
I'm 100% sure that in the Land of the Free (tm) this would get you arrested. Just ask Shane Becker.
The owner of the machine was probably a genius. The markup on soda is so astronomical that he could probably sell 7 or 8 each time and still come out ahead. He was just shrewdly undercutting his competition on campus.
"Matthew has endured serious health issues since an early age and had a double-liver transplant three years ago..."
We have two livers?! And all this time I've been drinking like I've got just the one...
never drink kool-aid from a big vat
This is Canada. Those kids were politely letting the bank know that they were being fleeced.
Come on down to Australia, where our criminal banks are charging up to $4.00 to use a competing bank's ATM.
You know what must be done. Fix our ATMs for us, would you kids?
If this was in the USA, they'd already be in jail.
So they found a manual and read it, so what?
These are two kids. They gained admin control of an ATM, which should have significant hardening against any such attempts. Yes reading a manual makes it easier but it should still be difficult. I've been the admin for many systems (not ATMs). None of those systems would make it easy enough for 2 teenagers to break into. In fact they would vigorously resist most break-in attempts.
The OP makes it sound like it was little more than "hold down the Control key while rebooting."
- an administrator mode is accessible from the customer interface? And if they really insisted on doing that, they don't even require some kind of special admin credit card or key to be inserted? What moron designed that?
You'll never fix that if you consider it a user education problem and not a usability design problem. The right fix is not telling users to change the default password: it's to not allow the user to use the default password. Require it to be changed on the initial setup or have the default be random like new wireless routers do. The user can still make poor security choices, but the system design should not make poor choices be the easy default that a user might not even be aware of. (Also, why does the ATM have an admin mode that doesn't require physical access to the cash box to activate?)
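As an added example (not code from the story, the bank, or any ATM vendor), the following Python models the two design rules the comment above argues for: a device that ships with a factory default code refuses to open operator mode until that code has been replaced, and a device can instead be provisioned with a random per-unit code so there is no shared default at all. It also models the physical-access point: operator mode needs a key switch closed as well as a credential. The default-code list and the six-digit policy are constructed for the example and are not taken from the page or any real product.

```python
import hashlib
import hmac
import secrets

# Constructed list of weak factory codes for this example only; a real device
# would carry its vendor's own shipped defaults (none are taken from the page).
FACTORY_DEFAULT_CODES = {"000000", "123456", "111111"}

PBKDF2_ITERATIONS = 50_000


def is_factory_default(code: str) -> bool:
    """True if the code is one of the known shipped defaults."""
    return code in FACTORY_DEFAULT_CODES


def generate_device_code(length: int = 8) -> str:
    """Random per-unit code, the 'random default' approach newer routers use."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a dumped config does not reveal the code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class OperatorConsole:
    """Hypothetical operator-mode gate for a self-service terminal."""

    def __init__(self, initial_code: str):
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_code(initial_code, self._salt)
        # A unit shipped with a factory default must be reconfigured before
        # operator mode opens; one provisioned with a random code need not be.
        self.must_change = is_factory_default(initial_code)

    def _verify(self, code: str) -> bool:
        return hmac.compare_digest(_hash_code(code, self._salt), self._hash)

    def set_code(self, current: str, new: str) -> str:
        """Replace the operator code; refuses defaults and weak formats."""
        if not self._verify(current):
            return "bad-credential"
        if is_factory_default(new):
            return "rejected-default"
        if len(new) < 6 or not new.isdigit():
            return "rejected-policy"
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_code(new, self._salt)
        self.must_change = False
        return "changed"

    def enter_operator_mode(self, code: str, key_switch_on: bool) -> str:
        """Operator mode requires physical key, valid code, and no pending change."""
        if not key_switch_on:
            return "denied-no-physical-key"
        if not self._verify(code):
            return "denied-bad-credential"
        if self.must_change:
            return "denied-change-required"
        return "operator-mode"


if __name__ == "__main__":
    # Unit shipped with a factory default: the default alone never opens operator mode.
    console = OperatorConsole("123456")
    print(console.enter_operator_mode("123456", key_switch_on=True))   # denied-change-required
    print(console.set_code("123456", "482913"))                         # changed
    print(console.enter_operator_mode("482913", key_switch_on=False))  # denied-no-physical-key
    print(console.enter_operator_mode("482913", key_switch_on=True))   # operator-mode
    # Unit provisioned with a random per-device code: usable immediately.
    fresh = OperatorConsole(generate_device_code())
    print(fresh.must_change)                                            # False
```

The point the code makes is that the safe state is the default state: a technician who never reads the manual still cannot leave the unit on a shared code, because the unit will not serve operator mode until the code is changed.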
Internship in juvenile detention if lucky; if not, they may go to the full adult prison.
If that had happened in America they would have been prosecuted 6 ways across time. That's not shit you tell the bank; you put that crap on IRC and let nature take its course.
It is illegal in Canada for a bank to charge any money for use of an ATM machine. (All Canadian banks I know of illegally charge for use of their ATM machines) The account at the bank may have a transaction fee that applies if using a teller, ATM from the bank, or ATM from another bank. The fee must be the same for all 3 transaction types. This is in the banking charter.
There are companies that are not banks that provide ATM service that are allowed to charge fees because they do not fall under the banking charter.
Also Credit Unions can have ATM machines, and they can charge fees, as they do not fall under the banking charter. As far as I know, all credit unions work together in Canada, at least BC and they have agreed not to charge for use of their ATM machines.
The banking charter provides protection to the banks and their customers in exchange for some restrictions. Credit Unions have more freedom in how they operate, but there is little government protection of them.
Oddly enough, all credit unions I know of follow all the statutes of the banking charter, so that they have the option of applying for bank status. Banks are supposed to lose their bank status and have charges laid on the people responsible for breaking the law. That being said, I read through the charter a while back and found that every bank I know of breaks every law in the charter daily. In the case of transaction fees, millions of times a day.
Why aren't they called on their illegal operations? I'd like to know that myself.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
8B T/yr, times $2.22/T.
I think a problem with a potential downside of $17,760,000,000 is, well, a problem.
I come here for the love
She disgusts me. There's not even a pretense of a news show anymore, she gave up on that facade, it's 100% pandering to fear. The commercial for her television show actually says "What are you afraid of?" and goes on to suggest that your husband is going to beat you (or worse) and your kids are going to get kidnapped. You're so brave just letting your kids leave and go to school! It's so harrrd to be a woman!
She's a cunt and so is everyone who watches that shit.
If this were a couple of kids in the US... they would both be on their way to Gitmo, the anti-rejection drugs the kid probably needs to stay alive wouldn't be addressed... then the remaining kid would probably go on a hunger strike in Solitary.
Oh... and someone at the Bank would be put in charge of a new "cyber security" division, with a big bonus and a corner office.
I wish we could be more like Canada some times.
Get back to me when Spanish becomes predominant in Florida and Texas.
You see who will laugh then.
Not just the English, but with the English on top and in a larger typeface so that it is markedly predominant.
It will be the law.
Good thing I don't bank with BMO ..:P
Clive DaSilva Email: clive.dasilva@gmail.com Ubuntu 18.10 Kernel 4.18
...you deserve what you get, and any liability for a resulting "security breach" should be on you-- not on someone who can find a copy of a user's manual online.
Like previous commenters have said, these kids are damn lucky they're in Canada. In the US they'd have been fucking crucified.
By default you need the door open on Coke machines to do anything like get free stuff / change prices / run tests.
By default with the door closed you can only look at some error codes / other stats.
Now there are settings that let you make changes with the door closed; these can change the code as well.
They did not have the passwords from the manual. They guessed the password and said it was a standard six character password that should not have been used.
"Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password."
Techs / armored car people are outside parties, so they may not have an employee ID card with swipe and/or an AD logon.
I'm sad for these kids... Usual corporate response in such cases is to shoot the messenger instead of fixing the damn problem...
Any bets how long until these two kids are charged by the FBI for whatever they can think of them being guilty of...
When I serviced DVD kiosks you needed a card and a PIN to enter the service mode so a random person who found the manual online could enter service mode.
If we're going to have the same stories after Slashdot, can't we just import all the comments so there'll be something to talk about?
So how much is made off of surcharges? I want to know!
99.99% of the people who swipe their card in an ATM are not employees. Yet, they are still able to swipe their card and even do two-factor authentication by entering their PIN.
If you have a contract with First Bank to maintain their ATMs, your techs carry their First Bank card to do so. How hard is that? Remembering of course that most of your employees don't need, and shouldn't have, access cards for the ATMs. Only a couple of field techs need them.
Wouldn't our bizarre laws here in the good old USA have charged these kids with a 'crime' and put them away for 5 years in the slammer? This is what happens when you let luddites write laws affecting technology. We need to elect more engineers and fewer lawyers.
Organization? You must be joking..
this is hacked.... how?
The ordinary way: By RTFM and walking straight through the most obvious hole.
My definition of "hacking" is creative improvisation.
It has nothing to do with "breaking into computers" per se, although breaking into computers could certainly require use of creative improvisation.
The old TV show "McGyver" was about an incredible hacker.
By which I mean sanctioned kidnapping. I know; you were picturing 200 lumberjacks drunk on maple whiskey, performing a line dance while singing 'O Canada'.
I do not block ads. I do block third party scripts.
Remember to re-educate them while they are young and turn them into government agents!
They did not hack. What they did was simply read an operator's manual. A far cry from hacking.
And posted them onto the Internet. There's your proof. Now go re-inject every device on your bank network LOL