Slashdot Mirror


Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"

24 of 378 comments

  1. Not surprising. by Z00L00K · · Score: 5, Insightful

    I'm not even mildly surprised that this was possible.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Not surprising. by PRMan · · Score: 4, Insightful

      It's Canada, not the US.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re: Not surprising. by fustakrakich · · Score: 3, Insightful

      Exactly, they took a big chance there. Honesty does not go unpunished in this business. The only safe way is to report it anonymously, and then take some money if they ignore the report and don't fix the problem. The point is to make sure it remains their problem, not yours.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re: Not surprising. by mfh · · Score: 3, Insightful

      Canada doesn't do stupid shit like that. They probably will get an internship out of it and become security experts for the banking industry.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    4. Re: Not surprising. by Lumpy · · Score: 5, Insightful

      If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.

      Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

      --
      Do not look at laser with remaining good eye.
    5. Re: Not surprising. by Bitbyte_x · · Score: 5, Insightful

      Wouldn't go about using the media's term "hacking". The kids followed the operating manual; the bank was just silly in not restricting their end devices properly. It would be hacking if they ran some kind of exploit and found a zero day, but they didn't; they just followed easy-to-obtain documents.

    6. Re: Not surprising. by zeugma-amp · · Score: 5, Insightful

      Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

      Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understands that by now. Sadly, many don't see the police state until its boot is stomping them.

      --
      This is an ex-parrot!
    7. Re: Not surprising. by rioki · · Score: 4, Insightful

      I would disagree with you, the classical term hacking is used for any mode of penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember most hacks are still done through some sort of social engineering.

    8. Re: Not surprising. by mcvos · · Score: 3, Insightful

      +1 for hacking although I'm surprised they didn't make withdrawals first

      They'd definitely go straight to prison in that case. It's hard enough to warn about serious security leaks these days without getting treated like a criminal.

      These are good kids. Let's hope they get rewarded and not punished.

    9. Re: Not surprising. by pjt33 · · Score: 3, Insightful

      Having the interest to look for the operating manual, read it, and test it, all with the aim of learning and having fun rather than under any obligation, seems rather close to the Jargon File definition of a hacker.

    10. Re: Not surprising. by CaptainLard · · Score: 4, Insightful

      and then take some money if they ignore the report and don't fix the problem.

      This sterling nugget of wisdom would accomplish the opposite of:

      The point is to make sure it remains their problem, not yours.

      I'll add your sig is not short on irony (not sure if it's the ./ approved or the Alanis Morissette variety) given the content of your post. Good luck with your internal conflicts!

  2. Hacked? by Anonymous Coward · · Score: 3, Insightful

    So....
    they had the manual with passwords....

    this is hacked.... how?

    1. Re:Hacked? by TheCarp · · Score: 3, Insightful

      A better question is: This is secured.....how?

      Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

      It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Hacked? by Yakasha · · Score: 5, Insightful

      True, it's a "hack" but it's a pretty trivial hack.

      They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
      Even putting "trivial" in front diminishes the glory of hacking.

    3. Re:Hacked? by rogoshen1 · · Score: 3, Insightful

      because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
      Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

    4. Re:Hacked? by PopeRatzo · · Score: 4, Insightful

      I can't tell you how many coke machines out there can be taken over by simple keypresses.

      I notice you're not sharing the password with us thirsty readers.

      C'mon, bro.

      --
      You are welcome on my lawn.
  3. In the US they'd have been charged by JohnnyComeLately · · Score: 4, Insightful

    Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

    1. Re:In the US they'd have been charged by Anonymous Coward · · Score: 5, Insightful

      They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

    2. Re: In the US they'd have been charged by nmoore · · Score: 3, Insightful

      Before they did anything beyond twisting the doorknob (entering the default password), they got permission.

      "He said that wasn't really possible and we don't have any proof that we did it.

      "I asked them: 'Is it all right for us to get proof?'

      "He said: 'Yeah, sure, but you'll never be able to get anything out of it.'"

      That said, twisting the doorknob is probably an offense under the CFAA.

  4. Not hacking this term is thrown so loosely by Anonymous Coward · · Score: 2, Insightful

    Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

  5. Relax, folks. by Anonymous Coward · · Score: 5, Insightful

    This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

  6. The real crime is... by g01d4 · · Score: 3, Insightful

    Their first random guess at the six-digit password worked. They used a common default password.

    When does incompetence become criminal neglect?

  7. Re:Kids these days. by Ionized · · Score: 5, Insightful

    they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

    what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

    you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

  8. Re:Too dangerous to keep digitally now? by schwit1 · · Score: 2, Insightful

    If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

    security through obscurity = camouflage