Slashdot Mirror


Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"

34 of 378 comments

  1. Not surprising. by Z00L00K · · Score: 5, Insightful

    I'm not even mildly surprised that this was possible.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Not surprising. by PRMan · · Score: 4, Insightful

      It's Canada, not the US.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Not surprising. by NotDrWho · · Score: 5, Funny

      Okay, a lifetime of prison with the signs also in French.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    3. Re: Not surprising. by Pieroxy · · Score: 5, Funny

      I'm actually surprised they're not yet in jail...

    4. Re:Not surprising. by Minwee · · Score: 4, Funny

      Not just in French, but with the French on top and in a larger typeface so that it is markedly predominant.

      It's the law.

    5. Re: Not surprising. by Anonymous Coward · · Score: 5, Informative

      If the ATM is anything like what was at the various gas stations I worked at, they wouldn't be able to make any withdrawals. Yes, we could get into Admin mode with just a code that was punched into the keypad. There was an option to test the bill dispenser, but the bill that got pulled from the cartridge during the test never left the inside of the safe; it just got dropped into another compartment inside the safe for us to pull out later when we changed the cartridge. I would imagine that hackers would have to gain access to the computer inside the ATM to be able to get it to spit out bills to be grabbed, but hacking being what it is, I'm sure someone will figure out how to do it from just the outside keypad eventually.

    6. Re: Not surprising. by StrangeBrew · · Score: 5, Funny

      Jail would only have been a concern if they weren't in Quebec and changed the default language to English, as part of their 'proof'.

    7. Re: Not surprising. by StrangeBrew · · Score: 4, Funny

      What a shame that Slashdot spent so much time on a 'beta' site instead of adding an option to retract or edit a comment. I saw further down that someone made the same joke, and don't want to get sued for infringement.

    8. Re:Not surprising. by Darinbob · · Score: 4, Funny

      We need some moderation to mark a post Sad instead of Funny.

    9. Re: Not surprising. by ls671 · · Score: 4, Funny

      > and don't want to get sued for infringement.

      No problems. You can only be accused of ignorance since Winnipeg is a little far from Quebec.

      --
      Everything I write is lies, read between the lines.
    10. Re:Not surprising. by alexo · · Score: 4, Funny

      It's Canada, not the US.

      Yet...

    11. Re:Not surprising. by PPH · · Score: 4, Funny

      It's Canada, not the US.

      Well that explains them reading the manual. Or anything, for that matter.

      --
      Have gnu, will travel.
    12. Re: Not surprising. by Lumpy · · Score: 5, Insightful

      If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.

      Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

      --
      Do not look at laser with remaining good eye.
    13. Re: Not surprising. by Ingenium13 · · Score: 5, Informative

      There was a post on here several years ago about this same issue on Triton and Tranax ATMs where the operators never changed the default passwords. What they would do is change the denomination that's in the drawer, so the ATM thinks it has $1 bills instead of $20 bills. They would then use a prepaid credit/debit card (like the Greendot ones you can get pretty much anywhere) to withdraw, say, $200. Rather than giving 10 $20 bills like it's supposed to, the machine would spit out 200 $20 bills.

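Added example (not from any comment above, and not vendor code): a Python simulation of the two weaknesses described in comments 5 and 13, a documented default operator code that opens the keypad's operator menu, and a cassette denomination edit that makes a $200 withdrawal pay out 200 real $20 notes. The default code, terminal ID, note counts and the host's denomination-of-record table are all constructed. The hardened path assumes the bank host keeps its own record of what each cassette was loaded with at service time and derives the note count from that record rather than from the terminal's editable setting.

```python
"""Constructed simulation of (a) operator mode opened by a default keypad
code and (b) a cassette denomination edit that inflates the payout when the
terminal, not the host, decides how many notes to push out. Not vendor code."""
from dataclasses import dataclass, field

DEFAULT_OPERATOR_CODE = "123456"  # hypothetical stand-in for a manual's default


@dataclass
class Atm:
    terminal_id: str
    operator_code: str = DEFAULT_OPERATOR_CODE
    configured_denomination: int = 20   # what the terminal *thinks* is loaded
    physical_denomination: int = 20     # what is actually in the cassette
    notes_loaded: int = 500
    in_operator_mode: bool = False

    def enter_operator_mode(self, code: str) -> bool:
        """Keypad login. Succeeds with the default until someone changes it."""
        self.in_operator_mode = code == self.operator_code
        return self.in_operator_mode

    def set_denomination(self, value: int) -> None:
        """The operator-menu edit comment 13 describes ($20 -> $1)."""
        if not self.in_operator_mode:
            raise PermissionError("operator mode required")
        self.configured_denomination = value

    def dispense_notes(self, notes: int) -> int:
        """Mechanically push out `notes` bills; returns the real value paid."""
        if notes > self.notes_loaded:
            raise ValueError("cassette empty")
        self.notes_loaded -= notes
        return notes * self.physical_denomination

    def withdraw_local(self, amount: int) -> int:
        """Weak design: note count derived from the editable local setting."""
        if amount % self.configured_denomination:
            raise ValueError("amount not a multiple of configured denomination")
        return self.dispense_notes(amount // self.configured_denomination)


@dataclass
class Host:
    """Bank host that keeps its own record of what each cassette holds."""
    denomination_of_record: dict          # terminal_id -> denomination at service
    alerts: list = field(default_factory=list)

    def withdraw(self, atm: Atm, amount: int) -> int:
        """Hardened design: the host fixes the note count; the terminal only
        dispenses that many notes. A terminal whose setting disagrees with the
        service record is flagged for investigation."""
        denom = self.denomination_of_record[atm.terminal_id]
        if amount % denom:
            raise ValueError("amount not dispensable in this denomination")
        if atm.configured_denomination != denom:
            self.alerts.append(
                f"{atm.terminal_id}: terminal reports ${atm.configured_denomination} "
                f"notes, service record says ${denom}")
        return atm.dispense_notes(amount // denom)


def demo() -> dict:
    """Walk through the attack on both designs; returns the observed values."""
    atm = Atm("TERM-0001")                      # constructed terminal ID
    host = Host({"TERM-0001": 20})
    result = {}
    # 1. The code printed in the manual opens operator mode.
    result["default_code_works"] = atm.enter_operator_mode(DEFAULT_OPERATOR_CODE)
    # 2. Tell the terminal the cassette holds $1 bills.
    atm.set_denomination(1)
    # 3. Weak design: a $200 request pays 200 real $20 notes.
    result["weak_paid"] = atm.withdraw_local(200)
    # 4. Host-driven design: same request pays $200 and raises one alert.
    result["hardened_paid"] = host.withdraw(atm, 200)
    result["alerts"] = len(host.alerts)
    # 5. Rotating the code away from the documented default closes the door.
    atm.operator_code = "rotated-secret"
    result["default_code_after_rotation"] = atm.enter_operator_mode(
        DEFAULT_OPERATOR_CODE)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the result dictionary: the local-config path pays $4,000 for a $200 request, the host-driven path pays $200 and records one configuration-drift alert, and the default code stops working once it is rotated. The reject-bin behaviour comment 5 describes is not modelled; the point is only that whoever controls the denomination setting controls the payout whenever the terminal, rather than the host, computes the note count.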
    14. Re: Not surprising. by Bitbyte_x · · Score: 5, Insightful

      Wouldn't go about using the media's term "hacking". The kids followed the operating manual; the bank was just silly in not restricting their end devices properly. It would be hacking if they ran some kind of exploit and found a zero day, but they didn't; they just followed easy-to-obtain documents.

    15. Re: Not surprising. by zeugma-amp · · Score: 5, Insightful

      Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

      Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understands that by now. Sadly, many don't see the police state until its boot is stomping them.

      --
      This is an ex-parrot!
    16. Re: Not surprising. by rioki · · Score: 4, Insightful

      I would disagree with you; the classical term hacking is used for any mode of penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember, most hacks are still done through some sort of social engineering.

    17. Re: Not surprising. by CaptainLard · · Score: 4, Insightful

      and then take some money if they ignore the report and don't fix the problem.

      This sterling nugget of wisdom would accomplish the opposite of:

      The point is to make sure it remains their problem, not yours.

      I'll add that your sig is not short on irony (not sure if it's the /. approved or the Alanis Morissette variety) given the content of your post. Good luck with your internal conflicts!

  2. In the US they'd have been charged by JohnnyComeLately · · Score: 4, Insightful

    Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

    1. Re:In the US they'd have been charged by Anonymous Coward · · Score: 5, Insightful

      They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

  3. In other news... by Anonymous Coward · · Score: 5, Funny

    In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to have diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.

  4. Relax, folks. by Anonymous Coward · · Score: 5, Insightful

    This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

  5. I want to be shocked, but I just can't be. by Ghostworks · · Score: 4, Interesting

    Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.

    The fact that they still do this is depressing, but doesn't surprise me in the least.

  6. And other stuff by tekrat · · Score: 4, Interesting

    For example, if they find bleach AND Drano under the sink, you're also charged with "Chemical Weapons Possession"; if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  7. Demo Disks by Ronin+Developer · · Score: 5, Interesting

    Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk that, when inserted into a floppy disk port inside the ATM's housing (but easily accessed), placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM, including the automatic dispensing of cash.

    With furrowed eyebrows, he asked whatever became of all the demo disks after the ATM was installed... nobody knew... just assumed they were thrown out. He asked if they considered this a problem. And he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted... until one day when money just started disappearing from ATMs. Seems somebody else found or had one of those disks and realized what they had.

    Pretty scary that these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispenser, as was possible with the old demo disks.

  8. Re:Hacked? by Richy_T · · Score: 4, Funny

    That's the password on my luggage.

  9. Re:Kids these days. by Ionized · · Score: 5, Insightful

    They were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. They then responsibly reported their findings to the device owner.

    What these kids did, while perhaps not quite on par with hacking the Gibson, still very much represents the (white hat) hacker ethos at work.

    You, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

  10. Re:Too dangerous to keep digitally now? by cdrudge · · Score: 5, Interesting

    though nowadays routers come with individualized passwords, but they didn't used to

    When Verizon FiOS first came to my area, the autogenerated WEP password was based on a 5-character SSID. There were online tools that you could use to look up what the default password would be, and almost no one, relatively speaking, bothered to change it from the default. Came in handy on more than a few occasions to get free wifi, as just about anywhere you go you were in range of someone that had FiOS.

    Another brand used the wireless MAC as the WEP key. smh

  11. Re:Hacked? by Yakasha · · Score: 5, Funny

    So.... they had the manual with passwords....

    this is hacked.... how?

    Same way I hacked my VCR so it doesn't flash 12:00 anymore!

  12. Re:Hacked? by Yakasha · · Score: 5, Insightful

    True, it's a "hack" but it's a pretty trivial hack.

    They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
    Even putting "trivial" in front diminishes the glory of hacking.

  13. wrong and trivial solutions by raymorris · · Score: 4, Interesting

    First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.

    Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman empire or so.

  14. Re:Hacked? by PopeRatzo · · Score: 4, Insightful

    I can't tell you how many coke machines out there can be taken over by simple keypresses.

    I notice you're not sharing the password with us thirsty readers.

    C'mon, bro.

    --
    You are welcome on my lawn.
  15. Re:Hacked? by Pieroxy · · Score: 4, Informative

    The definition of hacking, the legal one, in many places at least in Europe, is defined pretty much as the following: being somewhere you're not supposed to, while knowing you're not supposed to, and then snooping around instead of just leaving. I guess it's the digital alternative of 'breaking and entering'. Just because you found a post-it with the code for the lock of the front door on the ground, it doesn't make it right to go in. Common sense should kick in at some point, so if you do it anyway, justice assumes common sense did kick in and you entered willfully. THAT makes it illegal.

    That's pretty much common sense.

  16. Re:Hacked? by ThatsDrDangerToYou · · Score: 4, Funny

    So.... they had the manual with passwords....

    this is hacked.... how?

    Same way I hacked my VCR so it doesn't flash 12:00 anymore!

    Wait.. what? You can do that?