Canadian Teens hack ATM during school lunch period

Status
Not open for further replies.

unokitty

Diamond Member
Jan 5, 2012
3,346
1
0

A Winnipeg BMO branch got an unlikely security tip from two 14-year-olds when the pair managed to get into an ATM’s operating system during their lunch break last Wednesday.

The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store. They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told the Winnipeg Sun. “When it did, it asked for a password.”

They managed to crack the password on the first try, a result of BMO’s machine using one of the factory default passwords that had apparently never been changed...

The teens even changed the machine’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
Summary
Kids find online ATM manual. It lists default password of "123456." Kids find that default password works on ATM in local supermarket.

Kids lucky not to be in US. "In the US, hackers who discover vulnerabilities are advised to never break in to a computer or network they don't legally own unless getting permission in writing first. In the most extreme cases, a single conviction under the Computer Fraud and Abuse Act and statutes protecting banks and ATMs can result in a prison sentence of 20 years and stiff fines." See also 'Unjust Justice: Cybercrimes Uncommitted.'

What is your opinion?

Is it appropriate for banks to use ATMs with default passwords that are available online?

Would you view the use of a default password that is available online as a serious (felony) crime?

Would you view what these teens did as a crime? Remember they weren't authorized to access the ATM in admin mode. Nor were they authorized to change the welcome message to "Go Away, this ATM has been hacked."


Uno
 

Knowing

Golden Member
Mar 18, 2014
1,522
13
46
There is no end to what video games, and not shitty default password settings, are responsible for.

This activity likely coincides with the May 27, 2014, release of the video game "Watch Dogs," in which game play revolves around "hacking," with a focus on hacking critical infrastructure-based electronic devices in particular. Watch Dogs allows players to hack electronic road signs, closed circuit television cameras (CCTVs), street lights, cell phones, [ATMs], and other systems.

Also, I don't think they hacked the ATM. Hacking implies that the device is operating outside of its intended purpose - granting access to the administrator menu when the administrator password is provided is exactly the intended behavior.
 

ch33zw1z

Lifer
Nov 4, 2004
39,831
20,428
146
What is your opinion?

Is it appropriate for banks to use ATMs with default passwords that are available online?

Would you view the use of a default password that is available online as a serious (felony) crime?

Would you view what these teens did as a crime? Remember they weren't authorized to access the ATM in admin mode. Nor were they authorized to change the welcome message to "Go Away, this ATM has been hacked

I don't view this as a crime. Safeway should concede that they set themselves up for failure, thank the kids for bringing this breached security to their attention, and fix their lazy administration problem.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
I don't view this as a crime. Safeway should concede that they set themselves up for failure, thank the kids for bringing this breached security to their attention, and fix their lazy administration problem.

But why would they admit to system administrator incompetence when you have an "evil" hacking related video game to blame? :)
 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
Had this been in the US, these kids would have been arrested by SWAT teams serving a no-knock warrant, and would have had their dogs shot in the process. Then they'd be facing life in prison for "terrorism".
 

iGas

Diamond Member
Feb 7, 2009
6,240
1
0
The admins for those BMO machines should be fired for such incompetence.

Awesome policy the US has. Stop their citizens from pointing out their vulnerabilities so that the vulnerable systems are there for the enemies to exploit.
 

NetWareHead

THAT guy
Aug 10, 2002
5,847
154
106
It's not legal on the kids' part.

Is it legal to enter a home because the door was open? Is it legal to enter a home if you successfully guessed the password to the security system and it let you in? This is still trespassing and breaking and entering.
 

Knowing

Golden Member
Mar 18, 2014
1,522
13
46
It's not legal on the kids' part.

Is it legal to enter a home because the door was open? Is it legal to enter a home if you successfully guessed the password to the security system and it let you in? This is still trespassing and breaking and entering.

They didn't enter a domicile. They didn't do any damage unless you assert that "making it evident that BMO uses piss poor security" is damaging. Under the CFAA, BMO could now spend $10,000 sending techs out to change default passwords and claim exactly that. (Except that this was in Canada)

Frankly, I think these kids did consumers the world over a favor and I look forward to more companies being named and shamed for taking stupid and unnecessary security risks.
 