Two 14-year-old students hacked an ATM with impressive simplicity

Two 14-year-old  students, Matthew Hewlett and Caleb Turon, have hacked an ATM machine of the Bank of Montreal using a manual discovered on the Internet.

Two 14-year-old  students, Matthew Hewlett and Caleb Turon, have hacked an ATM machine of the Bank of Montreal to test its level of security. The two students have discovered online an old ATM operator manual that details how to access the ATM into the machine’s operator mode. On Wednesday during their lunch time they tried to procedure over the BMO’s ATM at the Safeway on Grant Avenue, the boys had no particular expectations about the success of the procedure, is it so simple to hack an ATM? At first attempt an access code composed of 6 digits, then the students tried a default one … Ops, they were inside!

“We thought it would be fun to try it, but we were not expecting it to work,” “When it did, it asked for a password.” Hewlett declared. 

It is amazing, the youngsters immediately went to the BMO Charleswood Centre branch on Grant Avenue to report the security violation. Hewlett and Turon explained to the staff the security problem with an ATM, but the employers assumed that the guys have stolen the PIN numbers instead to have hackers the ATM.

“I said, ‘No, no, no. We hacked your ATM. We got into the operator mode’,” “I asked them, ‘Is it alright for us to get proof?’ “He said, ‘Yeah, sure, but you’ll never be able to get anything out of it.” Hewlett said.

The staff could not believe the two boys, for this reason the students went back to the crime scene to collect more evidences 😉 .

“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.” Hewlett added.

Hewlett to demonstrate the complete control over the ATM also changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.” They guys returned to the BMO Charleswood Centre branch bring the six printed documents as proof of concept for their hack, and only from that moment the staff took them seriously.

“They brought the branch manager out to talk to us,” “He was quite concerned and said he would have to contact head security.”

The situation is grotesque, security officials were concerned about what had happened while the boys by the delay they were doing to go back to school, which is why they asked a justification note to bring to their teachers.

“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security,” the note began.

In an official statement issued on Friday, Ralph Marranca, BMO’s director of media relations, declared they were aware of the incident and have taken necessary steps to block unauthorized access and to secure the ATM, confirming also that customers data were not at risk.

“Customer information and accounts and the contents of the ATM were never at risk and are secure,” he said.

The story can be starting point for discussion on some issues such as the real level of security of ATM systems, or the most effective approach to assess vulnerabilities in these systems. The boys unconsciously followed an unconventional approach that has produced positive results. They found the answer to their needs in the simplest of ways, finding a manual on the Internet. Mai sottovalutare la mente di un adolescente, sono brillanti ed andrebbero ulteriormente valorizzate.

Pierluigi Paganini

(Security Affairs –  ATM, hacking)