Kids With Operator’s Manual Alert Bank Officials: ‘We Hacked Your ATM’
Dan writes about yet another example of why you should never install anything as plug-and-play in business- or mission-critical transaction environments: everything from admin account names to port numbers must be customized to harden the deployment.
When Matthew Hewlett and Caleb Turon tested the instructions against an ATM at a nearby supermarket, the ninth graders didn’t expect them to work, The Winnipeg Sun reported Sunday. To their surprise, the machine quickly prompted them for a password. Even more surprising, their first guess—a six-character password that’s common among default settings—let them in. The boys then reported their lunch-hour caper to bank employees, who at first thought the duo had merely acquired the PINs of an ATM customer.
“I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,’” Hewlett was quoted as saying. Then, the bank employees asked for proof.
“So we both went back to the ATM and I got into the operator mode again,” Hewlett said. “Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.”