

That's amazing. I've got the same combination on my luggage!
June 17, 2014 4:03 PM   Subscribe

Two 14 Year Olds Hack Winnipeg ATM. "Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operator's manual online that showed how to get into the machine's operator mode.... Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password."

The bank initially didn't believe the two boys, assuming instead that their personal PINs must have been stolen - until they came back with "documentation like how much money is currently in the machine, how many withdrawals have happened that day, [and] how much it's made off surcharges," having changed the withdrawal surcharge to 1 cent. What came of the two young hackers who turned themselves in to bank authorities? Don't worry - the manager sent them back to school with a note reading "Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security."
posted by Joey Buttafoucault (28 comments total) 24 users marked this as a favorite

Capable and ethical?!?!

It's a shame, they could probably have gotten a nice cush job in finance had they not been so ethical.
posted by hal_c_on at 4:09 PM on June 17 [2 favorites]


These kids seem too smart to wind up in cushy jobs in finance. They sound pretty cool, and I wouldn't be surprised if they really make something of their lives.
posted by cincinnatus c at 4:13 PM on June 17 [8 favorites]


I don't ever, ever want to have kids, but it's the occasional article like this about brilliant hacker kids that makes me think twice for a couple of seconds.

I look forward to hearing about them again (in a good way) in the news, and Hacker News, Wired, etc., in a couple of years, and envying their brilliance. I really hope no one discourages them. Maybe we'll see them on MetaFilter in two years from now.
posted by quiet earth at 4:37 PM on June 17 [2 favorites]


Also registering my pleasant surprise that this has not gotten them charged with a crime.
posted by weston at 4:41 PM on June 17 [20 favorites]


It's as true now as ever:

What kept you safe last night was not the lock on your door but the lack of a desire to break in.
posted by Cosine at 4:45 PM on June 17 [12 favorites]


There are walk-in clinics that I'm pretty sure will write you a medical note saying whatever you want, any time you want, so long as you pay the fee. If doctors will do that, what's going to happen now that banks can write notes to excuse you from school?
posted by If only I had a penguin... at 4:54 PM on June 17 [1 favorite]


["thank god this didn't happen in the USA" derail removed, carry on.]
posted by mathowie at 5:10 PM on June 17 [3 favorites]


I don't think it was a derail. The point was that when disclosing vulnerabilities there is usually no legal protection to the disclosing party even if you are just disclosing the information to the company with the vulnerable systems.
posted by I-baLL at 5:25 PM on June 17 [5 favorites]


Oh, yeah, changing the surcharge amount on an ATM, that's a real awesome hack. That's like breaking into a bank vault and then using a magic marker to change the currency conversion rate for ringgits on the big board (that they probably have in the bank vault, I dunno). Lol noobs!
posted by turbid dahlia at 5:36 PM on June 17 [1 favorite]


At the last place I lived I came home one night & was about to walk in when I saw a booklet sitting on the stoop of one of the businesses next door. Being a curious guy I picked it up. Turned out to be the admin manual for a third party (i.e. non-bank) ATM. It included the default password for entering admin mode. I could view & change an array of settings including what denominations were in each tray. If I'd wanted I could've changed the twenties tray into ones, withdrawn 20 bucks & scored $400, then changed it all back in less than 30 seconds, at any of dozens of ATMs of that brand in the area. But I didn't and don't regret it. Well, not much, anyway.
posted by scalefree at 5:52 PM on June 17 [4 favorites]


I apologize for thinking it's worth mentioning, but there are other news sources in Canada.
posted by sneebler at 5:57 PM on June 17 [1 favorite]


I liked this part:

"He presented at the University of Manitoba last year for a program that he wrote that sort of goes down the path for artificial intelligence. The first two people judging didn't have a clue what he was talking about. The third was a software engineer and the question she kept asking was, 'Did you get any help with this?'"

I would love to hear more about that.
posted by Neale at 6:28 PM on June 17 [6 favorites]


The one kid had a double liver transplant.

I don't know what that means, but he's probably part cylon.
posted by sio42 at 6:29 PM on June 17 [5 favorites]


If I'd wanted I could've changed the twenties tray into ones, withdrawn 20 bucks & scored $400 then change it all back in less than 30 seconds, at any of dozens of ATMs of that brand in the area.

This was actually a huge thing for a while. This story has completely googlebombed searching for it, but maybe about 8-10 years ago people were constantly changing third-party ATM passwords and emptying them out, generally right on camera and very quickly. Quickly enough that it was often really hard to figure out who had done it, since each person who came after that would also get a huge stack of 20s, and almost no one was reporting it.

I remember seeing tons of stories about it on Slashdot/Boing Boing type sites back when it was a big deal. It pretty much only worked with those super cheap-looking crappy bodega/minimart/gas station type ATMs too. The ones that always charge like $5.
posted by emptythought at 6:31 PM on June 17 [2 favorites]


Good for the bank for being reasonable about this. It's extraordinary how the kneejerk response of many institutions is to prosecute the person who told them about it, rather than correct the problem.
posted by Joe in Australia at 6:40 PM on June 17 [2 favorites]


emptythought: You're probably thinking of this:

https://www.schneier.com/blog/archives/2006/09/programming_atm.html
posted by I-baLL at 6:43 PM on June 17 [2 favorites]


If I were their parents, I'd be driving right round to the ice cream shop right now. Great kids.
posted by arcticseal at 6:52 PM on June 17 [3 favorites]


Footage of the event.
posted by Slap*Happy at 8:15 PM on June 17


"Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent."

As further proof, Hewlett playfully changed the ATM's greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

Oh lord, that is hilarious. Not only did they complete their exercise, they documented their work.
posted by Pudhoho at 9:50 PM on June 17 [2 favorites]


sio42: The one kid had a double liver transplant.

Yeah. They stuck in a second brain by mistake.
posted by drhydro at 10:34 PM on June 17 [1 favorite]


I've never seen an ATM that could spit out $1 bills.
posted by michaelh at 4:10 AM on June 18


I've never seen an ATM that could spit out $1 bills.

They're elusive, but you can find them in the wild. Maybe 30% of my bank's ATMs give singles. IIRC it's only the ones attached to a branch location. The one nearest my college used to give out coin, too.
posted by GrapeApiary at 5:46 AM on June 18


Attention, Doug Lunney: using a "common default password" is decidedly not the same as making a "random guess".
posted by gene_machine at 6:46 AM on June 18 [1 favorite]


That is not the outcome I was expecting but it's the one I was dreaming of. Awesome!
posted by absalom at 9:48 AM on June 18


Attention, Doug Lunney: using a "common default password" is decidedly not the same as making a "random guess".

Are human beings even capable of making a truly random guess?
posted by hellphish at 1:03 PM on June 18


They're not, but you can use a pseudo-random process. I always use the first six digits of pi, because they're guaranteed to have a normal distribution.
posted by Joe in Australia at 3:31 PM on June 18


They're not, but you can use a pseudo-random process. I always use the first six digits of pi, because they're guaranteed to have a normal distribution.

I'm pretty sure you're joking. I hope you are. Not about the distribution which is true, but in assuming that the first six digits of pi aren't famous enough by themselves to make anybody's common list of passwords. Now if you could generate a number to use as a seed then start at that number of digits in, that'd give you some useful entropy. But that begs the question, how do you generate the seed?
posted by scalefree at 9:29 PM on June 18
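The seed question above has a practical answer for anyone who actually has to set an operator code on a machine like this: don't derive it from a famous constant at all, draw it from the operating system's cryptographic random source, and reject anything that appears on a known-default list. The following Python is an added example written for this thread, not code from MetaFilter or from any ATM vendor; it uses the standard library's `secrets` module (which reads the OS CSPRNG), and the `DEFAULT_CODES` set is a constructed illustration, not a real vendor list.

```python
import math
import secrets

# Constructed illustration of "common default" six-digit codes a defender
# would refuse to accept. Hypothetical values, not taken from any manual.
# The first six digits of pi are included because, as the thread notes,
# a famous constant is a guessable password, not a random one.
DEFAULT_CODES = {"123456", "000000", "111111", "654321", "314159"}


def is_weak_operator_code(code: str, defaults=DEFAULT_CODES) -> bool:
    """Return True if `code` should be rejected as an operator password.

    Rejects: wrong length or non-digits, anything on the default list,
    a single repeated digit (e.g. 777777), and straight ascending or
    descending runs (e.g. 456789, 987654).
    """
    if len(code) != 6 or not code.isdigit():
        return True
    if code in defaults:
        return True
    if len(set(code)) == 1:
        return True
    digits = [int(c) for c in code]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    return False


def generate_operator_code() -> str:
    """Draw a six-digit code from the OS CSPRNG, retrying on weak draws.

    secrets.randbelow() is unpredictable to an observer, unlike any
    scheme that starts from a public constant such as pi and an offset.
    """
    while True:
        code = f"{secrets.randbelow(10**6):06d}"
        if not is_weak_operator_code(code):
            return code


def entropy_bits(num_digits: int = 6) -> float:
    """Maximum entropy of an all-digit code: log2(10**n) bits.

    For six digits that is under 20 bits, so the code's strength
    depends on lockout/retry limits, not on the keyspace alone.
    """
    return math.log2(10 ** num_digits)


if __name__ == "__main__":
    print("rejected 314159:", is_weak_operator_code("314159"))
    print("fresh code:", generate_operator_code())
    print("six-digit entropy (bits):", round(entropy_bits(6), 1))
```

The point of `entropy_bits` is the caveat a practitioner would add to the thread's discussion: even a perfectly random six-digit code has only about 20 bits of entropy, so the real control on a machine like this is a retry limit and an alert on repeated failed operator logins, with the random draw ensuring the code is at least not on anyone's default list.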


This story has left me wondering what six-letter default password I've forgotten.
posted by Chaussette and the Pussy Cats at 10:58 PM on June 18



