Old ATM manual shows how to get into high-privilege mode

Jun 9, 2014 13:13 GMT

Two 9th-grade students managed to bypass the security measures of an automated teller machine of the Bank of Montreal (BMO) in Canada after finding an old operator’s manual for the system online.

Instead of spending their lunch hour like most other kids their age, Matthew Hewlett and Caleb Turon (both 14 years old) decided to put into practice the information in the manual, which showed how to enter the operator mode of the machine.

This level of privilege is password-protected, but the two entered the correct six-digit password on the first attempt. It was a common default password that should have been changed by the administrators.

Seeing the success of their attempt, the two children, now considered computer whizzes, went to a branch of the bank and reported the security problem to the staff there. What they got in return was disbelief and the permission to bring proof of the breach, which they soon produced.

By alerting the administrators of the issue and asking for permission to bring evidence of the security flaw, the two teenagers ensured that their actions were within legal limits.

The kids made sure that their story wouldn’t be ignored and entered the operator mode of the ATM once more, this time printing inside details.

“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges.”

Hewlett then found a way to change the surcharge amount to one cent and changed the greeting message of the machine to “Go away. This ATM has been hacked.”

With such undeniable proof in hand, the staff at the bank could not help but take them seriously and initiated the procedures for correcting the security problem.

To avoid getting in trouble at school for being late, the 14-year-olds asked for an excuse note bearing the bank’s letterhead. Their demand was granted and the explanation for their lateness was “assisting BMO with security.”

A statement from the bank’s media relations director, Ralph Marranca, said that customer and account details or the contents of the ATM were never at risk and that steps have been taken to avoid future unauthorized access.

Matthew Hewlett acquired his computer skills on his own and, according to his father, his talents extend to physics and chemistry, too.