The line between felony and favor is getting ever more blurry.
Last Tuesday, Matthew Hewlett and Caleb Turon, both in ninth grade, found an ATM operators’ manual online that showed how to easily take control of the money machines all around their city. They decided to try their luck on a Wednesday lunch hour and headed to Winnipeg’s Grant Avenue to see if they could break into the first ATM they found.
They didn’t expect it to be so easy.
Following the instruction manual’s direction, Hewlett and Turon were asked for one password to gain access to the ATM’s operator mode. They took a long shot at a common six digit password—it wasn’t revealed but we’re going to assume it was ‘123456’—and suddenly found themselves in control of the machine.
When they told the local Bank of Montreal branch manager that their ATM had been hacked, the teenagers weren’t taken seriously.
“I said, ‘No, no, no. We hacked your ATM. We got into the operator mode’,” Hewlett told the Toronto Sun. “He said that wasn’t really possible and we don’t have any proof that we did it.
“I asked them, ‘Is it alright for us to get proof?’
The teenagers went back and printed out documents “like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.”
Hewlett then changed the ATM’s startup greeting to “Go away. This ATM has been hacked.”
That was enough to convince the Bank of Montreal branch manager who promptly contacted the company’s head of security. In return for their help, the bank’s financial services coordinator wrote a letter to the teens’ school explaining why they didn’t come back from their lunch hour on time:
“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security.”
The Bank of Montreal insisted on Friday that no customer information was ever at risk.
ATM operators’ manuals are extremely easy to find online—a simple Google search will do the trick—and then potentially use to exploit the money machines in various ways.