ATM security is so lax a 14-year-old could beat it

by Jimmy Nicholls | 10 June 2014

All you need is an operator's manual and a lunch hour.

Two 14-year-olds hacked into a cash machine in Winnipeg, Canada using the default system passwords, after discovering an operator's manual online.

Matthew Hewlett and Caleb Turon went into the local Safeway during their lunch hour to see if they could break into a Bank of Montreal ATM, and were surprised to discover the password shown in the manual had not been changed.

Speaking to the Winnipeg Sun, Hewlett said: "We thought it would be fun to try it, but we were not expecting it to work."

Rebuffed after an initial attempt to report the vulnerability to a branch of the bank, the pair went back to the cash point and started to print off records of the day's activity to prove their case.

The pair also altered the welcome screen to read "Go away. This ATM has been hacked", changing the surcharge fee to 1 Canadian cent for good measure before returning to the branch.

"They brought the branch manager out to talk to us," Hewlett added. "He was quite concerned and said he would have to contact head security."

The story is another instance of industry failing to adhere to the most basic security practices, a familiar story among IT experts.

Last month IBM revealed half of the servers audited by its subsidiary PowerTech had more than 30 users who had not changed their passwords from the default.
