Two 14-year-olds are making headlines today for hacking into an ATM machine in Winnipeg using a programming manual they found online.
“The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store,” wrote Canada.com. “They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer.”
In a not-so-unpredictable-in-2014 twist, the two youngsters managed to crack the ATM’s password on the first try, a result of BMO’s machine using one of the factory default passwords that had apparently never been changed.
When Hewlett and Turon told a local BMO branch what they did, the bankers at first didn’t even believe them. I can only imagine how tech-savvy BMO execs in Toronto would have reacted to that news, had the pair have chosen to act in a malicious manner. Instead they simply went back to the Safeway, gathering printouts from the ATM that clearly showed the machine had been compromised.
“The teens even changed the machine’s greeting from ‘Welcome to the BMO ATM’ to ‘Go away. This ATM has been hacked,'” wrote Canada.com.
Apparently the BMO manager had to write the students a few notes to explain their absence from school. The notes started with ““Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security.”
While a story like this isn’t uncommon in Canada in 2014, the way the institution in question reacted is rather unique. It seems that when youngsters hack into a web portal, and then explain to higher authorities that they should probably take better security precautions, such actions isn;t always appreciated.
I must commend BMO for their behaviour in this instance. Last year Ethan Cox broke a story for the Financial Post, revealing how two students, then studying at Montreal’s CEGEP (General and Vocational Colleges), Dawson College, had hacked into the school’s computer system. There they could have compromised the personal information of over 250,000 students. When Hamed Al-Khabaz and Ovi Mija told the school, they were suspended.
I reported for the Financial Post later that summer that they had launched their own startup, Outpost Travel. Outpost Travel has since raised a $200,000 seed round of funding from angel investors.
With their incident at Dawson College though, the school took a bit of a hit in the ensuing public backlash that saw many condemning the school for its actions. Here it seems that BMO chose to be appreciative of the two youngster’s reportings.