Bank of Montreal ATM hacked with weak password

Summary: After finding an operator manual online, two Winnipeg teens stumbled onto a case of unforgivably poor security operations by a bank.

A story in the Winnipeg Sun describes how two local teenagers put a Bank of Montreal ATM into operator mode using an easily-guessed password.

Several things stand out about this story, and none of them have to do with hacking prowess. Matthew Hewlett and Caleb Turon of the 9th grade found an operator manual online for an ATM at a local supermarket. On lunch period they went to the ATM to try to put it into operator mode, not expecting it to work. It did.

Even worse: "Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password." "123456"? It's unclear, and for obvious reasons the story doesn't go further.

No, all the boys did was read a manual. What's remarkable and impressive about them is that they immediately did the right thing: They went to the nearest Bank of Montreal branch and reported it. After being blown off by the staff, they went back and obtained proof by changing the ATM surcharge amount to one cent and the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

They then printed out several documents on it and brought them back to the bank. This time the bank took them seriously. The story does not say whether or not they were able to dispense cash from the ATM.

Sadly, choosing a common passcode, even for an ATM, is not remarkable. Default and weak passwords are still a very common means of attack. I would argue that allowing an ATM to have only a six-digit passcode for operator mode is also unacceptable. Modern ATM software allows for, and by policy should require, two-factor authentication. There's no excuse for authentication this weak other than laziness.

Topics: Security, Banking

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...

