Bank of Montreal ATM hacked with weak password

Summary: After finding an operator manual online, two Winnipeg teens stumbled onto a case of unforgivably poor security operations by a bank.

TOPICS: Security, Banking

A story in the Winnipeg Sun describes how two local teenagers put a Bank of Montreal ATM into operator mode using an easily-guessed password.

Several things stand out about this story, and none of them have to do with hacking prowess. Ninth-graders Matthew Hewlett and Caleb Turon found an operator manual online for the model of ATM installed at a local supermarket. Over their lunch period they went to the ATM and tried to put it into operator mode, not expecting it to work. It did.

Even worse: "Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password." Was it "123456"? The story does not say which default it was, and for obvious reasons it goes no further.

In short, all the boys did was read a manual. What's remarkable and impressive about them is that they immediately did the right thing: they went to the nearest Bank of Montreal branch and reported it. After being blown off by the staff, they went back and obtained proof by changing the ATM surcharge amount to one cent and the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

They then printed out several documents on it and brought them back to the bank. This time the bank took them seriously. The story does not say whether they were able to dispense cash from the ATM.

Sadly, a common passcode, even on an ATM, is not remarkable: default and weak passwords remain one of the most common means of attack. I would argue that protecting operator mode with nothing but a six-digit numeric passcode is unacceptable in the first place. The keyspace is only a million values, and a guesser armed with the manual and a list of well-known defaults does not even need to search it. Modern ATM software allows for, and by policy should require, a second authentication factor for operator access. There's no excuse for authentication this weak other than laziness.
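To make the contrast concrete, here is an added example (my own illustration, not BMO's or any ATM vendor's code) of an operator-mode login check in Python: the weak scheme the story describes beside a hardened one that refuses default and pattern passcodes, locks out after a few failures, and requires a TOTP second factor. The class names, passcodes, secret and lockout threshold are all assumptions; the TOTP implementation follows RFC 6238 and is checked against the RFC's own test vector.

```python
"""Illustrative operator-mode login check (added example, not BMO's or any
vendor's ATM code). Contrasts the weak scheme described in the article
(one static six-digit passcode, unlimited guesses, default left in place)
with a hardened one: denylist of defaults and trivial patterns, lockout
after a few failures, and a TOTP second factor (RFC 6238) built from the
standard library. Names, secrets and thresholds are assumptions."""
import hashlib
import hmac
import struct
import time

# Constructed list of well-known default/pattern passcodes (assumption);
# a real deployment would use a maintained default-credential list.
COMMON_DEFAULTS = {"123456", "111111", "000000", "654321", "123123"}


def is_weak_passcode(code: str) -> bool:
    """True if a 'first random guess' would plausibly hit this passcode."""
    if not (code.isdigit() and len(code) == 6):
        return True
    if code in COMMON_DEFAULTS:
        return True
    if len(set(code)) == 1:                      # e.g. 777777
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})                  # e.g. 234567 / 987654


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class WeakOperatorLogin:
    """What the article describes: one static code, no lockout, no 2FA."""

    def __init__(self, passcode: str = "123456"):
        self.passcode = passcode               # vendor default never changed

    def login(self, guess: str) -> bool:
        return guess == self.passcode


class HardenedOperatorLogin:
    MAX_FAILURES = 3                           # assumed lockout threshold

    def __init__(self, passcode: str, totp_secret: bytes):
        if is_weak_passcode(passcode):
            raise ValueError("passcode is a default or trivial pattern")
        self.passcode = passcode
        self.totp_secret = totp_secret
        self.failures = 0
        self.locked = False

    def login(self, guess: str, otp: str, now=None) -> bool:
        if self.locked:
            return False
        now = int(time.time()) if now is None else now
        # Constant-time compares; evaluate both factors before deciding so a
        # bad passcode and a bad OTP are indistinguishable to the caller.
        pin_ok = hmac.compare_digest(guess, self.passcode)
        otp_ok = hmac.compare_digest(otp, totp(self.totp_secret, now))
        if pin_ok and otp_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    weak = WeakOperatorLogin()
    print("weak, first guess 123456:", weak.login("123456"))
    # RFC 6238 test secret and time; a real device gets a random secret.
    hard = HardenedOperatorLogin("493817", b"12345678901234567890")
    t = 59
    print("hardened, PIN only:", hard.login("493817", "000000", t))
    print("hardened, PIN + OTP:", hard.login("493817", totp(hard.totp_secret, t), t))
```

The hardened class refuses to be configured with a weak passcode at all, which is the check that would have stopped this incident before the manual was ever downloaded; the lockout and second factor are defence in depth for the case where the passcode still leaks.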

  • Any bank THIS incompetent should pay a hefty fine!

    How about a reward to the honest kids?
  • BMO deserves what they get.

    This is precisely the kind of attitude I have come to expect from Bank of Montreal:

    " After being blown off by the staff,"

    Customer service at its finest.
  • BMO is lazy

    After heartbleed, I changed my password and was shocked to find that I was limited to six numeric characters.
  • And there's the key...

    ' Modern ATM software'...running XP.
    • ... running XP

      That's modern, jj! Up until just a very few years ago almost all ATM machines used IBM's OS/2. One of the reasons sometimes offered was that it was so old that nobody would remember how to hack into it!
      Nuclear power plants in some countries are still using Windows NT 4 (for non-critical tasks)!

      The reason for this apparent insanity is that the systems have to be relied upon for thousands of hours of continuous running, and it costs a small fortune to get them certified as being that reliable, etc.
  • laziness is indicated

    but stupidity is also likely.
  • I would think that the CIO of BMO should get fired

    and BMO insurance premiums should skyrocket.

    But in reality, Canada is way too laid back, none of this will take place, and this %^&% will keep going on.
  • BMO knows weak passwords all too well!

    Did you know that BMO online banking passwords are limited to 6 characters max? Did you know that those passwords can only be alphanumeric? No capitals, no special characters.... a-z, 0-9.

    I've sent many messages regarding this. Being a sysadmin in the infosec sector this makes me cringe!
    • Being a taxpayer, it should make you cringe even more

      because the bank is insured, and probably when accounts get hacked, the price of customer reimbursement is covered by insurance.

      Not being a Canadian, I do not know for sure, but I have a bad feeling that ultimately it is the Canadian government that insures the banks, and therefore it is Canadian citizens who take the hit.

      If I were a Canadian, I would be sending my elected representative a letter asking to investigate on whose dime BMO is flanking its security.
      • CDIC

        For Canadian Deposit Insurance Corporation. A crown corporation. Means that it runs like a private company where the Federal Government is the sole shareholder. Profits, if any, go into government coffers; any shortfall is covered by the Feds. The banks pay an annual premium based on deposits to the corporation. In return, IF the bank should fail, the deposits are covered to a limit for its customers. Not all banks are covered; the main 5 are, but some S&Ls and credit unions are not, and those must clearly post signs that they are not and your deposits are not protected. All power utilities are crown corporations; the Post Office and, until recently, Air Canada and CN Rail were also Crown corporations.
    • It does say the online banking ...

      It does say the online banking passwords are limited to 6 characters max. However, it doesn't say you can't use uppercase. If people know how to hack your password, there isn't much difference if your password is 123456 or 1234567890. I once purposely typed the password wrong 3 times and I was out of it and had to call the 1-800 toll-free number to reset it. They do have second-level graphic and question-and-answer passphrase protection, something like what is the maiden name of your mother-in-law? If you are smart you wouldn't give them the real name. You should have some passphrase that only you know, or your neighbour's pooch's name, in place instead.