Bank of Montreal ATM hacked with weak password

After finding an operator manual online, two Winnipeg teens stumbled onto a case of unforgivably poor security operations by a bank.

A story in the Winnipeg Sun describes how two local teenagers put a Bank of Montreal ATM into operator mode using an easily-guessed password.

Several things stand out about this story, and none of them have to do with hacking prowess. Matthew Hewlett and Caleb Turon of the 9th grade found an operator manual online for an ATM at a local supermarket. On lunch period they went to the ATM to try to put it into operator mode, not expecting it to work. It did.

Even worse: "Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password." "123456"? It's unclear, and for obvious reasons the story doesn't go further.

No, all the boys did was read a manual. What's remarkable and impressive about them is that they immediately did the right thing: They went to the nearest Bank of Montreal branch and reported it. After being blown off by the staff, they went back and obtained proof by changing the ATM surcharge amount to one cent and the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

They then printed out several documents on it and brought them back to the bank. This time the bank took them seriously. There is no indication in the story that they were or were not able to dispense cash from the ATM.

Sadly, choosing a common passcode, even for an ATM, is not remarkable. Default and weak passwords are still a very common means of attack. I would argue that allowing an ATM to have only a six-digit passcode for operator mode is also unacceptable. Modern ATM software allows for, and by policy should require, two-factor authentication. There's no excuse for authentication this weak other than laziness.