This post could have also been titled: BMO is not smarter than a ninth-grader.
It will probably surprise all of no one that there’s at least one version of your typical ATM’s user manual floating around the internets. It’ll probably also surprise all of no one that–at least as of last check–a lot of them are still running Windows XP, which presents its own security issues by itself. So fast forward to the year of the adventurous teen, and what you run up against is exactly the kind of thing that would land you in federal jail on the wrong side of the border.
Matthew Hewlett and Caleb Turon were bored on a lunch break. And, as anyone who knows kids can probably figure out, lunchtime boredom plus access to the internet equals this can only end badly. In this case, it ended with a copy of an ATM user manual. So, the kids did what kids do best–they decided, hey, I wonder if any of this junk actually works. So they show up at a grocery store with a Bank of Montreal ATM, flip open their copy of the manual, and start testing things. They manage to bypass the standard program John Q. Customer sees when he wants to yoink money from the machine, and get into the actual machine OS. Well, or rather, they get to the point where the machine asks them for the OS password.
Now, if these guys are security conscious, the story ends here. They probably guess at a couple of different passwords, get told to buzz off, and away they go back to class with nothing having been upset. But that would be boring, and if there’s anything I’ve learned it’s that major corporations don’t do boring very well. In this case, major corporations also don’t do security very well.
The manual had a list of possible default passwords for the machine. The kids, because hey, they got this far, decided it’d be fun to just cruise on down the list. And wouldn’t you know, on that list of default passwords would be–surprise surprise–the very one that gave them access.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told the Winnipeg Sun. “When it did, it asked for a password.”
They managed to crack the password on the first try, a result of BMO’s machine using one of the factory default passwords that had apparently never been changed.
They took this information to a nearby BMO branch, where staff were at first skeptical of what the two high-schoolers were telling them. Hewlett and Turon headed back to the Safeway to get proof, coming back with printouts from the ATM that clearly showed the machine had been compromised.
The teens even changed the machine’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
Give BMO credit, though–this could have ended a lot worse than it actually did. Rather than, say, jump the gun and haul both kids before a judge (I’m looking directly at you, about 95% of US corporations), they did the smart thing–though perhaps not as smart as, say, changing that damned default password.
The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.
According to the Sun, the note started with: “Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security.”
BMO has apparently learned from a couple of 14-year-olds exactly how important being allergic to default passwords actually is. And from the looks of things, they may or may not have actually done something useful with it–at least one would hope so, since, given that people know this kind of thing’s out there, it’s only a matter of time.
So if your local geek, geek for hire, or tech support employee is standing in the room glaring daggers at either you or your computer monitor while potentially contemplating the quickest way of separating you from your career without getting his hands dirty, stop for 5 seconds and think. “Did I change that standard issue password?” Because odds are pretty freaking good one of you already knows.