ATM security is so lax a 14-year-old could beat it

Two 14-year-olds hacked into a cash machine in Winnipeg, Canada using the default system passwords, after discovering an operator’s manual online.

Matthew Hewlett and Caleb Turon went into the local Safeway during their lunch hour to see if they could break into a Bank of Montreal ATM, and were surprised to discover the password shown in the manual had not been changed.

Speaking to the Winnipeg Sun, Hewlett said: "We thought it would be fun to try it, but we were not expecting it to work."

Rebuffed after an initial attempt to report the vulnerability to a branch of the bank, the pair went back to the cash point and started to print off records of the day’s activity to prove their case.

The pair also altered to welcome screen to read "Go away. This ATM has been hacked", changing the surcharge fee to 1 Canadian cent for good measure before returning to the branch.

"They brought the branch manager out to talk to us," Hewlett added. "He was quite concerned and said he would have to contact head security."

The story is another instance of industry failing to adhere to the most basic security practices, a familiar story among IT experts.

Last month IBM revealed half of the servers audited by its subsidiary PowerTech had more than 30 users who had not changed their passwords from the default.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing