Caleb Turon (left) and Matthew Hewlett (right)
Matthew Hewlett and Caleb Turon, both Grade 9 students, chanced upon an old operator's manual for a BMO ATM while surfing the net. Having found the manual, and not even sure whether they would actually be able to put the ATM into "operator mode", they decided to give it a try.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told The Sun. “When it did, it asked for a password.”
To their surprise, their first random guess at the six-digit password turned out to be correct. The password they guessed is one commonly used as a default password on electronic devices. The bank has not revealed the password, but experts believe it to be “123456”.
The boys immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify the bank of the loophole. When they told the staff about a security problem with an ATM, the bank officials assumed one of their PIN numbers had been stolen, Hewlett said.
“I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,’” Hewlett said.
“He (the bank official) said, that wasn’t really possible and we don’t have any proof that we did it.”
“I asked them: ‘Is it all right for us to get proof?’
“He (the bank official) said: ‘Yeah, sure, but you’ll never be able to get anything out of it.’
“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much the ATM collected for different surcharges.
“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent,” Hewlett said.
As further proof, Hewlett playfully changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
They returned to BMO with six printed documents, and this time the bank officials naturally took them seriously.
“They brought the branch manager out to talk to us,” he said. “He was quite concerned and said he would have to contact head security.”
After calling head office to report the security flaw, the branch manager, at Turon’s request, even wrote a note to the school management explaining why the students were late returning to school after lunch.
“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security,” the note began, according to the Sun.
A BMO spokesperson confirmed that no customer information was exposed when Turon and Hewlett probed the ATM’s system.
Luckily for Bank of Montreal, these kids had no evil intentions, or all hell would have broken loose for the bank. It is easy to imagine what could have happened had hackers and cyber criminals chanced upon this manual instead of these schoolchildren.