While most teenage boys are out playing football or sniffing glue, Canadians Matthew Hewlett and Caleb Turon have an altogether more disturbing pastime: reading ATM manuals.
After reading the chapter that demonstrated how to get into the machine's operator mode, they used their school lunch hour last week to trot over to a Bank of Montreal (BMO) ATM in Winnepeg to test out what they'd learnt.
"We thought it would be fun to try it, but we were not expecting it to work," Hewlett told the Winnipeg Sun newspaper. "When it did, it asked for a password."
That password, just six characters long, was the first one they guessed [presumably, 1-2-3-4-5-6 - they are too IT savvy to reveal it, even if BMO isn't]. Yet, when they reported it to the nearest BMO branch, they were told to go away and come back with some proof.
"So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent," said Hewlett.
As further proof, Hewlett changed the ATM's greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked".
While in the UK, that sort of thing – under idiotic proposed laws introduced during the Queen's speech – would get them sent to prison for life, instead BMO asked them to spend the afternoon with the bank's "security" staff.
Ralph Marranca, BMO's director of media relations, said they were aware of the incident and have taken steps that block unauthorised access. "Customer information and accounts and the contents of the ATM were never at risk and are secure," he said.
Although Marranca's in PR so what would he know?
Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy