The 9th-graders tell the Winnipeg Sun that they’d found the old manual online and found information on accessing the ATM’s operator mode.
And so it was off to their local Safeway, where BMO has an ATM.
“We thought it would be fun to try it, but we were not expecting it to work,” said one of the youngsters.
At some point in the process, the ATM required a password from the operator, so the teens used a “common default password” with six digits (we’re guessing “123456” or the always classic “123123”) and got into the system on their first try.
Rather than use their newfound access to crash the Canadian banking system or launch a global thermonuclear war, the whippersnappers went over to a nearby BMO branch to alert them to just how easily the machine had been violated.
But, being teens, the bank staffer assumed they had done something teen-like and lost their PIN.
“”No, no, no. We hacked your ATM. We got into the operator mode,” one of the mini MacGyvers told the employee. “He said that wasn’t really possible and we don’t have any proof that we did it.”
The boys then asked if it was okay for them to demonstrate what they’d done, to which the bank staffer allegedly replied, “Yeah, sure, but you’ll never be able to get anything out of it.”
So it was back to the ATM, where the teens were able to access info about how much money was in the machine, how many withdrawals happened that day, and how much it had earned in surcharges.
“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent,” says one teen, who claims they also changed the ATM greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
With this evidence in hand, they returned to the bank where they were no longer dismissed as pranksters or morons. The branch manager took the issue to bank security.
In a statement to the Sun, a BMO rep tries to downplay the severity of the problem.
“Customer information and accounts and the contents of the ATM were never at risk and are secure,” says the bank, which also says that it’s instituted a fix to the exploit.
We’re going to assume that means the password has been changed to “654321.”
Our favorite part is that these kids did this all during their school lunch hour. They even got the bank to write them a note when they realized they would be tardy in returning to the school on time.