Teens demonstrate ATM security issues


Having spent time in several banks over the years I am well aware of some of the security issues as they relate to ATM machines. I recall back in the 90s how the Russian mob in Toronto would use digital audio tape to record the transactions on ATM machines and then create duplicate cards. This was a lesson that helped in the move to the adoption of encryption for traffic in ATM systems. 

That being said, there is still a long way to go. This weekend an article about a pair of teens finding an old Bank of Montreal ATM manual online was forwarded to me by a friend (h/t Jackie). The kids in the story thought, “this would be neat to try”. So, they wandered out to find an ATM. They were stunned when they discovered that the username and password which they guessed first worked. 

From Winnipeg Sun:

When they told staff about a security problem with an ATM, they assumed one of their PIN numbers had been stolen, Hewlett said.

"I said: 'No, no, no. We hacked your ATM. We got into the operator mode,'" Hewlett said.

"He said that wasn't really possible and we don't have any proof that we did it.

"I asked them: 'Is it all right for us to get proof?'

"He said: 'Yeah, sure, but you'll never be able to get anything out of it.'

"So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges.

"Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent."

I’m very happy to see that the kids thought to ask for permission from the bank before attempting to get proof rather than trying to change anything of their own volition. This sort of thing doesn’t happen enough as teens don’t often have the understanding of the implications of their actions. I thought it was a stroke of genius that they asked for a note from the bank, on bank letterhead, to excuse them being late for school.

While it is a problem that default, or easily guessed passwords, exist on these systems it should also be noted that the vast majority of these systems still run on Windows XP. The larger problem is brewing.


(Image used under CC from William Grootonk)

New! Download the State of Cybercrime 2017 report