Two Kids Hack Into ATM — But it’s Not What You Think


For hackers everywhere the prospect of carrying out an ATM attack is like finding the holy grail. Such an incursion presents direct access to money, allowing cybercriminals to bypass any other channels and get right to the good stuff.

One would assume that a breach of an ATM would be malicious, focused on extracting quick cash and disappearing back into the dark recesses of the cybersphere. One may also assume that such an attack would be carried out by an adult, or at least someone old enough to manage his or her own (criminal) finances.

But a recent breach of an ATM in Montreal undermined those two suppositions, since it was neither malicious nor conducted by adults. In this case, the hackers were a couple of high schoolers on lunch break, and their motive was better enterprise security for the bank.

A Rather Productive Lunch Break With Some Great Food For Thought
According to The Winnipeg Sun, Montreal ninth graders Matthew Hewlett and Caleb Turon recently decided that they’d have a unique adventure on a recent lunch break. While the rest of their peers presumably crowded into local restaurants or walked the school halls with brown paper bags in tow, Hewlett and Turon did something entirely different: They went to an ATM operated by the Bank of Montreal. Their goal was simple: Crack the code and gain administrative access to the machine.

But Hewlett and Turon weren’t heading into their hack ill-prepared. Before reaching the ATM, they’d surfed the Web and found an ATM operational guide that described how to get access to the administrative mode of the exact machine they stood in front of during this fateful lunch hour.

It was unclear to the boys if the guide they’d found online would work for the bank’s ATM or if it was outdated.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said later.

Yet after following the instructions from the online printout, they were met with an encouraging sign: A screen, on the ATM, asking them for a password. The only downside was that they had no idea what the password could be. So they typed in 6 common digits — think something along the lines of “123456” or “654321.”

Whatever combination they typed in — according to ZDNet, the exact password isn’t being released to the public — it worked, and the two boys found themselves with administrative access not only to the ATM but also, by extension, to privileged information at the bank.

But then the boys did something that sets them apart from all the malicious hackers out there: They went right to the bank and reported the problem. It took some convincing of the bank staff, but once they did the staff was grateful to the young men for helping expose a major security flaw.

There was only one problem: The boys were late for school.

The bank fixed that by sending them back with a note: “Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BOM with security,”

The message of this story is clear: If a couple of (admittedly enterprising) high schoolers can break into your business’ system, it’s probably time for some better security.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.


Add to the Conversation