
Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

samzenpus posted about 5 months ago | from the protect-ya-neck dept.

Security 378

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"


Not surprising. (5, Insightful)

Z00L00K (682162) | about 5 months ago | (#47197351)

I'm not even mildly surprised that this was possible.

Re: Not surprising. (1)

Anonymous Coward | about 5 months ago | (#47197467)

Way to go kids

+1 for hacking although I'm surprised they didn't make withdrawals first

Re:Not surprising. (2)

Penguinisto (415985) | about 5 months ago | (#47197775)

I'm not even mildly surprised that this was possible.

Not at that I'm not... what I am surprised at is the fact that the bank didn't immediately have the kids locked-up and headed for a lifetime of prison.

Re:Not surprising. (4, Insightful)

PRMan (959735) | about 5 months ago | (#47197847)

It's Canada, not the US.

Re:Not surprising. (5, Funny)

NotDrWho (3543773) | about 5 months ago | (#47197867)

Okay, a lifetime of prison with the signs also in French.

Re:Not surprising. (0)

Anonymous Coward | about 5 months ago | (#47197875)

Montreal is in Canada...

Hacked? (3, Insightful)

Anonymous Coward | about 5 months ago | (#47197355)

So....
they had the manual with passwords....

this is hacked.... how?

Re:Hacked? (2)

Shatrat (855151) | about 5 months ago | (#47197391)

The default passwords shouldn't be used, and without a key someone shouldn't be able to gain management access to the device.

Re:Hacked? (2)

ganjadude (952775) | about 5 months ago | (#47197485)

it is insane how many devices out there are still using default passwords. It seems to me that the only items I'm seeing ship with unique PWs by default these days are cheap WIFI routers, surprisingly. I can't tell you how many coke machines out there can be taken over by simple keypresses. My best friend was a Coke distributor, and none of their machines were on a different default PW; always made getting a coke trivial for him, however.

Re:Hacked? (4, Insightful)

PopeRatzo (965947) | about 5 months ago | (#47197845)

I can't tell you how many coke machines out there can be taken over by simple keypresses.

I notice you're not sharing the password with us thirsty readers.

C'mon, bro.

Hacked? (3, Informative)

Anonymous Coward | about 5 months ago | (#47197393)

It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.

Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.

Re:Hacked? (4, Funny)

Richy_T (111409) | about 5 months ago | (#47197539)

That's the password on my luggage.

Re: Hacked? (0)

Anonymous Coward | about 5 months ago | (#47197669)

12345

Re:Hacked? (1)

cheesybagel (670288) | about 5 months ago | (#47197779)

Last time I traveled to the US I left my luggage unlocked but the lovely people at the TSA - hi folks - still had to break them open by force probably for 'inspecting' my aftershave.

Re:Hacked? (2)

laird (2705) | about 5 months ago | (#47197589)

True, it's a "hack" but it's a pretty trivial hack.

Re:Hacked? (5, Insightful)

Yakasha (42321) | about 5 months ago | (#47197695)

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
Even putting "trivial" in front diminishes the glory of hacking.

Re:Hacked? (2)

meerling (1487879) | about 5 months ago | (#47197737)

They neither hacked nor cracked it, they used the built-in and approved method as outlined in the Operators Manual. The only questionable part was that they were not authorized to do so, except maybe when they demonstrated it to the bank personnel because they were requested to by an authorized person.

Re:Hacked? (3, Insightful)

TheCarp (96830) | about 5 months ago | (#47197491)

A better question is: This is secured.....how?

Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

Re:Hacked? (2)

geekoid (135745) | about 5 months ago | (#47197529)

You have 100s of machines, dozens of employees, who need legitimate access. How do you share the passwords on all those machine?
Is your solution cost effective? Does it account for areas with bad reception?
Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

Re:Hacked? (0)

Anonymous Coward | about 5 months ago | (#47197675)

How about telling your employees to change the password when they install it, and update a master list at the bank it's installed at for future maintenance issues. What about after installing it the tech makes the password follow a set pattern that all techs use, like the default password+last four digits of the machine serial number? It doesn't seem too difficult a task to accomplish, but YMMV.
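The procedure in the comment above (change the password at install, keep a master list for maintenance) needs an audit to back it up, so here is one as an added example. It is not code from the Slashdot thread, the bank or any ATM vendor: the inventory records, the KNOWN_DEFAULTS list, the serial numbers and the password values are all constructed placeholders. The "default plus last four of the serial" convention suggested in the comment is flagged rather than accepted, because anything derived from the serial plate is predictable to whoever can read it.

```python
"""Audit an ATM fleet inventory for weak operator passwords.

Added example, not code from the Slashdot thread, the bank or any ATM
vendor. The inventory records, the KNOWN_DEFAULTS list and the password
values are constructed placeholders; real vendor defaults are deliberately
not reproduced here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str
    serial: str
    operator_pw: str
    installed: date
    pw_changed: date


# Constructed: the defaults an auditor would transcribe from the manuals
# for the models actually in the fleet (placeholders, not real values).
KNOWN_DEFAULTS = {"123456", "000000", "111111"}

# Constructed fleet inventory.
FLEET = [
    Device("ATM-001", "SN-88231", "123456", date(2013, 2, 1), date(2013, 2, 1)),
    Device("ATM-002", "SN-88232", "1234568232", date(2013, 2, 1), date(2013, 2, 3)),
    Device("ATM-003", "SN-90001", "123456", date(2013, 5, 10), date(2013, 5, 10)),
    Device("ATM-004", "SN-90002", "Qv7#pL2m9xTe", date(2013, 5, 10), date(2013, 5, 11)),
]


def findings_for(dev, pw_counts):
    """Return the list of weaknesses found for one device (empty if clean)."""
    found = []
    if dev.operator_pw in KNOWN_DEFAULTS:
        found.append("vendor-default password")
    if dev.pw_changed <= dev.installed:
        found.append("password not changed since install")
    # "default + last four of the serial" is readable off the serial plate,
    # so it is flagged rather than accepted as a per-device password.
    if any(dev.operator_pw == d + dev.serial[-4:] for d in KNOWN_DEFAULTS):
        found.append("password derived from serial number")
    if pw_counts[dev.operator_pw] > 1:
        found.append(f"password shared by {pw_counts[dev.operator_pw]} devices")
    return found


def audit(fleet):
    """Map each device id to its findings."""
    pw_counts = Counter(d.operator_pw for d in fleet)
    return {d.device_id: findings_for(d, pw_counts) for d in fleet}


def weak_devices(fleet):
    """Device ids that need attention, sorted."""
    return sorted(i for i, f in audit(fleet).items() if f)


if __name__ == "__main__":
    for dev_id, f in audit(FLEET).items():
        print(dev_id, "OK" if not f else "; ".join(f))
```

Run against the constructed fleet, ATM-004 is the only device that passes; the other three are flagged for a vendor default, a serial-derived password, or both, and the two devices sharing "123456" are reported as a shared credential. The install-date comparison is the cheap check worth keeping on any real inventory: a password that has never changed since the install date is almost always still the manual's value.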

Re:Hacked? (1)

rickb928 (945187) | about 5 months ago | (#47197701)

1. The solution is cost effective if it costs substantially less than the losses, both immediate and cumulative.

2. How many times would I be anticipating replacing that $30k item? More than 17 times a year, I lose. That's more than once a month. Indeed, if I take just 2 weeks to replace the item, I may come out ahead, but I don't have the item for almost 50% of the time, so why do I bother replacing it? Oh, actually, I lock the door the second time the item is taken. My effort replacing items is worth it.

3. That was a stupid analogy. Lax security due to cost is an argument to discontinue the service and shut down the business.

Re:Hacked? (1)

Anonymous Coward | about 5 months ago | (#47197709)

These are banks we're talking about. Using a real system like physical or physical-digital keys would cost money, yes, but it would simply mean that greedy fuck execs can get paid a billion dollars minus one. More likely though, it would just mean they pay their underlings less.

wrong and trivial solutions (4, Interesting)

raymorris (2726007) | about 5 months ago | (#47197747)

First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.

Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman empire or so.

Re:Hacked? (5, Funny)

Yakasha (42321) | about 5 months ago | (#47197673)

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Re:Hacked? (3, Insightful)

rogoshen1 (2922505) | about 5 months ago | (#47197699)

because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

Re:Hacked? (2)

Jeremy Erwin (2054) | about 5 months ago | (#47197769)

I recently read Clifford Stoll's Cuckoo's egg and a good many of "Hunter's" exploits were based on nothing more than known service passwords. You'd think that things would have changed since 1989, but apparently the same mistakes are being made.

In the US they'd have been charged (4, Insightful)

JohnnyComeLately (725958) | about 5 months ago | (#47197367)

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Re:In the US they'd have been charged (5, Insightful)

Anonymous Coward | about 5 months ago | (#47197407)

They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 5 months ago | (#47197415)

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

I agree!

Re:In the US they'd have been charged (1)

cdrudge (68377) | about 5 months ago | (#47197421)

Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Of course you are. Why would they leave things that don't plug into a wall and/or have Ethernet capabilities? Take everything. Toaster, tooth brush, pet rock...it's all evidence of the crime and/or hacking tools. They'd probably search the houses of your friends, family, and the guy you looked at walking down the street a week ago too.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 5 months ago | (#47197451)

They will be, soon enough.

1984 eleventyoneone!!!! (1)

Hognoxious (631665) | about 5 months ago | (#47197497)

Could be worse. In Britain they'd have been filmed with cameras!

Re:1984 eleventyoneone!!!! (0)

Anonymous Coward | about 5 months ago | (#47197543)

They aren't using film anymore, pappaw.

And other stuff (4, Interesting)

tekrat (242117) | about 5 months ago | (#47197519)

For example, if they find bleach AND draino under the sink, you're also charged with "Chemical Weapons Possession" if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.

Re:And other stuff (2)

SuricouRaven (1897204) | about 5 months ago | (#47197635)

Usually they'll use that to threaten the suspect into a plea bargain. Either admit guilt and go to jail for five years, or fight it and they'll do the best they can to send you for fifty.

Re:And other stuff (1)

meerling (1487879) | about 5 months ago | (#47197809)

Back when I was a kid in school, we used a lot of things for explosives in science class. Including flour and sugar. You'd also be amazed what you can do with steel wool and aluminum wool or powder.
Your entire house is composed of nothing but potential chemical weapons and explosive components. Face it, they are all chemicals and most of them can burn, only assholes totally trying to stretch laws way past stupid over-reach will try to arrest someone on something that flimsy.

Re:In the US they'd have been charged (1)

geekoid (135745) | about 5 months ago | (#47197553)

seems. yes, seems. based on your echo chamber.
Not really likely.

Re:In the US they'd have been charged (2)

ColdWetDog (752185) | about 5 months ago | (#47197629)

Which is a sad (if a bit hyperbolic) reflection of things these days. In the early 1970's, we had a time sharing terminal at our high school. I noted the manuals for the system in my father's office at Boeing, 'borrowed' the manuals and we proceeded to have a fun couple of hours screwing around in admin land. We then got a nice little reply on said terminal to please stop doing that.

So we stopped.

The school got a phone call that asked them to supervise the children a bit better and that was that. No muss. No fuss. No SWAT teams. Ah, the 70's.

Re:In the US they'd have been charged (1)

rickb928 (945187) | about 5 months ago | (#47197745)

Damn. I got kicked off a timesharing system because I disagreed with the sysadmins over politics. They booted an entire state off the system until I promised to go away and never come back.

I came back 12 years later. They had been sold off.

Re:In the US they'd have been charged (1)

meerling (1487879) | about 5 months ago | (#47197835)

In the early 80s, a bunch of us taught ourselves how to use the computers using only their manuals and experimentation. We then had to teach the teachers, since they didn't know anything. Ironically, 3 years later those same computers were reserved for the teachers only.

Re:In the US they'd have been charged (1)

Ravaldy (2621787) | about 5 months ago | (#47197715)

For some reason I don't doubt that.

Same goes for the 24 year old who killed 3 federal officers last week in Moncton. In the US they probably would have shot him and asked questions later.

Re: In the US they'd have been charged (1)

pchasco (651819) | about 5 months ago | (#47197749)

And they should be charged. What if they were caught in the act or otherwise before they had an opportunity to report the vulnerability? "No, officer. We weren't going to do anything malicious! We were just trying to help! I swear!" is not going to get them out of trouble. So if that excuse wouldn't fly, then any white hat hacker who isn't hacking with authorization runs the risk of getting caught and getting in deep shit. There's just no way to know who's got malicious intent and letting anyone off the hook who pinky swears they were just trying to help is just daft.

Re: In the US they'd have been charged (2)

pchasco (651819) | about 5 months ago | (#47197829)

Let's use a different example. What if you came home one day from work to find a brochure on your kitchen table advertising security and lock systems along with a business card and a note informing you that your house is insecure because you left your back bedroom window unlocked. Should you call the cops on the guy? He didn't steal or harm the residence in any way. He is just trying to help.

Only surprise is,.. (1)

Selur (2745445) | about 5 months ago | (#47197373)

that they didn't scam the bank and buy a few nice gadgets.
(or may be they have and nobody noticed ;))

No Good Deed Goes Unpunished (1)

Tokolosh (1256448) | about 5 months ago | (#47197377)

In the USA anyway, the kids are looking at adult jail time.

Re:No Good Deed Goes Unpunished (1)

CrimsonAvenger (580665) | about 5 months ago | (#47197517)

Did "Bank of Montreal" not clue you in that this wasn't in the USA?

Re:No Good Deed Goes Unpunished (1)

Tokolosh (1256448) | about 5 months ago | (#47197581)

Did "In the USA anyway..." not clue you in.... Nevermind.

Re:No Good Deed Goes Unpunished (2)

CrimsonAvenger (580665) | about 5 months ago | (#47197783)

In the USA (and Canada, and the UK, and pretty much the rest of the world), we have something called "tenses".

Specifically, there are tenses that apply to counterfactual but hypothetical cases. For instance, if you're trying to say that in the USA someone would be subject to thus and so, one might say "in the USA, they WOULD BE charged".

Or one might add as a prequel to your statement that standard word for hypothetical but counterfactual "if"...Nevermind. I forgot this was /., where literacy is never an expectation of the technically inclined.....

Re:No Good Deed Goes Unpunished (0)

Anonymous Coward | about 5 months ago | (#47197609)

Indeed. Just the fact that kids went to the bank and told them, and the bank politely followed them back to an ATM and waited while they demonstrated, should clue you in that this was Canada.

Hell the bank employees probably gave them a hearty hand shake and took them to Tim Hortons afterwards as a thank you. It'd be impolite not to.

Re:No Good Deed Goes Unpunished (1)

meerling (1487879) | about 5 months ago | (#47197863)

Yeah, in the USA they'd have probably called the cops afterward, pressed charges, and given interviews to the news station that they stopped a pair of bank robbers that might be linked to terrorists.

Kids Guess Default Password "123456" (1)

horm (2802801) | about 5 months ago | (#47197381)

Breaking news!

Re:Kids Guess Default Password "123456" (2)

OS2toMAC (1327679) | about 5 months ago | (#47197817)

We're talking Canada. Password was probably "hockey".

Too dangerous to keep digitally now? (1)

coastwalker (307620) | about 5 months ago | (#47197383)

Does anyone else think that it's getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?

Re:Too dangerous to keep digitally now? (1)

ClownPenis (1315157) | about 5 months ago | (#47197417)

No. Security through obscurity is worthless.
Keeping the default administrator password default is the problem.

Re:Too dangerous to keep digitally now? (2)

geekoid (135745) | about 5 months ago | (#47197569)

NO, it is not worthless. It is a layer of security, and a valid one.

Any single layer security process is foolish.
Risk, costs, effort: these are all factors that need to be mitigated.

Re:Too dangerous to keep digitally now? (2, Insightful)

schwit1 (797399) | about 5 months ago | (#47197689)

If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

security through obscurity = camouflage

Re:Too dangerous to keep digitally now? (1)

infogulch (1838658) | about 5 months ago | (#47197447)

With that sentiment, you'd never put *anything* online. This whole thing is just some asshat ATM admins leaving stuff in the *default configuration*. This is the equivalent of buying a home router and not changing the default password (though nowadays routers come with individualized passwords, but they didn't used to).

Re:Too dangerous to keep digitally now? (5, Interesting)

cdrudge (68377) | about 5 months ago | (#47197645)

though nowadays routers come with individualized passwords, but they didn't used to

When Verizon FiOS first came to my area, the autogenerated WEP password was based on a 5 character SSID. There were online tools [whatsmyip.org] that you could use to look up what the default password would be and almost no one, relatively speaking, bothered to change it from the default. Came in handy on more than a few occasions to get free wifi as just about anywhere you go you were in range of someone that had FiOS.

Another brand used the wireless MAC as the WEP key. shm

Re:Too dangerous to keep digitally now? (1)

Seranfall (680430) | about 5 months ago | (#47197455)

And what exactly are you using to create that printed document? Unless you typed it out on an old school typewriter it is already in digital form.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 5 months ago | (#47197461)

Some things are better to just forget than record in any form.

In other news... (5, Funny)

Anonymous Coward | about 5 months ago | (#47197397)

In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to have diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.

Not hacking this term is thrown so loosely (2, Insightful)

Anonymous Coward | about 5 months ago | (#47197401)

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

Re:Not hacking this term is thrown so loosely (1)

Anonymous Coward | about 5 months ago | (#47197473)

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

I dunno, FTFA:
Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked.

They guessed the admin password. Sounds like hacking to me.

Re:Not hacking this term is thrown so loosely (1)

Cro Magnon (467622) | about 5 months ago | (#47197537)

Is it considered hacking if the admin password is "123456"?

Re:Not hacking this term is thrown so loosely (1)

ColdWetDog (752185) | about 5 months ago | (#47197655)

Is it considered hacking if the admin password is "123456"?

No, it's considered packing. As in 'packing your luggage'.

Re:Not hacking this term is thrown so loosely (1)

Charliemopps (1157495) | about 5 months ago | (#47197733)

The AT&T hack was considered a hack and all the dude did was go to a URL that was something like:
att.com/account/1234
and change the number at the end to: 1235
etc...
He got... 10yrs was it?

Re:Not hacking this term is thrown so loosely (1)

X0563511 (793323) | about 5 months ago | (#47197781)

Yes, but it's a stupid and easy one.

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 5 months ago | (#47197585)

If guessing '123456' is hacking then I fear for computer security in the future. It said hacking is a loosely used term and that perspective is still unchanged.

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 5 months ago | (#47197799)

I would still fear for future computer security even if guessing 123456 wasn't hacking. Might even fear it more.

Two kids could have stolen an ATM's worth of money, without even hacking it.

Car analogy time: How would you feel if some random kid could disable your car's brakes just by asking it to?

Re:Not hacking this term is thrown so loosely (1)

ThePackager (562279) | about 5 months ago | (#47197843)

So we need a new term that refers to the non-malicious, sensible demonstration of system vulnerabilities. Hacking is a violent term and dredges up connotations of evil, or at least intense coughing. How about 'Slacking' - 'Door Pointing' - or 'Hewlett-Turoning' (give the kids some fame!)

Relax, folks. (5, Insightful)

Anonymous Coward | about 5 months ago | (#47197413)

This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

I want to be shocked, but I just can't be. (4, Interesting)

Ghostworks (991012) | about 5 months ago | (#47197435)

Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.

The fact that they still do this is depressing, but doesn't surprise me in the least.

Re:I want to be shocked, but I just can't be. (1)

TubeSteak (669689) | about 5 months ago | (#47197565)

These aren't hard coded admin passwords, just default passwords that were never changed.

Re:I want to be shocked, but I just can't be. (1)

X0563511 (793323) | about 5 months ago | (#47197791)

You'd think watching Mitnick do what he did to the telcos would have cured them of that assumption.

Guess not..

Kids these days. (1)

Rodness (168429) | about 5 months ago | (#47197453)

By "hacked" you mean "followed printed instructions from a user's manual". If that's the new "hacking" then I weep for mankind.

Re:Kids these days. (5, Insightful)

Ionized (170001) | about 5 months ago | (#47197587)

they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

Re:Kids these days. (1)

X0563511 (793323) | about 5 months ago | (#47197815)

He didn't fiddle-fart around with it... he just shat on it directly. At least he didn't screw around, and just came to the purpose without delay...

The real crime is... (3, Insightful)

g01d4 (888748) | about 5 months ago | (#47197481)

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

Re:The real crime is... (2)

Wain13001 (1119071) | about 5 months ago | (#47197503)

When it uses the same combination as my luggage!

Re:The real crime is... (1)

Obfuscant (592200) | about 5 months ago | (#47197637)

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

The Sun article was written by a moron. If they're using a common default password then it wasn't a random guess.

I'd be more impressed if they played the tune "Take Me Down to the Basement..." (sounds like 'Take me out to the ballgame") on the keypad and it gave them $400.

I think it becomes criminal neglect once a law is passed saying that forgetting to set a password on a device is a crime. You'd have a hard time getting from "human mistake" to "it's a crime!" otherwise.

Where the kids need a bit of education is in what they did to the machine after they "hacked" it. Setting the surcharge to 1 cent and changing the welcome message to tell people to go away was irresponsible. It didn't fix the problem, it didn't educate the bank, it just cost them money.

Operator Mode (1)

Destined Soul (1240672) | about 5 months ago | (#47197495)

I wonder what actually is accessible via operator mode. Changing text and the fees is one thing, but can it actually give the 'operator' any money by either changing the account where fees are deposited and/or by directly 'withdrawing' the money on the spot (without a bank account).

Re:Operator Mode (1)

Bob the Super Hamste (1152367) | about 5 months ago | (#47197579)

From what I understand you can change what the machine believes it is loaded with. So if it is physically loaded up with $20 bills then you tell it it is loaded with $1 bills and let people make withdrawals. The person goes and makes a withdrawal for $40, so $40 gets subtracted from their account but instead they get $800 in physical dollars because they got 40 $20 bills.
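The two operator-mode actions the thread describes (the surcharge change in the summary and the cassette denomination mismatch in the comment above) both leave traces in an ATM's electronic journal, so here is a detector over such a journal as an added example. It is not code from the Slashdot thread, the bank or any ATM vendor: the journal line format, the event and field names, the work-order rule and the LOADED_DENOMS table are all constructed for illustration, and a real deployment would parse the terminal's own journal format and take the loaded denominations from the cash-handling records rather than from the terminal.

```python
"""Detect operator-mode abuse in an ATM electronic journal.

Added example, not code from the Slashdot thread, the bank or any ATM
vendor. The journal line format, field names, work-order rule and the
LOADED_DENOMS table are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed: what the cash handlers actually loaded into each cassette,
# recorded outside the terminal so a config change on it cannot alter this.
LOADED_DENOMS = {("ATM-017", "cassette1"): 20}

# Config keys whose change from operator mode should always be reviewed.
SENSITIVE_KEYS = re.compile(r"^(surcharge|cassette\d+_denom)$")

LINE = re.compile(r"^(?P<ts>\S+) (?P<atm>\S+) (?P<event>[A-Z_]+)(?P<kv>.*)$")

# Constructed journal: an unapproved session that lowers the surcharge and
# mis-sets the cassette denomination, one withdrawal afterwards, then a
# technician session under a work order that restores the surcharge.
JOURNAL = [
    "2014-06-09T15:02:11 ATM-017 OPERATOR_MODE_ENTER user=operator",
    "2014-06-09T15:03:40 ATM-017 CONFIG_CHANGE key=surcharge old=2.00 new=0.01",
    "2014-06-09T15:04:05 ATM-017 CONFIG_CHANGE key=cassette1_denom old=20 new=1",
    "2014-06-09T15:05:00 ATM-017 OPERATOR_MODE_EXIT",
    "2014-06-09T15:10:22 ATM-017 WITHDRAWAL amount=40 cassette=cassette1 notes=40",
    "2014-06-10T09:00:00 ATM-017 OPERATOR_MODE_ENTER user=tech_4471 workorder=WO-2231",
    "2014-06-10T09:02:00 ATM-017 CONFIG_CHANGE key=surcharge old=0.01 new=2.00",
    "2014-06-10T09:05:00 ATM-017 OPERATOR_MODE_EXIT",
]


def parse(line):
    """Split one journal line into a dict of timestamp, atm, event and key=value fields."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable journal line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "atm": m.group("atm"),
            "event": m.group("event"), **fields}


def analyse(lines):
    """Return alert strings for operator sessions without a work order,
    sensitive config changes made in such sessions, and withdrawals that
    dispensed more cash than was debited because of a denomination mismatch."""
    alerts = []
    session = {}    # atm -> record of the currently open operator session
    denom_cfg = {}  # (atm, cassette) -> denomination the terminal now believes
    for rec in map(parse, lines):
        atm, ev = rec["atm"], rec["event"]
        if ev == "OPERATOR_MODE_ENTER":
            session[atm] = rec
            if "workorder" not in rec:
                alerts.append(f"{rec['ts']} {atm}: operator mode entered by "
                              f"{rec.get('user', '?')} with no work order")
        elif ev == "OPERATOR_MODE_EXIT":
            session.pop(atm, None)
        elif ev == "CONFIG_CHANGE":
            key = rec["key"]
            if SENSITIVE_KEYS.match(key) and "workorder" not in session.get(atm, {}):
                alerts.append(f"{rec['ts']} {atm}: {key} changed {rec['old']} -> "
                              f"{rec['new']} outside an approved work order")
            if key.endswith("_denom"):
                denom_cfg[(atm, key[: -len("_denom")])] = int(rec["new"])
        elif ev == "WITHDRAWAL":
            cassette = rec["cassette"]
            loaded = LOADED_DENOMS[(atm, cassette)]
            believed = denom_cfg.get((atm, cassette), loaded)
            if believed != loaded:
                notes = int(rec["notes"])
                alerts.append(f"{rec['ts']} {atm}: debited {rec['amount']} but dispensed "
                              f"{notes * loaded} ({notes} x {loaded} notes; terminal "
                              f"believes {believed})")
    return alerts


if __name__ == "__main__":
    for a in analyse(JOURNAL):
        print(a)
```

On the constructed journal this yields four alerts: the unapproved session, the surcharge and denomination changes made inside it, and the $40 withdrawal that actually paid out $800. The technician's later surcharge change is silent because it happened under a work order. The denomination check only works because the loaded denominations come from a record the terminal cannot rewrite; reading them back from the terminal's own config would make the mismatch invisible.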

It's really sad that they'll go to jail (0)

Anonymous Coward | about 5 months ago | (#47197501)

Obviously, they did nothing wrong, but they are going to end up in jail anyway. I find that very sad.

It's really sad that they'll go to jail (0)

Anonymous Coward | about 5 months ago | (#47197753)

This is Canada. They won't go to jail. They'll just get a stern talking to and inspire a lot of angry letter-writers.

Just wait ... (1)

Xciton (84642) | about 5 months ago | (#47197507)

Criminal charges pending in 3 ... 2 ... 1 ....

Demo Disks (5, Interesting)

Ronin Developer (67677) | about 5 months ago | (#47197521)

Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk that, when inserted into a floppy disk port inside the ATM's housing (but, easily accessed) placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM - including the automatic dispensing of cash.

With furled eyebrows, he asked whatever became of all the demo disks after the ATM was installed..nobody knew...just assumed they were thrown out. He asked if they considered this a problem. And, he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted...until one day when money just started disappearing from ATMs. Seems, somebody else found or had one of those disks and realized what they had.

Pretty scary these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispenser like was possible with the old demo disks.

It's a (c)apostrophe! (1)

necro81 (917438) | about 5 months ago | (#47197541)

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for the submitter or editors to include an apostrophe here and there.

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

I had to read this a few times to figure out what was going on. Why do I care about "kids with operators"? How does one "manual alert" someone? Then I realized that we were talking about an Operator's (or Operators') Manual, and that the submitter and editors were just illiterate.

Re:It's a (c)apostrophe! (1)

Anonymous Coward | about 5 months ago | (#47197765)

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for the submitter or editors to include an apostrophe here and there.

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

I had to read this a few times to figure out what was going on. Why do I care about "kids with operators"? How does one "manual alert" someone? Then I realized that we were talking about an Operator's (or Operators') Manual, and that the submitter and editors were just illiterate.

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for this commentator to include a question mark at the end of his rhetorical question?

Stop Assuming Appliances Can DropIn Without Config (3, Interesting)

infogulch (1838658) | about 5 months ago | (#47197603)

From this to Highway Sign Hacking [slashdot.org] to that researcher that made a botnet of home routers with default config to ping the whole of ipv4, I really hope admins are getting the point that you can't just drop appliances in public places without adjusting the default configuration. What critical infrastructure is left out there just begging for someone with an operator's manual to wreck it, or even worse, exploit it? Can we get a wake-up call to the administrators of these appliances?

Re:Stop Assuming Appliances Can DropIn Without Con (3, Interesting)

Anonymous Coward | about 5 months ago | (#47197807)

Honestly, I don't think even a wake-up call would do anything. Prime example from my life:

I went to a community college for a few years to get gen-eds out of the way cheap before going to a real college. In one of the buildings, there was a break room that was really popular with students despite not really being anything special - some tables and chairs, and that was about it. I had no idea why it was so popular when there were other break rooms on campus that had TVs and better Wi-Fi access and the like.

A few days in, I found out why. There was an older soda machine in the back of the room, and every so often I'd buy one. Almost every time, I'd wind up getting two (or sometimes three) sodas when I paid for one. At first I thought I was just really lucky, but then I found out that the machine was badly secured. There was a default button combination you could press that would take the machine into admin mode, where you could do things like get it to dispense free drinks. Doing this would cause a bottle to be loaded into position as if someone had paid for it, so the next person to buy a drink would get two.

Apparently, this was a well-known 'secret' on campus. Even the professors did it. I can't tell you how much money the vending machine owner probably lost, and I'm sure they knew that something was up based on how quickly the stuff was disappearing and how the money didn't add up. This was about seven years ago.

I went back to the same school to sign up for some classes just a month ago. On my way back, I stopped at that break room, and sure enough, that machine still hasn't had the password changed.

This is surprising... (1)

Anonymous Coward | about 5 months ago | (#47197621)

because I didn't think kids today read anything more complex than the Twilight and Shades of Gray books.

Re:This is surprising... (1)

rickb928 (945187) | about 5 months ago | (#47197759)

Let's hope they don't read any more Slender Man stories.

No charges (2, Informative)

Anonymous Coward | about 5 months ago | (#47197643)

They had permission from an employee. Whether the employee had the authority to grant that permission is another issue altogether, but they were acting with the bank's permission.

Is that really hacking? (1)

GodfatherofSoul (174979) | about 5 months ago | (#47197653)

n/t

How are they not in prison? (1)

Anonymous Coward | about 5 months ago | (#47197703)

Oh. Canada.

Almost the perfect non-crime (1)

rickb928 (945187) | about 5 months ago | (#47197755)

Right up to the "I found a way to change the surcharge amount" part.

Darn.

Kids? (3)

meta-monkey (321000) | about 5 months ago | (#47197767)

Kids?! More like cybercriminal financial terrorists! Time for a no-knock SWAT raid! Flashbangs, go go go and shoot the dog, too!

Feynman lives on (2)

Deadstick (535032) | about 5 months ago | (#47197797)

Seems like an echo of Richard Feynman's famous "I can open your safe" hobby at Los Alamos. Same method: guessing at obvious combinations like birthdates, in the 50% of cases where the lock wasn't still on the factory combination.

And yet (2)

Hamsterdan (815291) | about 5 months ago | (#47197871)

When there's an ATM fraud in a customer's account, the customer is held responsible for his own account.

Admin control is usually a customer requirement (2, Interesting)

Anonymous Coward | about 5 months ago | (#47197881)

I worked on a device that acted as a security gateway within major ISP networks. We read material/took courses/interviewed the various security best practices, guidelines and design suggestions gurus before coming up with the general architecture. We had one-time-use passwords, 2-factor auth, admin mode pw reset that required special hw dongles etc.

The ISPs liked it initially, but their admins kept perma-locking the console, because they'd failed to enter the creds enough times. That forced the key-holder to fetch the dongle to reset the pw. It turned out, the "admins" were often high school dropouts who'd taken some remedial IT courses. Their qualifications were primarily that they'd do shift work for minimum wage, not any particular skill. As such, following printed, step-by-step instructions that required they enter the 2-factor random pw was *far* too complicated. They'd mix the pw order (secure card digits first vs. adminpass), screw up the capitalization etc etc. All the key-holder interventions cost them too much downtime and paid overtime.

In the end, we ended up implementing the industry standard, 6-8 character (alphanumeric + !@#...) fixed string password. No 2-factor, no admin lockout, with a default password that could be reset by holding certain keys down during startup. All the cutting edge stuff was tossed, because the freakin' ISPs' admins were smeg heads.

Argh!
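The trade-off this comment describes (a hard lockout that needs a key-holder visit turns every typo into downtime, while dropping lockout entirely lets anyone guess freely) has a middle ground. Below is an added example, not code from the commenter's product or from any ISP appliance: a login throttler for a device-local admin console that uses escalating, self-expiring delays instead of a permanent lock, and logs each lockout so a burst of failures is visible to whoever watches the logs. The user names, password, salt, thresholds and 15-minute cap are all constructed assumptions; the clock is passed in so the policy can be exercised without waiting.

```python
"""Escalating, self-expiring login throttling for an admin console.

Added example (not the commenter's code). Assumptions: a device-local
console with a small password table, PBKDF2-SHA256 password hashing, a
caller-supplied monotonic clock, and the constructed policy constants
below. A fat-fingered admin is delayed a few seconds; a sustained guessing
run is delayed minutes; nobody is locked out until a key-holder shows up.
"""
from __future__ import annotations

import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("console-auth")


def make_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; the iteration count is a constructed value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value; 0.0 means not locked


class LoginThrottler:
    FREE_ATTEMPTS = 3    # typos tolerated before any delay (assumed policy)
    BASE_DELAY = 2.0     # seconds once the free attempts are used up
    MAX_DELAY = 15 * 60  # never longer than 15 minutes, so no key-holder visit

    def __init__(self, pw_hashes: dict[str, bytes], salt: bytes):
        self._pw_hashes = pw_hashes
        self._salt = salt
        self._state: dict[str, AccountState] = {}

    def delay_for(self, failures: int) -> float:
        """Escalation: 0 s for the first few typos, then 2, 4, 8 ... s, capped."""
        if failures < self.FREE_ATTEMPTS:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (failures - self.FREE_ATTEMPTS), self.MAX_DELAY)

    def attempt(self, user: str, password: str, now: float) -> tuple[bool, float]:
        """Return (accepted, seconds until the next attempt is allowed)."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            # Still inside a delay window: refuse without even checking the password.
            return False, st.locked_until - now

        # Hash unconditionally so an unknown user name costs the same time as a
        # known one, and compare in constant time.
        candidate = make_hash(password, self._salt)
        expected = self._pw_hashes.get(user)
        ok = expected is not None and hmac.compare_digest(candidate, expected)

        if ok:
            st.failures = 0
            st.locked_until = 0.0
            return True, 0.0

        st.failures += 1
        wait = self.delay_for(st.failures)
        st.locked_until = now + wait
        if wait:
            # The log line is the detection hook: repeated lockouts on one
            # account, or across many accounts, is what a monitor should alert on.
            log.warning("user=%s consecutive_failures=%d locked_for=%.0fs",
                        user, st.failures, wait)
        return False, wait


if __name__ == "__main__":
    # Constructed demo: one admin account, three typos, then the right password.
    logging.basicConfig(level=logging.WARNING)
    salt = b"constructed-salt"
    throttler = LoginThrottler({"admin": make_hash("correct horse", salt)}, salt)
    for t, pw in [(0.0, "wrong"), (1.0, "wrong"), (2.0, "wrong"),
                  (3.0, "correct horse"), (4.0, "correct horse")]:
        print(t, throttler.attempt("admin", pw, t))
```

The state here is per-account, which is what the comment's scenario calls for; a console reachable from a network would additionally want a per-source-address counter so one guessing client cannot park every account in its delay window.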