Two teenagers in Winnipeg Canada somehow got the idea to see if the default password on a Bank of Montreal ATM machine was still valid. The got the default password after finding the operators manual for the ATM online. As is often the case the default had not ben changed and was still valid. Instead of taking all the money they could carry and running away the kids instead went to the bank to let them know. Of course being fourteen-year-old kids they went to their local branch, and where, being fourteen-year-old kids, no one believed them. The kids had to go back to the ATM and get it to print out stats like how much money was still in the ATM before the bank branch manager believed them enough to notify the banks security department.

There are a lot of things that can be learned from this story, or actually should have already been known. If these kids had tried this in the United States, despite their good intentions, they may have been charged with a violation of the CFAA (Computer Fraud and Abuse Act). If the bank manager had not been so understanding I am sure they could have been charged with the Canadian equivalent. Testing for default passwords on bank owned ATMs is probably not the smartest way to utilize your free time.

The branch manager should have taken the allegation seriously the first time, regardless of how old the people with the information were. Instead the branch manager evidently told the kids that what they initially reported was impossible. This shows a serious lack of security awareness training for Bank of Montreal employees.

What about the bank itself? Why did the Bank of Montreal leave a default six-digit password on an ATM machine? It is unlikely that only one machine out of several hundred ATMs was configured with the default password. I hope BMO gets around to changing all those defaults before someone is able to make off with the cash.

The worst part about this story I think is that all of this has happened before. A lot of people have heard about the presentation at the Blackhat conference in 2010 by the late great Barnaby Jack where he made an ATM spit out money on stage. That was sort of sensational and required access to the back of the machine. But what about the arrest of two people in Lincoln, Nebraska in 2008 when they used default passcodes to steal money from an ATM? Or the thefts in Derry, PA in 2007 from Triton 9100 model ATM after the default passcodes were found online? Or again in Virginia Beach, VA in 2006, this time using default passcodes in the Tranax 1500 also found online in the operators manuals.

So in this one story we have default passcodes that aren’t changed, people who do not take security alerts seriously, people not learning from history and the possibility of innocent kids running afoul of the law. Of course all of this has happened before and unfortunately all of this will happen again.