
(Edmonton Journal)   Bank's "hiding in plain sight" plan foiled when kids break into an ATM using the default admin password   (edmontonjournal.com)

5266 clicks; posted to Geek on 09 Jun 2014 at 2:06 PM

41 Comments
 
2014-06-09 10:42:51 AM
They took this information to a nearby BMO branch

I guess they don't read the news...
Most people who come forward end up getting prosecuted.

Of course, their first mistake was farking with banking hardware.
 
2014-06-09 10:49:45 AM

Honest Bender: They took this information to a nearby BMO branch

I guess they don't read the news...
Most people who come forward end up getting prosecuted.

Of course, their first mistake was farking with banking hardware.


They didn't profit from it. In fact, they showed their intent not to profit from it by telling customers that the ATM had been hacked.
 
2014-06-09 10:55:57 AM

ArkAngel: They didn't profit from it. In fact, they showed their intent not to profit from it by telling customers that the ATM had been hacked.


I've read article after article about people who did similar things.
"Oh, you breached our security? And now you want to be nice about it and let us know? PRESS CHARGES!"

No good deed goes unpunished and all that.
 
2014-06-09 12:19:10 PM
FTA:

"The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.
According to the Sun, the note started with: "Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security."


That was a classy and sensible way to respond, BMO.  Nicely done.
 
jbc [TotalFark]
2014-06-09 12:22:25 PM
Those metric passwords are easier to crack.
 
2014-06-09 12:23:01 PM

Honest Bender: ArkAngel: They didn't profit from it. In fact, they showed their intent not to profit from it by telling customers that the ATM had been hacked.

I've read article after article about people who did similar things.
"Oh, you breached our security? And now you want to be nice about it and let us know? PRESS CHARGES!"

No good deed goes unpunished and all that.


You're forgetting, this was in Canada.
 
2014-06-09 12:48:09 PM

Honest Bender: ArkAngel: They didn't profit from it. In fact, they showed their intent not to profit from it by telling customers that the ATM had been hacked.

I've read article after article about people who did similar things.
"Oh, you breached our security? And now you want to be nice about it and let us know? PRESS CHARGES!"

No good deed goes unpunished and all that.


This took place in Canada, so they got a polite note to their school from the bank apologizing for their missing class, and a box of Tim Hortons.
 
2014-06-09 12:52:19 PM
Those kids are true hackers. They found an easy breach in security and brought it to the attention of the bank. They should give them jobs.
 
2014-06-09 01:26:09 PM
[i236.photobucket.com image]

The bank's Security Director, Mr Skroob refused our request for an interview.
 
2014-06-09 02:12:15 PM
In the US these kids would have been dealt with harshly.  Common sense is in short supply in 21st century merica
 
2014-06-09 02:14:58 PM
Subby could have had an epic thread if the headline included "ATM machine"
 
2014-06-09 02:20:13 PM

EdNortonsTwin: In the US these kids would have been dealt with harshly.


And the CEO would get a bonus.
 
2014-06-09 02:27:23 PM
I'd be interested in how many customers went ahead and used the ATM even after seeing the "Go away. This ATM has been hacked" message.
 
2014-06-09 02:28:06 PM
They didn't hack it, nor break in.

They logged in.
 
2014-06-09 02:31:04 PM

jaylectricity: Those kids are true hackers. They found an easy breach in security and brought it to the attention of the bank. They should give them jobs.


Honestly, in my experience, "go around putting default passwords into everything and let managers know when their IT guys are dumbshiats that should be fired" probably should be an official job, every company should have at least one guy doing it.
 
2014-06-09 02:39:47 PM

Jim_Callahan: Honestly, in my experience, "go around putting default passwords into everything and let managers know when their IT guys are dumbshiats that should be fired" probably should be an official job, every company should have at least one guy doing it.


I blame the vendors.

If you're designing system security for a machine whose sole reason to exist is to hand out cash, there should be no such thing as a default password.

When you unpack it and plug it in for the 1st time, the only prompt should be "Enter new password >"
 
2014-06-09 02:51:54 PM

jst3p: Subby could have had an epic thread if the headline included "ATM machine"


It would've been better if he wrote ATM correctly but then swapped out password for "PIN number"
 
2014-06-09 02:52:33 PM

Eddie Adams from Torrance: Jim_Callahan: Honestly, in my experience, "go around putting default passwords into everything and let managers know when their IT guys are dumbshiats that should be fired" probably should be an official job, every company should have at least one guy doing it.

I blame the vendors.

If you're designing system security for a machine whose sole reason to exist is to hand out cash, there should be no such thing as a default password.

When you unpack it and plug it in for the 1st time, the only prompt should be "Enter new password >"


And the vendor validates the installation by ... praying to the genie in the pcb? Adding an easy way to roll the ATM back to the default, please enter your password state, after the ATM has been programmed?
 
2014-06-09 02:57:11 PM
[heartsandlaserbeams.com image]

/ Hunch Hunch!
/ What What!
/ Buh Bo!
 
2014-06-09 03:04:41 PM

ko_kyi: They didn't hack it, nor break in.

They logged in.


And what do they call unauthorized access? It matters not that they had a password.
 
2014-06-09 03:06:33 PM

ko_kyi: They didn't hack it, nor break in.

They logged in.


They weren't supposed to be in there. They were. It is hacking.
 
2014-06-09 03:08:29 PM

SumJackass07: And the vendor validates the installation by ... praying to the genie in the pcb? Adding an easy way to roll the ATM back to the default, please enter your password state, after the ATM has been programmed?


Easily solved. The only path back to the default 'enter password' state is to erase the entire configuration.
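
The design argued over in the comments above (no default password, an enrollment prompt on first power-up, and a full configuration wipe as the only way back to that prompt), as an added example that is not part of the original thread and not any ATM vendor's code. The `Terminal` class, its method names and the rejected-password list are hypothetical.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12
# Constructed sample of factory-style passwords to refuse at enrollment.
REJECTED = {"000000000000", "123456789012", "adminadminadmin"}


class Terminal:
    """Hypothetical device: no credential exists until the installer sets one."""

    def __init__(self):
        self.config = {}      # operator settings, wiped on reset
        self._salt = None
        self._hash = None     # None means "unprovisioned"

    @property
    def provisioned(self):
        return self._hash is not None

    def _derive(self, password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def enroll(self, password):
        """First-boot prompt: the only admin action possible before provisioning."""
        if self.provisioned:
            raise PermissionError("already provisioned; factory_reset() first")
        if len(password) < MIN_LENGTH or password.lower() in REJECTED:
            raise ValueError("password too short or a known default")
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)

    def login(self, password):
        """Nothing verifies on an unprovisioned unit, so there is nothing to guess."""
        if not self.provisioned:
            return False
        return hmac.compare_digest(self._hash, self._derive(password, self._salt))

    def configure(self, password, key, value):
        if not self.login(password):
            raise PermissionError("admin login required")
        self.config[key] = value

    def factory_reset(self):
        """The only path back to the enrollment prompt erases everything."""
        self.config.clear()
        self._salt = self._hash = None
```

Because `factory_reset()` discards the operator configuration together with the credential, rolling a unit back to the enrollment prompt leaves nothing behind for the next person at the keypad to administer.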
 
hej
2014-06-09 03:09:48 PM
Was it the same password they used for their luggage?
 
2014-06-09 03:49:29 PM
Why is there an administrator mode accessible from the standard ATM screen and keypad?  That sort of thing should be reserved for a serial or ethernet port kept under lock and key along with the money dispenser.  Sounds like dumb design all around.
 
2014-06-09 03:58:01 PM

jst3p: Subby could have had an epic thread if the headline included "ATM machine"


Indeed, Fark has been robbed of a flimsy excuse to bust out the zinger "well your mom/sister/wife is an ATM machine"
 
2014-06-09 04:03:41 PM
There's a default access code to most coke machines, but it doesn't get deep enough to make the machine dispense.

Did these kids get deeper than a diagnostic messages code?

I've come to wonder about how sanitized the magstripe reader input is. A few loops of wire on a card and an Android phone with the right app, then you're ready to start feeding a Windows machine data it's not expecting.
 
2014-06-09 04:15:19 PM

jst3p: EdNortonsTwin: In the US these kids would have been dealt with harshly.

And the CEO would get a bonus.


And someone would blame racism.
 
2014-06-09 04:15:50 PM

wildcardjack: There's a default access code to most coke machines, but it doesn't get deep enough to make the machine dispense.

Did these kids get deeper than a diagnostic messages code?

I've come to wonder about how sanitized the magstripe reader input is. A few loops of wire on a card and an Android phone with the right app, then you're ready to start feeding a Windows machine data it's not expecting.


I just went and searched and there are a surprising number of ATM owner manuals online. And after reading one, it seems like the same information that these kids used was available. And yes the diagnostic codes are in the manual and it seems that from at least the one I read, you can get the machine to dispense money from the machine to test the dispensing system. Off to give it the good old college try. Just kidding.
 
2014-06-09 04:48:27 PM
There are banks of these things now!??

[img.fark.net image]

Ok, cool.
 
2014-06-09 05:57:09 PM

Honest Bender: ArkAngel: They didn't profit from it. In fact, they showed their intent not to profit from it by telling customers that the ATM had been hacked.

I've read article after article about people who did similar things.
"Oh, you breached our security? And now you want to be nice about it and let us know? PRESS CHARGES!"

No good deed goes unpunished and all that.


This was in Canada where people still have little things like ethics and decency.

/and after all it only equals 1/2 a hack in the US
 
2014-06-09 06:38:23 PM

Kimyo: This was in Canada where people still have little things like ethics and decency.


Having worked for Canada's largest bank for two years I can assure you that they give their American counterparts a run for their money on the lack of ethics and common decency.

/also smugness
 
2014-06-09 07:00:30 PM
FYI folks, once logged in, you cannot get an ATM to do anything more than test dispense - which sends bills to an internal reject bin.

There is no way to get money out of an ATM by logging in to the software.
 
2014-06-09 07:13:28 PM
[tctechcrunch2011.files.wordpress.com image]

Ha. Amateurs...
 
2014-06-09 07:50:55 PM

Beebolini: There is no way to get money out of an ATM by logging in to the software.


Ah no.  Depends on the vendor.  And the bank.

/ATM projects were the most boring projects I ever worked on
 
2014-06-09 08:01:27 PM

General50: [tctechcrunch2011.files.wordpress.com image 600x492]

Ha. Amateurs...


Came for this, leaving with a T-1000 size grin.
 
2014-06-09 08:52:41 PM

gingerjet: Kimyo: This was in Canada where people still have little things like ethics and decency.

Having worked for Canada's largest bank for two years I can assure you that they give their American counterparts a run for their money on the lack of ethics and common decency.

/also smugness


Perhaps RBC has few that can come close to our cartoonish level of villainy, but I'll bet you they're still polite aboot it.
 
2014-06-09 08:54:33 PM

gingerjet: Beebolini: There is no way to get money out of an ATM by logging in to the software.

Ah no.  Depends on the vendor.  And the bank.

/ATM projects were the most boring projects I ever worked on


Personally I loved seeing some of the anti-theft ideas and tech for ATMs that came out of Mexico.
 
2014-06-09 11:01:48 PM
Thank god they didn't sink a bunch of oil tankers around the world.
 
2014-06-10 02:54:49 AM
Too many secrets.
 
2014-06-10 04:32:18 AM
I don't trust banks so I keep my money on the porch in a big bag that has a dollar sign on it.
 
2014-06-10 05:00:05 AM
And those kids would have gotten away with it, if it weren't for those meddling bankers!
 