
customer information was not compromised
but we didn't do an awful lot to prevent it happening. It's ok you can trust us. Really.
Two Canadian kids have made a mockery of bank security by hacking into an automatic teller machine during a break between classes. The 14-year-old duo Caleb Turon and Matthew Hewlett broke into a Bank of Montreal ATM during school lunch by following an online manual for accessing the machine's administrator functions. The …
"....AC posts 7 word USA bitchslap. Gets 21 upvotes...." Haters got to hate. Unfortunately, since the Reg started posting more social interest and less technical articles, more and more of the haters have started visiting the forums, and to them that constituted an eloquent and insightful comment.
>"....AC posts 7 word USA bitchslap. Gets 21 upvotes...." Haters got to hate.
Right, it's just "hating" to make fun of America for our completely out-of-proportion punishment for most crimes, where pirating an MP3 might get you more jail time than murdering a person. I guess anybody who complains about this is just in a bad mood?
"....where pirating an MP3 might get you more jail time than murdering a person...." LOL, obviously one of the skiddie pirates. If you really want to pretend the US has the worst legal system or sentences in the World then you either have a lot to learn or are just retarded.
I've got to say: Top marks to the bank for asking the kids how they did it and not setting the law on them.
As for 'haters got to hate', are you 12 years old? I disagree with a lot of things and find many things to be quite barmy but that doesn't mean I hate them. The American legal system is one of those barmy things, if you can't see that I suggest you get out in the world a bit more.
@Matt Bryant I don't mind social comments, even if they are daft. It is putting them in the wrong forum that is annoying. AC thinks: "I don't have anything to say on the ATM story, but I sure fancy raging about <whatever>, so I will just do it here". Finds an almost-empty forum and curls one off. ACers please don't go to the toilet in The Register, use YouTube forums like everybody else.
I re-read the article looking for where it specified the OS of the ATM and I couldn't find it. Maybe it is outed in some other article. However embedded XP is run on the vast majority of ATMs currently, and is being supported until Dec 2015 iirc. That being said, is your little whine just due to being a sheep and baa-ing every time you comment about any security compromise or did you actually know something not stated?
This instructional intrusion was solely capable because of poor security habits/philosophy not the OS. I don't care what door you have, if you leave it propped open it isn't going to deter a thief.
Was this done via the customer-facing keypad?!
When I maintained ATMs (as a bank-drone, not techy) the PC in the back had a separate inward-facing display inside the same safe where the cash was with fold out keyboard etc
so WHY would an engineer ever need to do it from the unsecure pad on the front?
To save costs.
In those "small" ATMs, it is difficult to put a keyboard... BAD IDEA to allow the use of the "client" keyboard.
As we all know, the admin part should be both secure and without access... that way if one of the security levels fails, it is still secure.
Using the default administrator's password from a downloaded manual is not hacking, it's exploiting poor security practices. Whilst the bank should still be fined to the eyeballs for such poor practices, the only 'skill' these two demonstrated was using a browser. Kudos to them for having the moral gumption to tell the bank, and kudos to the bank manager for not immediately just closing up shop and playing at denial, but please do not call them 'hackers'.
We seem to have different definitions of 'hack'. For me, a 'hack' is a tool coded as one part of an attack, just as social engineering is another technique or tool. You seem to refer to hack as the overall task, as in all the work done with whatever tools to get to the desired objective, which others might refer to as the 'job', 'trick' or 'operation'. For me the 'hack' also needs to entail some original coding rather than just downloading pre-coded toolz from the Web. It is probably because I would accord more respect to those that can code their own tool. Toe-mae-to, toe-mar-to.
"....stop moving the goalposts....." Seriously? I thought I was rather generously ignoring your lack of insight into the technical side of hacking. I suppose for someone of your limited capabilities the idea of downloading a manual and trying the default password is a great technical achievement. Forgive me for not realising you considered the use of a browser 'leet skillz'.
" I thought I was rather generously ignoring your lack of insight into the technical side of hacking"
HAHAHAHAHAHAHAAAAA!!!
Your 'insight into the technical side of hacking', judging from your previous comments, comes probably from a few Hollywood flicks and TV shows. And pulling straight from your arse some 'definitions' nobody else agrees with doesn't help to raise your credibility either. As for your 'generosity' part... see icon.
'So how do you distinguish between a "hack" and a "crack"?'
Firstly, I was addressing the part of MB's comment where he claimed that "(what the kids did) is not hacking". Which is totally bollocks, in my opinion.
To me, computer 'cracking' is a subset of computer 'hacking' and both can be often carried out without coding a single line. Hell, sometimes both can be carried out without even touching a computer (through 'social engineering').
".... manual....." Careful, old Mephhead will be so incensed by your logic that he'll call you an idiot for using the word 'manual' - "It was a service engineer guide, dammit, not a manual!" It's probably not too good for his blood pressure to get him too excited.
' "Hack" is not the first word I would reach for to describe somebody reading a password from the manual and typing it in'
Jim, my comment was an answer to the first sentence in Master Bollocks'* previous comment, where he stated that "Using the default administrator's password from a downloaded manual is not hacking, it's exploiting poor security practices". Now, Merriam Webster's 11th Collegiate Dictionary seems to support my opinion by giving these definitions for the verb (emphasis mine) hack:
"4 a : to write computer programs for enjoyment b : to gain access to a computer illegally"
You may have noticed that these definitions -similar to most definitions of 'hacking' in other dictionaries- imply clearly that what the lads did is 'hacking', totally thrashing MB's arguments. He could also have stated that what the kids did "is not hacking, because they weren't chopping timber with an axe" and that statement would be as true as his original statement, that is, totally false. It's just logic and semantics. I know that MB nitpicking and using elementary fallacies to support his funny worldview is not exactly breaking news, but it saddens me to see how MB sometimes gets away with using such tactics in Elreg forums, where, supposedly, commenters are more skilled and intelligent than those on, say, the Daily Mail forums.
Note*: Yes, that's an 'ad hominem'. Now count the ad hominems in this thread and you'll notice that -at the time of writing this comment, at least-, most of them were made by our friend MB. I'm just trying to balance the scales a little. :-)
"....Merriam Webster's 11th Collegiate Dictionary...." LOL, such a well-known technical tome! Why am I so surprised little Mephhead doesn't have any technical books to use as a resource? Oh, I'm not actually surprised. And, of course, he's far too young (and ill-read) to know that hacking in the computing industry has ALWAYS referred to coding, even when applied to security, going right back to MIT in the '60s. Maybe when he graduates kindergarten he'll learn.
"....totally thrashing MB's arguments...." Wow, someone really needs to loosen up their panties! I'm beginning to think some of the sheeple have so little going on in their herd-life that they have dedicated their time to Proving Matt Bryant Wrong At Least Once - more than a little creepy! Such a shame for Mephhead that he still has a long way to go on that one, it's probably not healthy for him to be so obsessive.
"....it saddens me to see how MB sometimes gets away with using such tactics...." You mean you got your panties in a bunch because you hate it when your fellow sheeple can't disprove the facts and points I post. I really think someone should get Mephhead some professional help.
/need a 'stalker' icon, please!
" LOL, such a well-known technical tome!"
Oh, so you can point us to another dictionary or 'technical tome' that agrees with your funny exclusive definition of 'hacking', can't you? We're waiting, Matt.
...hacking in the computing industry has ALWAYS referred to coding...
ROFLMAO. More falsehoods straight from your backside, Matt, haven't you emptied yourself already?
"...panties!... sheeple ... herd life ..."
Exactly how does this paragraph disprove my point? Please, Matt, use your superior intellect and explain to us. Take your time.
On a side note, that obsession of yours with sheep and herds and such doesn't seem too healthy. Perhaps you should be getting professional help, unless you yourself are a sheep, of course. ;-)
"Proving Matt Bryant Wrong At Least Once"
LOL. Just LOL. You have been proved wrong in these forums so often that 'Proving Matt Bryant Wrong At Least Once' sounds as difficult as 'farting just once' or 'beating the crap out of a tetraplegic midget just once'. But keep on, Matt, your comments' lack of logic is often compensated by their -unintended- comedic value.
"...panties in a bunch... sheeple ... "
Again? Yep, I have to agree with you that there is someone in these forums who has an unhealthy obsession with sheep and panties and probably needs professional help ASAP.
/need a 'stalker' icon, please!
Sorry, Matt, but most Elreg readers agree that we don't need avatar icons. ;-)
".....so you can point us to another dictionary or 'technical tome' that agrees with your funny exclusive definition of 'hacking',...." How about Richard Stallman? Oh, you have at least heard of Stallman, right? As Stallman once put it whilst recalling the original 'hacks' from the MIT AI Lab:
"....Around 1980, when the news media took notice of hackers, they fixated on one narrow aspect of real hacking: the security breaking which some hackers occasionally did. They ignored all the rest of hacking, and took the term to mean breaking security, no more and no less. The media have since spread that definition, disregarding our attempts to correct them. As a result, most people have a mistaken idea of what we hackers actually do and what we think. You can help correct the misunderstanding simply by making a distinction between security breaking and hacking—by using the term "cracking" for security breaking. The people who do it are "crackers". Some of them may also be hackers, just as some of them may be chess players or golfers; most of them are not....."
Now, technical merit of Richard Stallman vs Merriam's - not even close! Looks like you'll have to continue your Quest To Prove Matt Bryant Wrong Just Once for a while longer, that is unless your sheeple denial means you really want to argue Stallman's position as suitable to comment on 'hacking'. Please do, just for the comedy value.
I have made similar statements -in these same forums- except for a little twist, i.e. that this is -and has been for a long time- a lost battle, as mass media has already had its say on the matter and the meaning of the verb 'hack' is already fixed. The best we can do nowadays is to add some qualifiers to it to distinguish different kinds of hacking, e.g. Black Hat or White Hat. And there is no law against synonyms or quasi synonyms, like 'Black Hat Hacking' and 'Cracking'.
The situation was generally considered quite irreversible already circa 2000 AD, when RMS wrote this piece you quoted. It hasn't changed since then.
I'd also like to point out that in that same article you quoted, RMS talks about a 'hack' he did using exclusively six chopsticks, which seems to clash with your bullsh former statement that "...hacking in the computing industry has ALWAYS referred to coding...". Yes, one of those points in my comments you cunningly dodged, without anyone noticing it, seriously! Perhaps you should read your own references before posting them here, Matt. :-)
And, FYI, Matt, RMS is not a dictionary nor a technical tome and a few of his opinions are not shared by a big part -or even by the majority- of the technical community. So again, Matt, please point us to some 'technical tome' or technical dictionary where 'coding' is defined as necessary for hacking. Still waiting.
And regarding the Quest To Prove Matt Bryant Wrong Just Once*, hur hur, that happened years ago and happens quite often (without the 'Just Once' part, of course). Perhaps things will improve for you if you ever finish your Quest To Find Your Own Arse Without Using Both Hands, A Torchlight, A GPS And A Phone Support Hotline. Or they won't, who knows, and, frankly, who cares?
Note*: Dude, aren't you full of yourself!
"....RMS is not a dictionary nor a technical tome....." OMGeez you really DO want to argue over whether Stallman is qualified to define hacking/cracking?!? You are beyond splitting hairs, you have invented a whole new level of denial! If you weren't so comic it would be tragic.
".....that happened years ago...." Yeah, and you can show that? No, you can't. Just more desperate denial. Enjoy!
Since you don't like Merriam Webster, I suggest you look up "hack" in the OED; you will find (amongst all sorts of definitions to do with chopping or breaking up) the definition "an act of gaining unauthorized access to a computer system." Since the language used in this forum is English, it's a reasonable presumption that the OED is the most reliable dictionary. Just to preclude any stupidity about "that's the wrong sort of English", I point out that it covers all sorts of English - English English, Scottish English, Irish, American, Australian, and so forth - so even if you don't realise that you are responding on a UK website you should recognise that it's the most appropriate dictionary to use.
Of course you may wonder why I feel the need to make that last point; the cause is your recent posts in this forum.
"...For me, an 'hack' is a tool coded as one part of an attack..."
Perhaps this escapade falls more into the M.I.T. definition of a "hack":
http://hacks.mit.edu
"The word hack at MIT usually refers to a clever, benign, and 'ethical' prank or practical joke, which is both challenging for the perpetrators and amusing to the MIT community (and sometimes even the rest of the world!). Note that this has nothing to do with computer (or phone) hacking (which we call 'cracking')."
The bank wrote the pair a late lunch note excusing them as they were "assisting BMO with security".
That is, the hackers (in the proper use of the word) were not arrested and did not have the legal book thrown at them; instead the bank assisted them by providing an excuse note.
This is big news indeed, because it means that (some) banks' approach to security is changing for the better. Perhaps universities and others will follow (one can only hope).
Well, yes. But while anyone who can read can get the information, only criminals can use it because using it is the crime.
Kudos to the bank for issuing the kids with an excuse note, but I can't imagine how it went down with the school. "Please excuse X and Y for being late into school this afternoon. They were here with us at the Bank of Montreal, trying to explain why we shouldn't call the cops on them."
How long have we been working on security? I mean, I remember using BS 7799 when it was in draft form, and that is *quite* a while back, so it's not like there isn't enough process and awareness by now.
It also bears repeating that any test process should involve kids. By default. And not just because they're cool, also *precisely* because they find new ways of breaking things.
No ... actually, kids learn early that to reset the parental controls on the Blu-ray player they have to read the user manual .... to access hidden options in an ATM, follow the instructions you found online.
Adults don't usually care about manuals, they just try three times, then give up ...
This is a well-known hack, it was on the BBC a few years ago with the small ATMs in shops.
To make money you simply swap the £$€10 drawer to the £$€50 drawer, then withdraw as much as you can from your own account.
Walk to the bank and deposit it..
Rinse and Repeat
Works best if you have lots of accounts at different banks to use.
You must have one of those special cards which is not linked to your account, then, right ? Do you really think you can get away with that ???
ATM operator: We have 2000 quid missing, let's see, who withdrew large sums of money in small bills ... Shit, this guy has been withdrawing 500 quid in 10 quid notes, there, let's get him ...
What you wanna do is copy cards or hack the system to spit out money, neither of which you can do by entering the operator menu.
...to NOT punish these kids for breaking and entering. Now you know why hackers hack - because they rarely get punished properly. These kids were intent on hacking. They were not intent on helping the bank improve security. That ruse came as a secondary response to being caught hacking.
What could the bank have done?
The kids didn't interfere with the standard hardware or software to gain access. They didn't steal passwords in any underhand manner. All they did was follow instructions from a publicly available manual, quite possibly from the ATM manufacturer's website (e.g. Triton ATM have them on their site for their machines).
Really all they could say is 'mea culpa' as they didn't take precautions to change the password from the default.
"What could the bank have done?....all they could say is 'mea culpa' as they didn't take precautions to change the password....." Again, that depends on the setup. We have a standard legal phrase that pops up when you get the login screen to ALL our systems, it says something along the lines that only authorised people are allowed to log into our systems, that continuing means you accept you have been warned, and that unauthorised access will be prosecuted. "Unauthorised" means without permission, even if you have somehow gained access to login details. If the bank's ATM had a similar warning then the boys would have been knowingly making an unauthorised access to the system and could be prosecuted. Their only counter would have been that the bank manager gave them permission, though the bank's CIO (who is probably a bit red-faced) and their legal department might not view it that way.