A couple of 14-year-old computer whizzes have the Bank of Montreal upgrading their security measures after they hacked an ATM machine.
Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operators manual online that showed how to get into the machine’s operator mode. On Wednesday over their lunch hour, they went to the BMO’s ATM at the Safeway on Grant Avenue to see if they could get into the system.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said. “When it did, it asked for a password.”
Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password. The boys then immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify them.
When they told staff about a security problem with an ATM, they assumed one of their PIN numbers had been stolen, Hewlett said.
“I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,'” Hewlett said.
“He said that wasn’t really possible and we don’t have any proof that we did it.
“I asked them: ‘Is it all right for us to get proof?’
“He said: ‘Yeah, sure, but you’ll never be able to get anything out of it.’
“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges.
“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.”
As further proof, Hewlett playfully changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
They returned to BMO with six printed documents. This time, staff took them seriously.
“They brought the branch manager out to talk to us,” he said. “He was quite concerned and said he would have to contact head security.”
Hewlett and Turon had a concern of their own — they were late for school. So Turon asked for a note on BMO letterhead explaining their tardiness. His request was granted by the bank’s financial services co-ordinator.
“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security,” the note began.
Not surprisingly, the note raised eyebrows when it was presented at the school.
“The secretary read it over and asked: ‘What kind of security were you assisting them with?'” Hewlett said.
In an email statement Friday, Ralph Marranca, BMO’s director of media relations, said they were aware of the incident and have taken steps that block unauthorized access.
“Customer information and accounts and the contents of the ATM were never at risk and are secure,” he said.
Matthew’s father, Brad Hewlett, said he and his wife are proud of their son’s remarkable skills, but sometimes they have to act as his moral compass. Matthew has endured serious health issues since an early age and had a double-liver transplant three years ago, but it hasn’t slowed him down, Brad said.
“He’s self-taught and into more than just computers — it’s physics and chemistry, everything,” he said.
“He presented at the University of Manitoba last year for a program that he wrote that sort of goes down the path for artificial intelligence. The first two people judging didn’t have a clue what he was talking about. The third was a software engineer and the question she kept asking was: ‘Did you get any help with this?’
“And he sure didn’t get it from me.”