According to the two boys, they accidentally came across an ATM operator’s manual while they were surfing the Internet. After studying the manual, the two tried using what they learned from it on one of the local ATMs during their school’s lunch break.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said.
The two were instantly surprised after the machine accepted a default password they got from the manual. But instead of withdrawing cash, Hewlett and Turon went to the bank‘s branch on Grant Avenue. They then notified the tellers about the security problem they had just discovered.
At first, the bank’s employees did not believe their story. But when they returned to the same ATM, the staff members were surprised at what they saw, according to Forbes.
“We went back to the ATM and I got into the operator mode again,” Hewlett said. “Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges.”
“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent,” he added.
To warn other ATM users about the vulnerability of the machine, the boys changed the opening message displayed on its screen to “Go away. This ATM has been hacked.”
The bank’s staff thanked the two boys for informing them about the security issue and for being upstanding citizens.
The incident was immediately reported to Ralph Marranca, the director of media relations for BMO.
“Customer information and accounts and the contents of the ATM were never at risk and are secure,” Marranca said in a statement.
Because of the incident, Hewlett and Turon returned late for their class. However, the two didn’t get in trouble with their teachers because the bank gave them an excuse letter.
“Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security,” the note read.