“Hack” is the wrong word here, as it implies they did something highly technical and unusual. What they did was to use the formal documentation for the ATM and demonstrate that the installer had failed to change the default administrator password:
Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operators manual online that showed how to get into the machine’s operator mode. On Wednesday over their lunch hour, they went to the BMO’s ATM at the Safeway on Grant Avenue to see if they could get into the system.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said. “When it did, it asked for a password.”
Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password. The boys then immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify them.
When they told staff about a security problem with an ATM, they assumed one of their PIN numbers had been stolen, Hewlett said.
“I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,'” Hewlett said.
“He said that wasn’t really possible and we don’t have any proof that we did it.
“I asked them: ‘Is it all right for us to get proof?’
“He said: ‘Yeah, sure, but you’ll never be able to get anything out of it.’
“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges.
“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.”
As further proof, Hewlett playfully changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
They returned to BMO with six printed documents. This time, staff took them seriously.
A lot of hardware is shipped with certain default security arrangements (known admin accounts with pre-set passwords, for example), and it’s part of the normal installation/configuration process to change them. A lazy installer may skip this, leaving the system open to inquisitive teens or more technically adept criminals. These two students were probably lucky not to be scapegoated by the bank’s security officers.