Banking Blog

Finance Blogs » Banking Blog » ATM security threat: 14-year-olds?

ATM security threat: 14-year-olds?

By Allison Ross ·
Tuesday, June 17, 2014
Posted: 6 am ET

The Bank of Montreal got a surprise security breach earlier this week in the form of two 14-year-old kids.

The Canadian ninth graders found an old ATM manual online and decided to use their lunch break at school to see if they could hack into an ATM, according to a story in the Winnipeg Sun.

Short answer: yes.

© sanjagrujic/

The teens apparently were able to get into operator mode and easily guess the password. They showed branch employees, even changing the greeting on the ATM to "Go away. This ATM has been hacked," according to the Sun.

The bank has said it is working on security upgrades in light of the hack.

Hacking ATMs

Banks and other ATM owners have to be on the constant lookout for those trying to hack their money machines.

For instance, in April, the Federal Financial Institutions Examination Council issued a notice warning about the "Unlimited Operations" scam where hackers get around caps set on ATMs.

The agency's statement said one such attack was able to net more than $40 million, using just 12 debit-card accounts.

Other security threats more concerning

But hacking attacks are often not the biggest concern facing ATM operators, says David Tente, executive director of the ATM Industry Association.

Indeed, a recent survey of ATMIA members showed that skimming attacks and "ram raids" -- where an ATM is ripped out of the wall so thieves can get to the cash -- were considered higher security threats than cybersecurity attacks.

Tente says hacking an ATM "is not an easy kind of fraud," which is why other forms of stealing money are more common. The ATMIA survey found that both burglaries of customers at ATMs and "gas and explosive attacks" were just about as worrisome as cyberattacks.

Tente says there's actually been an increase in gas and explosive attacks of ATMs in the past year. He also says that "cash trapping" -- where a fraudster uses a device to make cash get stuck inside the device in the ATM and then the fraudster later removes the device and the cash -- continues to be an issue.

"They get creative," he says of fraudsters and thieves. "The fraudsters are always trying to stay a step ahead. There's lots of ways they do things."

Updating systems

Still, Tente says operators need to make sure ATM security is kept up to date and that includes the struggle to update ATMs' operating systems from Windows XP.

Meanwhile, Tente says ATMs will soon have to upgrade to be able to handle EMV (Europay, MasterCard and Visa) cards, but he suspects the ATM industry has a little breathing room before it has to start tackling that in earnest.

For more

Stay with Bankrate for more on the EMV card migration, and ATM security.

Follow me on twitter: @allisonsross.

Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.
albert ortega
June 22, 2014 at 11:41 am


June 22, 2014 at 10:31 am

I'm really grad you posted this so everybody should learn how to do this that's scary'

William Walker
June 22, 2014 at 9:51 am

nit picking: Don, "irregardless" is a non-word!

June 22, 2014 at 9:08 am

Those kids did a good thing. They alerted the bank of the problem. We need more kids like that. We need an army to fight all the hackers in Russia and Eastern Europe. That's where all the criminal hackers are (the people who steal from 80 year old grandmas).

June 21, 2014 at 11:57 pm

Missing the point people: A couple of kids were able to hack into a "secure" ATM over lunch. Yet there's no mention of why the bank hadn't taken security steps in light of (many) recent financial security issues.

These kids were doing a white hat exercise, notified the bank of the issue, didn't abuse the situation, etc. If anything, give them a cash bonus and hire them in the security department.

June 21, 2014 at 10:00 pm

Who would be stupid enough to put an old ATM manual on line in the first place?

June 21, 2014 at 8:02 pm

Maybe if hacking a financial institution carried MANDATORY jail sentence of 10 yrs with no parole irregardless of age, people might think twice

June 21, 2014 at 4:26 pm

Indian creek does not neither does Hogwarts (my friend told me that Indian creek has not 1)so HA HA

June 19, 2014 at 8:11 pm

@homer They may be able to leave school for lunch, we were allowed to leave for lunch provided we had an acceptable grade average and no current detentions.

June 17, 2014 at 11:04 pm

And what school has an ATM in the first place, if its the fees the school wants, should of just stuck with the 7 vending machines all the schools have