Thursday, 12 June 2014

Bank of Montreal ATM hacked with weak password

A story in the Winnipeg Sun describes how two local teenagers put a Bank of Montreal ATM into operator mode using an easily-guessed password.
Several things stand out about this story, and none of them have to do with hacking prowess. Ninth-graders Matthew Hewlett and Caleb Turon found an operator manual online for the model of ATM installed at a local supermarket. During their lunch period they went to the ATM and tried to put it into operator mode, not expecting it to work. It did.
Even worse: "Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password." "123456"? It's unclear, and for obvious reasons the story doesn't go further.
So there was no hacking involved; all the boys did was read a manual. What's remarkable and impressive about them is that they immediately did the right thing: they went to the nearest Bank of Montreal branch and reported it. After being blown off by the staff, they went back and obtained proof by changing the ATM surcharge amount to one cent and the greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."
They then printed out several documents from the machine and brought them back to the bank. This time the bank took them seriously. The story does not say whether operator mode would also have let them dispense cash.
Sadly, choosing a common passcode, even for an ATM, is not remarkable. Default and weak passwords are still a very common means of attack. I would argue that allowing an ATM to have only a six-digit passcode for operator mode is also unacceptable. Modern ATM software allows for, and by policy should require, two-factor authentication. There's no excuse for authentication this weak other than laziness.

Tuesday, 10 June 2014

Banking sector moves to shore up cyber defences

The UK banking industry is to be backed by a new cybersecurity testing framework intended to help its institutions withstand current and future threats.
The framework, dubbed CBEST, was introduced by the British Bankers' Association (BBA), which said it had been built with support from the security industry.
According to the BBA, the framework can be used to test a bank's ability to withstand a range of attacks. Earlier this year, the Bank of England expressed concerns about UK institutions and their ability to cope with cybercrime.
Andrew Gracie, executive director for resolution at the Bank of England, said: "The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment.
"The results should provide a direct readout on a firm's capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability."
This is hugely encouraging progress, and something that organisations in other sectors should be emulating, according to Ross Brewer, vice president and managing director for international markets at LogRhythm.
"Unfortunately we've reached a point where it is a case of when, not if, an organisation suffers a breach, and spending time and money trying to prevent it from happening is verging on useless. While cyber attackers are merrily making their way into our networks, we're far too focussed on updating anti-virus and tweaking firewalls to notice," he said.
"It's now time to accept this as fact and focus on detecting and responding to the threats when they occur. The financial sector is certainly upping the ante in the fight against cybercrime and once the right tools are in place, all businesses will hopefully start following its lead."
According to the security firm McAfee, cybercrime costs industry as much as £266bn a year, and the threats posed to businesses in all sectors continue to rise, as witnessed by a spate of recent hacks on well-known businesses.