Two 14-year-old Canadians hacked a Bank of Montreal ATM after finding an operator's manual online. The manual showed how to gain administrative control of the device, according to a media report published over the weekend.

When Matthew Hewlett and Caleb Turon tested the instructions against an ATM at a nearby supermarket, the ninth graders didn't expect them to work, The Winnipeg Sun reported Sunday. To their surprise, the machine quickly prompted them for a password. Even more surprising, their first guess—a six-character password that's common among default settings—let them in. The boys then reported their lunch-hour caper to bank employees, who at first thought the duo had merely acquired the PINs of an ATM customer.

"I said: 'No, no, no. We hacked your ATM. We got into the operator mode,'" Hewlett was quoted as saying. Then, the bank employees asked for proof.

"So we both went back to the ATM and I got into the operator mode again," Hewlett said. "Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent."

Graciously, the bank officials typed a letter on bank letterhead asking the boys' school to excuse their tardiness. The note was remarkable. Under US laws, and most likely under Canadian law as well, the unauthorized access of an ATM is a violation of a variety of statutes, regardless of the intentions or ages of those who do it.

Whitehat hackers who discover vulnerabilities are advised to never break in to a computer or network they don't legally own unless getting permission in writing first. In the most extreme cases, a single conviction under the Computer Fraud and Abuse Act and statutes protecting banks and ATMs can result in a prison sentence of 20 years and stiff fines. Other would-be hackers should consider this outcome a fluke rather than the norm.