The night we stole $6,614.47


By Brad Whitehouse
Associate News Editor

I kicked off the holidays by stealing $6,614.47 from Ryerson University. And it only took me five minutes.

Shortly before 10 p.m. on Nov. 29, the Eyeopener broke into the Tim Horton’s cash register in Kerr Hall to prove how easily a student could swipe thousands of dollars from right under Ryerson’s nose.

It all started late one night as I was walking back from the library. The hallway lights were already out, but the cash register’s screen glowed blue.

I wondered how easy it would be to break in. I tapped the register’s touch screen and the BlackBoard operating system came to life. It asked for a login number, so I punched in the most basic combination possible: 1, 2, 3, 4. It accepted.

Next, it asked me for a password. After a couple failed attempts, I punched in 9, 8, 7, 6.

Bingo! I was logged into the Ryerson Computing and Communications Services (CCS) account.

Weeks later, three Eyeopener editors and a photographer set out to see just how much access one student could get to the cash register system.

Faces masked, we snuck up to the Kerr Hall South Tim Horton’s.

I punched in the same code as before and, in a matter of seconds, I was back in.

I clicked the multiply button and ordered 5003 small coffees. No one needs that much java, so I tapped the return button, entered my student number and refunded my OneCard for $6,614.47 that I never spent.

Cash registers can refund a maximum of $9,999.99, but with six grand in hand, it’s hard to be greedy. We slunk away, leaving a small note in the till: “Guess Who?”

The next morning, I called Imre Juurlink, Ryerson security supervisor, to turn myself in. She said the cash registers had never been broken into before. “We’ve had a few break-ins at the Tim Horton’s kiosks but it’s mostly been aimed at people going into the cupboards… There hasn’t been much stolen,” Juurlink said.

The break-in was brought to her attention when someone reported the notes planted in the tills. Tuesday evening, Darcy Flynn, manager of the OneCard office, was working overtime in CCS’s basement office to help boost the security features.

“We’re just really having a bad day,” he said.

Brian Lesser, director of CCS, admitted the password was too easy.

“In this case they never should have used that password whether it was a default that was left in or because it was easy to remember,” he said.

Lesser said Ryerson Food Services came to CCS Tuesday morning to ask why one of their sales centres had a negative balance. By about 9 a.m. my OneCard had been frozen, and the account used to transfer the money was disabled.

CCS is changing the machines so that cashiers will need a keyboard and a more complex username and password to log in.

“It’s a weakness that there’s these machines sitting out there and all you need is a four-digit number to get into,” Lesser said. “We’re basically scrambling to make sure that, in the morning, you couldn’t repeat the performance.”

Photo: Marta Iwanek

Comments

  1. Wow, you’re so 31337. Fine and dandy, but what exactly was the point of the prank? How does this piece manage to not provide any insight or motive for said bout of self-styled “investigation”? Further, how is it that the piece then fails to put these incendiary revelations (LOL) in the broader context of our reliance on such systems, or the nature of security and trust in today’s world, or the ongoing failure of large organizations to engage in rudimentary readiness? Could this story not have provided a handy platform for any number of broader commentaries?

    I was under the impression Ryerson had a journalism program …

  2. “Fine and dandy, but what exactly was the point of the prank?”

    It’s really not that hard to figure out, the point is to prove that the security systems are woefully lacking and any random person can steal thousands of dollars. That’s a problem which needs to be publicized.

  3. It’s a problem only if it is actually a problem. Meaning, has anyone actually stolen from these registers? They may be easy to steal from, but it seems that the writer did this because it is unprecedented. Therefore what he’s proven is that some people decided to trust that students wouldn’t become thieves, and up until this “investigative report” they were correct. Just because it’s easy to do doesn’t mean people will do it.

    What ended up happening to the guy after he turned himself in? Was he charged with theft? He should have been.

    All he proved was that mechanically it was possible. He didn’t prove that there was any actual threat of theft.

  4. But Caroline, you don’t know if there’s a threat of theft until someone actually does it. Much better to be preventative.

    This is classic Eyeopener, living up to the good side of your reputation. Great, great work guys.

  5. Am very pleased with this report. As an ITM student, I wonder sometimes why aren’t school projects given to students. This way, Ryerson gets to see first hand the academic leverage students possess, plus allows students to gain some first hand experience.
    I know some programs are already taking part of similar programs, but a situation like this, where wear and breakable systems exist, and Ryerson has a plethora of ITM students + comp sci students. I’m pretty sure a small team of us is capable of fixing small issues like this throughout the school.

    Also… the comment that states that “Meaning, has anyone actually stolen from these registers?”.
    If it hasn’t happened in the past, doesn’t mean it might not happen in the future. For example, if I knew about this stunt, and I was a student on the verge of getting expelled/ kicked out/ temporary leave. 1000$ sounds like quite the bonus for me. Know what I mean?

    Anyhow, great investigation. Makes me appreciate the Eyeopener even more.

  6. Interesting story. I’m also an ITM student and I have some experience with regard to developing POS systems. I was very surprised by this story. This is a tremendous security (but not technical) breach. In general, you should not be able to receive the refunded amount in a different form of payment. For example, you can’t pay by your credit card and then return the item and get your money back in cash. The government has put these laws in place to protect money flow and prevent money laundering.
    What I believe is that Tim Horton’s POS system treats Ryerson’s OneCard as a gift card. Gift cards are exceptions and you can pay cash and purchase credit.
    So here is what happened.
    1. You bought fifty something small coffees.
    2. You paid in cash. (You never did.)
    3. You received a six thousand dollars cash refund.
    4. You purchased six thousand dollars credit on your OneCard.
    It’s great that you notified the security.

    p.s. Tim Horton’s staff are to blame for choosing easy and predictable passwords.

  10. It’s good to see that a couple years after graduating that Ryerson student newspaper is running the same “excellent reporting.”

    I guess it’s better than the propaganda for Toby Whitfield or the vote for the next RSU puppet story.
