

How I 'stole' $14 million from a bank: A security tester's tale - donretag
http://money.cnn.com/2013/05/15/technology/security/bank-heist/index.html

======
Zenst
On a not so unrelated experience from many years back: pick a large bank, find
the training room, pick your flavour of thumb/floppy image Unix/Linux, boot
off that and run tcpdump, then realise how scary it is that some training rooms
are not as isolated from the real network/systems as they should be, since training for many
is done on live systems with training accounts/logins :(.

Another common issue is to find a fire exit with discarded cigarette butts; the
odds are somebody has taped over the door sensor or disabled it and you can
just break into the building that way without an alarm going off. Done the
going in at the weekend to do a cleaning job which was a covert security audit and
found we could have just gone up the external staircase and in via a fire exit
thanks to smokers and their addictions.

It was also common on trading floors to find unapproved modems so the blessed
keenness could catch up from home or at weekends; nowadays how many end up
trojaning their own PCs so they can remotely work without official sanction
from IT and the security department.

Biggest fault in most systems will be the staff, one way or another, intended
or not.

Like I said, the more you look into it the more you store under your mattress :).

------
adastra
_'Rather than steal money from depositors' accounts, Bhalla just invented a
new account for himself. "We went into the database where the accounts are and
set up an account with $14 million," Bhalla explained. "We just created $14
million out of thin air."_

I remember the first time I discovered this is how banks operate when I was a
kid. It's really pretty mind-blowing when you think about it. And knowing how
full of bugs most software is it really made me question the entire banking
system. (My mind has still yet to be put at ease on that...)

~~~
maratd
Oh, absolutely. People think of money in very concrete terms. Like physical
currency.

But that hasn't been the case for a long time. Today, money is just a few bits
in a database here and there. And of course, making yourself a millionaire (or
billionaire) is as easy as inserting a row into a database.

Here is the important part: While the article insinuates this creation of
money out of thin air as a victim-less crime, it is not!

Even worse, the bank does _not_ lose a penny from this type of criminal
activity. The ones who pay for it? We all do. By creating money out of thin
air, you are increasing the money supply, which pushes up inflation due to
higher demand for goods, which in turn reduces the value of the currency.

In other words, when you create money out of thin air like this, you are
taking a tiny bit from everybody who uses the currency! Theft on an absolutely
universal and massive scale!

~~~
DanHulton
To kind of play devil's advocate here, then does this mean that every time the
government prints money, they're stealing on "an absolutely universal and
massive scale"?

I'm not trying to discredit you, it's just kind of an interesting thought.

~~~
lmkg
Essentially, yes. The government printing more currency is roughly equivalent
to levying a tax on all holders of that currency, in proportion to the amount
held.

~~~
tomsaffell
...which is interesting when you consider the uproar in Cyprus over the taxing
of savings accounts. "Taxing savings" sounds so much worse than "printing
money", but in fact it was better in some ways, because the tax could be
applied progressively[1], so that wealthier individuals were taxed
proportionately higher. It's probably worse in other ways, for example it
probably does more to erode confidence in the banking system overall, which is
perilous.

[1] I realize this won't seem 'better' to everyone, but at least taxing savings has the option of selective application. Printing money hits everyone the same.

------
Shenglong
I feel like there should be secondary checks for things like this. When I was
running an MMORPG, I was terrified of duplication bugs ( _dupes_ ). In many
ways, _dupes_ have the same effect on a game economy as this type of theft has
on the real economy: it can go unnoticed for a long time, and the victims are
primarily the masses (money supply) until someone finds out.

Since we didn't have any network security professionals on our team, I was
especially worried. What we realized though, was that we kept a detailed log
of all item/money creations/deletions, where trades were just a
creation/deletion pair. Thus, we wrote a script to learn what the most
expensive items (and thus most costly, if duplicated) were at any given time,
and match creations to deletions with a frequency increasing with item value.
Whenever there was a discrepancy, we were alerted.

I suppose banks could do something similar. If they separate the money
transfer system from the account creation system, they could add an additional
layer of security. I haven't really thought out the details, but it makes
sense at first glance. Perhaps they already do something like this?
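The creation/deletion reconciliation the comment describes, written up as an added example (not the poster's script, and not code from the article): every creation must be justified by a matching deletion within a short window, leftovers are ranked by a constructed price table so the most valuable discrepancies surface first, and a per-item net-supply check catches anything minted out of thin air. All event data and prices are constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Event:
    ts: int        # seconds (constructed values)
    kind: str      # "create" or "delete"
    item: str      # item type
    qty: int       # quantity created or deleted
    account: str   # owning account

# Constructed price table: ranks discrepancies by how costly a dupe would be.
PRICES = {"gold": 1, "dragon_sword": 250_000}

# Constructed sample log: two legitimate trades (delete on the seller, create
# on the buyer) plus one creation that no deletion anywhere justifies.
SAMPLE_LOG = [
    Event(100, "delete", "gold", 500, "alice"),
    Event(101, "create", "gold", 500, "bob"),
    Event(200, "delete", "dragon_sword", 1, "bob"),
    Event(203, "create", "dragon_sword", 1, "carol"),
    Event(300, "create", "gold", 14_000_000, "mallory"),  # the "dupe"
]

def unmatched_creations(events, window=5):
    """Pair each creation with a deletion of the same item/qty at most
    `window` seconds earlier; return unpaired creations, most valuable first."""
    deletions = defaultdict(list)
    for e in events:
        if e.kind == "delete":
            deletions[(e.item, e.qty)].append(e.ts)
    suspicious = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "create":
            continue
        pool = deletions[(e.item, e.qty)]
        match = next((ts for ts in pool if 0 <= e.ts - ts <= window), None)
        if match is None:
            suspicious.append(e)
        else:
            pool.remove(match)  # each deletion justifies at most one creation
    return sorted(suspicious, key=lambda ev: PRICES.get(ev.item, 0) * ev.qty,
                  reverse=True)

def net_supply(events):
    """Created minus deleted per item; a nonzero value means the supply changed
    outside a creation/deletion pair and the ledger no longer balances."""
    totals = defaultdict(int)
    for e in events:
        totals[e.item] += e.qty if e.kind == "create" else -e.qty
    return dict(totals)
```

The same two checks apply to an account ledger: a credit that no debit explains, and a total that grew without a sanctioned source, are exactly what the $14 million row would show up as.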

~~~
umsm
Adding another system to the mix is just another system that can be vulnerable
to an attack. Once someone is in and they understand how everything works,
there is no stopping them.

~~~
TikiTDO
I wouldn't say he's describing "adding another system to the mix," at least
not in a traditional sense; it's more along the lines of two distinct systems
working towards a similar goal.

What he described is an auditing system with some particular policies of
interest to a specific use case. Such a system should not have any direct
access to the main system, and should ideally live in a fully segregated
environment with tightly controlled read-only access to a copy of the data
being audited.

The whole idea is that this system would not announce its presence on the
network in any way so that the attacker is more likely to miss it. Even if the
attacker does know that it's present, he should not know all the checks and
validations that such a system uses to detect suspicious behaviour. Hell, you
could air-gap the entire thing and just copy over data dumps by using USB
sticks.

Granted, even in that situation you could get something like Stuxnet which may
compromise the machines. However, if you have the resources to build another
Stuxnet, chances are you don't really need to get into a bank network.

------
dlhavema
I talked to a guy a few years back that used to do this as his full time job,
but the constant lawsuits that ensued drove him to stop doing this kind of
pen-testing altogether. Most companies just hired them to check off a list and
when the security firm actually found something the client would try to sue
the pants off of them for "violating their systems" even though they had full
knowledge, signed forms, etc... too much hassle for them...

I personally would love to do this kind of work; legally breaking into a
system to see if it could happen would be very entertaining.

~~~
PwdRsch
I used to do this same thing and never heard about pen testing firms being
sued by their client. Most likely he was spinning a yarn.

It is more likely that a security consulting firm will be sued if they report
no issues and the bank is later compromised.

------
drucken
I really do not understand how cybercriminals sophisticated enough to conduct
these sort of heists would then go and deposit all the physical cash into the
nearest bank account in the same country?

Or perhaps we only hear of the _unsuccessful_ heists...

~~~
Zenst
Oh he was testing, and a separate compliance system should (legal remit in many
countries) highlight any transactions over a certain amount, £10k I believe in
the UK. So yes it would have stuck out like a sore thumb in audit checks.

If he was serious it would have been many different accounts/transactions and
then it gets into the arts of money laundering/avoiding the first line of
auditors/checks.

Yes, you do only hear about unsuccessful heists, though the times are changing
with regards to being more open.

In short he was testing the security of the bank and not the auditing and
laundering aspects, which is when you need somebody with some accounting
knowledge and banking knowledge.

~~~
drucken
I was referring to the actual heist at the bottom of the article.

------
danielrm26
It's fascinating to think about how the overall economy might be affected by
simply adding a row to a database. Did that money actually become real when
that row was created? If the money was withdrawn and spent, wouldn't it be
real then?

Makes you wonder about the regulation of money in general.

~~~
ef4
No, hacking one bank doesn't really impact the wider money supply. The Federal
Reserve serves as the bank's bank. It knows how much each bank has, and the
individual banks are limited as to how much new money they can create in
relation to their credit at the Fed.

But if you hacked the Fed itself, yes, you'd be creating new money.

~~~
rthomas6
True, BUT because banks operate on a fractional reserve system, it's quite
likely that banks have available credit for lending (or creating, in the event
of an error such as this) for such a small amount without exceeding their
fractional reserve. In other words, banks only have to hold 10% [1] of the
money in everyone's account. The rest is loaned or otherwise invested to
generate returns.

So in a sense the money created IS real. At least, as real as any other money
in a bank account.

[1]:
[http://en.wikipedia.org/wiki/Reserve_requirement#United_Stat...](http://en.wikipedia.org/wiki/Reserve_requirement#United_States)

~~~
ef4
True, in that sense you're essentially forcing the bank to make a loan they
didn't intend to make (which does indeed expand the broad money supply).

If the bank had sufficient excess reserves, other banks would honor the new
money. And today most banks do have big excess reserves (which is historically
unusual).

------
Zenst
Oh the perception people have on security is varied and TV and Hollywood makes
it look easy; we think banks are hard and professional and reality is a mix
of the two. Some good, some exceptional and some fall short of expectations.
There have been many clever and not so clever ways of stealing from banks and also
some amazing and clever ways banks have stolen from customers and non-customers
as proven in recent times. The sad part is if you steal from a bank, then you break the
law, and if a bank steals from you, it is usually government sanctioned as in the
case of Greece.

Though any tester who did pentesting on banks would have signed an NDA and if
not, somebody really messed up, and how are we reading about this within 10
years of it happening!

~~~
greedo
While sanctions for violating an NDA during an assessment aren't usually
defined explicitly in the contract, most security firms would never divulge
methods and results even in a sanitized account like this. Security firms rely
upon their reputation since they get a good look under the kimono.

That leads to either the bank approving of this article or Security Compass
having loose lips. I can't imagine a bank signing off on releasing this info,
as it paints bank security in a bad light.

I expect that somewhere, someone is contacting their internal IT staff to find
the SOW for this pentest, and then contacting their legal dept.

~~~
Zenst
Well said and you have to laugh about the security of security companies now,
but as you said it is reputation and trust is earned slowly and lost easily.

------
nikcub
> His client gave him access to the bank's internal network.

That's just making it too easy.

------
VMG
If only Security Compass was an anagram of Setec Astronomy...

