
BofA Programmer Heads to Prison After Coding ATMs to Spit Out Free Cash - privacyguru
http://www.securityweek.com/programmer-heads-prison-after-planting-cash-spitting-malware-atms
======
encoderer
On a related note: The Bank Of America ATMs are really, really great. Their
ATMs and their online bill pay service are some great banking tech. They're
the only reason I'm a BoA customer for my checking and cashflow accounts.

With their BillPay service, I can have BoA download e-bills from, say, credit
card companies or utilities, and pay the amount of the bill on its due date. I
never have to worry about it. I can set rules like "Pay my electric bill its
full amount on its due date unless it's over $200" so I'm protected from crazy
billing errors draining my account.

This guy was just a dumbass.

~~~
zach
And yet they still use the Windows "ding" for everything, because of course
there's no budget for sound design in an ATM project.

I hear those weirdly-out-of-place Windows sounds everywhere. It grates on me
the same way Comic Sans grates on those who appreciate type.

Someone who does sound design could pick up this banner and impress everyone
with a set of free UI sounds that are classic and usable.

~~~
leviathant
Ha! The New Jersey Transit ticket kiosks at 8th street station in Philly make
the same Windows ding noise. It sounds like a program is stuck on an error,
and it's like a dog whistle to me.

That said, about your comment "Someone who does sound design could pick up
this banner and impress everyone with a set of free UI sounds that are classic
and usable." -- I'm betting that's exactly what MS was trying to do. They
commissioned Brian Eno to do the Windows 95 startup sound, and brought on
Robert Fripp for Vista's startup sound (along with Tucker Martine and Steve
Ball). Mind you, I'm not sure who's responsible for the various system sounds.

It's very easy to say "make classic, usable, impressive UI sounds" but
incredibly difficult to actually do that.

~~~
zach
Good point. I suppose the ubiquity of the sounds themselves helps to make them
disconcerting.

Then again, maybe using Windows isn't a terribly positive association for some
to have either.

------
bhavin
One would wonder if there were any code reviews in place or not? Any code that
has monetary effects has to go through a series of code reviews (speaking from
my experience working with a client in the banking industry) and tests. I would be
curious as to how the 'bug' went undetected until deployment!

~~~
bdunbar
_Any code that has monetary effects has to go through a series of code
reviews_

The article reported that he installed malware on select ATMs.

I acknowledge that this leaves a great deal to the imagination, but one
suspects a code review would not catch the problem. The code was clean, the
implementation on certain machines went awry.

~~~
AndyKelley
In other words, he did some kind of internal hacking to install his code -
illegally bypassing the code review process.

~~~
bdunbar
Maybe? I can only speculate that the hack wasn't in the code at all, but
something he installed on the individual ATM.

"Oh, look: you can login to the ATM after installing the code. Hey what if I
..."

If so he didn't bypass the code review so much as skip around it, whistling a
jaunty 'nope nothing illegal here' tune.

------
ck2
People in charge of the BofA mortgage signature fraud should go to prison too.

[http://www.cbsnews.com/8301-504803_162-20049744-10391709.htm...](http://www.cbsnews.com/8301-504803_162-20049744-10391709.html)

But I guess it's a lot easier to prosecute people who can't afford expensive
lawyers.

~~~
anigbrowl
Prosecuting financial fraud is usually a great deal slower and more complex
because it's more difficult to prove intent (compared to both incompetence and
pursuit of legitimate profit), because it can involve so many more people
(many of whom may not have been doing anything wrong at the individual level,
but whose actions taken together were wrong at an institutional level), and
because the rewards are more diffuse and indirect (unit profits lead to pay
rises or career advancement for those involved, rather than bags of cash or
deposits into secret accounts).

That's not to say that people can't or shouldn't be prosecuted, just that it's
a more difficult undertaking. A recent example:
[http://www.housingwire.com/2011/04/19/ex-tbw-ceo-lee-farkas-...](http://www.housingwire.com/2011/04/19/ex-tbw-ceo-lee-farkas-convicted)

~~~
ck2
Signing someone else's name at the behest of a department head is pretty clear
fraud (and more obvious when it's 1000's of documents being signed with
someone else's name and backdated). Watch the 60 Minutes segments.

Prosecutors don't want to take on the financial sector because it ruins their
achievement record if they lose or it takes too long because the defendant can
afford good lawyers. They stick to the people who cannot afford a defense.

No-one has been prosecuted for the financial crisis, I mean the economy was
DESTROYED, we are years into it now.

~~~
anamax
> No-one has been prosecuted for the financial crisis, I mean the economy was
> DESTROYED, we are years into it now.

Why should they be prosecuted? We re-elected Barney Frank.

------
Killah911
I'm just dying to know how exactly he did it and how they tracked him down.
I've joked about this type of thing with friends, but it would be absolutely
hilarious if he did something to the effect of putting his information within
the malware which led cops right to his doorsteps. I have a feeling, this may
be something at the level of a burglar leaving footprints in the snow right to
his home... I mean, wouldn't they have locked him up and thrown away the keys
if it were more of an Oceans 11 type plan & they had to chase him down
spending tons of federal money? 400k & 27 months for what essentially is
equivalent to bank robbery?

~~~
itgoon
My guess is that it was when the money in the ATMs didn't reconcile.

It may be normal for a set of ATMs to be off by a few hundred a year, but
anything higher than the norm would be enough to set off alarms.

After that, it just involves reviewing code checkins and camera footage.

Just a guess, though. Hell, maybe he used an ATM card first before each "heist".

------
bitwize
"...some cash machine in Bumsville, Idaho spits out $700 into the middle of
the street. I did that! That was me!"

"You did this from your house?"

"What are you, stoned or stupid? You hack a bank across state lines, you get
nailed by the FBI!"

~~~
endlessvoid94
Man, I was JUST going to quote that. Well done.

------
smackfu
Can anyone figure out where a year went here? He pleaded guilty in April _2010_.
Was he really just sentenced in May _2011_?

------
hansy
How did he get caught?

~~~
jason_slack
That is a line from "Hackers", one of Angelina Jolie's first movies!

~~~
lazugod
Or he could actually be asking how he was caught.

~~~
jason_slack
I totally did not read Hansy's comment that way since it was posted in a weird
place in the thread. I thought he/she was referring to a line from "Hackers".

Hansy, I apologize.

------
omouse
Like father/BoA like son?

------
clarebear
Sounds like Office Space.

~~~
jsavimbi
More like Superman III.

~~~
leftnode
It doesn't sound like either of those movies. They just shaved off dollar
amounts less than 1 cent from millions of transactions. This guy just had the
machines spit out extra money when he entered his ATM card.

~~~
jason_slack
I think you have my stapler.....

~~~
hugh3
Please, just stop.

I mean, I love quoting tangentially-related old movies too, I think it's
totally the highest form of wit, but the url for fark.com is "fark.com".

------
delinka
I wonder how they'd have felt about it making phantom lines of credit instead.
(Of course, with interest.)

"Oh, it's Programmer D! How's it goin', D? You want $1,000? OK! And since you
don't have enough money just now, I'll just jot this down for you to pay back
later."

And magically, when I deposit $5,000, it pays back a few hundred on my, er,
his loan. :-)

~~~
delinka
Fine, more apropos- yeah, the guy was an idiot. I was going to pontificate on
how one might actually pull this off, but there's always a problem: you're
gonna make mistakes and eventually get caught.

~~~
jwhitney
Or, you won't and then no one will know how you did it.

~~~
fragsworth
If you don't mess up, nobody will know that you did anything at all.

They don't seem to publish statistics on these things very often, but my gut
tells me more people get away with crimes than don't.

