60 comments

[ 5.0 ms ] story [ 126 ms ] thread
Oh the perception people have on security is varied and TV and hollywood makes it look easy, we think banks are hard and professional and reallity is a mix of the two. Some good, some exceptional and some fall short of expectations. Been many clever and not so clever ways of stealing from banks and also been some amazing and clever ways banks have stole of customers and non-customers as proven in times recent. Sad part is you steal from bank, then you break the law and if a bank steals from you, it is usualy goverment sanctioned as in the case of Greece.

Though any tester who did pentesting on banks would of signed a NDA and if not, somebody really messed up and how are we reading about this within 10 years of it happening!

While sanctions for violating an NDA during an assessment aren't usually defined explicitly in the contract, most security firms would never divulge methods and results even in a sanitized account like this. Security firms rely upon their reputation since they're get a good look under the kimono.

That leads to either the bank approving of this article or Security Compass having loose lips. I can't imagine a bank signing off on releasing this info, as it paints bank security in a bad light.

I expect that somewhere, someone is contacting their internal IT staff to find the SOW for this pentest, and then contacting their legal dept.

Well said and you have to laugh about the security of security companies now, but as you said it is reputation and trust is earned slowly and lost easily.
On a not so unrelated experience from many years back, pick a large bank, find the training room. Pick your flavour of thumb/floppy image unix/linux and boot of that and run tcpdump, then realise scary how some training rooms not as isolated from the real network/systems as training for many are live systems with training accounts/logins :(.

Another common issue is find a fire exit with disgarded cigerrete butt's and odds are somebody has taped over the door sensor or disabled it and you can just break into the building that way without an alarm going of. Done the going in as weekend to do a cleaning job which was covert security audit and found we could of just gone up the external staircase and in via a fire exit thanks to smokers and there adictions.

Also was common on trading floors to find unapproved modems so the blessed keeness could catch up from home or at weekends, nowadays how many end up trojaning there own pc's so they can remotly work without official sanction from IT and the security department.

Biggest fault in most systems will be the staff, one way or another, intended or not.

Like I said, more you look into it the more you store under your matress :).

I really do not understand how cybercriminals sophisticated enough to conduct these sort of heists would then go and deposit all the physical cash into the nearest bank account in the same country?

Or perhaps we only hear of the unsuccessful heists...

Oh he was testing and seperate compliance system should (legal remit in many countries) highlight any transactions over a certain amount, £10k I believe in the UK. So yes it would of stuck out like a sore thumb in audit checks.

If he was serious it would of been many different accounts/transaction and then gets into the arts of money laudering/avoiding the first like auditors/checks.

Yes you do only hear about unseccessful heists, though the times are changing with regards to being more open.

In short he was testing the security of the bank and not the auditing and laudering aspects, which is when you need somebody with some accounting knowledge and banking knowledge.

I was referring to the actual heist at the bottom of the article.
'Rather than steal money from depositors' accounts, Bhalla just invented a new account for himself. "We went into the database where the accounts are and set up an account with $14 million," Bhalla explained. "We just created $14 million out of thin air."

I remember the first time I discovered this is how banks operate when I was a kid. It's really pretty mind-blowing when you think about it. And knowing how full of bugs most software is it really made me question the entire banking system. (My mind has still yet to be put at ease on that...)

Oh, absolutely. People think of money in very concrete terms. Like physical currency.

But that hasn't been the case for a long time. Today, money is just a few bits in a database here and there. And of course, making yourself a millionare (or billionare) is as easy as inserting a row into a database.

Here is the important part: While the article insinuates this creation of money out of thin air as a victim-less crime, it is not!

Even worse, the bank does not lose a penny from this type of criminal activity. The ones who pay for it? We all do. By creating money out of thin air, you are increasing the money supply, which pushes up inflation due to higher demand for goods, which in turns reduces the value of the currency.

In other words, when you create money out of thin air like this, you are taking a tiny bit from everybody who uses the currency! Theft on an absolutely universal and massive scale!

That's not true. The bank does lose out from this. Individual banks can't simply add millions of dollars to all accounts on a whim, as they won't be able to pay out when customers withdraw / transfer out the cash.

It's just that, to a huge organisation, a $14 million accountancy error could go unnoticed for a long time. Likewise, a dollar or two missing from my piggy bank will probably not be noticed. Merely a question of scale, but the loss is still there.

> as they won't be able to pay out when customers withdraw / transfer out the cash

Banks can't do that right now anyway. Banks only hold onto cash to meet reserve requirements, which is a fraction of the deposits held for depositors. If everyone tried in a bank to withdraw cash, you'd have a run.

Yes, and the more money you 'create' by altering the database, the more likely they'd be unable to pay out.
> The bank does lose out from this. Individual banks can't simply add millions of dollars to all accounts on a whim, as they won't be able to pay out when customers withdraw / transfer out the cash.

Please explain this.

Almost all significant transactions are electronic now. Nobody withdraws millions of dollars in physical currency.

You're just modifying rows in a database.

All the bank would do is tell the other bank that they have the money now and debit a database row which was fake to begin with?

As you said, inflation occurs when the money supply goes up, and dangerously so if it happens for no good reason (in your example). I suppose it is not in the interest of banks to have hyperinflation either?
> Nobody withdraws millions of dollars in physical currency

I'd suggest that the hackers who manage to alter their balance are exceedingly likely to be the kind of people to try and obtain a physical withdrawal of their wealth!

But even in electronic form, there is some settlement going on behind the scenes. Let's say I hack my bank and give myself $100 billion dollars, then try and transfer this to another bank in a country with a suitable lack of extradition treaties. No receiving bank is going to blindly accept a transfer in of $100 billion. Do you think they just take the other bank's word for it, that they are good for the money?

Here's a better way of explaining this:

Let's say I frequently lend cash to a wide circle of friends, and they lend cash to me too. Because my memory is bad, I have to keep track of things by writing down the debts on a piece of paper, e.g. "Bob owes me $5, I owe Kathy $10" and so on.

In effect, what these hackers have done is to steal my piece of paper while I'm not looking and scribble "I owe Mr hax0r $10" on the bottom of it.

Now, who have they stolen from? Me, of course! I will blindly pay them out $10 should they ask for it. Has Bob lost money? No. Has Kathy lost money? No. Has money magically been created and cost everyone in the world fractions of a cent? No. I am the person who has lost out.

If they stole huge amounts of money from me such that I couldn't make good on my debts to other people, then others will be indirectly affected too. But I am the person who was robbed.

This is the best explanation. What I think a lot of the public doesn't realize is where the money comes from when you walk into a bank and you get a loan from that bank (instead of depositing the money from somewhere else).

They basically are just creating new rows in their databases. Just like the names-on-paper example above, someone just types "+$X,000" into the row that represents the money in your account. And then someone types the equivalent of "adastra owes us $X,000" into a row in another database for their balance sheet. It really is money created out of thin air.

But then I suppose all money is actually IOU's created out of thin air... It's just that for some reason people think it's only the federal government that can create new IOU's.

You are right. A bank loan is the borrower's liability and the bank's asset but the deposit resulting from the loan is bank's liability and the owner's asset. This is how most bank deposits come into existence. If all loans were paid off and no new loans were created, there would be a tiny bit of money left.
(comment deleted)
The US government printed hundreds of millions of dollars in physical currency and shipped it to Iraq and Afghanistan.
It's the next bit of this story that's most interesting.
Let's say Very Small Bank only has $100 million according to the database. If you create $14 million out of thin air and then move it somewhere else, they decrement their value in the database to $86 million.
If you transfer a million dollars from bank A to an account in bank B, then the following will happen:

1) Bank A will decrement your [fake] balance; 2) Bank B will increment that account's balance; 3) Bank A will note that they owe 1 million to bank B, and Bank B will not that they deserve 1 million from bank A. They'll settle that balance somehow (that's a bit complex and irrelevant), but the debt now exists. If they don't trust each other that much, then bank B will credit the funds only after bank A has paid them; this often causes a couple days delay in international bank transfers.

Do you now see how they can't "create money" by whatever they do in their databases? To give cash out, banks need cash; to send money somewhere else, they need to give money to that somewhere else or convince that 'somewhere else' to lend them that money.

In essence, altering an account balance is exactly equivalent to faking a document stating "Bank owes me X dollars" so well that the bank (temporarily) believes it - nothing more.

Good points. You are very close. However, the federal reserve system and "reserves" are the machinery that enables interbank currency flows. The federal reserve must honor all inter-bank transactions else the system collapses. In a sense they allow overdrafts on reserve accounts forcing the member bank to pay interest in these cases. So, a interbank transaction within the federal reserve system itself will never fail. So yes if you can create a fake deposit, its is funded.
I'm not sure on the exact USA fed reserve rules, but typically when the interbank deals are cleared through a centralised system or a national bank (as opposed to mutual correspondent accounts common for international deals), then it does not honor ALL inter-bank transactions - they validate against the bank's capacity to pay (i.e., their deposits at that central bank), the overdrafts are limited and a bankrupt or malicious banking company can't do that much damage.

In any case, if you fake a dollar in Bank A systems, then no matter where and how you withdraw or transfer it, it's a dollar that Bank A loses.

There is a vary specific exception. When a lot of FDIC ensured bank fail at the same time the FED create money out of thin air to pay some of the depositors. However, while you may have added a new line in a database somewhere there is a large audit that takes place and you may or may not get though that audit. Though in most cases when a bank fails it's paid out of FDIC funds which are just another form of insurance.
They do allow overdrafts. If a bank is deemed insolvent ( which has to do with bank capital not bank reserves) they are shuttered. So as long as the bank is open for business 'hacked' deposits, etc. , will flow.
> They'll settle that balance somehow (that's a bit complex and irrelevant)

Well, no, that's extremely relevant. How is that debt settled?

I'm quite certain they don't send over a truck full of cash.

If it's just a matter of Bank A telling Bank B to adjust their books and Bank B taking their word for it, then Bank A isn't losing anything. They just created that money out of thin air.

Let's suppose I tell you to pay the bartender for a beer and that I'll settle it with you afterwards; and you're taking my word for it - am I not still "losing" the beer money? Have I created the beer money out of thin air?

Is there any difference if I later settle this by giving you cash, write a check, pay with paypal or give you a gold piece? The debt is real, if I gave a binding certificate "I'll owe $100 to you" then I just lost $100.

Bank A isn't simply "telling Bank B to adjust their books", Bank A is telling "please adjust your books to give $X to Y, and for that I'll pay you that amount via method Z", where Z typically is either a clearing house (someone who aggregates the payments and settles the net differences of all the bazillion payments) or a mutual correspondent account. Until they settle, they have a valid, legally binding debt to Bank B.

Trucks full of cash may be involved in settlement, but usually are not since they are very inconvenient and expensive - but if Bank A holds their reserves at a central bank and thus has the right to request it to ship 123 truckloads of cash; then it may transfer part of these reserves to Bank B, so that Bank B will get one of them and Bank A will only be able to request 122 truckloads of cash. Of course, the truckloads of cash are used only as much as needed (say, to fill up ATM's) - but they are real, you can close up your bank, settle all debts, and take all remaining assets out in cash.

(comment deleted)
To kind of play devil's advocate here, then does this mean that every time the government prints money, they're stealing on "an absolutely universal and massive scale"?

I'm not trying to discredit you, it's just kind of an interesting thought.

Another way of looking at it when governments create money there taxing everyone for using there currency. If you have 1kg of gold there it's no cost to you it's only when you have cash or are owed cash that it's a problem.
(comment deleted)
Essentially, yes. The government printing more currency is roughly equivalent to levying a tax on all holders of that currency, in proportion to the amount held.
..which is interesting when you consider the uproar in Cyprus over the taxing of savings accounts. "Taxing savings" sounds so much worse than "printing money", but in fact it was better in some ways, because the tax could be applied progressively[1], so that wealthier individuals were taxed proportionately higher. It's probably worse in other ways, for example it probably does more to erode confidence in the banking system overall, which is perilous.

* - I realize this wont seem 'better' to everyone, but at-least taxing savings has the option of selective application. Printing money hits everyone the same.

No, it is not equivalent, as without a constant, steady inflation rate, actors in an economy have a propensity to hoard savings, which can in turn create a viscous deflationary cycle. Economics can not, at least not any time soon, be an exact science as there are infinitely many factors at work, however, a steady, relatively predictable amount of inflation coupled with understanding the time value of money is the best approach for the foreseeable future.
It's not that simple, which the current economic situation proves. The US government has increased the amount of money several times over since the beginning of the current crisis, but the inflation is still very low. In other words, printing money isn't inflationary in the current situation. The reason for that is that the increased amount of currency doesn't manage to decrease interest rates (since it is already about zero) which normally increase demand, and without increased demand to drive increase of prices no inflation. When the economy is working "as normal" the situation is very different. Then increased availability of currency increases demand which drives the prices up. But we aren't there now.
Yes, and this is hardly a new observation.

Governments have been debasing their currency for millennia, because it's an easier way to raise revenue than actually going out and taxing people for it.

In well run governments (like the US) this is not true. They make massively more money from taxation than seigniorage.

Poorly run governments sometimes try to do this. It generally doesn't work because it results in hyperinflation which wrecks the whole economy.

Of course, central banks control the money supply (both M1 directly and M3 indirectly by imposing reserve ratios on banks). Because absent competition, bad money drives out good, the reserve ratio basically imposes leverage on the banking system. That's why it blows up every decade or so but both the government and the banks prefer it this way: Governments can run deficits and monetize their debts (very useful for funding wars) while banks enjoy the rent seeking a regulated banking system allows.
There is a 3rd party that keeps track of how much money banks have. Editing that third party let's you steal from everyone until that point your just stealing from a specific bank.

http://en.wikipedia.org/wiki/Federal_Reserve_System

> There is a 3rd party that keeps track of how much money banks have.

My understanding of the reserve system, which is entirely limited, is that the Federal Reserve relies on what the bank reports?

If the bank doesn't know it's been hacked, it'll simply report the wrong figures and that will be that?

Banks report net transactions aka BoA and United have customers writhing checks back and forth all the time, but on a given day the net transaction is the sum of all those little transactions. Thus BoA would say the revived 1 million dollars net from United and united would say the lost 1 million to BoA. As long as those numbers match there is no reason not to trust them.

Cash is is handled separately and banks can slightly fudge those numbers. But, there digital cash on hand better match yesterday's balance plus today's net transactions.

PS: Banks can convert cash back and fort from digital to hard currency, but that's handeled by a third party which also reports those transactions.

Your mind should never be totaly at ease and offset by the banks that have govermental or seperate assurances/protection for worst case sitiuations. So if bank goes compeletely bust then upto a amount is covered by a goverment or seperate entity. Then you don't have to worry as much, then you avoid onine banking and have that sidabled for your account and have to worry even less, get to know your local branch staff and then have even less to worry about. But never be completely at ease, even if you own the bank.
A few myths are circulating here. Let me declare 1)Printing money does not cause inflation. 2)We do not have a fractional reserve banking system, banks can and do create money out of thin air as suggested(aka loans). 3) Bank Runs are not a problem.

The price level/inflation level in macro econ is the intersection of supply and demand. So called demand-pull/cost-push inflation. Sure, you can say that printing money causes inflation ceteris paribus. But in the real world things are not ceteris peribus. You can create money and have deflation if supply/production increases at a greater rate that money creation causes increases in demand. If money creation results in balances held in deposit but not spent, then there is no inflation as a result of the money creation itself. This probably explains why the US economy has been teetering on deflation: most of the money created ends up hoarded in the accounts or rich people who do not spend it.

There are two kinds of money: bank deposits and reserves. Reserves( aka hi powered money/vertical money) are physical currency in circulation or in bank vaults and special deposit accounts at the Fed held by banks that are members of the federal reserve system. Bank deposits ("private money" or vertical money) are created by banks when they create loans. The lending process is regulated by the Fed and government agencies( ex. office of the comptroller of the currency). Yes, the Fed imposes reserve requirements on member banks. But these requirements do not constrain their ability to lend. The reason is b/c banks can make loans and borrow reserves from the federal funds market or the Fed directly in the following accounting period. Reserves are used for interbank deposit settlement. So when a check is written from account holder A in bank A to AH B in bank B, the transaction is settled at the reserve level using reserve accounts at the Fed. It is complex and I could go into capital requirements, which are a true constraint on money creation by banks.

Because of FDIC insurance, bank runs are not a problem in our system. Ultimately the Fed can back stop the FDIC as it kind of did during the crisis of 08.

Yeah, I've been thinking about exactly this kind of attack for years. Didn't think it would be as easy as adding a row to a database table.
It's fascinating to think about how overall economy might be affected by simply adding a row to a database. Did that money actually become real when that row was created? If the money was withdrawn and spent, wouldn't it be real then?

Makes you wonder about the regulation of money in general.

No, hacking one bank doesn't really impact the wider money supply. The Federal Reserve serves as the bank's bank. It knows how much each bank has, and the individual banks are limited as to how much new money they can create in relation to their credit at the Fed.

But if you hacked the Fed itself, yes, you'd be creating new money.

True, BUT because banks operate on a fractional reserve system, it's quite likely that banks have available credit for lending (or creating, in the event of an error such as this) for such a small amount without exceeding their fractional reserve. In other words, banks only have to hold 10% [1] of the money in everyone's account. The rest is loaned or otherwise invested to generate returns.

So in a sense the money created IS real. At least, as real as any other money in a bank account.

[1]: http://en.wikipedia.org/wiki/Reserve_requirement#United_Stat...

True, in that sense you're essentially forcing the bank to make a loan they didn't intend to make (which does indeed expand the broad money supply).

If the bank had sufficient excess reserves, other banks would honor the new money. And today most banks do have big excess reserves (which is historically unusual).

No that is false. The money supply is endogenous. Its tied to the health of the economy and the amount of debt the private sector is willing to take on. Fractional reserve banking is a myth. Bankers do steal by using banks to create money for themselves. Research the S&L crisis and also the 08 crisis. They don't directly print money for themselves b/c regulators will catch them. They do it in an obfuscated way by creating fraudulent loans and charging 'legal' fees in the process.
I don't dispute that banks create money and greatly affect the money supply.

Under normal conditions, the banks stay pretty close to their reserve requirement, so a hacker suddenly creating a gigantic new loan at a bank is likely to push them over the limit and draw attention, either immediately or when somebody tries to move the money to another institution.

But at present, many banks do have big excess reserves, so getting away with it is more plausible. It essentially becomes a loan the bank didn't really intend to make.

I talked to a guy a few years back that used to do this as his full time job, but the constant law-suits that ensued drove him to stop doing this kind of pen-testing altogether. most companies just hired them to check off a list and when the security firm actually found something the client would try to sue the pants off of them for "violating there systems" even they they had full knowledge, signed forms, etc... too much hassle for them...

i personally would love to do this kind of work, legally breaking into a system to see if it could happen would be very entertaining.

I used to do this same thing and never heard about pen testing firms being sued by their client. Most likely he was spinning a yarn.

It is more likely that a security consulting firm will be sued if they report no issues and the bank is later compromised.

If only Security Compass was an anagram of Setec Astronomy...
I feel like there should be secondary checks for things like this. When I was running a MMORPG, I was terrified of duplication bugs (dupes). In many ways, dupes have the same effect on a game economy as this type of theft has on the real economy: it can go unnoticed for a long time, and the victims are primarily the masses (money supply) until someone finds out.

Since we didn't have any network security professionals on our team, I was especially worried. What we realized though, was that we kept a detailed log of all item/money creations/deletions, where trades were just a creation/deletion pair. Thus, we wrote a script to learn what the most expensive items (and thus most costly, if duplicated) were at any given time, and match creations to deletions with a frequency increasing with item value. Whenever there was a discrepancy, we were alerted.

I suppose banks could do something similar. If they separate the money transfer system from the account creation system, they could add an additional layer of security. I haven't really thought out the details, but it makes sense at first glance. Perhaps they already do something like this?

Adding another system to the mix is just another system that can be vulnerable to an attack. Once someone is in and they understand how everything works, there is no stopping them.
I wouldn't say he's describing "adding another system to the mix," at least not in a traditional sense; it's more along the lines of two distinct systems working towards a similar goal.

What he described is an auditing system with some particular policies of interest to a specific use case. Such a system should not have any direct access to the main system, and should ideally live in a fully segregated environment with tightly controlled read-only access to a copy of the data being audited.

The whole idea is that this system would not announce its presence on the network in any way so that the attacker is more likely to miss it. Even if the attacker does know that it's present, he should not know all the checks and validations that such a system uses to detect suspicious behaviour. Hell, you could air-gap the entire thing and just copy over data dumps by using USB sticks.

Granted, even in that situation you could get something like Stuxnet which may compromise the machines. However, if you have the resources to build another Stuxnet, chances are you don't really need to get into a bank network.

> His client gave him access to the bank's internal network.

That's just making it too easy.