
How I 'stole' $14 million from a bank: A security tester's tale

64 points | donretag | 13 years ago | money.cnn.com

57 comments

Zenst | 13 years ago
On a not so unrelated experience from many years back, pick a large bank, find the training room. Pick your flavour of thumb/floppy image Unix/Linux and boot off that and run tcpdump, then realise how scary it is that some training rooms are not as isolated from the real network/systems as you'd think, as training for many are live systems with training accounts/logins :(.

Another common issue is to find a fire exit with discarded cigarette butts, and odds are somebody has taped over the door sensor or disabled it and you can just break into the building that way without an alarm going off. Done the going in at a weekend to do a cleaning job which was a covert security audit and found we could have just gone up the external staircase and in via a fire exit thanks to smokers and their addictions.

Also it was common on trading floors to find unapproved modems so the blessed keen could catch up from home or at weekends; nowadays how many end up trojaning their own PCs so they can remotely work without official sanction from IT and the security department.

Biggest fault in most systems will be the staff, one way or another, intended or not.

Like I said, the more you look into it the more you store under your mattress :).

adastra | 13 years ago
'Rather than steal money from depositors' accounts, Bhalla just invented a new account for himself. "We went into the database where the accounts are and set up an account with $14 million," Bhalla explained. "We just created $14 million out of thin air."

I remember the first time I discovered this is how banks operate when I was a kid. It's really pretty mind-blowing when you think about it. And knowing how full of bugs most software is it really made me question the entire banking system. (My mind has still yet to be put at ease on that...)

maratd | 13 years ago
Oh, absolutely. People think of money in very concrete terms. Like physical currency.

But that hasn't been the case for a long time. Today, money is just a few bits in a database here and there. And of course, making yourself a millionaire (or billionaire) is as easy as inserting a row into a database.

Here is the important part: While the article insinuates that this creation of money out of thin air is a victimless crime, it is not!

Even worse, the bank does not lose a penny from this type of criminal activity. The ones who pay for it? We all do. By creating money out of thin air, you are increasing the money supply, which pushes up inflation due to higher demand for goods, which in turn reduces the value of the currency.

In other words, when you create money out of thin air like this, you are taking a tiny bit from everybody who uses the currency! Theft on an absolutely universal and massive scale!

bubbleRefuge | 13 years ago
A few myths are circulating here. Let me declare: 1) Printing money does not cause inflation. 2) We do not have a fractional reserve banking system; banks can and do create money out of thin air as suggested (aka loans). 3) Bank runs are not a problem.

The price level/inflation level in macro econ is the intersection of supply and demand. So called demand-pull/cost-push inflation. Sure, you can say that printing money causes inflation ceteris paribus. But in the real world things are not ceteris paribus. You can create money and have deflation if supply/production increases at a greater rate than money creation causes increases in demand. If money creation results in balances held in deposit but not spent, then there is no inflation as a result of the money creation itself. This probably explains why the US economy has been teetering on deflation: most of the money created ends up hoarded in the accounts of rich people who do not spend it.

There are two kinds of money: bank deposits and reserves. Reserves (aka high-powered money/vertical money) are physical currency in circulation or in bank vaults and special deposit accounts at the Fed held by banks that are members of the Federal Reserve system. Bank deposits ("private money" or vertical money) are created by banks when they create loans. The lending process is regulated by the Fed and government agencies (ex. Office of the Comptroller of the Currency). Yes, the Fed imposes reserve requirements on member banks. But these requirements do not constrain their ability to lend. The reason is b/c banks can make loans and borrow reserves from the federal funds market or the Fed directly in the following accounting period. Reserves are used for interbank deposit settlement. So when a check is written from account holder A in bank A to AH B in bank B, the transaction is settled at the reserve level using reserve accounts at the Fed. It is complex and I could go into capital requirements, which are a true constraint on money creation by banks.

Because of FDIC insurance, bank runs are not a problem in our system. Ultimately the Fed can backstop the FDIC as it kind of did during the crisis of '08.

Zenst | 13 years ago
Your mind should never be totally at ease and offset by the banks that have governmental or separate assurances/protection for worst case situations. So if a bank goes completely bust then up to an amount is covered by a government or separate entity. Then you don't have to worry as much; then you avoid online banking and have that disabled for your account and have to worry even less; get to know your local branch staff and then have even less to worry about. But never be completely at ease, even if you own the bank.

marvin | 13 years ago
Yeah, I've been thinking about exactly this kind of attack for years. Didn't think it would be as easy as adding a row to a database table.

Shenglong | 13 years ago
I feel like there should be secondary checks for things like this. When I was running an MMORPG, I was terrified of duplication bugs (dupes). In many ways, dupes have the same effect on a game economy as this type of theft has on the real economy: it can go unnoticed for a long time, and the victims are primarily the masses (money supply) until someone finds out.

Since we didn't have any network security professionals on our team, I was especially worried. What we realized though, was that we kept a detailed log of all item/money creations/deletions, where trades were just a creation/deletion pair. Thus, we wrote a script to learn what the most expensive items (and thus most costly, if duplicated) were at any given time, and match creations to deletions with a frequency increasing with item value. Whenever there was a discrepancy, we were alerted.

I suppose banks could do something similar. If they separate the money transfer system from the account creation system, they could add an additional layer of security. I haven't really thought out the details, but it makes sense at first glance. Perhaps they already do something like this?
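
One way to implement the creation/deletion reconciliation this comment describes, as an added example that is neither the commenter's code nor anything from the article; the log line format, the per-trade refs and the "MINT" marker for sanctioned issuance are assumptions. It also checks the bank-side form of the same invariant: no value in circulation without a recorded source, which is exactly what a $14 million row inserted out of thin air violates.

```python
from collections import defaultdict

# Constructed sample event log, not from the original thread. Each line is
# "seq,event,item,value,owner,ref". A trade is a delete/create pair sharing
# one ref; sanctioned issuance carries the ref "MINT" (assumed format).
LOG = """\
1,create,sword_of_fire,5000,alice,MINT
2,delete,sword_of_fire,5000,alice,T100
3,create,sword_of_fire,5000,bob,T100
4,create,gold_pile,14000000,mallory,T999
5,create,potion,5,carol,MINT
6,delete,potion,5,carol,T101
7,create,potion,5,dave,T101
8,create,potion,5,eve,T102
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        seq, ev, item, value, owner, ref = line.split(",")
        events.append({"seq": int(seq), "event": ev, "item": item,
                       "value": int(value), "owner": owner, "ref": ref})
    return events

def reconcile(events):
    """Match creations to deletions per trade ref.

    Returns (ref, unbacked_value) pairs, largest discrepancy first, so the
    most expensive items get looked at first. Balanced trades produce nothing.
    """
    balance = defaultdict(int)
    for e in events:
        if e["ref"] == "MINT":            # sanctioned issuance is exempt
            continue
        sign = 1 if e["event"] == "create" else -1
        balance[e["ref"]] += sign * e["value"]
    alerts = [(ref, delta) for ref, delta in balance.items() if delta != 0]
    return sorted(alerts, key=lambda a: -abs(a[1]))

def supply_invariant(events):
    """Circulating value must equal sanctioned (MINT) issuance exactly.

    Returns (circulating, minted); the gap is value created without a source.
    """
    circulating = sum(e["value"] if e["event"] == "create" else -e["value"]
                      for e in events)
    minted = sum(e["value"] for e in events if e["ref"] == "MINT")
    return circulating, minted

if __name__ == "__main__":
    evs = parse_log(LOG)
    print(reconcile(evs))         # [('T999', 14000000), ('T102', 5)]
    print(supply_invariant(evs))  # (14005010, 5005)
```

The unbalanced refs sum to exactly the gap between circulating and minted value, so either check alone catches the conjured value; the per-ref view tells you which transaction to look at.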

umsm | 13 years ago
Adding another system to the mix is just another system that can be vulnerable to an attack. Once someone is in and they understand how everything works, there is no stopping them.

dlhavema | 13 years ago
I talked to a guy a few years back that used to do this as his full time job, but the constant lawsuits that ensued drove him to stop doing this kind of pen-testing altogether. Most companies just hired them to check off a list and when the security firm actually found something the client would try to sue the pants off of them for "violating their systems" even though they had full knowledge, signed forms, etc... too much hassle for them...

I personally would love to do this kind of work; legally breaking into a system to see if it could happen would be very entertaining.

PwdRsch | 13 years ago
I used to do this same thing and never heard about pen testing firms being sued by their client. Most likely he was spinning a yarn.

It is more likely that a security consulting firm will be sued if they report no issues and the bank is later compromised.

drucken | 13 years ago
I really do not understand how cybercriminals sophisticated enough to conduct these sorts of heists would then go and deposit all the physical cash into the nearest bank account in the same country?

Or perhaps we only hear of the unsuccessful heists...

Zenst | 13 years ago
Oh he was testing, and a separate compliance system should (legal remit in many countries) highlight any transactions over a certain amount, £10k I believe in the UK. So yes it would have stuck out like a sore thumb in audit checks.

If he was serious it would have been many different accounts/transactions and then gets into the arts of money laundering/avoiding the first like auditors/checks.

Yes you do only hear about unsuccessful heists, though the times are changing with regards to being more open.

In short he was testing the security of the bank and not the auditing and laundering aspects, which is when you need somebody with some accounting knowledge and banking knowledge.

danielrm26 | 13 years ago
It's fascinating to think about how the overall economy might be affected by simply adding a row to a database. Did that money actually become real when that row was created? If the money was withdrawn and spent, wouldn't it be real then?

Makes you wonder about the regulation of money in general.

ef4 | 13 years ago
No, hacking one bank doesn't really impact the wider money supply. The Federal Reserve serves as the bank's bank. It knows how much each bank has, and the individual banks are limited as to how much new money they can create in relation to their credit at the Fed.

But if you hacked the Fed itself, yes, you'd be creating new money.

Zenst | 13 years ago
Oh the perception people have on security is varied and TV and Hollywood make it look easy; we think banks are hard and professional and reality is a mix of the two. Some good, some exceptional and some fall short of expectations. There have been many clever and not so clever ways of stealing from banks and also some amazing and clever ways banks have stolen from customers and non-customers, as proven in recent times. Sad part is if you steal from a bank, then you break the law, and if a bank steals from you, it is usually government sanctioned as in the case of Greece.

Though any tester who did pentesting on banks would have signed an NDA and if not, somebody really messed up, and how are we reading about this within 10 years of it happening!

greedo | 13 years ago
While sanctions for violating an NDA during an assessment aren't usually defined explicitly in the contract, most security firms would never divulge methods and results even in a sanitized account like this. Security firms rely upon their reputation since they get a good look under the kimono.

That leads to either the bank approving of this article or Security Compass having loose lips. I can't imagine a bank signing off on releasing this info, as it paints bank security in a bad light.

I expect that somewhere, someone is contacting their internal IT staff to find the SOW for this pentest, and then contacting their legal dept.

nikcub | 13 years ago
> His client gave him access to the bank's internal network.

That's just making it too easy.

VMG | 13 years ago
If only Security Compass was an anagram of Setec Astronomy...