Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Executive Exploits ATM Loophole To Steal $1 Million (zdnet.com)

Posted by BeauHD on from the sneaky-bastard dept.

An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.

57 comments

  1. Its 1 mil from a bank by DarkRookie2 · · Score: 0, Offtopic

    He stole from a bank. Who cares. They are insured and prolly are not going to miss that money all that much.
    Maybe it was an executives bonus.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Its 1 mil from a bank by Anonymous Coward · · Score: 0

      They're insured by the Chinese Communist government. It's worthless, it means nothing to the real world. Chinese banks aren't worth the pink paper they hoard, the whole system is a joke with shitty AI to try to find out if you laughed or not.

    2. Re:Its 1 mil from a bank by Anonymous Coward · · Score: 0

      Who cares? You should care. If it were legal to steal from banks, there wouldn't be any banks.

    3. Re:Its 1 mil from a bank by Opportunist · · Score: 1

      That's not the point. It's not about money.

      You think that a mafia boss notices when you steal a few bucks from him? Of course not. But you'll still sleep with the fishes if you do. There's a reputation to uphold, ya know?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Its 1 mil from a bank by Anonymous Coward · · Score: 1

      There is no such thing as a free lunch.

      If this guy siphons off $1M from the bank and the bank "fixes" things by printing up a fresh new $1M to replace the funds it lost, that causes monetary supply inflation. Everybody that was holding on to that type of currency just got less purchasing power than they thought they had because of inflation.

      If the people were smart, they'd ALL be spitting mad at that guy (and the bank) who just stole from them.

      Unfortunately, people are ignorant of how this type of theft affects them and the damages are spread thinly over a huge number of people... It's going to take a lot more people stealing this way (and they will if nobody stops them) for the cumulative effects to become strong enough to cause hyper inflation that everyone will notice.

    5. Re:Its 1 mil from a bank by Anonymous Coward · · Score: 0

      He stole from a CHINESE bank, which don't have any type of FDIC - like protections.

    6. Re: Its 1 mil from a bank by illiac_1962 · · Score: 1

      This never would have been prosecuted in the US.

    7. Re: Its 1 mil from a bank by Anonymous Coward · · Score: 1

      Yeah but there is something strange here, he withdraw money for one year from a dummy account...nobody got suspicious (was the guy the only one in charge to check the dummy account for testing?), the guy did not spend a single cent but stores all the money in his account, then return all the money to the bank...then he gets more than 10 years in prison. Dumbest heist in history...or something else is going on.

    8. Re:Its 1 mil from a bank by Actually,+I+do+RTFA · · Score: 1

      Banks cannot print money. They can be embezzled from. Which would cause this particular bank to lose money.

      --
      Your ad here. Ask me how!
    9. Re:Its 1 mil from a bank by Cederic · · Score: 1

      Banks cannot print money

      They can in the UK, if they're more than a certain distance from London.

      Which is why the Royal Bank of Scotland has its own bank notes.

    10. Re: Its 1 mil from a bank by Anonymous Coward · · Score: 0

      So you think that it is easy to simply move money every time he stole? Do you think that nobody would not see something going on in his own bank account which kept getting money in all the time? And you think that it is easy to wire money out of the country?

      The thing is that he did it and was still looking for a way to get the money out some how. He couldn't figure that part out yet so he waited and hoped that nobody would notice. Unfortunately, he still couldn't find a way to get it out himself that long. Not every thief knows every all around from stealing to moving goods to the safe heaven like in American movies.

    11. Re:Its 1 mil from a bank by Actually,+I+do+RTFA · · Score: 1

      The "Ryal Bank of Scotland" is a gvt agency. It's like being amazed that Germany andFrance can both print euros.,

      --
      Your ad here. Ask me how!
    12. Re:Its 1 mil from a bank by Cederic · · Score: 1

      No, the Royal Bank of Scotland is a business. It was printing bank notes before the Government became a majority shareholder.

    13. Re:Its 1 mil from a bank by Actually,+I+do+RTFA · · Score: 1

      Ah, you're right. I thought that the ownership by the government was the original and they let private companies buy in a small amount. Oops!

      But, in the course of reading about the RBS, I discovered that the notes they print aren't legal tender, they are promissory notes. So, redeemable at the RBS (which presumably has assets to back it up.) So, it's like saying VISA and AmEx are "printing currency" by selling prepaid credit cards. Except those use credit. So, it would be like the various house currencies (fun bucks, whatever), except they are so ubiquitous that you can use them for real transactions as well. I mean, the US has things like the Liberty Dollar, and Bitcoin is another attempt at this.

      --
      Your ad here. Ask me how!
    14. Re:Its 1 mil from a bank by Cederic · · Score: 1

      the notes they print aren't legal tender

      The same wikipedia article you linked also states that no currency is 'legal tender' in Scotland, so no, it's not

      like saying VISA and AmEx are "printing currency"

      and it's very obviously and demonstrably would not

      be like the various house currencies (fun bucks, whatever)

      In practice Scottish banknotes are rare outside of Scotland but generally accepted in England and Wales. I haven't tried spending one in Northern Island.

    15. Re: Its 1 mil from a bank by Anonymous Coward · · Score: 0

      Which is why you should always have permission rather than ask for forgiveness afterward. That's something that many modern companies and millennials need to learn. It's still not OK to just take something even if you promise to rectify it later.

  2. Some banks have laughable security. by Pig+Hogger · · Score: 2
    A year ago, I was hired for a customer tech support role for a bank (I helped the bank customers with their website and banking apps).

    We trained on the actual live production system; we could pull out any customer bank account

    1. Re:Some banks have laughable security. by Ecuador · · Score: 3, Interesting

      My bank was bought by a bank I was tried to avoid. In the migration my cell phone number was lost, to enable online transactions they had a "2 factor auth" setup where an SMS enabled a "secure key app", but the form that could send me an SMS could not be submitted, it said no phone number. They were telling me the only way is to go to a branch with my ID for my phone number to be entered in the system. Well, it seemed like a retarded website, so I gave it a go, what do you know, changing form and submitting it got my cell phone number added to the db and sent an SMS. Frontend-only validation on a banking website, congrats guys, I am not leaving much money on that account...

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    2. Re:Some banks have laughable security. by Ecuador · · Score: 1

      Oh, to clarify, I couldn't just go to the branch because I'm in a different country, that's why I wanted to enable online transactions...

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    3. Re:Some banks have laughable security. by AmiMoJo · · Score: 1

      I must admit I don't understand online banking security. On the one hand it's demonstrably shit, on the other we don't see mass account hacks and when money is stolen it's generally down to tricking the user into authenticating or revealing credentials.

      Maybe they do get regularly hacked and just cover it up.

      Having said that one of by bank's security is so good even I can't log in to my account any more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Some banks have laughable security. by AlwinBarni · · Score: 1

      A year ago, I was hired for a customer tech support role for a bank ... We trained on the actual live production system

      Ok, which bank was it? Feel free to use AC as an unrelated post.

    5. Re:Some banks have laughable security. by Anonymous Coward · · Score: 0

      Yeah, and anything you do is logged. So good luck with that.

  3. Nobody say Huawei by Anonymous Coward · · Score: 0

    It's not the same fraud, it's totally different.

  4. "the former manager" by Anonymous Coward · · Score: 0

    "Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." - What a brilliant defense. I no longer work here, I'm just resting your money for security purposes in my account.

    Nice try Quiche.

    1. Re:"the former manager" by Anonymous Coward · · Score: 0

      "The funds were simply "resting" in his own account" The well known Father Ted Defence.

  5. . . . the funds were simply "resting" . . . by PolygamousRanchKid+ · · Score: 2

    . . . its total lack of movement was due to it bein' tired and shagged out following a prolonged squawk.

    The funds are not quite dead yet.

    They think they'll go for a walk.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:. . . the funds were simply "resting" . . . by mrbester · · Score: 2

      Seems like this guy was a fan of Father Ted...

      Bonus points if he said "feck" at any point.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:. . . the funds were simply "resting" . . . by sysrammer · · Score: 1

      They're merely pining for the fjords.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    3. Re:. . . the funds were simply "resting" . . . by Alypius · · Score: 1

      They're stunned! He stunned them just as he was about to transfer them!

  6. Swift! by zamboni1138 · · Score: 2

    "...arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld."

    Arrested, tried, convicted, sentenced and appealed all in a little over two months?

    The justice system works swiftly in China.

    1. Re:Swift! by Anonymous Coward · · Score: 0

      When you don't bribe or have a rich Party Uncle the gloves come off quickly. Embarrass a Chinese financial institution? THERE IS NO GREATER CRIME IN CHINA.

    2. Re:Swift! by Opportunist · · Score: 1

      You just might be right...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Swift! by ShanghaiBill · · Score: 1

      Arrested, tried, convicted, sentenced and appealed all in a little over two months?

      The justice system works swiftly in China.

      As it should. Do you think America's system is better, where accused, and presumably innocent, people sit in jail for months or years awaiting trial?

      America uses the long delays to pressure people into accepting a plea bargain, by admitting to a crime they didn't commit.

      Per capita, America incarcerates four times as many people as China.

    4. Re:Swift! by Anonymous Coward · · Score: 1

      Per capita, America incarcerates four times as many people as China.

      Sounds better than the death penalty to me... as if my math is right, China executes people at a rate ~15x higher than the US.

      Looking at stats from 2017... the US executed 23 people, while China did at least 1551 people.

      Based on 2016 population estimates of 1.38b vs 232.13m... we've got China doing 1 execution for every 889,748 people, while the US is doing a 1 execution for every 14,049,130 people.

    5. Re:Swift! by Anonymous Coward · · Score: 0

      git blame

    6. Re:Swift! by Frank+Burly · · Score: 1

      In California you are entitled to a (misdemeanor, I think) trial within 30 days if you are in custody. Almost nobody does so.

      Defendants stipulate to delays for procedural or practical purposes: maybe to have a hearing to toss out evidence, or maybe their lawyer says he won't go to trial until he is paid in full, or whatever.

      This doesn't excuse the systemic failures, but it's the difference between a feature and a bug.

    7. Re:Swift! by Anonymous Coward · · Score: 0

      your mother

    8. Re:Swift! by AmiMoJo · · Score: 1

      It's a difficult balance, because on the one hand everyone wants swift justice and resolution if they are innocent, but on the other it can take a long time to investigate some crimes, especially financial crimes, and no-one wants mistakes to be made or avenues for appeal left open due to the rush.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Swift! by Anonymous Coward · · Score: 0

      The justice system works swiftly in China.

      Yep. The justice system in the United States is a little rusty in comparison.

      I'll show my way to the nearest reeducation camp.

  7. the funds were simply "resting" in his own account by grep+-v+'.*'+* · · Score: 1

    Yeeeah. All that pr0n in my home directory? I collected it all from websites and was going to turn it all over to the authorities, I just hadn't quiiiite gotten around to it yet.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  8. CALLING ALL HACKINGBEARS! Hackingbear DO YOU READ? by Anonymous Coward · · Score: 0

    You are called to defend China's good name with your rhetoric, comrade - remember, we have your mother in a cage above a large hot pot of soup. Make us proud, propagandist! The west can't know Huawei is a fraud tentacle! Distract!

    Go forth and FUD or your family dies. Make the motherland proud, lie for the party!

  9. Re: show butthoal by Anonymous Coward · · Score: 0

    I have a feeling a disgusting narcissist like this is going to be in never ending trouble in prison. I doubt the guards will be savvy enough to contain his criminal urges. I hope they hang him more than once.

  10. What? Those blasted Commies! by Opportunist · · Score: 1

    If anyone had any doubts that their understanding of law and order is incompatible with ours, this is probably the last proof you need.

    They arrested and convicted a banker. How can this be legal?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Someone tried to make the same bug today at securi by raymorris · · Score: 2

    Just today I had a new co-worker try to make the same "at midnight" mistake in our code, at a security company.

    Wrong:
    Cron midnight SELECT where Date > 24 hours ago.

    Another way to do it wrong:
    Store update-ran (now())
    Process new since update-ran

    Right way:
    Process where processed != true

    You have to consider:
    A) Records that occur *during* the processing
    B) Yesterday's run wasn't *exactly* 24 hours ago. It was at least a few miliseconds more or less, long enough to insert a few transactions

    Better but still unsafe, btw:

    Cron midnight SELECT where Date > 48 hours ago AND processed != True ...
    Handle where processed = pending

  12. Stealing is legal in China, just bribe your way. by Anonymous Coward · · Score: 0

    Embarrass the government, that's the only crime they pursue. Fake rice, soup made from abortions, no big deal. Anything goes in China except embarrassing them with their incompetence.

  13. Nazi homo-recruiter RAY MORRIS pushes propaganda by Anonymous Coward · · Score: 0

    Nazi homosexual recruiter RAY MORRIS pushing debunked Nazi propaganda even after corrected, #ROPE

  14. China = shithole for totalitarians, nothing more. by Anonymous Coward · · Score: 1

    Plus, the "4 times" figure doesn't account for China's MILLIONS of disappeared in secret prisons throughout that criminal cabalist faggot country. Also - none of them got actual trials - not one.

  15. Not unheard of by Xenolith0 · · Score: 2
    https://www.smh.com.au/national/fast-money-20140804-3d2x4.html

    Saunders claims he did nothing more than stumble across a loophole, a period of time when the ATM was offline from the bank's main systems.

  16. Uh by fubarrr · · Score: 1

    Funny thing in China is that banks settle transactions with the central bank (People Bank of China) over QQ (a chat program) at the end of the day, and that account ballances of private individuals are stored in the central bank

  17. CISA to the Rescue! by Anonymous Coward · · Score: 0

    Have no fear, CISA is here! The Cybersecurity and Infrastructure Security Agency will protect you, just give us tons of money and don't hold us to any real results. We're too busy traveling to exotic locations for speaking engagements and conferences, giving taxpayer money to our golf pals (especially Don B's friends since he's their bitch), and constantly reorganizing since that's a great way of avoiding work.

  18. Re:Someone tried to make the same bug today at sec by Actually,+I+do+RTFA · · Score: 2

    You have several errors in your code. Please fix them and repost.

    --
    Your ad here. Ask me how!
  19. "Was just testing each day for the last year ok?" by Anonymous Coward · · Score: 0

    Honestly!

    Lol - guy was obviously not just 'testing'. You find that kind of flaw, you only need to run the test once or twice, then escalate it quickly so it gets fixed. He didn't, and did this 'test' for a year. It's also very likely that flaw had been happening for a while for other people accidentally, so *quite* important to get fixed.

    He got caught and punished for it. Probably self-justifying whilst he did it as 'testing', but really with the intention of only returning the funds if they were ever asked for - his 'get out of jail free card' (It's wonderful how the human mind works like this sometimes).

    Law enforcement correctly didn't agree with his view on the matter, and gave him some new wrist jewellery and a new place to live.

  20. Poor Money by ememisya · · Score: 1

    The cash was just tired, it needed some rest.