Slashdot Mirror
Software Executive Exploits ATM Loophole To Steal $1 Million (zdnet.com)
An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.
Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.
Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.
We trained on the actual live production system; we could pull out any customer bank account
. . . its total lack of movement was due to it bein' tired and shagged out following a prolonged squawk.
The funds are not quite dead yet.
They think they'll go for a walk.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
"...arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld."
Arrested, tried, convicted, sentenced and appealed all in a little over two months?
The justice system works swiftly in China.
Yeeeah. All that pr0n in my home directory? I collected it all from websites and was going to turn it all over to the authorities, I just hadn't quiiiite gotten around to it yet.
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
That's not the point. It's not about money.
You think that a mafia boss notices when you steal a few bucks from him? Of course not. But you'll still sleep with the fishes if you do. There's a reputation to uphold, ya know?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If anyone had any doubts that their understanding of law and order is incompatible with ours, this is probably the last proof you need.
They arrested and convicted a banker. How can this be legal?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Just today I had a new co-worker try to make the same "at midnight" mistake in our code, at a security company.
Wrong:
Cron midnight SELECT where Date > 24 hours ago.
Another way to do it wrong:
Store update-ran (now())
Process new since update-ran
Right way:
Process where processed != true
You have to consider:
A) Records that occur *during* the processing
B) Yesterday's run wasn't *exactly* 24 hours ago. It was at least a few miliseconds more or less, long enough to insert a few transactions
Better but still unsafe, btw:
Cron midnight SELECT where Date > 48 hours ago AND processed != True ...
Handle where processed = pending
Plus, the "4 times" figure doesn't account for China's MILLIONS of disappeared in secret prisons throughout that criminal cabalist faggot country. Also - none of them got actual trials - not one.
Saunders claims he did nothing more than stumble across a loophole, a period of time when the ATM was offline from the bank's main systems.
There is no such thing as a free lunch.
If this guy siphons off $1M from the bank and the bank "fixes" things by printing up a fresh new $1M to replace the funds it lost, that causes monetary supply inflation. Everybody that was holding on to that type of currency just got less purchasing power than they thought they had because of inflation.
If the people were smart, they'd ALL be spitting mad at that guy (and the bank) who just stole from them.
Unfortunately, people are ignorant of how this type of theft affects them and the damages are spread thinly over a huge number of people... It's going to take a lot more people stealing this way (and they will if nobody stops them) for the cumulative effects to become strong enough to cause hyper inflation that everyone will notice.
Funny thing in China is that banks settle transactions with the central bank (People Bank of China) over QQ (a chat program) at the end of the day, and that account ballances of private individuals are stored in the central bank
This never would have been prosecuted in the US.
Yeah but there is something strange here, he withdraw money for one year from a dummy account...nobody got suspicious (was the guy the only one in charge to check the dummy account for testing?), the guy did not spend a single cent but stores all the money in his account, then return all the money to the bank...then he gets more than 10 years in prison. Dumbest heist in history...or something else is going on.
Banks cannot print money. They can be embezzled from. Which would cause this particular bank to lose money.
Your ad here. Ask me how!
You have several errors in your code. Please fix them and repost.
Your ad here. Ask me how!
Banks cannot print money
They can in the UK, if they're more than a certain distance from London.
Which is why the Royal Bank of Scotland has its own bank notes.
The "Ryal Bank of Scotland" is a gvt agency. It's like being amazed that Germany andFrance can both print euros.,
Your ad here. Ask me how!
No, the Royal Bank of Scotland is a business. It was printing bank notes before the Government became a majority shareholder.
Ah, you're right. I thought that the ownership by the government was the original and they let private companies buy in a small amount. Oops!
But, in the course of reading about the RBS, I discovered that the notes they print aren't legal tender, they are promissory notes. So, redeemable at the RBS (which presumably has assets to back it up.) So, it's like saying VISA and AmEx are "printing currency" by selling prepaid credit cards. Except those use credit. So, it would be like the various house currencies (fun bucks, whatever), except they are so ubiquitous that you can use them for real transactions as well. I mean, the US has things like the Liberty Dollar, and Bitcoin is another attempt at this.
Your ad here. Ask me how!
the notes they print aren't legal tender
The same wikipedia article you linked also states that no currency is 'legal tender' in Scotland, so no, it's not
like saying VISA and AmEx are "printing currency"
and it's very obviously and demonstrably would not
be like the various house currencies (fun bucks, whatever)
In practice Scottish banknotes are rare outside of Scotland but generally accepted in England and Wales. I haven't tried spending one in Northern Island.
The cash was just tired, it needed some rest.