Slashdot Mirror


Software Executive Exploits ATM Loophole To Steal $1 Million (zdnet.com)

An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank.
The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.

8 of 57 comments

  1. Some banks have laughable security. by Pig Hogger · · Score: 2
    A year ago, I was hired for a customer tech support role for a bank (I helped the bank customers with their website and banking apps).

    We trained on the actual live production system; we could pull out any customer bank account

    1. Re:Some banks have laughable security. by Ecuador · · Score: 3, Interesting

      My bank was bought by a bank I had tried to avoid. In the migration my cell phone number was lost; to enable online transactions they had a "2 factor auth" setup where an SMS enabled a "secure key app", but the form that could send me an SMS could not be submitted: it said no phone number. They were telling me the only way was to go to a branch with my ID for my phone number to be entered in the system. Well, it seemed like a retarded website, so I gave it a go, and what do you know, changing the form and submitting it got my cell phone number added to the db and sent an SMS. Frontend-only validation on a banking website, congrats guys, I am not leaving much money in that account...

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
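
The bypass Ecuador describes works because the "no phone number on file" rule lived only in the browser. The block below is an added example, not code from the comment or from any bank: it puts a handler that trusts the submitted form beside one that enforces the rule server-side and treats changing the 2FA phone number as a separate, re-authenticated step. `Session`, the form dicts and the E.164 pattern are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a logged-in session (hypothetical, not the bank's code).
# phone=None models the number that was lost in the migration.
@dataclass
class Session:
    user_id: str
    phone: Optional[str] = None
    recently_authenticated: bool = False   # step-up auth done in the last few minutes

# Loose E.164 shape: leading '+', 7 to 15 digits, no leading zero (assumption for the demo).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def handle_send_sms_vulnerable(session: Session, form: dict) -> dict:
    """Frontend-only validation: the JavaScript refused to submit when no phone
    was on file, so the server assumed any 'phone' field it received was legitimate
    and wrote it straight into the account before sending the SMS."""
    if "phone" in form:                      # a hand-edited form reaches this line
        session.phone = form["phone"]
    return {"status": "sms_sent", "to": session.phone}


def handle_send_sms_fixed(session: Session, form: dict) -> dict:
    """Server-side rule: the SMS goes only to the number already on file.
    The request body is ignored, so tampering with the form changes nothing."""
    if session.phone is None:
        return {"status": "error",
                "reason": "no phone on file; visit a branch with ID"}
    return {"status": "sms_sent", "to": session.phone}


def change_phone_fixed(session: Session, form: dict) -> dict:
    """Changing the second-factor channel is a separate, privileged operation:
    it requires fresh re-authentication and a syntactically valid number."""
    if not session.recently_authenticated:
        return {"status": "error", "reason": "re-authentication required"}
    phone = form.get("phone", "")
    if not E164.fullmatch(phone):
        return {"status": "error", "reason": "invalid phone number"}
    session.phone = phone
    return {"status": "ok"}


if __name__ == "__main__":
    tampered = {"phone": "+15555550100"}        # constructed attacker-supplied number
    s = Session(user_id="victim")
    print("vulnerable:", handle_send_sms_vulnerable(s, tampered))   # SMS now goes to the attacker
    s = Session(user_id="victim")
    print("fixed:     ", handle_send_sms_fixed(s, tampered))        # refused, phone stays None
```

The point of the split is that the vulnerable handler lets whoever holds a session (a stolen password is enough) enrol their own phone as the second factor in one unauthenticated request; the fixed version makes that a distinct step gated on re-authentication, and the SMS endpoint never reads a number from the client at all.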
  2. . . . the funds were simply "resting" . . . by PolygamousRanchKid · · Score: 2

    . . . its total lack of movement was due to it bein' tired and shagged out following a prolonged squawk.

    The funds are not quite dead yet.

    They think they'll go for a walk.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:. . . the funds were simply "resting" . . . by mrbester · · Score: 2

      Seems like this guy was a fan of Father Ted...

      Bonus points if he said "feck" at any point.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  3. Swift! by zamboni1138 · · Score: 2

    "...arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld."

    Arrested, tried, convicted, sentenced and appealed all in a little over two months?

    The justice system works swiftly in China.

  4. Someone tried to make the same bug today at securi by raymorris · · Score: 2

    Just today I had a new co-worker try to make the same "at midnight" mistake in our code, at a security company.

    Wrong:
    Cron midnight SELECT where Date > 24 hours ago.

    Another way to do it wrong:
    Store update-ran (now())
    Process new since update-ran

    Right way:
    Process where processed != true

    You have to consider:
    A) Records that occur *during* the processing
    B) Yesterday's run wasn't *exactly* 24 hours ago. It was at least a few milliseconds more or less, long enough to insert a few transactions

    Better but still unsafe, btw:

    Cron midnight SELECT where Date > 48 hours ago AND processed != True ...
    Handle where processed = pending

  5. Not unheard of by Xenolith0 · · Score: 2
    https://www.smh.com.au/national/fast-money-20140804-3d2x4.html

    Saunders claims he did nothing more than stumble across a loophole, a period of time when the ATM was offline from the bank's main systems.

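The seam raymorris describes in comment 4 (a nightly job that selects rows by a time window anchored at its own run time) and the offline-ATM window in the article Xenolith0 links in comment 5 can both be replayed on a small ledger. The block below is an added example, not code from either comment, from the ZDNet report or from any bank: it runs three batch strategies over the same constructed timeline on an in-memory SQLite table and reports which withdrawals each strategy never processes. The `withdrawals` table, the four rows and the event list are made up for the demonstration. Row 2 is a withdrawal 20 ms after midnight that lands between run 1 and a run 2 that cron fired 50 ms late; row 4 carries a stale `created_at` and is only committed two days later, as a record from a terminal that was disconnected from the core system would be.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed timeline (hypothetical). D0 is an arbitrary day; the job runs at midnight.
D0 = datetime(2016, 3, 1)
EVENTS = [
    ("insert", 1, D0 + timedelta(hours=23, minutes=59, seconds=59, milliseconds=900)),
    ("run", D0 + timedelta(days=1)),                           # run 1, exactly midnight
    ("insert", 2, D0 + timedelta(days=1, milliseconds=20)),    # 20 ms after midnight, after run 1 selected
    ("insert", 3, D0 + timedelta(days=1, hours=12)),           # ordinary daytime withdrawal
    ("run", D0 + timedelta(days=2, milliseconds=50)),          # run 2, cron fired 50 ms late
    ("insert", 4, D0 + timedelta(hours=10)),                   # stale timestamp, committed late (offline terminal)
    ("run", D0 + timedelta(days=3)),                           # run 3
]


def ts(dt: datetime) -> str:
    # Fixed-width ISO text so SQLite's string comparison orders timestamps correctly.
    return dt.isoformat(sep=" ", timespec="milliseconds")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE withdrawals (
        id INTEGER PRIMARY KEY, amount INTEGER NOT NULL,
        created_at TEXT NOT NULL, processed INTEGER NOT NULL DEFAULT 0)""")
    return conn


def mark_processed(conn, ids):
    conn.executemany("UPDATE withdrawals SET processed = 1 WHERE id = ?", [(i,) for i in ids])


def run_window(conn, now, hours=24, use_flag=False):
    """The 'wrong' and 'better but still unsafe' shapes from the comment:
    select everything newer than (now - window), optionally also requiring processed = 0."""
    cutoff = ts(now - timedelta(hours=hours))
    sql = "SELECT id FROM withdrawals WHERE created_at > ?"
    if use_flag:
        sql += " AND processed = 0"
    ids = {row[0] for row in conn.execute(sql, (cutoff,))}
    mark_processed(conn, ids)
    return ids


def run_flag(conn, now):
    """The 'right way': the clock plays no part; anything not yet flagged is work."""
    ids = {row[0] for row in conn.execute("SELECT id FROM withdrawals WHERE processed = 0")}
    mark_processed(conn, ids)
    return ids


def replay(strategy):
    """Drive one strategy through EVENTS on a fresh DB; return ids it never processed."""
    conn = new_db()
    seen = set()
    for ev in EVENTS:
        if ev[0] == "insert":
            conn.execute("INSERT INTO withdrawals (id, amount, created_at) VALUES (?, ?, ?)",
                         (ev[1], 100, ts(ev[2])))
        else:
            seen |= strategy(conn, ev[1])
    every = {row[0] for row in conn.execute("SELECT id FROM withdrawals")}
    return every - seen


def missed_by_each():
    return {
        "24h window": replay(lambda c, now: run_window(c, now, 24)),
        "48h window + flag": replay(lambda c, now: run_window(c, now, 48, use_flag=True)),
        "flag only": replay(run_flag),
    }


if __name__ == "__main__":
    for name, missed in missed_by_each().items():
        print(f"{name:18s} never processed: {sorted(missed) or 'nothing'}")
```

The 24-hour window loses row 2 to the 50 ms seam between two runs (and would process a row twice if cron ever fired early instead), and it loses row 4 because its timestamp is older than the window by the time it exists in the table. Widening to 48 hours and adding the flag rescues row 2 but not row 4. Only the flag-driven query, where the time of the run is irrelevant, leaves nothing unprocessed; that is the property a reconciliation job needs if an "unrecorded timeframe" is not to exist at all.
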
  6. Re:Someone tried to make the same bug today at sec by Actually, I do RTFA · · Score: 2

    You have several errors in your code. Please fix them and repost.

    --
    Your ad here. Ask me how!