Approaching Zero by Paul Mungo (bts book recommendations .txt) đź“–
- Author: Paul Mungo
- Performer: -
Book online «Approaching Zero by Paul Mungo (bts book recommendations .txt) 📖». Author Paul Mungo
favorites. Sometimes even the most basic security precautions are overlooked.
Recently two hackers demonstrated this point for a London newspaper. They
targeted the local headquarters of “a leading American bank” one that was so
well known for its laxity that its systems had become a training ground for
neophyte hackers. The two had first hacked into the bank’s computer in March
1988, and in October 1990 the pair did it again, using the same ID and password
they had first employed in 1988. The bank hadn’t bothered to modify its most
basic procedures, and its first line of defense against hackers, for over two
and a half years.
Given such opportunity, it could be assumed that banks are regularly being
looted by hackers. The mechanics appear straightforward enough: operating from
home a hacker should be able to break into a bank’s central computer quite
anonymously, access the sector dealing with cash transfers, then quickly move
the money to an account that he controls. However, in practice the procedure is
more complex. Banks use codes to validate transfers; in addition, transactions
must be confirmed electronically by the recipient of the funds. Because of such
safeguards, the plundering is probably limited.
But the threat from hackers is still real. There may be a hundred hackers in
the United States with the necessary skills to break into a bank and steal
funds, which is a sizable number of potential bank robbers. And of course it
would be the dream hack, the one that justifies the time spent staring at a
video terminal while learning the craft.
The most successful bank robbery ever carried out by hackers mal have occurred
two years ago. The target was a branch of Citibank in New York. The identity of
the two hackers is unknown, though they are thought to be in their late teens
or early twenties.
The scheme began when the two became aware that certain financial institutions,
including Citibank, used their connections on the various X.25 networks—the
computer networks operated by commercial carriers such as Telenet or Sprint—to
transfer money. (The process is known as Electronic Fund Transfer, or EFT.)
The two decided that if the funds could be intercepted in mid-transfer and
diverted into another account—in this case, a computer file hidden within the
system—then they could be redirected and withdrawn before the error was
noticed.
The hackers began the robbery by investigating Telenet. They knew that Citibank
had two “address prefixes” of its own—223 and 224 on the network; these were
the prefixes for the sevendigit numbers (or “addresses”) that denoted Citibank
links to the
system. By churning through sequential numbers they found a series of addresses
for Citibank computer terminals, many of which were VAXen, the popular
computers manufactured by DEC. One weekend they hacked into eight of the VAXen
and found their way to the Citibank DECNET, an internal bank network linking
the DEC computers. From there they found gateways to other banks and financial
institutions in the New York area.
They ignored the other banks. What had particularly intrigued them were
references in the computer systems to an EFT operation run by Citibank: in
various files and throughout the electronic mail system they kept turning up
allusions to EFT, clues that they were convinced pointed to a terminal that did
nothing but transfer funds. They began sifting through their lists of computer
access numbers, looking for one among hundreds that belonged to the EFT
computer, and by a laborious process of elimination they whittled the lists
down to five machines whose function they couldn’t divine: Of those, one seemed
particularly interesting. It could be entered by a debug port (a computer
access port used for maintenance) that had been left in default mode—in other
words, it could be accessed with the standard manufacturer-supplied password,
because yet again no one had ever bothered to change it.
The system they entered contained menus that guided them through the computer.
One path took them directly into an administration area used by system
operators. After an hour of exploration they found a directory that held a
tools package, allowing them to create their own programs. With it, they wrote
a procedure to copy all incoming and outgoing transmissions on the terminal
into their own file. They named the file “.trans” and placed it in a directory
they called “..- -” (dot, dot, space, space), effectively hiding it from view.
What they had created was a “capture” file; from the transmissions that were
copied, they would be able to divine the functions of the computer terminal.
The capture file was created late on a Sunday night. At about nine P-M- on the
next evening they logged on to the system again, and from the day’s
transmissions they could tell that the targeted machine was indeed an EFT
terminal. They discovered that the computer began transactions by linking
itself to a similar computer at another bank, waiting for a particular control
sequence to be sent, and then transferring a long sequence of numbers and
letters. They captured about 170 different transactions on the first day and
several hundred more in the following week. At the end of the week they removed
the “.trans” file and its directory, killed the capture routine, and went
through the system removing any trace that they had ever been there.
From the captured transmissions they were able to piece together the meaning of
the control sequence and the transfers themselves. They also noticed that after
the Citibank computer had sent its transfer, the destination bank would repeat
the transaction (by way of confirmation) and in ten seconds would say
TRANSACTION COMPLETED, followed by the destination bank ID. The two guessed
that the bank IDs were the standard Federal Reserve numbers for banks (every
bank in America that deals with the Federal Reserve system has a number
assigned to it, as do several European banks). To confirm the hunch, they
called up Citibank and asked for its Federal Reserve number. It was the same as
the ID being sent by the computer.
The two hackers then realized that they had collected all of the technical
information they needed to raid the bank. They had discovered the codes and the
procedures for the control sequence and the transfers; they knew what the bank
IDs signified; and from the Federal Reserve itself they got a listing of all
the national and international bank ID numbers. Now they had to organize the
downstream: a secure process of getting money into their own pockets.
One of the duo had a friend, an accountant of questionable moral character, who
opened a numbered Swiss account under a false name for the two hackers. He had
originally laughed at the idea, explaining that an initial $50,000 was required
to open a
numbered account. But when he was told to get the forms so that the money could
be wired to Switzerland, he began to take the scheme seriously. A few days
later the accountant delivered the paperwork, the account number, and several
transaction slips. He also raised his usual $1,000 fee to $6,500.
The two hackers flew to Oklahoma City to visit the hall of records and get new
birth certificates. With these they obtained new Oklahoma IDs and Social
Security numbers. Then, using the false IDs, they opened accounts at six
different banks in Houston and Dallas, with $1,000 cash deposited in each.
The next day, armed with one Swiss and six American accounts, they began the
attack. They rigged the Citicorp computer controlling the EFT transfers to
direct all of its data flow to an unused Telenet terminal they had previously
discovered. They took turns sitting on the terminal, collecting the
transmissions, and returning the correct acknowledgments with the Federal Reserve IDs. The transmissions each represented a cash transfer: essentially, the
money was being hijacked. But by sending the required acknowledgments the
hackers were giving Citibank “confirmation” that the transactions had reached
the destination banks. By noon the two had $184,300 in their limbo account.
The two then disabled the “data forwarding” function on the Citibank computer,
taking control of the EFT machine themselves so that they could redistribute
the captured funds. By altering the transmissions, they transferred the money
to the Swiss account. To the Swiss, it looked like a normal Citibank transmission; after all, it had come through the Citibank’s own EFT computer.
Once the two hackers had received the standard confirmation from the Swiss
bank, they immediately filled out six withdrawal forms and faxed them to its
New York branch, along with instructions detailing where the funds should be
sent. They told the Swiss bank to send $7,333 to each of the six U.S. accounts.
(The amount was chosen because it was below the sum requiring notification of
the authorities.) They followed the same procedure for three days, leaving the
Swiss account with a little over $52,000 remaining on deposit.
Over the next week they withdrew $22,000 from each of the Dallas and Houston
banks in amounts of $5,000 per day, leaving just under $1,000 in each account.
At the end of the week they had each taken home $66,000 in cash.
You can believe this story or not as you wish. Certainly Citibank doesn’t
believe a word of it; it has consistently denied that anything resembling the
events described above have ever happened, or that it has lost money in an EFT
transfer due to hacking. The only reason anyone knows about the incident is
that the two hackers who did it—or say they did—posted the details on a
pirate board called Black ICE. The board was used by the Legion of Doom, at one
time the most proficient and experienced hacker gang in the United States, and
the two hackers-cum-robbers are thought to be LoD members—or at least to
consider themselves LoD members.
Hackers are generally boastful. They gain credibility by exaggerating their
abilities and glamorizing their exploits. It’s the issue of identity: just as
meek little Harvey Merkelstein from Brooklyn becomes the fearsome Killer Hacker
when he gets loose on a keyboard, he also gains points with his peers by
topping everyone else’s last hack, and robbing a bank would be considered a
pretty good hack.
The report from the two hackers could have been a fantasy, a means of
impressing other LoD members. But, if they had managed to pull the robbery off,
they would still have wanted to boast about it. And the perfect crime is the
one that even the victim doesn’t realize has happened. In the report posted on
Black ICE, one of the two “bank robbers” wrote,
IT WILL BE INTERESTING TO SEE HOW THE CITICORP [CITIBANK’S PARENT] INTERNAL FRAUD AUDITORS AND THE
TREASURY DEPARTMENT SORT THIS OUT. THERE ARE NO
TRACES OF THE DIVERSION, IT JUST SEEMS TO HAVE HAPPENED. CITIBANK HAS PRINTED
PROOF THAT THE FUNDS WERE SENT TO THE CORRECT BANKS, AND THE CORRECT BANKS
ACKNOWLEDGMENT ON THE SAME PRINTOUT. THE CORRECT DESTINATION BANKS, HOWEVER,
HAVE NO RECORD OF THE TRANSACTION. THERE IS RECORD OF CITIBANK SENDING FUNDS TO
OUR SWISS ACCOUNT, BUT ONLY THE SWISS HAVE THOSE RECORDS. SINCE WE WERE
CONTROLLING THE HOST [THE EFT COMPUTER] WHEN THE TRANSACTIONS WERE SENT, THERE
WERE NO PRINTOUTS ON THE SENDING SIDE. SINCE WE WERE NOT ACTUALLY AT A TERMINAL
CONNECTED TO ONE OF THEIR LINE PRINTERS, NO ONE SHOULD FIGURE OUT TO START
CONTACTING SWISS BANKS, AND SINCE CITIBANK DOES THIS SORT OF THING DAILY WITH
LARGE EUROPEAN BANKS, THEY WILL BE ALL TWISTED AND CONFUSED BY THE TIME THEY
FIND OURS. SHOULD THEY EVEN GET TO OUR BANK, THEY WILL THEN HAVE TO START THE
LONG AND TEDIOUS PROCESS OF EXTRACTING INFORMATION FROM THE SWISS. THEN IF THEY
GET THE SWISS TO COOPERATE, THEY WILL HAVE A DEAD END WITH THE ACCOUNT, SINCE
IT WAS SET UP
Comments (0)