Approaching Zero, Paul Mungo
favorites. Sometimes even the most basic security precautions are overlooked.
Recently two hackers demonstrated this point for a London newspaper. They
targeted the local headquarters of “a leading American bank,” one that was so
well known for its laxity that its systems had become a training ground for
neophyte hackers. The two had first hacked into the bank’s computer in March
1988, and in October 1990 the pair did it again, using the same ID and password
they had first employed in 1988. The bank hadn’t bothered to modify its most
basic procedures, and its first line of defense against hackers, for over two
and a half years.
Given such opportunity, it could be assumed that banks are regularly being
looted by hackers. The mechanics appear straightforward enough: operating from
home a hacker should be able to break into a bank’s central computer quite
anonymously, access the sector dealing with cash transfers, then quickly move
the money to an account that he controls. However, in practice the procedure is
more complex. Banks use codes to validate transfers; in addition, transactions
must be confirmed electronically by the recipient of the funds. Because of such
safeguards, the plundering is probably limited.
But the threat from hackers is still real. There may be a hundred hackers in
the United States with the necessary skills to break into a bank and steal
funds, which is a sizable number of potential bank robbers. And of course it
would be the dream hack, the one that justifies the time spent staring at a
video terminal while learning the craft.
The most successful bank robbery ever carried out by hackers may have occurred
two years ago. The target was a branch of Citibank in New York. The identity of
the two hackers is unknown, though they are thought to be in their late teens
or early twenties.
The scheme began when the two became aware that certain financial institutions,
including Citibank, used their connections on the various X.25 networks—the
computer networks operated by commercial carriers such as Telenet or Sprint—to
transfer money. (The process is known as Electronic Fund Transfer, or EFT.)
The two decided that if the funds could be intercepted in mid-transfer and
diverted into another account—in this case, a computer file hidden within the
system—then they could be redirected and withdrawn before the error was
noticed.
The hackers began the robbery by investigating Telenet. They knew that Citibank
had two “address prefixes” of its own—223 and 224—on the network; these were
the prefixes for the seven-digit numbers (or “addresses”) that denoted Citibank
links to the system. By churning through sequential numbers they found a series
of addresses
for Citibank computer terminals, many of which were VAXen, the popular
computers manufactured by DEC. One weekend they hacked into eight of the VAXen
and found their way to the Citibank DECNET, an internal bank network linking
the DEC computers. From there they found gateways to other banks and financial
institutions in the New York area.
They ignored the other banks. What had particularly intrigued them were
references in the computer systems to an EFT operation run by Citibank: in
various files and throughout the electronic mail system they kept turning up
allusions to EFT, clues that they were convinced pointed to a terminal that did
nothing but transfer funds. They began sifting through their lists of computer
access numbers, looking for one among hundreds that belonged to the EFT
computer, and by a laborious process of elimination they whittled the lists
down to five machines whose function they couldn’t divine. Of those, one seemed
particularly interesting. It could be entered by a debug port (a computer
access port used for maintenance) that had been left in default mode—in other
words, it could be accessed with the standard manufacturer-supplied password,
because yet again no one had ever bothered to change it.
The system they entered contained menus that guided them through the computer.
One path took them directly into an administration area used by system
operators. After an hour of exploration they found a directory that held a
tools package, allowing them to create their own programs. With it, they wrote
a procedure to copy all incoming and outgoing transmissions on the terminal
into their own file. They named the file “.trans” and placed it in a directory
they called “..  ” (dot, dot, space, space), effectively hiding it from view.
What they had created was a “capture” file; from the transmissions that were
copied, they would be able to divine the functions of the computer terminal.
The capture file was created late on a Sunday night. At about nine P.M. on the
next evening they logged on to the system again, and from the day’s
transmissions they could tell that the targeted machine was indeed an EFT
terminal. They discovered that the computer began transactions by linking
itself to a similar computer at another bank, waiting for a particular control
sequence to be sent, and then transferring a long sequence of numbers and
letters. They captured about 170 different transactions on the first day and
several hundred more in the following week. At the end of the week they removed
the “.trans” file and its directory, killed the capture routine, and went
through the system removing any trace that they had ever been there.
From the captured transmissions they were able to piece together the meaning of
the control sequence and the transfers themselves. They also noticed that after
the Citibank computer had sent its transfer, the destination bank would repeat
the transaction (by way of confirmation) and in ten seconds would say
TRANSACTION COMPLETED, followed by the destination bank ID. The two guessed
that the bank IDs were the standard Federal Reserve numbers for banks (every
bank in America that deals with the Federal Reserve system has a number
assigned to it, as do several European banks). To confirm the hunch, they
called up Citibank and asked for its Federal Reserve number. It was the same as
the ID being sent by the computer.
The two hackers then realized that they had collected all of the technical
information they needed to raid the bank. They had discovered the codes and the
procedures for the control sequence and the transfers; they knew what the bank
IDs signified; and from the Federal Reserve itself they got a listing of all
the national and international bank ID numbers. Now they had to organize the
downstream: a secure process of getting money into their own pockets.
One of the duo had a friend, an accountant of questionable moral character, who
opened a numbered Swiss account under a false name for the two hackers. He had
originally laughed at the idea, explaining that an initial $50,000 was required
to open a numbered account. But when he was told to get the forms so that the
money could
be wired to Switzerland, he began to take the scheme seriously. A few days
later the accountant delivered the paperwork, the account number, and several
transaction slips. He also raised his usual $1,000 fee to $6,500.
The two hackers flew to Oklahoma City to visit the hall of records and get new
birth certificates. With these they obtained new Oklahoma IDs and Social
Security numbers. Then, using the false IDs, they opened accounts at six
different banks in Houston and Dallas, with $1,000 cash deposited in each.
The next day, armed with one Swiss and six American accounts, they began the
attack. They rigged the Citicorp computer controlling the EFT transfers to
direct all of its data flow to an unused Telenet terminal they had previously
discovered. They took turns sitting on the terminal, collecting the
transmissions, and returning the correct acknowledgments with the Federal
Reserve IDs. The transmissions each represented a cash transfer: essentially, the
money was being hijacked. But by sending the required acknowledgments the
hackers were giving Citibank “confirmation” that the transactions had reached
the destination banks. By noon the two had $184,300 in their limbo account.
The two then disabled the “data forwarding” function on the Citibank computer,
taking control of the EFT machine themselves so that they could redistribute
the captured funds. By altering the transmissions, they transferred the money
to the Swiss account. To the Swiss, it looked like a normal Citibank
transmission; after all, it had come through Citibank’s own EFT computer.
Once the two hackers had received the standard confirmation from the Swiss
bank, they immediately filled out six withdrawal forms and faxed them to its
New York branch, along with instructions detailing where the funds should be
sent. They told the Swiss bank to send $7,333 to each of the six U.S. accounts.
(The amount was chosen because it was below the sum requiring notification of
the authorities.) They followed the same procedure for three days, leaving the
Swiss account with a little over $52,000 remaining on deposit.
Over the next week they withdrew $22,000 from each of the Dallas and Houston
banks in amounts of $5,000 per day, leaving just under $1,000 in each account.
At the end of the week they had each taken home $66,000 in cash.
You can believe this story or not as you wish. Certainly Citibank doesn’t
believe a word of it; it has consistently denied that anything resembling the
events described above has ever happened, or that it has lost money in an EFT
transfer due to hacking. The only reason anyone knows about the incident is
that the two hackers who did it—or say they did—posted the details on a
pirate board called Black ICE. The board was used by the Legion of Doom, at one
time the most proficient and experienced hacker gang in the United States, and
the two hackers-cum-robbers are thought to be LoD members—or at least to
consider themselves LoD members.
Hackers are generally boastful. They gain credibility by exaggerating their
abilities and glamorizing their exploits. It’s the issue of identity: just as
meek little Harvey Merkelstein from Brooklyn becomes the fearsome Killer Hacker
when he gets loose on a keyboard, he also gains points with his peers by
topping everyone else’s last hack, and robbing a bank would be considered a
pretty good hack.
The report from the two hackers could have been a fantasy, a means of
impressing other LoD members. But, if they had managed to pull the robbery off,
they would still have wanted to boast about it. And the perfect crime is the
one that even the victim doesn’t realize has happened. In the report posted on
Black ICE, one of the two “bank robbers” wrote,
IT WILL BE INTERESTING TO SEE HOW THE CITICORP [CITIBANK’S PARENT] INTERNAL
FRAUD AUDITORS AND THE TREASURY DEPARTMENT SORT THIS OUT. THERE ARE NO
TRACES OF THE DIVERSION, IT JUST SEEMS TO HAVE HAPPENED. CITIBANK HAS PRINTED
PROOF THAT THE FUNDS WERE SENT TO THE CORRECT BANKS, AND THE CORRECT BANKS’
ACKNOWLEDGMENT ON THE SAME PRINTOUT. THE CORRECT DESTINATION BANKS, HOWEVER,
HAVE NO RECORD OF THE TRANSACTION. THERE IS RECORD OF CITIBANK SENDING FUNDS TO
OUR SWISS ACCOUNT, BUT ONLY THE SWISS HAVE THOSE RECORDS. SINCE WE WERE
CONTROLLING THE HOST [THE EFT COMPUTER] WHEN THE TRANSACTIONS WERE SENT, THERE
WERE NO PRINTOUTS ON THE SENDING SIDE. SINCE WE WERE NOT ACTUALLY AT A TERMINAL
CONNECTED TO ONE OF THEIR LINE PRINTERS, NO ONE SHOULD FIGURE OUT TO START
CONTACTING SWISS BANKS, AND SINCE CITIBANK DOES THIS SORT OF THING DAILY WITH
LARGE EUROPEAN BANKS, THEY WILL BE ALL TWISTED AND CONFUSED BY THE TIME THEY
FIND OURS. SHOULD THEY EVEN GET TO OUR BANK, THEY WILL THEN HAVE TO START THE
LONG AND TEDIOUS PROCESS OF EXTRACTING INFORMATION FROM THE SWISS. THEN IF THEY
GET THE SWISS TO COOPERATE, THEY WILL HAVE A DEAD END WITH THE ACCOUNT, SINCE
IT WAS SET UP