Software Executive Exploits ATM Loophole To Steal $1 Million

An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.

Its 1 mil from a bank

[DarkRookie2]

He stole from a bank. Who cares. They are insured and prolly are not going to miss that money all that much.
Maybe it was an executives bonus.

Re:

[Opportunist]

That's not the point. It's not about money.

You think that a mafia boss notices when you steal a few bucks from him? Of course not. But you'll still sleep with the fishes if you do. There's a reputation to uphold, ya know?

Re:

[Anonymous Coward]

There is no such thing as a free lunch.

If this guy siphons off $1M from the bank and the bank "fixes" things by printing up a fresh new $1M to replace the funds it lost, that causes monetary supply inflation. Everybody that was holding on to that type of currency just got less purchasing power than they thought they had because of inflation.

If the people were smart, they'd ALL be spitting mad at that guy (and the bank) who just stole from them.

Unfortunately, people are ignorant of how this type of theft aff

Re: Its 1 mil from a bank

[Anonymous Coward]

Yeah but there is something strange here, he withdraw money for one year from a dummy account...nobody got suspicious (was the guy the only one in charge to check the dummy account for testing?), the guy did not spend a single cent but stores all the money in his account, then return all the money to the bank...then he gets more than 10 years in prison. Dumbest heist in history...or something else is going on.

Re:

[Actually, I do RTFA]

Banks cannot print money. They can be embezzled from. Which would cause this particular bank to lose money.

Re:

[Cederic]

Banks cannot print money

They can in the UK, if they're more than a certain distance from London.

Which is why the Royal Bank of Scotland has its own bank notes.

Re:

[Actually, I do RTFA]

The "Ryal Bank of Scotland" is a gvt agency. It's like being amazed that Germany andFrance can both print euros.,

Re:

[Cederic]

No, the Royal Bank of Scotland is a business. It was printing bank notes before the Government became a majority shareholder.

Re:

[Actually, I do RTFA]

Ah, you're right. I thought that the ownership by the government was the original and they let private companies buy in a small amount. Oops!

But, in the course of reading about the RBS, I discovered that the notes they print aren't legal tender [wikipedia.org], they are promissory notes. So, redeemable at the RBS (which presumably has assets to back it up.) So, it's like saying VISA and AmEx are "printing currency" by selling prepaid credit cards. Except those use credit. So, it would be like the various house curren

Re:

[Cederic]

the notes they print aren't legal tender

The same wikipedia article you linked also states that no currency is 'legal tender' in Scotland, so no, it's not

like saying VISA and AmEx are "printing currency"

and it's very obviously and demonstrably would not

be like the various house currencies (fun bucks, whatever)

In practice Scottish banknotes are rare outside of Scotland but generally accepted in England and Wales. I haven't tried spending one in Northern Island.

Re: Its 1 mil from a bank

[illiac_1962]

This never would have been prosecuted in the US.

Some banks have laughable security.

[Pig Hogger]

A year ago, I was hired for a customer tech support role for a bank (I helped the bank customers with their website and banking apps).

We trained on the actual live production system; we could pull out any customer bank account

Re:Some banks have laughable security.

[Ecuador]

My bank was bought by a bank I was tried to avoid. In the migration my cell phone number was lost, to enable online transactions they had a "2 factor auth" setup where an SMS enabled a "secure key app", but the form that could send me an SMS could not be submitted, it said no phone number. They were telling me the only way is to go to a branch with my ID for my phone number to be entered in the system. Well, it seemed like a retarded website, so I gave it a go, what do you know, changing form and submitting it got my cell phone number added to the db and sent an SMS. Frontend-only validation on a banking website, congrats guys, I am not leaving much money on that account...

Re:

[Ecuador]

Oh, to clarify, I couldn't just go to the branch because I'm in a different country, that's why I wanted to enable online transactions...

Re:

[AmiMoJo]

I must admit I don't understand online banking security. On the one hand it's demonstrably shit, on the other we don't see mass account hacks and when money is stolen it's generally down to tricking the user into authenticating or revealing credentials.

Maybe they do get regularly hacked and just cover it up.

Having said that one of by bank's security is so good even I can't log in to my account any more.

Re:

[Alwin Barni]

A year ago, I was hired for a customer tech support role for a bank ... We trained on the actual live production system

Ok, which bank was it? Feel free to use AC as an unrelated post.

. . . the funds were simply "resting" . . .

[PolygamousRanchKid]

. . . its total lack of movement was due to it bein' tired and shagged out following a prolonged squawk.

The funds are not quite dead yet.

They think they'll go for a walk.

Re:

[mrbester]

Seems like this guy was a fan of Father Ted...

Bonus points if he said "feck" at any point.

Re:

[sysrammer]

They're merely pining for the fjords.

Re:

[Alypius]

They're stunned! He stunned them just as he was about to transfer them!

Swift!

[zamboni1138]

"...arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld."

Arrested, tried, convicted, sentenced and appealed all in a little over two months?

The justice system works swiftly in China.

Re:

[Opportunist]

You just might be right [wikipedia.org]...

Re:

[ShanghaiBill]

Arrested, tried, convicted, sentenced and appealed all in a little over two months?

The justice system works swiftly in China.

As it should. Do you think America's system is better, where accused, and presumably innocent, people sit in jail for months or years awaiting trial?

America uses the long delays to pressure people into accepting a plea bargain, by admitting to a crime they didn't commit.

Per capita, America incarcerates four times as many people as China.

Re:

[Anonymous Coward]

Per capita, America incarcerates four times as many people as China.

Sounds better than the death penalty to me... as if my math is right, China executes people at a rate ~15x higher than the US.

Looking at stats from 2017... the US executed 23 people, while China did at least 1551 people.

Based on 2016 population estimates of 1.38b vs 232.13m... we've got China doing 1 execution for every 889,748 people, while the US is doing a 1 execution for every 14,049,130 people.

China = shithole for totalitarians, nothing more.

[Anonymous Coward]

Plus, the "4 times" figure doesn't account for China's MILLIONS of disappeared in secret prisons throughout that criminal cabalist faggot country. Also - none of them got actual trials - not one.

Re:

[Frank Burly]

In California you are entitled to a (misdemeanor, I think) trial within 30 days if you are in custody. Almost nobody does so.

Defendants stipulate to delays for procedural or practical purposes: maybe to have a hearing to toss out evidence, or maybe their lawyer says he won't go to trial until he is paid in full, or whatever.

This doesn't excuse the systemic failures, but it's the difference between a feature and a bug.

Re:

[AmiMoJo]

It's a difficult balance, because on the one hand everyone wants swift justice and resolution if they are innocent, but on the other it can take a long time to investigate some crimes, especially financial crimes, and no-one wants mistakes to be made or avenues for appeal left open due to the rush.

the funds were simply "resting" in his own account

[grep -v '.*' *]

Yeeeah. All that pr0n in my home directory? I collected it all from websites and was going to turn it all over to the authorities, I just hadn't quiiiite gotten around to it yet.

What? Those blasted Commies!

[Opportunist]

If anyone had any doubts that their understanding of law and order is incompatible with ours, this is probably the last proof you need.

They arrested and convicted a banker. How can this be legal?

Someone tried to make the same bug today at securi

[raymorris]

Just today I had a new co-worker try to make the same "at midnight" mistake in our code, at a security company.

Wrong:
Cron midnight SELECT where Date > 24 hours ago.

Another way to do it wrong:
Store update-ran (now())
Process new since update-ran

Right way:
Process where processed != true

You have to consider:
A) Records that occur *during* the processing
B) Yesterday's run wasn't *exactly* 24 hours ago. It was at least a few miliseconds more or less, long enough to insert a few transactions

Better but still unsafe, btw:

Cron midnight SELECT where Date > 48 hours ago AND processed != True ...
Handle where processed = pending

Re:

[Actually, I do RTFA]

You have several errors in your code. Please fix them and repost.

Not unheard of

[Xenolith0]

https://www.smh.com.au/national/fast-money-20140804-3d2x4.html [smh.com.au]

Saunders claims he did nothing more than stumble across a loophole, a period of time when the ATM was offline from the bank's main systems.

Uh

[fubarrr]

Funny thing in China is that banks settle transactions with the central bank (People Bank of China) over QQ (a chat program) at the end of the day, and that account ballances of private individuals are stored in the central bank

Re:

[account_deleted]

Comment removed based on user account deletion