Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Software The Almighty Buck

Software Executive Exploits ATM Loophole To Steal $1 Million (zdnet.com) 57

An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank.
The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.
This discussion has been archived. No new comments can be posted.

Software Executive Exploits ATM Loophole To Steal $1 Million

Comments Filter:
  • He stole from a bank. Who cares. They are insured and prolly are not going to miss that money all that much.
    Maybe it was an executives bonus.
    • That's not the point. It's not about money.

      You think that a mafia boss notices when you steal a few bucks from him? Of course not. But you'll still sleep with the fishes if you do. There's a reputation to uphold, ya know?

    • by Anonymous Coward

      There is no such thing as a free lunch.

      If this guy siphons off $1M from the bank and the bank "fixes" things by printing up a fresh new $1M to replace the funds it lost, that causes monetary supply inflation. Everybody that was holding on to that type of currency just got less purchasing power than they thought they had because of inflation.

      If the people were smart, they'd ALL be spitting mad at that guy (and the bank) who just stole from them.

      Unfortunately, people are ignorant of how this type of theft aff

      • by Anonymous Coward

        Yeah but there is something strange here, he withdraw money for one year from a dummy account...nobody got suspicious (was the guy the only one in charge to check the dummy account for testing?), the guy did not spend a single cent but stores all the money in his account, then return all the money to the bank...then he gets more than 10 years in prison. Dumbest heist in history...or something else is going on.

      • Banks cannot print money. They can be embezzled from. Which would cause this particular bank to lose money.

        • by Cederic ( 9623 )

          Banks cannot print money

          They can in the UK, if they're more than a certain distance from London.

          Which is why the Royal Bank of Scotland has its own bank notes.

          • The "Ryal Bank of Scotland" is a gvt agency. It's like being amazed that Germany andFrance can both print euros.,
            • by Cederic ( 9623 )

              No, the Royal Bank of Scotland is a business. It was printing bank notes before the Government became a majority shareholder.

              • Ah, you're right. I thought that the ownership by the government was the original and they let private companies buy in a small amount. Oops!

                But, in the course of reading about the RBS, I discovered that the notes they print aren't legal tender [wikipedia.org], they are promissory notes. So, redeemable at the RBS (which presumably has assets to back it up.) So, it's like saying VISA and AmEx are "printing currency" by selling prepaid credit cards. Except those use credit. So, it would be like the various house curren

                • by Cederic ( 9623 )

                  the notes they print aren't legal tender

                  The same wikipedia article you linked also states that no currency is 'legal tender' in Scotland, so no, it's not

                  like saying VISA and AmEx are "printing currency"

                  and it's very obviously and demonstrably would not

                  be like the various house currencies (fun bucks, whatever)

                  In practice Scottish banknotes are rare outside of Scotland but generally accepted in England and Wales. I haven't tried spending one in Northern Island.

    • This never would have been prosecuted in the US.
  • A year ago, I was hired for a customer tech support role for a bank (I helped the bank customers with their website and banking apps).

    We trained on the actual live production system; we could pull out any customer bank account

    • by Ecuador ( 740021 ) on Tuesday February 05, 2019 @07:45PM (#58076332) Homepage

      My bank was bought by a bank I was tried to avoid. In the migration my cell phone number was lost, to enable online transactions they had a "2 factor auth" setup where an SMS enabled a "secure key app", but the form that could send me an SMS could not be submitted, it said no phone number. They were telling me the only way is to go to a branch with my ID for my phone number to be entered in the system. Well, it seemed like a retarded website, so I gave it a go, what do you know, changing form and submitting it got my cell phone number added to the db and sent an SMS. Frontend-only validation on a banking website, congrats guys, I am not leaving much money on that account...

      • by Ecuador ( 740021 )

        Oh, to clarify, I couldn't just go to the branch because I'm in a different country, that's why I wanted to enable online transactions...

      • by AmiMoJo ( 196126 )

        I must admit I don't understand online banking security. On the one hand it's demonstrably shit, on the other we don't see mass account hacks and when money is stolen it's generally down to tricking the user into authenticating or revealing credentials.

        Maybe they do get regularly hacked and just cover it up.

        Having said that one of by bank's security is so good even I can't log in to my account any more.

    • A year ago, I was hired for a customer tech support role for a bank ... We trained on the actual live production system

      Ok, which bank was it? Feel free to use AC as an unrelated post.

  • . . . its total lack of movement was due to it bein' tired and shagged out following a prolonged squawk.

    The funds are not quite dead yet.

    They think they'll go for a walk.

  • by zamboni1138 ( 308944 ) on Tuesday February 05, 2019 @06:14PM (#58075968)
    "...arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld."

    Arrested, tried, convicted, sentenced and appealed all in a little over two months?

    The justice system works swiftly in China.
    • You just might be right [wikipedia.org]...

    • Arrested, tried, convicted, sentenced and appealed all in a little over two months?

      The justice system works swiftly in China.

      As it should. Do you think America's system is better, where accused, and presumably innocent, people sit in jail for months or years awaiting trial?

      America uses the long delays to pressure people into accepting a plea bargain, by admitting to a crime they didn't commit.

      Per capita, America incarcerates four times as many people as China.

      • by Anonymous Coward

        Per capita, America incarcerates four times as many people as China.

        Sounds better than the death penalty to me... as if my math is right, China executes people at a rate ~15x higher than the US.

        Looking at stats from 2017... the US executed 23 people, while China did at least 1551 people.

        Based on 2016 population estimates of 1.38b vs 232.13m... we've got China doing 1 execution for every 889,748 people, while the US is doing a 1 execution for every 14,049,130 people.

        • Plus, the "4 times" figure doesn't account for China's MILLIONS of disappeared in secret prisons throughout that criminal cabalist faggot country. Also - none of them got actual trials - not one.

      • In California you are entitled to a (misdemeanor, I think) trial within 30 days if you are in custody. Almost nobody does so.

        Defendants stipulate to delays for procedural or practical purposes: maybe to have a hearing to toss out evidence, or maybe their lawyer says he won't go to trial until he is paid in full, or whatever.

        This doesn't excuse the systemic failures, but it's the difference between a feature and a bug.

      • by AmiMoJo ( 196126 )

        It's a difficult balance, because on the one hand everyone wants swift justice and resolution if they are innocent, but on the other it can take a long time to investigate some crimes, especially financial crimes, and no-one wants mistakes to be made or avenues for appeal left open due to the rush.

  • Yeeeah. All that pr0n in my home directory? I collected it all from websites and was going to turn it all over to the authorities, I just hadn't quiiiite gotten around to it yet.
  • If anyone had any doubts that their understanding of law and order is incompatible with ours, this is probably the last proof you need.

    They arrested and convicted a banker. How can this be legal?

  • Just today I had a new co-worker try to make the same "at midnight" mistake in our code, at a security company.

    Wrong:
    Cron midnight SELECT where Date > 24 hours ago.

    Another way to do it wrong:
    Store update-ran (now())
    Process new since update-ran

    Right way:
    Process where processed != true

    You have to consider:
    A) Records that occur *during* the processing
    B) Yesterday's run wasn't *exactly* 24 hours ago. It was at least a few miliseconds more or less, long enough to insert a few transactions

    Better but still unsafe, btw:

    Cron midnight SELECT where Date > 48 hours ago AND processed != True ...
    Handle where processed = pending

  • by Xenolith0 ( 808358 ) on Tuesday February 05, 2019 @07:24PM (#58076256)
    https://www.smh.com.au/national/fast-money-20140804-3d2x4.html [smh.com.au]

    Saunders claims he did nothing more than stumble across a loophole, a period of time when the ATM was offline from the bank's main systems.

  • by fubarrr ( 884157 )

    Funny thing in China is that banks settle transactions with the central bank (People Bank of China) over QQ (a chat program) at the end of the day, and that account ballances of private individuals are stored in the central bank

  • Comment removed based on user account deletion

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...