Guide to (mostly) Harmless Hacking
Vol. 6 Real Hackers
No. 4 How to Break into Banks – without Breaking the Law
In this Guide you will learn about:
Greggory Peck’s nightmares began just days after he broke into the computer network of the Bank of Fubar. (The name of the bank has been changed.)
He was a new hire at KPMG, one of the world’s biggest accounting firms. Bank of Fubar was unhappy with security tests run by Peck’s predecessor, Vlad, a hacker who wore a vampire costume at work. Vlad is not the real name. I’ve changed it so I don’t have to worry about Vlad defacing a bunch of websites with a rant against me.
Peck’s manager said that Bank of Fubar was threatening to cancel their contract with KPMG. It was Peck’s job to deliver something better than Vlad the Hacker’s tests. All Vlad had allegedly done was to scan the bank’s firewalls with a commercial vulnerability detection program. This was a test almost anyone who could navigate a keyboard could have done. As Greggory recalls, “It was important to bring value to the client and simply providing such canned tests and reports was not substantiating the fees of conducting such an engagement.”
What Bank of Fubar needed to know was whether somebody could take advantage of their computer system to exploit the clearinghouses that route money from one bank to another. If a criminal understands the Secure Electronic Transactions (SET) protocol, and if the criminal is able to break into the bank's computer system where these transactions are carried out, it would be possible to steal a huge amount of money before anyone discovered the theft.
Relationship between Clearinghouses and Secure Electronic Transactions (SET) Protocol
Figure 1: How the settlement system transfers funds from one bank to another through a clearinghouse (yellow oval).i
When someone deposits a check at a bank that is different from the one used by the person who wrote the check, the payee’s bank sends the check to the payer's bank. The actual transfer of funds is made by a settlement system. In the United States, the Federal Reserve (the FedWire service) and several private clearinghouses provide settlement services.
Then along came the Internet and ecommerce. In February of 1996, Visa and MasterCard announced joint support of a new protocol, Secure Electronic Transactions (SET), for Internet credit card transactions. SET can operate in real time, which is essential for ecommerce, or where there are delays in the system, as in emailed transactions.
Automated Clearinghouse (ACH) transfers use a network of computerized processing centers, often run by the Federal Reserve, to transfer funds between ACH member institutions. ACH transfers take longer than FedWire transfers and do not make funds immediately available, but they cost less. ACH transfers may be returned, but FedWire transfers are final.
i “Credits and Debits on the Internet,” by Marvin A. Sirbu, Professor of Engineering and Public Policy, Tepper School and Electrical and Computer Engineering, Carnegie Mellon.