How I 'stole' $14 million from a bank: A security tester's tale

Holy moly. Where do I start?! :banana:
Holy moly. Where do I start?! :banana:
1) Overall knowledge and weaknesses of the Internet protocol suite
2) Knowledge of Linux distributions (CentOS / Debian)
3) Can freely use MySQL / PostgreSQL / Microsoft SQL
With knowledge of the Internet protocol suite, you should be flexible at finding servers within and outside of the network. 2 and 3 are needed when you have got access to the server. It will be about gaining access to the database and inserting / updating records.
Story is slightly cut off, here's the rest.
If he wanted to, he could have walked into any bank branch, transferred the money to an offshore account, and never have had to work again. Instead, he went to an ATM to print out a record of his ill-gotten wealth. "The bank executives were extremely surprised," Bhalla said. "Their faces were shocked." The bank promptly deleted Bhalla's bounty, he said, and took steps to shore up its network. In the heist that came to light last week, federal officials say the thieves hacked into networks at firms that process transactions for pre-paid debit cards and manipulated accounts to create high spending limits. From there, it was just a matter of making physical debit cards for those accounts and going around to ATMs to withdraw the cash. "They just updated the database with that debit-card information," Bhalla said. "That's how simple it was." In many cyber bank heists, including the recent $45 million scam, it's hard to pin down who is ultimately liable for any losses. It's typically not individual customers. U.S. law protects consumer checking and savings accounts from losses stemming from fraud. Business accounts, though, have fewer protections. Bhalla said some financial institutions have insurance to cover the losses -- but he noted that insurance companies are reluctant to issue policies with high coverage limits because the risks in this area are still poorly understood. In the end, he said the losses are likely borne by a combination of the company, insurance firms and governments.
So all Dutch banks that got attacked recently now probably all have new unknown bank accounts with millions of euros on them 😛 I knew there was a reason for those seemingly pointless attacks.
Hacking, not from the outside but the 'near' side, is super easy. Also it's not hard to imagine money being stolen by banks / bankers / top level organisations under the guise of a hacker, or even pay a hacker to take a fall with a get out of jail free card. Some wireless systems still use LEAP and WEP?! No LAN port blocking, no USB port blocking etc. It's quite safe to assume most admins use simple or default passwords on their network servers and don't apply broadcast storm control on switches. A tip* find a quiet spot in an organisation near a LAN socket, identity / MAC spoof, hide a 900 MHz transmitter under a table or plant pot, steal data beyond the eye of any Wi-Fi monitoring @ 2.4 or 5 GHz... All this stuff, be it illegal or not, is easy if you want. Makes me wonder why any criminal bothers with a shotgun and a mask these days.
Makes me wonder why any criminal bothers with a shotgun and a mask these days.
Hacking is like sniping, requires lots of patience. Not all got it.
This article will just encourage would-be hackers who otherwise would never have known about it to have a go at it.
Want to learn how that's done? Buy the Syngress series of books entitled 'Stealing The Network.' There are loads of ideas on how to carry out a caper like this in real-time, without ever being caught. 😉
amazingly, the information being sent between the tellers' computers and the branch's main database was not encrypted.
w.h.a.t.?
Holy moly. Where do I start?! :banana:
Count me in too :banana: ... :)
w.h.a.t.?
Private pipes probably, think internet that only allows specific network data. Or a cable modem that has channels specific to inter-bank data and doesn't connect to the internet as a whole. Since the data isn't actually on the internet, they figured they won't need to encrypt it. Would be like networking 2 computers directly together with a patch cable, except 1 computer also connects to the internet via wifi. ^_^ You remotely hack the wifi, but the data between the 2 computers goes uninterrupted. Still you'd think they'd encrypt that stuff.
If that had been in NZ, he would have been arrested regardless of his intentions. Probably in the States too.
Even if someone hacked a bank and created a $14 mil account as this guy did, he wouldn't be able to get away with it. He would need valid ID credentials to cash it in. He can probably transfer or move the amount around to other accounts for a while, but sooner or later a real ID at an end point when any cash is withdrawn will be required. Then it's only a short matter of time before he's busted.
Hacking is like sniping, requires lots of patience. Not all got it.
Tbh goes with anything. In my previous job I actually got to know how I could disable alarms before even entering a building. Want a heist done right, both irl or cyber, planning is in order 🤓
Private pipes probably, think internet that only allows specific network data. Or a cable modem that has channels specific to inter-bank data and doesn't connect to the internet as a whole. Since the data isn't actually on the internet, they figured they won't need to encrypt it. Would be like networking 2 computers directly together with a patch cable, except 1 computer also connects to the internet via wifi. ^_^ You remotely hack the wifi, but the data between the 2 computers goes uninterrupted. Still you'd think they'd encrypt that stuff.
For me it never feels right to send non-encrypted transmission when there is a possibility of eavesdropping. If they were so certain that nobody would ever enter their wifi network... I don't know... there might be some other issues involved. Like, added expense for setting up encryption filter. I am noob.
I figured it was just early protocols still in place. Still, no matter how sure you are, it should still be encrypted. Even if it's strictly internal, intranet etc.
Yea...