How Bank Hacking Works


A certain number of financial institutions that reside within the packet-switched confines of the various X.25 networks use their connections to transfer funds from one account to another, one mutual fund to another, one stock to another, one bank to another, etc. It is conceivable that if one could intercept these transactions and divert them into another account, they would be transferred (and could be withdrawn) before the computer error was noticed. Thus, with greed in our hearts, an associate and I set forth to test this theory and conquer the international banking world.

We chose CitiCorp as our victim. This multinational had two address prefixes of its own on Telenet (223 & 224). Starting with those two prefixes, my associate and I began to sequentially try every possible address. We continued through 1000 in increments of one, then A-Z, then 1000-10000 by 10's, and finally 10000-99999 by 100's. Needless to say, many addresses were probably skipped over in our haste to find valid ones, but many we passed over were most likely duplicate terminals that we had already encountered.

For the next few days my associate and I went over the addresses we had found, comparing and exchanging information, and going back to the addresses that had shown 'NOT OPERATING,' 'REMOTE PROCEDURE ERROR,' and 'REJECTING.' We had discovered many of the same types of systems, mostly VAX/VMS's and Primes. We managed to get into eight of the VAXen and then went forth on the CitiCorp DECNET, discovering many more. We entered several GS1 gateways and Decservers and found that there were also links leading to systems belonging to other financial institutions such as Dai-Ichi Kangyo Bank New York and Chase Manhattan. We also found hundreds of addresses to TWX machines and many in-house bank terminals (most of which were 'BUSY' during banking hours, and 'NOT OPERATING' during off hours). In fact, the only way we knew that these were bank terminals was that an operator happened to be idle just as I connected with her terminal (almost like the Whoopi Goldberg movie, "Jumpin' Jack Flash," not quite as glamorous... yet).

Many of the computers we eventually did penetrate kept alluding to the electronic fund transfer in scripts, files, and personal mail. One of the TOPS-20 machines we found even had an account EFTMKTG.EFT (password EFTEFT)! All the traces pointed to a terminal (or series of terminals) that did nothing but transfer funds. We decided that this was the case and decided to
