A certain number of financial institutions that reside within the
packet-switched confines of the various X.25 networks use their connections to
transfer funds from one account to another, one mutual fund to another, one
stock to another, one bank to another, etc... It is conceivable that if one
could intercept these transactions and divert them into another account, they
would be transferred (and could be withdrawn) before the computer error was
noticed. Thus, with greed in our hearts, an associate and I set forth to test
this theory and conquer the international banking world.
We chose CitiCorp as our victim. This multinational had two address
prefixes of its own on Telenet (223 & 224). Starting with those two prefixes,
my associate and I began to sequentially try every possible address. We
continued through 1000 in increments of one, then A-Z, then 1000-10000 by 10's,
and finally 10000-99999 by 100's. Needless to say, many addresses were
probably skipped over in our haste to find valid ones, but many we passed over
were most likely duplicate terminals that we had already encountered.
For the next few days my associate and I went over the addresses we had
found, comparing and exchanging information, and going back to the addresses
that had shown 'NOT OPERATING,' 'REMOTE PROCEDURE ERROR,' and 'REJECTING.' We
had discovered many of the same types of systems, mostly VAX/VMS's and Primes.
We managed to get into eight of the VAXen and then went forth on the CitiCorp
DECNET, discovering many more. We entered several GS1 gateways and Decservers
and found that there were also links leading to systems belonging to other
financial institutions such as Dai-Ichi Kangyo Bank New York and Chase
Manhattan. We also found hundreds of addresses to TWX machines and many
in-house bank terminals (most of which were 'BUSY' during banking hours, and
'NOT OPERATING' during off hours). In fact, the only way we knew that these
were bank terminals was that an operator happened to be idle just as I
connected with her terminal (almost like the Whoopie Goldberg movie, "Jumpin'
Jack Flash," not quite as glamorous ...yet.)
Many of the computers we eventually did penetrate kept alluding to the
electronic fund transfer in scripts, files, and personal mail. One of the
TOPS-20 machines we found even had an account EFTMKTG.EFT, (password EFTEFT)!
All the traces pointed to a terminal (or series of terminals) that did nothing
but transfer funds. We decided that this was the case and decided to
concentrate our efforts on addresses that allowed us to CONNECT periodically
but did not respond. After another week of concentrated effort, we managed to
sort through these. Many were just terminals that had been down or
malfunctioning, but there were five left that we still had no idea of their
function. My associate said that we might be able to monitor data
transmissions on the addresses if we could get into the debug port. With this
idea in mind, we set out trying sub-addresses from .00 to .99 on the mystery
addresses. Four of the five had their debug ports at the default location
(.99). The fifth was located 23 away from the default. That intrigued us, so
we put the others aside and concentrated on the fifth. Although its location
was moved, a default password was still intact, and we entered surreptitiously.
The system was menu driven with several options available. One option,
Administrative Functions, put us into a UNIX shell with root privilege. After
an hour or so of nosing around, we found a directory that held the Telenet
Debug Tools package (which I had previously thought existed solely for Prime
computers). Using TDT, we were able to divert all data (incoming and outgoing)
into a file so we could later read and analyze it. We named the file ".trans"
and placed it in a directory named ".. ", (dot, dot, space, space) so it would
remain hidden. This was accomplished fairly late on a Sunday night. After
logging off, we opened a case of Coors Light and spent the rest of the night
(and part of the morning!) theorizing about what we might see tomorrow night
(and getting rather drunk).
At approximately 9:00 p.m. the following evening, we met again and logged
onto the system to view the capture file, hoping to find something useful. We
didn't have to look very far! The first transmission was just what we had been
dreaming about all along. The computer we were monitoring initiated by
connecting with a similar computer at another institution, waited for a
particular control sequence to be sent, and then transferred a long sequence of
numbers and letters. We captured about 170 different transactions on the first
day and several hundred more in the following week. After one business week,
we removed the file and directory, killed the TDT routine, and went through the
system removing all traces that we had been there.
We felt that we had enough to start piecing together what it all meant, so
we uploaded our findings to the LOD HP-3000 (ARMA) in Turkey. This way we
could both have access to the data, but keep it off our home systems. We
didn't bother to tell any of the other LOD members about our doings, as most
had retired, been busted, or were suspected of turning information over to the
Secret Service. Using this as a base, we analyzed the findings, sorted them,
looked for strings being sent, etc.
We came to the conclusion that the transmissions were being sent in the
following way:
XXXXXXXXXXXXTCxxxxxxxxxxxx/NNNNNNNNNNNNCnnnnnnnnnnnnAMzzzzzzz.zzOP#
X=Originating Bank ID
T=Transfer (Also could be R(ecieve), I(nquire))
C=Type of account (Checking--Also S(avings) I(RA) M(oney Market)
T(rust) W(Other wire transfer ie. Credit Transfer, etc.))
x=Originating Account Number
/=Slash to divide string
N=Destination Bank ID
C=Type of account (See above)
n=Destination Account Number
AMzzzzzzz.zz=Amount followed by dollar and cents amount
OP#=operator number supervising transaction
After this string of information was sent, the destination bank would then
echo back the transaction and, in ten seconds, unless a CONTROL-X was sent,
would send "TRANSACTION COMPLETED" followed by the Destination Bank ID.
We now needed to check out our theory about the Bank ID's, which I figured
were the Federal Reserve number for the Bank. Every bank in America that deals
with the Federal Reserve System has such a number assigned to it (as do several
European Banks). I called up CitiBank and inquired about their Federal Reserve
Number. It was the number being sent by the computer. With this information,
we were ready to start.
I consulted an accountant friend of mine for information on Swiss or
Bahamanian bank accounts. He laughed and said that a $50,000 initial deposit
was required to get a numbered account at most major Swiss banks. I told him
to obtain the forms necessary to start the ball rolling and I'd wire the money
over to the bank as soon as I was told my account number. This shook him up
considerably, but he knew me well enough not to ask for details. He did,
however, remind me of his $1000 consulting fee. A few days later he showed up
at my townhouse with an account number, several transaction slips and
paperwork. Knowing that I was up to something shady, he had used one of his
own false identities to set up the account. He also raised his "fee" to $6500
(which was, amazingly enough, the amount he owed on his wife's BMW).
My associate and I then flew to Oklahoma City to visit the hall of records
to get new birth certificates. With these, we obtained new State ID's and
Social Security Numbers. The next step was to set up bank accounts of our own.
My associate took off to Houston and I went to Dallas. We each opened new
commercial accounts at three different banks as LOD Inc. with $1000 cash.
Early the next day, armed with one Swiss and six American accounts, we
began our attack. We rigged the CitiCorp computer to direct all of its data
flow to a local Telenet node, high up in the hunt series. Amazingly, it still
allowed for connections from non-909/910 nodes. We took turns sitting on the
node, collecting the transmissions and returning the correct acknowledgments.
By 12:30 we had $184,300 in electronic funds in "Limbo." Next we turned off
the data "forwarding" on the CitiCorp computer and took control of the host
computer itself through the debug port to distribute the funds. Using its data
lines, we sent all the transactions, altering the intended bank destinations,
to our Swiss account.
After I got the confirmation from the Swiss bank I immediately filled out
six withdrawal forms and faxed them to the New York branch of the Swiss bank
along with instructions on where the funds should be distributed. I told the
bank to send $7333 to each of our six accounts (this amount being small enough
not to set off Federal alarms). I did this for three consecutive days, leaving
our Swiss account with $52,000. I signed a final withdrawal slip and gave it
to my accountant friend.
Over the next week we withdrew the $22,000 from each of our Dallas and
Houston banks in lots of $5000 per day, leaving $1000 in each account when we
were through. We were now $66,000 apiece richer.
It will be interesting to see how the CitiCorp Internal Fraud Auditors and
the Treasury Department sort this out. There are no traces of the diversion,
it just seems to have happened. CitiBank has printed proof that the funds were
sent to the correct banks, and the correct banks acknowledgment on the same
printout. The correct destination banks, however, have no record of the
transaction. There is record of CitiBank sending funds to our Swiss account,
but only the Swiss have those records. Since we were controlling the host when
the transactions were sent, there were no printouts on the sending side. Since
we were not actually at a terminal connected to one of their line printers, no
one should figure out to start contacting Swiss banks, and since CitiBank does
this sort of thing daily with large European banks, they will be all twisted
and confused by the time they find ours. Should they even get to our bank,
they will then have to start the long and tedious process of extracting
information from the Swiss. Then if they get the Swiss to cooperate, they will
have a dead-end with the account, since it was set up under the guise of a
non-entity. The accounts in Dallas and Houston were also in fake names with
fake Social Security Numbers; we even changed our appearances and handwriting
styles at each bank.
I'm glad I'm not the one who will have the job of tracking me down, or
even trying to muster up proof of what happened. Now we won't have to worry
about disposable income for awhile. I can finish college without working and
still live in relative luxury. It's kind of weird having over six-hundred $100
bills in a drawer, though. Too bad we can't earn any interest on it!
** Since the events described transpired, CitiBank has made their Banking
Transaction Ports all refuse collect connections. Even by connecting
with an NUI they now respond "<<ENTER PASSWORD>>". C'est La Vie.
