Apparently, the bank's system was recently cracked, and the intruders managed to obtain several card/authorization combinations. Not all of them were valid, but some were. And so the thieves decided to use an online payment system to steal small amounts of money from each card. After all, a small, non-round number like $18.42 could easily be dismissed when reviewing the account as something we forgot about. And doing it over ~500 cards yields almost $2000 booty for a day's "work". Clever scam.

But the bank caught on pretty quick when 500 cards each had a charge of $18.42 to the same place in a single day.

So we told the bank which recent charges should be approved, cancelled the card number, and are getting a new card FedEx'd to us.

"It almost worked, Pinky! Next time don't sit on the ENTER button, just push it."

"Ha, ha, NARF!"

"Well, we better rest up for tomorrow night."

"Why, what are we going to do tomorrow night, Brain?"

quote:

---

Originally posted by rw:
Well, the bank made a mistake (they got hacked) and the hackers made a mistake (they got caught). I think it's interesting that we all know exactly what the hackers should have done, but we have no advice for the bank. We jus say "get a new bank", and hope that the new one knows something we don't.

---

The advice to the bank would be pretty simple and obvious: implement secure computer systems. But that's their job. They're supposed to know that and be doing it already.

Use Linux.

Of course, I don't know what the particular vulnerability was that allowed their system to be cracked. It might have been the human element, or it might not have been. It might be that the system was running the tightest known NetBSD configuration possible and that the cracker discovered some before-now unknown buffer overflow and chose to exploit it and not announce it through Bugtraq, or it might be running WinNT 3.5 with software that hasn't been upgraded since 1996. In the absence of facts, trying to simplify the problem to that of a particular OS, or even to that of software, is likely to make you end up looking foolish.

------------------
cb
Oooh! What does this button do!?

quote:

---

Originally posted by rw:
Well, the bank made a mistake (they got hacked) and the hackers made a mistake (they got caught). I think it's interesting that we all know exactly what the hackers should have done, but we have no advice for the bank. We jus say "get a new bank", and hope that the new one knows something we don't.

---

Well, we know what the hackers did wrong, but we do not know what the bank did wrong. How did they get hacked? We don't know, and the bank will surely never say, so it's hard for us to know what they should have done differently.

However it wouldn't tend, it would allow you to enter your pin but would then say the machine was out of cash.

It was actually a scam set up by a group of people. They bought the rent on the building in the high street, installed a cash machine which was patched straight to the web, every pin that was entered was sent down a modem with all relevent info pertaining to the persons card. The scammers then created new cards with a magnetic strip with the pin on, then off to a proper machine to draw moneies, they got away with over 180 grand before someone got suspicious of the cash machine never vending.

Stupid people on the other hand are always pulling off crime sprees....maybe the old tried and true "Stick'em Up!" works better. *shrug* I guess most of them end up getting caught in the end anyway so I might as well worry about something more important like how to get home while avoiding direct contact with the "daystar" outside...