Hacker exposed bank loophole to buy luxury cars and a face tattoo

Anonymous Coward

What a world we live in.

People dumb enough to get their faces tattooed are smart enough to find loopholes in online banking systems.

53
0

Considering he discovered it accidentally by trying to transfer more money out of his account than he actually had, "smart" isn't the word I'd use. It's a shame El Reg echoed the claim that he's a "hacker" — that sets the bar so low that script kiddies look like evil geniuses by comparison.

16
0
Silver badge

Steal £66,000 pounds from a bank, get a 16 month sentence.

Commit GBH causing victim to be unable to dress or cook, get a 3 month *suspended* sentence.

That, unfortunately, is British justice.

46
2
Bronze badge

re steal £66,000

As the story reads, £34k was recovered, leaving losses approaching £100k.

THAT, unfortunately, is the state of British arithmetic today.

Damn shame that that financial "genius" Gordon Clown Brown didn't discover the loophole circa 2008.

Not to mention the massive "theft" (except it was by government decree) of huge chunks of private pensions from 1997 onwards.

16
5

Commit GBH causing victim to be unable to dress or cook, get a 3 month *suspended* sentence.

Citation please?

4
1
Silver badge

Re: re steal £66,000

Dear Bank,

Take advantage of our Special Offer this week only - a complete security scan of your Bank for only £100k guaranteed to discover security holes.

6
0
Silver badge

"Citation please?"

This was just the first one out of Google. There are plenty more, I could have gone with breaking someone's jaw and getting a £70 fine.

http://www.tenby-today.co.uk/article.cfm?id=110799&headline=Suspended%20jail%20sentence%20for%20Pembroke%20Dock%20man%20who%20admitted%20GBH%20charge&sectionIs=news&searchyear=2017

6
0
Silver badge

Re: re steal £66,000

"THAT, unfortunately, is the state of British arithmetic today."

Arithmetic seems ok; my comprehension was lacking! Thanks.

1
0
Trollface

The Daily Mail.

Pick a day. Any day.

0
0
Silver badge

"Steal £66,000 pounds from a bank, get a 16 month sentence."

Cause a global financial meltdown at a bank, get a bonus!

0
0
Silver badge

@martin. How about get away scot free almost?

https://www.google.co.uk/amp/www.gazettelive.co.uk/news/local-news/lazenby-glass-attack-victim-left-3676467.amp

0
0
Pint

If it was an American bank, he'd be on his way to Gitmo.

8
2
Silver badge

How did the bank manage that? All the checking should be built in to the operation 'transfer funds' so that it simply cannot take place without the checks. If there's a way round that it implies there's loads of other loopholes waiting to be found.

28
0
Silver badge

ACID, I blame ACID

Call me old fashioned, but don't ALL databases work on the principles of ACID (Atomic, Consistency, Isolation, Durability) precisely to prevent this sort of thing happening?

Or is the bank using one of those new fangled millennial age database engines that farts fairy dust?

23
0

Re: ACID, I blame ACID

I think what we're looking at here is two, possibly ACID, systems that had agreed to disagree on the use of UTC.

22
0
Silver badge

Re: ACID, I blame ACID

I doubt it was a database issue. My suspicion is a programming error in the nightly reconciliation that allowed a transfer between accounts to not have the withdrawal properly posted.

4
0

Re: ACID, I blame ACID

> but don't ALL databases work on the principles of ACID

Short answer: no.

1. ACID adds significant performance overheads. At sufficient scale this is too much. Hence "eventually consistent" systems. And, of course, some systems just don't need ACID (eg. all you are doing is adding data – no updates or deletes – with naturally unique identifiers).

2. Do not assume that two accounts even in the same institution will all be on one database (mergers often leave "duplicate" systems for years). Since the systems have to handle moving money between different institutions anyway, they do all transfers like that (this usually involves holding accounts and messaging systems with reconciliation processes) to avoid having multiple code paths to test.

(And in case anyone is thinking "distributed transaction": allowing other institutions to hold locks in your systems is a DDoS waiting to happen.)

5
0

Re: ACID, I blame ACID

My guess is a batch job that runs at midnight, which blocks any new ledger entries being processed until it's finished.

8
0
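The comments above speculate about where a "transfer goes through without a balance check between midnight and 1am" bug could live: checks not built into the transfer operation itself, a reconciliation job that posts withdrawals later, or a batch window that decouples what the front end reads from the real ledger. The following is an added example, not code from the article, the bank or any commenter, and it does not claim to be the actual bug. It models one plausible member of that class in Python with sqlite3: a check-then-act transfer that validates against a posted snapshot while a (hypothetical) batch window hides unapplied debits, next to an atomic conditional debit in which the funds check is part of the UPDATE and both legs commit or roll back together. The schema, account names, the in_batch_window flag and all balances are invented for illustration.

```python
import sqlite3

# Hypothetical two-account ledger (constructed for this example, not the bank's schema).
# `posted` is the end-of-day balance; `journal` holds transfers the nightly job has
# not yet applied to `posted`.
def new_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, posted INTEGER NOT NULL)")
    db.execute("CREATE TABLE journal (src TEXT, dst TEXT, amount INTEGER, "
               "applied INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("current", 1000), ("savings", 0)])
    db.commit()  # opening balances are committed so later rollbacks cannot undo them
    return db

def balances(db):
    return dict(db.execute("SELECT id, posted FROM accounts"))

def available(db, acct, in_batch_window):
    """Available balance as the (hypothetical) front end computes it.

    Normally: posted balance plus the net of unapplied journal entries.
    During the batch window the reconciliation job owns the journal, so the
    front end falls back to the posted snapshot alone, and every debit written
    since midnight becomes invisible to the check. That behaviour is the bug
    being illustrated, not a fact about any real system."""
    posted = db.execute("SELECT posted FROM accounts WHERE id = ?", (acct,)).fetchone()[0]
    if in_batch_window:
        return posted
    unapplied = db.execute(
        "SELECT COALESCE(SUM(CASE WHEN dst = ? THEN amount ELSE -amount END), 0) "
        "FROM journal WHERE applied = 0 AND (src = ? OR dst = ?)",
        (acct, acct, acct)).fetchone()[0]
    return posted + unapplied

def transfer_vulnerable(db, src, dst, amount, in_batch_window):
    """Check-then-act: the balance check and the journal write are separate
    steps, and inside the window the check reads a value that no longer
    reflects the debits already queued."""
    if amount <= 0 or available(db, src, in_batch_window) < amount:
        return False
    db.execute("INSERT INTO journal (src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
    return True

def reconcile(db):
    """Nightly job: apply journal entries to posted balances. It trusts that the
    front end already checked funds, so it will happily post an overdraft."""
    rows = db.execute("SELECT rowid, src, dst, amount FROM journal WHERE applied = 0").fetchall()
    with db:  # one transaction for the whole batch
        for rowid, src, dst, amount in rows:
            db.execute("UPDATE accounts SET posted = posted - ? WHERE id = ?", (amount, src))
            db.execute("UPDATE accounts SET posted = posted + ? WHERE id = ?", (amount, dst))
            db.execute("UPDATE journal SET applied = 1 WHERE rowid = ?", (rowid,))

def transfer_safe(db, src, dst, amount):
    """Atomic conditional debit: the funds check is part of the UPDATE itself,
    so there is no moment at which a stale read can be acted on, and both legs
    commit or roll back together regardless of what time of day it is."""
    if amount <= 0 or src == dst:
        return False
    try:
        with db:  # commits on normal exit, rolls back on exception
            cur = db.execute(
                "UPDATE accounts SET posted = posted - ? WHERE id = ? AND posted >= ?",
                (amount, src, amount))
            if cur.rowcount != 1:
                raise ValueError("insufficient funds or unknown source account")
            cur = db.execute("UPDATE accounts SET posted = posted + ? WHERE id = ?", (amount, dst))
            if cur.rowcount != 1:
                raise ValueError("unknown destination account")  # undoes the debit too
    except ValueError:
        return False
    return True

def demo():
    """Five 1000-unit transfers out of a 1000-unit account, three ways."""
    out = {}
    db = new_ledger()
    out["vulnerable_in_window"] = [transfer_vulnerable(db, "current", "savings", 1000, True)
                                   for _ in range(5)]
    reconcile(db)
    out["vulnerable_in_window_balances"] = balances(db)
    db = new_ledger()
    out["vulnerable_outside_window"] = [transfer_vulnerable(db, "current", "savings", 1000, False)
                                        for _ in range(5)]
    db = new_ledger()
    out["safe"] = [transfer_safe(db, "current", "savings", 1000) for _ in range(5)]
    out["safe_balances"] = balances(db)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Outside the window the vulnerable path behaves correctly, which is why such a bug survives ordinary testing; inside it, every repeat passes and the overdraft only appears once reconcile() runs. The safe path has no notion of a window at all: the conditional UPDATE either moves the money or touches nothing, and a failed credit leg rolls the debit back.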
Silver badge

The sheer brilliance of this guy's plan ...

... is absolutely breathtaking.

4
0
Silver badge

So which tattoo did he get? The snake? The snow flake? All of them? What a tard.

2
0

Based on the redness, I think the bowtie on his cheek is probably the new one... Then again, I admit that I'm distracted enough by the stupid haircut** & cloud of pubic hair under his jaw that I might be overlooking something.

**Kids: just wait a decade and you'll be snickering as much as my generation has at the crimped hair, bulletproof bangs, mullets, and rat-tails popular when we were growing up.

7
0
Bronze badge

Did he get the tattoo...

..when he realised he was going to end up in jail and turned himself in?

I mean, it's the only reason I can think of getting a face tattoo, at least they'll leave him alone inside now as no one wants to have to look at that even if you are making them your bitch...

1
3
Silver badge

Re: Did he get the tattoo...

From the direction they'll be looking at him, they don't need to look at his face...

7
1
Bronze badge

Re: Did he get the tattoo...

I was going with some good old fashioned Ridley Scott face-rape, but, whatever's your poison..

0
0
Gold badge
FAIL

OMFG it's 2017 and you can still do this.

But what makes it especially impressive is you can do it within the same bank.

2
0
Bronze badge

Cheap lesson in security for the bank.

3
0
Headmaster

Wait..

There's a 1am in the morning now?

8
0
Anonymous Coward

The bank got away very lightly. This could easily have been millions lost with no recovery if he'd sold the exploit to organised criminals.

They would have opened dozens of accounts and shifted all the money off shore and out of reach leaving a few mules (paid just to open an account and hand over the passwords) to take the blame.

5
0
Bronze badge
IT Angle

Notional funds and software reconciliation

"Ejankowski had reportedly discovered that if he used software to transfer notional funds between his current account and his savings account between midnight and 1:00am in the morning, the transaction would go through even though he didn't have adequate funds and without prompt reconciliation."

It would be interesting to know what software platform was involved and the nature of the bug that disabled balance checking between midnight and 1:00am.

1
0

Re: Notional funds and software reconciliation

Their website, probably.

0
0
Silver badge
Holmes

NAG...

Having worked on online banking for NAG, I hope they take the 100k from the total cowboy* consultancy they had working on this.

* CB and YB use the same backends, accounts and processing, but somehow the YB online bank was 3 months ahead in development?!? Everyone looked like I'd taken a dunno on the table when I brought this up in a meeting. Quit after only 4 weeks there.

2
0
Gold badge
Holmes

"* CB and YB use the same backends, accounts and processing, "

G'day

That's right, the Yorkshire Bank, the national bank of the land of Whippets, is in fact owned by the National Australia Group.

With, it would appear, hilarious consequences.

0
0
Anonymous Coward

One sided law

And yet when a bank steals money from you no lawyer you approach will take the case. The ombudsman is on their side making excuses as to why they stole your cash despite a paper trail. Good on this man for evening out the books. Minus points for being stupid with the spoils.

1
0

He did the bank a service and it only cost them 100000. If Hillary Clinton had found out about the hack, the bank would be out billions or more.

0
4
Silver badge

What?!?

Dear Mr or Ms Logic, does this make any sense at all and also does it follow at all? Should you choose another handle?

1
0
Bronze badge

How does this make him a "hacker"?

2
0
Bronze badge

He used a computer, didn't he? So he's a terrist... erm, hacker.

1
0
Holmes

Fraud?

More like "Bank Error in your Favour"

Do not pass go, collect £134.000.

All he needed was a "Get out of Jail" card ;^(

0
0
