Hacker exposed bank loophole to buy luxury cars and a face tattoo

A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months. Unemployed James Ejankowski, 24, of Bridlington, squandered his ill-gotten gains by splurging on a BMW and a Range Rover, and getting his face tattooed (as shown in a story in the Teesside Evening Gazette here). …

  1. This post has been deleted by its author

  2. Anonymous Coward

    What a world we live in.

    People dumb enough to get their faces tattooed are smart enough to find loopholes in online banking systems.

    1. Trilkhai

      Considering he discovered it accidentally by trying to transfer more money out of his account than he actually had, "smart" isn't the word I'd use. It's a shame El Reg echoed the claim that he's a "hacker" — that sets the bar so low that script kiddies look like evil geniuses by comparison.

  3. Adam 52 Silver badge

    Steal £66,000 pounds from a bank, get a 16 month sentence.

    Commit GBH causing victim to be unable to dress or cook, get a 3 month *suspended* sentence.

    That, unfortunately, is British justice.

    1. The Nazz

      re steal £66,000

      As the story reads, £34k was recovered, leaving losses approaching £100k.

      THAT, unfortunately is the state of British arithmetic today.

      Damn shame that that financial "genius" Gordon Clown Brown didn't discover the loophole circa 2008.

      Not to mention the massive "theft" (except it was by government decree) of huge chunks of private pensions from 1997 onwards.

      1. Version 1.0 Silver badge

        Re: re steal £66,000

        Dear Bank,

        Take advantage of our Special Offer this week only - a complete security scan of your Bank for only £100k guaranteed to discover security holes.

      2. Adam 52 Silver badge

        Re: re steal £66,000

        "THAT, unfortunately is the state of British arithmetic today."

        Arithmetic seems ok; my comprehension was lacking! Thanks.

    2. Martin

      Commit GBH causing victim to be unable to dress or cook, get a 3 month *suspended* sentence.

      Citation please?

      1. Adam 52 Silver badge

        "Citation please?"

        This was just the first one out of Google. There are plenty more, I could have gone with breaking someone's jaw and getting a £70 fine.

        http://www.tenby-today.co.uk/article.cfm?id=110799&headline=Suspended%20jail%20sentence%20for%20Pembroke%20Dock%20man%20who%20admitted%20GBH%20charge&sectionIs=news&searchyear=2017

      2. Shady
        Trollface

        The Daily Mail.

        Pick a day. Any day.

    3. phuzz Silver badge

      "Steal £66,000 pounds from a bank, get a 16 month sentence."

      Cause a global financial meltdown at a bank, get a bonus!

      1. Danny 14

        @martin. How about get away scot free almost?

        https://www.google.co.uk/amp/www.gazettelive.co.uk/news/local-news/lazenby-glass-attack-victim-left-3676467.amp

  4. NoneSuch Silver badge
    Pint

    If it was an American bank, he'd be on his way to Gitmo.

  5. Christoph

    How did the bank manage that? All the checking should be built in to the operation 'transfer funds' so that it simply cannot take place without the checks. If there's a way round that it implies there's loads of other loopholes waiting to be found.

  6. Dwarf

    ACID, I blame ACID

    Call me old fashioned, but don't ALL databases work on the principles of ACID (Atomic, Consistency, Isolation, Durability) precisely to prevent this sort of thing happening?

    Or is the bank using one of those new fangled millennial age database engines that farts fairy dust?

    1. Barracoder

      Re: ACID, I blame ACID

      I think what we're looking at here is two, possibly ACID, systems that had agreed to disagree on the use of UTC.

      1. Jon Double Nice

        Re: ACID, I blame ACID

        My guess is a batch job that runs at midnight, which blocks any new ledger entries being processed until it's finished.

    2. a_yank_lurker

      Re: ACID, I blame ACID

      I doubt it was a database issue. My suspicion is a programming error in the nightly reconciliation that allowed a transfer between accounts to not have the withdrawal properly posted.

    3. richardcox13

      Re: ACID, I blame ACID

      > but don't ALL databases work on the principles of ACID

      Short answer: no.

      1. ACID adds significant performance overheads. At sufficient scale this is too much. Hence "eventually consistent" systems. And, of course, some systems just don't need ACID (e.g. all you are doing is adding data – no updates or deletes – with naturally unique identifiers).

      2. Do not assume that two accounts, even in the same institution, will all be on one database (mergers often leave "duplicate" systems for years). Since the systems have to handle moving money between different institutions anyway, do all transfers like that (this usually involves holding accounts and messaging systems with reconciliation processes) to avoid having multiple code paths to test.

      (And in case anyone is thinking "distributed transaction": allowing other institutions to hold locks in your systems is a DDOS waiting to happen.)
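
The design Christoph and Dwarf describe above, a funds check that is part of the transfer operation inside one atomic transaction, shown as an added example that is not from the thread or from the bank's systems; the table, account names and amounts are constructed. It does not model the actual fault, which the commenters can only guess at, nor the multi-system case richardcox13 raises.

```python
import sqlite3

def open_ledger():
    # Constructed sample data: one customer with a current and a savings account.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
               "balance_pence INTEGER NOT NULL CHECK (balance_pence >= 0))")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("current", 5_000), ("savings", 0)])
    return db

def transfer(db, src, dst, amount_pence):
    """Move funds atomically; the funds check is part of the debit itself."""
    if amount_pence <= 0:
        raise ValueError("amount must be positive")
    db.execute("BEGIN IMMEDIATE")  # take the write lock before touching balances
    try:
        # Conditional debit: the row only changes if the balance covers it,
        # so there is no separate "check" step that another code path can skip.
        debited = db.execute(
            "UPDATE accounts SET balance_pence = balance_pence - ? "
            "WHERE id = ? AND balance_pence >= ?",
            (amount_pence, src, amount_pence)).rowcount
        if debited != 1:
            raise ValueError("insufficient funds or unknown source account")
        credited = db.execute(
            "UPDATE accounts SET balance_pence = balance_pence + ? WHERE id = ?",
            (amount_pence, dst)).rowcount
        if credited != 1:
            raise ValueError("unknown destination account")
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")  # debit and credit succeed or fail together
        raise

def balances(db):
    return dict(db.execute("SELECT id, balance_pence FROM accounts"))

def demo():
    db = open_ledger()
    transfer(db, "current", "savings", 3_000)       # covered: succeeds
    try:
        transfer(db, "current", "savings", 10_000)  # not covered: refused
        refused = False
    except ValueError:
        refused = True
    return refused, balances(db)

if __name__ == "__main__":
    print(demo())
```

The `CHECK (balance_pence >= 0)` constraint is a second line of defence: any other writer that tries to drive a balance negative is rejected by the database itself.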

  7. jake Silver badge

    The sheer brilliance of this guy's plan ...

    ... is absolutely breathtaking.

  8. John 104

    So which tattoo did he get? The snake? The snow flake? All of them? What a tard.

    1. Trilkhai

      Based on the redness, I think the bowtie on his cheek is probably the new one... Then again, I admit that I'm distracted enough by the stupid haircut** & cloud of pubic hair under his jaw that I might be overlooking something.

      **Kids: just wait a decade and you'll be snickering as much as my generation has at the crimped hair, bulletproof bangs, mullets, and rat-tails popular when we were growing up.

  9. Sampler

    Did he get the tattoo...

    ..when he realised he was going to end up in jail and turned himself in?

    I mean, it's the only reason I can think of getting a face tattoo, at least they'll leave him alone inside now as no one wants to have to look at that even if you are making them your bitch...

    1. Pen-y-gors

      Re: Did he get the tattoo...

      From the direction they'll be looking at him, they don't need to look at his face...

      1. Sampler

        Re: Did he get the tattoo...

        I was going with some good old fashioned Ridley Scott face-rape, but, whatever's your poison..

  10. John Smith 19 Gold badge
    FAIL

    OMFG it's 2017 and you can still do this.

    But what makes it especially impressive is you can do it within the same bank.

  11. cantankerous swineherd

    cheap lesson in security for the bank.

  12. CaptainCorrection
    Headmaster

    Wait..

    There's a 1am in the morning now?

  13. Anonymous Coward

    The bank got away very lightly. This could easily have been millions lost with no recovery if he'd sold the exploit to organised criminals.

    They would have opened dozens of accounts and shifted all the money off shore and out of reach leaving a few mules (paid just to open an account and hand over the passwords) to take the blame.

  14. Anonymous Coward
    IT Angle

    Notional funds and software reconciliation

    "Ejankowski had reportedly discovered that if he used software to transfer notional funds between his current account and his savings account between midnight and 1:00am in the morning, the transaction would go through even though he didn't have adequate funds and without prompt reconciliation."

    It would be interesting to know what software platform was involved and the nature of the bug that disabled balance checking between midnight and 1:00am.

    1. Ian 55

      Re: Notional funds and software reconciliation

      Their website, probably.

  15. scrubber
    Holmes

    NAG...

    Having worked on online banking for NAG, I hope they take the 100k from the total cowboy* consultancy they had working on this.

    * CB and YB use the same backends, accounts and processing, but somehow the YB online bank was 3 months ahead in development?!? Everyone looked like I'd taken a dunno on the table when I brought this up in a meeting. Quit after only 4 weeks there.

    1. John Smith 19 Gold badge
      Holmes

      "* CB and YB use the same backends, accounts and processing, "

      G'day

      That's right the Yorkshire Bank, the national bank of the land of Whippets is in fact owned by the National Australia Group.

      With, it would appear, hilarious consequences.

  16. Anonymous Coward

    One sided law

    And yet when a bank steals money from you no lawyer you approach will take the case. The ombudsman is on their side making excuses as to why they stole your cash despite a paper trail. Good on this man for evening out the books. Minus points for being stupid with the spoils.

  17. SouthernLogic

    He did the bank a service and it only cost them 100000. If Hillary Clinton would have found out about the hack the bank would be out billions or more.

    1. Hollerithevo

      What?!?

      Dear Mr or Ms Logic, does this make any sense at all and also does it follow at all? Should you choose another handle?

  18. David Nash Silver badge

    How does this make him a "hacker"?

    1. Alumoi Silver badge

      He used a computer, didn't he? So he's a terrist... erm, hacker.

  19. adam 40 Silver badge
    Holmes

    Fraud?

    More like "Bank Error in your Favour"

    Do not pass go, collect £134.000.

    All he needed was a "Get out of Jail" card ;^(
