“In some cases the in-arcs and out-arcs are for different dates,” Rudy continued. He stabbed a node near the center of the diagram. “For example, on this account here the forged withdrawals are for July 13th while the forged deposits are for July 14th. Thus, while the account balance was ultimately left unchanged, there was a twenty-four hour period when it was incorrect by…” He leaned over and studied the numbers. “By $14,213,” he finished.
“Why steal money and then turn around and give it right back?” Lisa wondered out loud. “It doesn’t make any sense.”
“Well,” offered Rudy, “the deposits come from different accounts. Perhaps the subject is some sort of Robin Hood figure and likes to redistribute wealth.”
That would have made more sense if the hacker actually was redistributing wealth. In just the small number of forged EFTs that had been found, the net effect on hacked accounts was zero. In each case — except Lisa’s — the balances were restored within 24 hours. No money was changing hands other than for brief transient periods. Most of the balances were restored immediately. Some were “restored” even before the money was withdrawn.
Now, for the first time, I began to understand what had happened to Lisa’s account on the day I replayed the messages between Bendix of St. Louis and First Chicago Trust. It was plain now. The hacker had forged an EFT to deposit funds into her account. He also forged an EFT to withdraw part of the deposited money. Then, either he was spooked by the error messages from First Chicago or else he intended to withdraw the remaining portion the next day. The result was that Lisa Cryer’s account was the only account that was used to route forged EFTs where the net change in balance was not zero. The fact that the net change was positive, and by several thousand dollars, was what had Lisa in hot water with the police.
“Do you remember who the forged payment out of your account was to?” I asked Lisa.
“Oh yeah, I remember all right,” she replied with a mirthless laugh and a nod. “It was to Jonathan Rogers for about one thousand dollars.” She bent over to open her handbag as she said this. Moments later she had a small piece of paper in her hand and she read from it as she continued. “The amount was $1021.33 to Jonathan Rogers. The deposit was from Anthony R. Lee for $18120.11. That makes my net profit $17098.78.”
Rudy slowly thumbed through the pages before answering. “In addition to the deposit from Ms. Cryer’s account there was a second illegitimate deposit into that account. Also, there was a payment out of Rogers’ account. The amount of the payment equals the sum of the two forged deposits and we have confirmed that the payment was also forged.”
This made Jonathan Rogers’ account one of the many that the hacker was apparently using to launder money. The hacker was routing money through numerous accounts. Sometimes he simply deposited money from one place and then immediately paid it out to another place. Other times he split a transfer or merged two or more. In the case of Jonathan Rogers, the hacker appears to have deposited money from two separate accounts, one of which was Lisa’s, and then used a single EFT to withdraw the money. My guess is that Lisa’s account was also being used to launder money, but in that case the hacker was using a single EFT for a deposit and two EFTs for withdrawals… except the second debiting EFT was never made.
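The pattern Rudy's diagram shows (money routed through accounts whose net change is zero, one account left unbalanced by a missing debit, and accounts briefly incorrect when in-arcs and out-arcs fall on different dates) can be checked mechanically over a list of forged transfers. This is an added example, not code from the story; the account names, dates and amounts are constructed.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed forged EFTs (value date, debited account, credited account, amount).
# A ring of three hops with staggered dates, plus a merge through "acct_rogers"
# where "acct_cryer" receives a deposit but only one of its two debits was made.
FORGED_EFTS = [
    (date(1996, 7, 13), "acct_A", "acct_B", Decimal("14213.00")),
    (date(1996, 7, 13), "acct_B", "acct_C", Decimal("14213.00")),
    (date(1996, 7, 14), "acct_C", "acct_A", Decimal("14213.00")),  # A made whole a day late
    (date(1996, 7, 15), "acct_lee", "acct_cryer", Decimal("18120.11")),
    (date(1996, 7, 15), "acct_cryer", "acct_rogers", Decimal("1021.33")),  # second debit missing
    (date(1996, 7, 15), "acct_lee", "acct_E", Decimal("500.00")),
    (date(1996, 7, 15), "acct_E", "acct_rogers", Decimal("500.00")),
    (date(1996, 7, 15), "acct_rogers", "acct_lee", Decimal("1521.33")),  # merged outflow
]


def account_flows(efts):
    """Gross credits and debits per account across the forged transfers."""
    flows = defaultdict(lambda: {"in": Decimal(0), "out": Decimal(0)})
    for _, payer, payee, amount in efts:
        flows[payer]["out"] += amount
        flows[payee]["in"] += amount
    return flows


def classify_accounts(efts):
    """Separate laundering hops (net change zero) from accounts left unbalanced."""
    pass_through, unbalanced = [], {}
    for acct, f in sorted(account_flows(efts).items()):
        net = f["in"] - f["out"]
        if net == 0:
            pass_through.append(acct)
        else:
            unbalanced[acct] = net
    return pass_through, unbalanced


def max_transient_imbalance(efts, account):
    """Largest end-of-day deviation from the true balance, i.e. how wrong the
    account was while its in-arcs and out-arcs sat on different dates."""
    daily = defaultdict(lambda: Decimal(0))
    for day, payer, payee, amount in efts:
        if payee == account:
            daily[day] += amount
        if payer == account:
            daily[day] -= amount
    running, worst = Decimal(0), Decimal(0)
    for day in sorted(daily):
        running += daily[day]
        worst = max(worst, abs(running))
    return worst
```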
“Carl, what is the point of all of this? Why is the hacker doing this?” implored Lisa. Clearly exasperated, she was at a loss. “Except for screw-ups like the one with my account, the hacker isn’t stealing any money. What’s the point? Is it just a power trip?”
“Probably. Most hacks are.” I myself was not fully satisfied with this explanation even as I voiced it. It is true that most intrusions into computer systems are by kids on power trips, but this attack seemed far too sophisticated to be a joy-ride. The MACs on the bogus EFTs were perfect forgeries. Any attacker that can crack DES is no prankster. Joy-riding through the bank accounts of numerous private citizens seems too high-stakes for even the most courageous braggart. When Robert Tappan Morris unleashed his worm on the Internet in 1988, he victimized a very large number of people, but he had no malicious intent. His worm was disruptive due to a bug in the software, causing it to replicate far too rapidly. Kevin Mitnick, while a major nuisance, never directly stole money from bank accounts. He appears to have broken into computer systems as part of an obsessive hobby, collecting root passwords as trophies. All indications are that the prize that Mitnick sought was respect from his peers, be they other hackers or his adversaries fighting to keep hackers out of their systems. Indeed, the standard but dubious argument that hackers use in their own defense is that they never actually steal anything. Hackers of this type tend to exploit bugs in operating systems and server programs. The most infamous security-bug-ridden program is sendmail, but there are many others. These same hackers also rely heavily on “social engineering”, which is their term for a con-job. These people are phone phreaks and OS groupies. What they lack in formal education they more than make up for in persistence. They read OS manuals and phone company service manuals. Very rarely do they have any expertise in cryptology.