“What did First Chicago do with all of these copies?” asked Mr Templemeyer.
“Because the versions I sent were the first ones to arrive after the supposed transmission error, they were the ones that were accepted by First Chicago Trust. My versions were the ones that actually caused money to change hands.
“The copies sent by Bendix the next day were replays of EFT’s that had already been processed and, save for the two EFT’s on Ms. Cryer’s account, they were rejected.”
Templemeyer furrowed his brow and looked at the ceiling for a moment. He lowered his head and nodded toward Lisa. “And we still don’t know why those two transfers on this young lady’s account made it through twice?” he asked.
Lisa answered. “We know that somebody forged those EFT’s; they did not originate from Bendix of St. Louis. And they certainly do not represent legitimate payments I made or recieved.”
“Right,” I added, “somebody has found a way to forge the message authentication codes used in funds transfers. We don’t know how they are doing it. As unlikely as it seems, he or she may have found a way to crack DES. DES — the Digital Encryption Standard — is a widely used encryption algorithm. So long as adequate key sizes are used, it is believed to be very strong, with no known weaknesses to speak of.”
“How vulnerable is the banking industry if DES has been cracked,” asked Templemeyer.
“Very. It forms the basis of EFT security.”
He took this news well. He nodded his head slowly and turned to Agnes. “Do you have any leads?”
“We have some. Our team has made progress since the last update I gave you, but it is not something I’m prepared to discuss at this time,” she said as she glanced in the direction of Lisa and me.
There was an awkward silence that followed. Templemeyer eased the tension by asking for clarification on some points. “Why did the forgeries go through when the legitimate EFT’s didn’t?” he wanted to know.
“Well,” Lisa began, “since those EFT’s were forged and inserted into the message stream by the hacker, when Bendix got the error messages from First Chicago, those forged EFT’s were not included in the batch of repeated transmissions. From the vantage point of workers at First Chicago, it appeared as if somebody had tried to duplicate all the EFT’s except two. There was Carl’s set of messages, which included all the EFT’s including the forgeries, and there was Bendix re-transmission, which included only the legitimate EFT’s that Bendix actually created. The duplicates were easily spotted and rejected, but the non-duplicated EFT’s — the forgeries — were accepted. The fact that these two EFT’s were the only ones that weren’t duplicated focused attention on them. These are the two transfers that netted about $17,000 into my account. That focused attention on me.”
Templemeyer nodded slowly. “OK, so the point here is that the forged EFT’s were not treated in the same way as the legitimate ones when Bendix tried to correct for the errors reported by First Chicago. I can understand that.”
“And,” Lisa continued, “since the hacker thought that his EFT’s had been been rejected by First Chicago, he did not bother following up with a second batch of EFT’s to withdraw his money out of my account and move it on to another account. Normally he leaves the account balances unchanged and only passes money through accounts.”
Now Templemeyer was confused again. “How does the hacker profit from this?”
“The hacker profits on the float,” Lisa explained.