Approaching Zero

by Paul Mungo


The most successful bank robbery ever carried out by hackers may have occurred two years ago. The target was a branch of Citibank in New York. The identity of the two hackers is unknown, though they are thought to be in their late teens or early twenties.

The scheme began when the two became aware that certain financial institutions, including Citibank, used their connections on the various X.25 networks--the computer networks operated by commercial carriers such as Telenet or Sprint--to transfer money. (The process is known as Electronic Fund Transfer, or EFT.) The two decided that if the funds could be intercepted in mid-transfer and diverted into another account--in this case, a computer file hidden within the system--then they could be redirected and withdrawn before the error was noticed.

The hackers began the robbery by investigating Telenet. They knew that Citibank had two "address prefixes" of its own on the network, 223 and 224; these were the prefixes for the seven-digit numbers (or "addresses") that denoted Citibank links to the system. By churning through sequential numbers they found a series of addresses for Citibank computer terminals, many of which were VAXen, the popular computers manufactured by DEC. One weekend they hacked into eight of the VAXen and found their way to the Citibank DECnet, an internal bank network linking the DEC computers. From there they found gateways to other banks and financial institutions in the New York area.

They ignored the other banks. What had particularly intrigued them were references in the computer systems to an EFT operation run by Citibank: in various files and throughout the electronic mail system they kept turning up allusions to EFT, clues that they were convinced pointed to a terminal that did nothing but transfer funds. They began sifting through their lists of computer access numbers, looking for one among hundreds that belonged to the EFT computer, and by a laborious process of elimination they whittled the lists down to five machines whose function they couldn't divine. Of those, one seemed particularly interesting. It could be entered by a debug port (a computer access port used for maintenance) that had been left in default mode; in other words, it could be accessed with the standard manufacturer-supplied password, because yet again no one had ever bothered to change it.

The system they entered contained menus that guided them through the computer. One path took them directly into an administration area used by system operators. After an hour of exploration they found a directory that held a tools package, allowing them to create their own programs. With it, they wrote a procedure to copy all incoming and outgoing transmissions on the terminal into their own file. They named the file ".trans" and placed it in a directory whose name was two dots followed by two spaces (dot, dot, space, space); in a listing it looked like the ordinary ".." parent-directory entry, which effectively hid it from view. What they had created was a "capture" file; from the transmissions that were copied, they would be able to divine the functions of the computer terminal.
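The directory-name trick above is still used today, and it is cheap to check for. The following Python script is an added example, not part of the book or of any Citibank system; it flags directory entries whose names collapse to "." or ".." once whitespace, zero-width characters and Unicode dot lookalikes are discounted, then walks a constructed sample tree (built in a temporary directory) that reproduces the ".trans" inside "dot, dot, space, space" layout. The sample tree, the function names and the list of lookalike characters are the author's assumptions, not taken from the page.

```python
import os
import re
import shutil
import tempfile

# Whitespace and zero-width characters that vanish in a directory listing.
_INVISIBLE = re.compile(r"[\s\u200b\u200c\u200d\u2060\ufeff]")
# Characters that render like an ASCII full stop (assumed set; extend as needed).
_DOT_LOOKALIKES = str.maketrans({"\u2024": ".", "\u2027": ".", "\uff0e": "."})


def is_disguised_dot_name(name: str) -> bool:
    """True if NAME is not literally '.' or '..' but would look like a dot
    entry (or like nothing at all) in a listing. Ordinary dotfiles such as
    '.profile' or '.trans' are not flagged; the disguise is the name that
    is *only* dots and invisible characters."""
    if name in (".", ".."):
        return False
    visible = _INVISIBLE.sub("", name).translate(_DOT_LOOKALIKES)
    # Empty means the name was all whitespace; otherwise only dots remain.
    return visible == "" or set(visible) == {"."}


def scan_tree(root: str) -> list:
    """Walk ROOT and return the full paths of every disguised entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if is_disguised_dot_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return hits


def build_sample_tree(base: str) -> str:
    """Constructed sample layout (not real data): one benign directory, one
    benign dotfile, and two disguised directories, one of which holds the
    '.trans' capture file as described in the text."""
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "motd"), "w") as fh:
        fh.write("welcome\n")
    with open(os.path.join(base, ".profile"), "w") as fh:
        fh.write("# benign dotfile\n")
    hidden = os.path.join(base, "..  ")          # dot, dot, space, space
    os.makedirs(hidden)
    with open(os.path.join(hidden, ".trans"), "w") as fh:
        fh.write("captured traffic would go here\n")
    os.makedirs(os.path.join(base, ". "))        # dot, space variant
    return base


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the
    disguised entries as sorted paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="dotscan-")
    try:
        build_sample_tree(root)
        return sorted(os.path.relpath(h, root) for h in scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel in demo():
        print("disguised entry: %r" % rel)
```

On a live system, `ls -Q` (GNU ls, quoting every name) makes such names visible, since a plain `ls -a` shows the directory as an apparently duplicated "..". Running the scan over /tmp, home directories and any administration or tools directory is a reasonable baseline check.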

The capture file was created late on a Sunday night. At about nine P.M. the next evening they logged on to the system again, and from the day's transmissions they could tell that the targeted machine was indeed an EFT terminal. They discovered that the computer began transactions by linking itself to a similar computer at another bank, waiting for a particular control sequence to be sent, and then transferring a long sequence of numbers and letters. They captured about 170 different transactions on the first day and several hundred more in the following week. At the end of the week they removed the ".trans" file and its directory, killed the capture routine, and went through the system removing any trace that they had ever been there.

From the captured transmissions they were able to piece together the meaning of the control sequence and the transfers themselves. They also noticed that after the Citibank computer had sent its transfer, the destination bank would repeat the transaction (by way of confirmation) and in ten seconds would say TRANSACTION COMPLETED, followed by the destination bank ID. The two guessed that the bank IDs were the standard Federal Reserve numbers for banks (every bank in America that deals with the Federal Reserve system has a number assigned to it, as do several European banks). To confirm the hunch, they called up Citibank and asked for its Federal Reserve number. It was the same as the ID being sent by the computer.