The two hackers then realized that they had collected all of the technical information they needed to raid the bank. They had discovered the codes and the procedures for the control sequence and the transfers; they knew what the bank IDs signified; and from the Federal Reserve itself they got a listing of all the national and international bank ID numbers. Now they had to organize the downstream: a secure process of getting money into their own pockets.
One of the duo had a friend, an accountant of questionable moral character, who opened a numbered Swiss account under a false name for the two hackers. He had originally laughed at the idea, explaining that an initial $50,000 was required to open a numbered account. But when he was told to get the forms so that the money could be wired to Switzerland, he began to take the scheme seriously. A few days later the accountant delivered the paperwork, the account number, and several transaction slips. He also raised his usual $1,000 fee to $6,500.
The two hackers flew to Oklahoma City to visit the hall of records and get new birth certificates. With these they obtained new Oklahoma IDs and Social Security numbers. Then, using the false IDs, they opened accounts at six different banks in Houston and Dallas, with $1,000 cash deposited in each.
The next day, armed with one Swiss and six American accounts, they began the attack. They rigged the Citicorp computer controlling the EFT transfers to direct all of its data flow to an unused Telenet terminal they had previously discovered. They took turns sitting on the terminal, collecting the transmissions, and returning the correct acknowledgments with the Federal Re- serve IDs. The transmissions each represented a cash transfer: essentially, the money was being hijacked. But by sending the required acknowledgments the hackers were giving Citibank "confirmation" that the transactions had reached the destination banks. By noon the two had $184,300 in their limbo account.
The two then disabled the "data forwarding" function on the Citibank computer, taking control of the EFT machine themselves so that they could redistribute the captured funds. By altering the transmissions, they transferred the money to the Swiss account. To the Swiss, it looked like a normal Citibank transmis- sion; after all, it had come through the Citibank's own EFT computer.
Once the two hackers had received the standard confirmation from the Swiss bank, they immediately filled out six withdrawal forms and faxed them to its New York branch, along with instructions detailing where the funds should be sent. They told the Swiss bank to send $7,333 to each of the six U.S. accounts.
(The amount was chosen because it was below the sum requiring notification of the authorities.) They followed the same procedure for three days, leaving the Swiss account with a little over $52,000 remaining on deposit.
Over the next week they withdrew $22,000 from each of the Dallas and Houston banks in amounts of $5,000 per day, leaving just under $1,000 in each account. At the end of the week they had each taken home $66,000 in cash.
You can believe this story or not as you wish. Certainly Citibank doesn't believe a word of it; it has consistently denied that anything resembling the events described above have ever happened, or that it has lost money in an EFT transfer due to hacking. The only reason anyone knows about the incident is that the two hackers who did it--or say they did--posted the details on a pirate board called Black ICE. The board was used by the Legion of Doom, at one time the most proficient and experienced hacker gang in the United States, and the two hackers-cum-robbers are thought to be LoD members--or at least to consider themselves LoD members.
Hackers are generally boastful. They gain credibility by exaggerating their abilities and glamorizing their exploits. It's the issue of identity: just as meek little Harvey Merkelstein from Brooklyn becomes the fearsome Killer Hacker when he gets loose on a keyboard, he also gains points with his peers by topping everyone else's last hack, and robbing a bank would be considered a pretty good hack.
The report from the two hackers could have been a fantasy, a means of impressing other LoD members. But, if they had managed to pull the robbery off, they would still have wanted to boast about it. And the perfect crime is the one that even the victim doesn't realize has happened. In the report posted on Black ICE, one of the two "bank robbers" wrote,
