Incidents

System manager steals $1M USD using ATM vulnerability

The defendant must comply with a sentence of more than 10 years in prison

A Chinese software manager was convicted of stealing around $1M USD by exploiting a known vulnerability in the Huaxia Bank ATM system.

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the 43-year-old man worked at the banking institution’s software development center when he discovered a loophole in the bank’s central operating system that gave him a time window in which withdrawals would not be recorded in the systems.

Qin Qisheng discovered that, since 2016, cash withdrawals made around midnight were not registered by the bank; the employee also realized that the flaw had been systematically exploited since its discovery, for almost two years.

According to network security specialists, Qin developed a set of scripts, injected them into Huaxia Bank systems, and was able to exploit the security flaw without raising suspicion. Evidence suggests that Qin Qisheng’s plan succeeded: for more than a year, the software manager systematically performed cash withdrawals of between $700 and $3k USD.

Part of Qin Qisheng’s plan was to use a ‘test’ bank account, used for security analysis at the bank, as the source of the ATM withdrawals. Chinese authorities estimate that the former employee stole more than 7M Yuan (approximately $1M USD).

After more than a year, Huaxia Bank discovered its employee’s fraud; he tried to justify himself by stating that he had done all this as part of “an internal security test plan”. When questioned about the stolen money, the software manager said that the assets were in his own bank account and would be returned to the bank at the end of the system tests.

According to local media reports, Huaxia Bank had decided to accept the employee’s explanation; however, the Chinese authorities did not buy his story and found him guilty of robbery after his arrest in December 2018.

Qin will now have to serve a 10-and-a-half-year prison sentence.

Huaxia Bank asked the Chinese authorities to dismiss the case, as all stolen assets were returned shortly after the incident became known. The police considered this request ‘illegitimate’, so the accused has no choice but to serve his sentence.

According to specialists in network security, skimmers and the exploitation of vulnerabilities and design flaws are not the only methods cybercriminals use to rob ATMs. Recently, a group of researchers discovered a malware variant specially designed to compromise ATMs; this tool is available on some dark web hacker forums. The average price of this kind of malicious software is around $25k USD.
