==Phrack Inc.== Volume Three, Issue 29, File #7 of 12 The Legion of Doom! EFT Division Presents HOW WE GOT RICH THROUGH ELECTRONIC FUND TRANSFERS (OR: GEE! NO, GTE!) A certain number of financial institutions that reside within the packet-switched confines of the various X.25 networks use their connections to transfer funds from one account to another, one mutual fund to another, one stock to another, one bank to another, etc... It is conceivable that if one could intercept these transactions and divert them into another account, they would be transferred (and could be withdrawn) before the computer error was noticed. Thus, with greed in our hearts, an associate and I set forth to test this theory and conquer the international banking world. We chose CitiCorp as our victim. This multinational had two address prefixes of its own on Telenet (223 & 224). Starting with those two prefixes, my associate and I began to sequentially try every possible address. We continued through 1000 in increments of one, then A-Z, then 1000-10000 by 10's, and finally 10000-99999 by 100's. Needless to say, many addresses were probably skipped over in our haste to find valid ones, but many we passed over were most likely duplicate terminals that we had already encountered. For the next few days my associate and I went over the addresses we had found, comparing and exchanging information, and going back to the addresses that had shown 'NOT OPERATING,' 'REMOTE PROCEDURE ERROR,' and 'REJECTING.' We had discovered many of the same types of systems, mostly VAX/VMS's and Primes. We managed to get into eight of the VAXen and then went forth on the CitiCorp DECNET, discovering many more. We entered several GS1 gateways and Decservers and found that there were also links leading to systems belonging to other financial institutions such as Dai-Ichi Kangyo Bank New York and Chase Manhattan. We also found hundreds of addresses to TWX machines and many in-house bank terminals (most of which were 'BUSY' during banking hours, and 'NOT OPERATING' during off hours). In fact, the only way we knew that these were bank terminals was that an operator happened to be idle just as I connected with her terminal (almost like the Whoopie Goldberg movie, "Jumpin' Jack Flash," not quite as glamorous ...yet.) Many of the computers we eventually did penetrate kept alluding to the electronic fund transfer in scripts, files, and personal mail. One of the TOPS-20 machines we found even had an account EFTMKTG.EFT, (password EFTEFT)! All the traces pointed to a terminal (or series of terminals) that did nothing but transfer funds. We decided that this was the case and decided to concentrate our efforts on addresses that allowed us to CONNECT periodically but did not respond. After another week of concentrated effort, we managed to sort through these. Many were just terminals that had been down or malfunctioning, but there were five left that we still had no idea of their function. My associate said that we might be able to monitor data transmissions on the addresses if we could get into the debug port. With this idea in mind, we set out trying sub-addresses from .00 to .99 on the mystery addresses. Four of the five had their debug ports at the default location (.99). The fifth was located 23 away from the default. That intrigued us, so we put the others aside and concentrated on the fifth. Although its location was moved, a default password was still intact, and we entered surreptitiously. The system was menu driven with several options available. One option, Administrative Functions, put us into a UNIX shell with root privilege. After an hour or so of nosing around, we found a directory that held the Telenet Debug Tools package (which I had previously thought existed solely for Prime computers). Using TDT, we were able to divert all data (incoming and outgoing) into a file so we could later read and analyze it. We named the file ".trans" and placed it in a directory named ".. ", (dot, dot, space, space) so it would remain hidden. This was accomplished fairly late on a Sunday night. After logging off, we opened a case of Coors Light and spent the rest of the night (and part of the morning!) theorizing about what we might see tomorrow night (and getting rather drunk). At approximately 9:00 p.m. the following evening, we met again and logged onto the system to view the capture file, hoping to find something useful. We didn't have to look very far! The first transmission was just what we had been dreaming about all along. The computer we were monitoring initiated by connecting with a similar computer at another institution, waited for a particular control sequence to be sent, and then transferred a long sequence of numbers and letters. We captured about 170 different transactions on the first day and several hundred more in the following week. After one business week, we removed the file and directory, killed the TDT routine, and went through the system removing all traces that we had been there. We felt that we had enough to start piecing together what it all meant, so we uploaded our findings to the LOD HP-3000 (ARMA) in Turkey. This way we could both have access to the data, but keep it off our home systems. We didn't bother to tell any of the other LOD members about our doings, as most had retired, been busted, or were suspected of turning information over to the Secret Service. Using this as a base, we analyzed the findings, sorted them, looked for strings being sent, etc. We came to the conclusion that the transmissions were being sent in the following way: XXXXXXXXXXXXTCxxxxxxxxxxxx/NNNNNNNNNNNNCnnnnnnnnnnnnAMzzzzzzz.zzOP# X=Originating Bank ID T=Transfer (Also could be R(ecieve), I(nquire)) C=Type of account (Checking--Also S(avings) I(RA) M(oney Market) T(rust) W(Other wire transfer ie. Credit Transfer, etc.)) x=Originating Account Number /=Slash to divide string N=Destination Bank ID C=Type of account (See above) n=Destination Account Number AMzzzzzzz.zz=Amount followed by dollar and cents amount OP#=operator number supervising transaction After this string of information was sent, the destination bank would then echo back the transaction and, in ten seconds, unless a CONTROL-X was sent, would send "TRANSACTION COMPLETED" followed by the Destination Bank ID. We now needed to check out our theory about the Bank ID's, which I figured were the Federal Reserve number for the Bank. Every bank in America that deals with the Federal Reserve System has such a number assigned to it (as do several European Banks). I called up CitiBank and inquired about their Federal Reserve Number. It was the number being sent by the computer. With this information, we were ready to start. I consulted an accountant friend of mine for information on Swiss or Bahamanian bank accounts. He laughed and said that a $50,000 initial deposit was required to get a numbered account at most major Swiss banks. I told him to obtain the forms necessary to start the ball rolling and I'd wire the money over to the bank as soon as I was told my account number. This shook him up considerably, but he knew me well enough not to ask for details. He did, however, remind me of his $1000 consulting fee. A few days later he showed up at my townhouse with an account number, several transaction slips and paperwork. Knowing that I was up to something shady, he had used one of his own false identities to set up the account. He also raised his "fee" to $6500 (which was, amazingly enough, the amount he owed on his wife's BMW). My associate and I then flew to Oklahoma City to visit the hall of records to get new birth certificates. With these, we obtained new State ID's and Social Security Numbers. The next step was to set up bank accounts of our own. My associate took off to Houston and I went to Dallas. We each opened new commercial accounts at three different banks as LOD Inc. with $1000 cash. Early the next day, armed with one Swiss and six American accounts, we began our attack. We rigged the CitiCorp computer to direct all of its data flow to a local Telenet node, high up in the hunt series. Amazingly, it still allowed for connections from non-909/910 nodes. We took turns sitting on the node, collecting the transmissions and returning the correct acknowledgments. By 12:30 we had $184,300 in electronic funds in "Limbo." Next we turned off the data "forwarding" on the CitiCorp computer and took control of the host computer itself through the debug port to distribute the funds. Using its data lines, we sent all the transactions, altering the intended bank destinations, to our Swiss account. After I got the confirmation from the Swiss bank I immediately filled out six withdrawal forms and faxed them to the New York branch of the Swiss bank along with instructions on where the funds should be distributed. I told the bank to send $7333 to each of our six accounts (this amount being small enough not to set off Federal alarms). I did this for three consecutive days, leaving our Swiss account with $52,000. I signed a final withdrawal slip and gave it to my accountant friend. Over the next week we withdrew the $22,000 from each of our Dallas and Houston banks in lots of $5000 per day, leaving $1000 in each account when we were through. We were now $66,000 apiece richer. It will be interesting to see how the CitiCorp Internal Fraud Auditors and the Treasury Department sort this out. There are no traces of the diversion, it just seems to have happened. CitiBank has printed proof that the funds were sent to the correct banks, and the correct banks acknowledgment on the same printout. The correct destination banks, however, have no record of the transaction. There is record of CitiBank sending funds to our Swiss account, but only the Swiss have those records. Since we were controlling the host when the transactions were sent, there were no printouts on the sending side. Since we were not actually at a terminal connected to one of their line printers, no one should figure out to start contacting Swiss banks, and since CitiBank does this sort of thing daily with large European banks, they will be all twisted and confused by the time they find ours. Should they even get to our bank, they will then have to start the long and tedious process of extracting information from the Swiss. Then if they get the Swiss to cooperate, they will have a dead-end with the account, since it was set up under the guise of a non-entity. The accounts in Dallas and Houston were also in fake names with fake Social Security Numbers; we even changed our appearances and handwriting styles at each bank. I'm glad I'm not the one who will have the job of tracking me down, or even trying to muster up proof of what happened. Now we won't have to worry about disposable income for awhile. I can finish college without working and still live in relative luxury. It's kind of weird having over six-hundred $100 bills in a drawer, though. Too bad we can't earn any interest on it! ** Since the events described transpired, CitiBank has made their Banking Transaction Ports all refuse collect connections. Even by connecting with an NUI they now respond "<<ENTER PASSWORD>>". C'est La Vie. >--------=====END=====--------<