Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security Businesses Networking Programming The Almighty Buck Technology

UK ATM System Could Have Ruined Economy 135

Posted by Zonk from the in-for-a-penny-in-for-a-pound dept.
seanyboy writes "The Register is running the story of how the UK banking system could have collapsed in the early 1990s, how easy it was at the time to withdraw against other people's accounts and the worrying case of a Bank's rogue IT Department." From the article: "What quickly became clear was that the law needed a system to provide proof that events had happened so that legal cases could be made. You might say that 'the computer debited the account', but to a barrister (and more importantly, a judge) that's not enough. Did the computer do it at random? In that case it's like a tree branch falling - an accident. Or did a person program it to do so? In which case the person must be able to testify about the precise circumstances when a debit could happen. Sounds daft, but the law rests on proving each step of an argument irrefutably."
This discussion has been archived. No new comments can be posted.

UK ATM System Could Have Ruined Economy More

UK ATM System Could Have Ruined Economy

Comments Filter:

  • What A Mess (Score:5, Interesting)

    by geomon ( 78680 ) on Friday October 21, 2005 @01:07PM (#13846236) Homepage Journal
    The worst part of the story was that the lawyer couldn't tell anyone about the security problem because he was no longer retained by his original client. I believe that in the US attorneys are obliged to come forward with information related to a criminal nature because they are officers of the court. I don't know if that distiction would have helped in this case, but the fact that the whole system perched precariously on the fact that only a few criminals knew how to bilk the system is disturbing.
    • As I understand it (from my education-by-TV), a defense attorney is only really obliged to come forward when their client is planning a future crime (as opposed to, say, the crime they hired the attorney for to begin with). They can't say "He killed his wife," but they have to say "He's now planning to kill her lover."

    • Not just 1990's bank machines (Score:1, Informative)

      by Anonymous Coward
      Avoid any online payment systems based on "epay". No transaction begin/commit statements, no journal, few authorization checks, cleartext password table, one big table syndrome. It's clear the authors had little knowlege of accounting or database design beyond LAMP for blog/forum sites.
    • Weinberg's Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization. (Gerald M Weinberg)
    • That has changed now with the new money laundering regulations. Now they are required to report such things to the National Criminal Intelligence Service.
  • As long as the situation remains that no one person can take any my money without my money, any number of people in fact, I'm happy.

  • Wasn't so hot in 1987 either (Score:4, Interesting)

    by Anonymous Coward on Friday October 21, 2005 @01:12PM (#13846276)
    I had an account with National Westminster in '87 when I lived in the UK. The ATM's would always let you take cash out no matter how much in the red you already were. (It was my roommate that took advantage of it, not me, honest!)
    • Of course, they would have your account info and know where to go to get you to pay it back, right?
    • Those basards would let you withdrawal money from an already overdrawn account and then charge you a $29 dollar overdraft fee.

    • It's slightly different in the States (Score:1, Informative)

      by Anonymous Coward
      Here, most banks have "bounce protection," which basically means that the ATM will happily let you withdraw $50 when you only have $49.99 in the bank, and then charge you a $30-$50 "fee" for the privelege.

      Personally, I'd rather have the ATM tell me to bugger off.
      • Most all US banks operate this way. They don't check your account when you make a withdrawal or debit card purchase, they just process it and then charge you an overdraft fee for each transaction. Banks like Wells Fargo will even reorder your transactions for your from largest to smallest when they process them, to make sure as many transactions as possible are left to process when you become overdrawn. That way they can maximize the fees. I found this out the hard way and had a long and heated conversation
    • Used it myself a few times when I worked in London in the 80's.

      First of all, it would only work with a Nat West Deposit Account, if you did it with a current account you were screwed as you would get charged.

      Lets say you had a big weekend coming up, you had £100 in your pocket and £100 in the bank. You would go to the bank and deposit £100 in the branch so you had £200 in Nat West. This would flag up on the ATM as you had £200 to withdraw, so you could go and withdraw
    • The ATM's would always let you take cash out no matter how much in the red you already were

      Around the same time ATMs here in Australia would do that if they could not contact the banks central systems. This often happened during night time batch processing.

      I funded a hitch hiking trip around Tasmania in 1987 by making night time withdrawls.

  • What happened to me... (Score:5, Interesting)

    by Karma_fucker_sucker ( 898393 ) on Friday October 21, 2005 @01:14PM (#13846299)
    here in the US.

    I went to withdraw from an ATM. I put the card in, entered my PIN, and selected the amount I wanted - $200.
    The ATM goes nuts and procedes to give me only $160 while debiting my account two transactions: one for $200 and another for $160.
    I call my credit union and I tell them what happened. They tell me to fax a letter stating that I was diputing the $200. I did. They audited the ATM.

    Long story short, the credit union backed out the $200 debit.

    • I had a similar situation in the early 80s when ATMs were still new, except that the ATM debited my account 8 times. They caught that one pretty quickly -- all 8 withdrawals were within a couple of seconds, way too fast for any human to do.
    • My story:
      Beware using an ATM in a thunderstorm. I was at the ATM of a drive-through bank on a rainy Sunday. I stuck my card in and began the transaction just in time for the electricity to blink off and then on again. The ATM blanked out. I sat there and watched as it rebooted (Windows) and stopped at the desktop. I could get no response from the machine and it apparently wasn't giving my card back. No employees at the bank, being a weekend, so I immediately went home and called to cancel the card.
      Is
      • There are some ATMs, such as certain models from Triton, that actually have UPSes built into them to protect against brief power outages.

      • I believe you experienced the failsafe: ATM keeps card, no one gives it back. Similiar thing happens if you enter your PIN incorrectly x times at some ATMs. The ATM keeps the card, and unless the bank has proof of signature for you, they then shred it after they empty the ATM. The bank reissues your card.

        What if the electricity had gone out for much longer? And, upon boot, the machine cleared the cardreader by spitting your ATM card into the street? That'd be worse, methinks.

        --
        Phil
    • About 8 years ago, there was one branch of Wells Fargo locally that had an ATM with issues. That ATM would essentially, every night at 12:28AM, be taken off the network for some kind of maintenance. For 10 minutes, that ATM wasn't connected in any way, and because of some sort of bug, if you withdrew cash, it would never report it to the bank.

      This went on for a year before they fixed it. Anytime I was really low on cash I'd go make a free withdrawal in the middle of the night.

      I still don't know how it wo
      • That sounds absolutely insane.

        I worked for a company who, among other things, serviced ATMs. Although it wasn't 8 years ago, they certainly looked after some of that era (and then some).

        They serviced Diebold, IBM and NCR machines, among others (like those little cash terminals). If the ATM goes offline for "maintenance", the authorised field tech has to call the Bank's NOC and obtain a new 3DES key to punch into the thing.

        And believe me, if there is _ANY_ kind of network problem which prevents the ATM from
    • Earlier this year, I withdrew $100 from an ATM at a Wawa convenience store. The cash was deposited into the tray, but I didn't pick it up right away (was organizing some $1 and $5 bills that were in my pocket).

      After approximately 30 seconds, the ATM sucked/retracted the $100 back into the machine.

      I called my credit union, sent in the dispute form. About a month later, I get a letter stating that my dispute has been denied (by PNC bank, the owner of the ATM).

      Apparently, there was no record of the re

    • Call that Nuts (Score:5, Interesting)

      by slashnik ( 181800 ) on Friday October 21, 2005 @05:25PM (#13848629)
      In the late 80's,

      There was a known fault on some of the ATMS where the "picker" and the "presenter" units could go into a runaway condition.

      This happened on London's Edgeware Road while the shutter (remember them) was open.
      So there we were with the ATM spewing £5's and &10s all over the street as fast as it could pick them.

      A number of passers by collected up the money while another went into the bank to alert the staff.

      Amazingly when the bank balanced the ATM they found that there was no money missing.

      A retrofit was quicly engineered to prevent the presenter motors running when the picker unit was in operation.

       
  • Did anyone else see the headline and 1990's in the link and at first glance think this would be an article about why running an ATM network but using LANE everywhere is bad? Or perhaps how implementing this correctly would have caused bankruptcy because of all the expensive network cards for servers that would have to be purchased?
    • I was actually wondering if this article was about the NERC centre in Swannwick being 6 years late and grossly over budget.

      /You say "Asyncrhonous Transfer Mode" and I say "Air Traffic Management"
    • Could be that too, the entire BT UK ADSL network is still successfully based on ATM as opposed to PPPoE as used in many other countries because of its excellent QoS features.
      • the whole concept of ADSL rests on an ATM infrastructure (even with pppoe, you still have to provide the VPI/VCI for the link), most provider tack a pppoe layer on top of it for, i believe, accounting and authentication.
        • At a risk of going further OT, I must admit that I do find it odd that while many of the latest networking QoS standards are having a hard time being taken seriously (what happened to the Win 2K RSVP implementation in XP?), we are still sticking with the old ATM infrastructure for ADSL.. I assume because the telco industry invested so much in it?
        • whereas here in the uk they tend to use PPPoA which gives a slightly lower overhead and more importantly allows a higher MTU meaning you run into less problems caused by that horrible combination known of as path mtu discovery and badly configured firewalls.

  • Related articles (Score:2, Insightful)

    by Barkley44 ( 919010 )
    Seems like this article and http://it.slashdot.org/article.pl?sid=05/10/21/135 204&tid=172&tid=156 [slashdot.org] are related - getting to market is more important than making sure it's 100% secure.
    • And as long as the perfect continues to be the enemy of the good, situations like this will continue to arise as a natural side effect of human endeavors. In the event, the UK banking system and economy survived more or less intact, so by good fortune if nothing else the solution was "good enough", though clearly not perfect.

  • record audit standards (Score:3, Interesting)

    by 5n3ak3rp1mp ( 305814 ) on Friday October 21, 2005 @01:17PM (#13846326) Homepage
    Could someone post some techniques to record changes to database records that don't involve a lot of overhead yet allow one to revisit any prior state of the data?

    I suppose this sort of duplicates the functions of a transaction log but I don't know if a transaction log is queryable.

    The reason why I ask is that I suppose it might have been useful in this case (as long as the law enforces audit logging)
    • It's called a Journal. You'll find it in any first semester accounting [wikipedia.org] textbook.
      • For a bank, you have 3 main tables:

        accounts describes all the accounts

        create table accounts (
        id serial not null primary key,
        owner int references customer,
        type int references accounttype,
        ballance numeric(18,2)
        );

        JournalEntries shows the date, time, type, who, etc of each transaction

        create table JournalEntries (
        id serial not null primary key,
        when timestamp not null default now(),
        ttype int not null references transactiontypes,
        whodid int not null references users
        );
        revoke update, delete fr

    • Re:record audit standards (Score:1, Insightful)

      by Anonymous Coward
      I was always interested in the Prevayler [prevayler.org] methodology. The concept is that the database is one big transaction log, with occasional full rewrites to speed up restarts. It's a neat idea, and seems to work rather well in practice. (Though the API is unnecessarily PAINFUL.)

      Traditionally, however, a classic database is mated with a transaction log. The transaction log can be rerun to get the state of the database at any point in time. That way if the database is modified or goes kaput, the transaction log can be
    • Could someone post some techniques to record changes to database records that don't involve a lot of overhead yet allow one to revisit any prior state of the data? I suppose this sort of duplicates the functions of a transaction log but I don't know if a transaction log is queryable.

      The easiest technique is to buy a database with a queryable transaction log.

      The second easiest technique is create a table that contains all prior states of the data plus timestamps, and create a view that contains the current
    • Another (somewhat naive) technique consist on never deleting anything physically, only logically.

      Basically you have:
      - a version number added to each primary key
      - a sequence to generate a new version number for each transaction
      - and a status for deletable objects.

      When you want to delete, you insert a new row with status deleted.

      All your queries find the max version number, and filter out deleted records (unless you are searching for old information).

      A process may periodically move old records to an archiving

    • You need to check out products from SenSage Inc. They specialize in collecting log data from all levels of the network and consolidating it in a central log repository, queryable by SQL. This is the best technology for recording legal audit trails of electronic networks, and is a big deal for forensics, compliance, ...

      Sensage [sensage.com]

  • Meanwhile, the paranoid old guy (Score:5, Funny)

    by Recovering Hater ( 833107 ) on Friday October 21, 2005 @01:20PM (#13846348)
    lifts up his mattress and whispers to his stash of crumpled bills that he knew they were safe all along and the youngsters just don't know! They JUST DON'T KNOW!

  • And they think worries about... (Score:4, Insightful)

    by Safe Sex Goddess ( 910415 ) on Friday October 21, 2005 @01:21PM (#13846355) Homepage Journal
    And the politicians think worries about electronic voting machine fraud is just a bunch of conspiracy nuts.

    It would be a sad thing if we've already lost our democracy.

    • In the US you have never had democracy to lose!

      Lack of proportional voting, Electoral college, Two party system etc etc etc

      Myself, I want all public positions decided by lotto. Pull the SSN out of a hat, Ms. Brown welcome to the white house.

      This way the government is a true representation of the country as a whole not some old rich wasp guy clique.

  • Computers? (Score:5, Funny)

    by Hogwash McFly ( 678207 ) on Friday October 21, 2005 @01:21PM (#13846363)
    Computers? Pah! Everyone knows that back in those days it was a midget with a box of money, trained to make BEEP! BEEP! noises.
    • *SNIFF*!! You smell like the inside of my mama's purse!
    • Indeed. Many years ago I approached an Allied Irish Bank ATM in Dublin behind a seemingly confused old lady who was waiting for the ATM to do something. Suddenly her card was ejected with force and a voice from inside said

      I SAID FUCK OFF!!

  • In industrialized Britain... (Score:4, Funny)

    by cached ( 801963 ) on Friday October 21, 2005 @01:27PM (#13846398)
    banks rob YOU!

  • How much should you believe this? (Score:3, Interesting)

    by Mugs ( 551377 ) on Friday October 21, 2005 @01:28PM (#13846403)
    The article has a number of strange assertions. First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system. Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call. Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account? He only needs one known PIN and the corresponding card to be able to write as many cards as he likes. I'm sure there's some truth in the story but the technical detail is unconvincing.
    • Yeah, I agree with you -- I had to read the story twice and I still didn't understand it properly. It contradicts itself, and sometimes just reads like hyped up garbage. There's a link at the bottom of the original article that probably makes more sense. I'm gonna read it now.

      This is typical of the Register's technical reporting btw, they often fuck up the retelling.

      - Oisin
    • You're reading it like he was talking about one group of people. He was referring to several problems/crimes performed by many different groups. Bank insiders put the PIN hack in, common street criminals shoulder surfed etc.
    • You're talking about the standard forms of PIN storage and handling. They've been standard (at least in the US) for a long time. I worked for a place that wrote software that had to use secure PIN pads for debit, and I don't remember anything about the PIN being on the card. The decision of whether the PIN was correct or not was entirely the responsibility of the other side of the network. All the customer side had to do was encrypt it for transport before it left the PIN pad, and the PIN pad would have

    • First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system.

      This is what the article indicates, it was the people working with the PIN production system rigged it to do this

      Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call.

      The account number did not feature in this case, thus simply changing the account number on the card was sufficent, the original PIN would still work

      Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account?

      This is what the guy used to do originally, then he discovered the account number rewriting trick

      The article is not that well writen, it took me 2 1/2 reads of the article to actually establish all of the above. what I want to know is, who is "rogue Bank" and are they the same one I bank with

      • what I want to know is, who is "rogue Bank" and are they the same one I bank with

        Well, after that Hack, Rogue Bank's CEO Frank ADOM resigned. The bank went belly-up and was bought out by Angbank, a subsidiary of Moria Holding.
      • The fact that Kelman's capitalization is specifically mentioned: Rogue Bank may provide a clue. Or maybe not.
        • As a long-time Reg fan (from last century in fact!) and having lived round the corner from their first office and drunk very near their new(er) offices many times - tho' not knowingly in their company, more's the pity - I reckon I can be confident that they've mentioned the capitalisation believing it to be significant. Recall that they say that they (the Reg hacks) know which bank it was.

          There were four main British clearing banks operating at the time:

          • National Westminster
          • The Midland / HSBC Bank (they

  • Not new actually... (Score:5, Interesting)

    by Spy der Mann ( 805235 ) <spydermann.slash ... com minus distro> on Friday October 21, 2005 @01:29PM (#13846410) Homepage Journal
    computers have been a synonym for organized fraud in other places.

    In Mexico, in the 1988 elections, the opposition candidate was winning by a large margin according to the official data. Then suddenly, "the system crashed", and when it came up, the official party was winning by a large margin.

    This event was called "La caida del sistema de 1988" [google.com], and makes me think that there's nothing new under the sun (Diebold voting machines, anyone?).

    The lesson is clear: Regarding data and computers, if someone can do something wrong, he WILL. So auditing is a must.
    • hmm, wasnt mexico a one party dictatorship until the last few years? i doubt those elections would have mattered
      • The opposition parties always existed. First was Accion Nacional since around the 40's, and in 1988 the "Partido de la Revolucion Democratica" (PRD) was born. This was the party that promoted Cuauhtemoc Cardenas for president. The point was that the official party used voting fraud to legitimize their dictatorship and pretend there was a democracy after all. But I'm going off-topic, so I'll shut up now.
      • They matter as good as any election. Either you make sure "they" dont win, or you make sure you rule whoever wins. Who cares if the muppets has a doneky or an elephant as logo as long as you are the muppeteer.

  • Sounds like 2 issues here (Score:4, Insightful)

    by TykeClone ( 668449 ) * <TykeClone@gmail.com> on Friday October 21, 2005 @01:37PM (#13846481) Homepage Journal
    1 - If something undermines trust in the banking system (in any country), the economy can quickly go to hell in a handbasket.

    2 - The UK didn't have something similar to Reg E in the United States regulating "electronic" banking (in the US, that would include ACH items, wire transfers, and ATM/debit card transactions). And apparently, the UK doesn't have the banking regulatory structure to add such regulations as necessary without passing new laws.

    If anyone is interested, here is Reg E in all of its glory. [gpoaccess.gov]

  • Another 1990s ATM exploit (Score:4, Interesting)

    by mu-sly ( 632550 ) on Friday October 21, 2005 @01:39PM (#13846489) Homepage Journal
    My dad, who used to work for a well-known UK building society, told me a story sometime in the early 1990s of how there had been some buggy code on all their ATMs. When making a withdrawl, the machine would issue the cash and wait around a minute. If you hadn't taken the cash by then, it assumed you were still waiting for the cash to be dispensed and would issue it again, possibly even several times over if you kept waiting and waiting. Apparently it took the company quite some time to discover this bug.

    I'm reasonable sure the story is completely true, although since my dad isn't around anymore, I can't ask him about it.
    • a friend who works with a bank informs me that even now on some machines you can ask for £60, and only take out the middle note. when the machine takes back thr remaining £40 then if the other notes are not disturbed it has then no way of knowing that you have taken some of the money. but at the end of the day nothing will ever be totally secure; someone can always pinch your wallet when you're not looking.
    • Similar to this, I remember a bug that was discovered in several ATMs in Germany: if you had not taken after x minutes, the ATM would pull it back in and the charge to your account would be canceled. If you simply held on to the money, the ATM would go through the motions, you got to keep the money and the charge was still canceled.
    • Another similar situation, my economics prof told the class of an ATM which would spit out the cash before ejecting your card, and if the card couldn't be ejected (perhaps because you had your thumb over the slot), the machine would assume that there had been a problem and would reverse the transaction.

      I've noticed that the ATMs I use most frequently eject the card before handing out the cash.
      • I've noticed that the ATMs I use most frequently eject the card before handing out the cash

        This is good practice on another level.
        You go to the machine to get cash.
        If you get your cash first you are more likely to leave without your card.

  • TFA is absurd on its face. Who would believe this story? There are no facts, just faulty logic.

    Whats the name of the "rogue bank"?

    He was trying to charge £1,750 per hour? Now he's going to court to try to collect fees that where not paid?

    Nice try, but advice to the authors of the register dot com: if you are going to make up a story, try to make it sound believable.

    --Barry
  • Lawyer. What's happening? We need to talk about your TPS ATM reports.

    Bank: Yeah. The withdralws errr coversheet. I know, I know. I'm uh...working on the ATM errors right now.

    Lawyer: Yeah. So if you could just remember to do make sure the customer only withdralws his own money from now on, that'd be great.

  • Why Cryptosystems Fail (Score:3, Informative)

    by sharp-bang ( 311928 ) <sharp@bang@slashdot.gmail@com> on Friday October 21, 2005 @01:51PM (#13846614) Homepage
    If you liked this article and are interested in some technical background, you might also like Ross Anderson's essay: Why Cryptosystems Fail [cam.ac.uk], which discusses some of the poor engineering that contributed to this situation.

  • A German friend of mine had phamtom debits (Score:3, Interesting)

    by NigelJohnstone ( 242811 ) on Friday October 21, 2005 @02:05PM (#13846728)
    This was about 1999 or 2000. He was in Germany, his ATM card was in Germany with him, his account was being debitted from ATMs in Thailand, 10 Euros or so a time. The bank refused to return the money (about 80 euros in total?) until he hired a solicitor, then they settled immediately.

    So I think there are newer cases than 1992 that this comes from.

  • There are several holes in the U.S. banking system, most notable of which is the demand draft.

    But banks would prefer secrecy and bad legislation to contain their screw ups.

  • EFT vulnerability (Score:4, Interesting)

    by jonniesmokes ( 323978 ) on Friday October 21, 2005 @02:25PM (#13846875)
    Related to this is the completely insecure EFT system in the US. One time, just to see if I could, I typed my friends routing number and checking account number into my online credit card website. She had given me a check, and so I wasn't stealing from her. I was just debiting the funds from her checking account in a slightly different way. The credit card online website had no trouble taking the money out of her account and crediting it to my account.

    But this story gets better. I went on a trip and didn't see my friend for a few weeks. She noticed the debit in her checking account and at first thought it was something fishy. She called her bank and they told her the name of the credit card company and said that she'd have to call the credit card company to find out more. She called the CC company and they couldn't help her even though they had taken her money. After a couple weeks, she made the connection that it was probably me, sent me an email and I confirmed it. She had a father who went to jail for banking fraud and wasn't freaked out by things like this.

    But the point is, that there's no security on EFT transfers, or for that matter checks. I could print up a check if I know the routing and account numbers and just cash it at one of those check cashing places... I can't believe that our system hasn't collapsed yet.
    • One time, just to see if I could, I typed my friends routing number and checking account number into my online credit card website. She had given me a check, and so I wasn't stealing from her.

      Yes, you were. At the very least, that was an unauthorized electronic funds transfer - a wire fraud. Just because she had given you a check, doesn't mean that you can convert it to an ACH item (which is what you did in this case) without her explicit authorization.

      • Regardless of what law might or might not have been broken. This should not be so easy. I was appalled that there was no check of even a name match or similarity. Some banks do EFT validation like the way Paypal does with those little deposits amounts that you have to go check and report back to Paypal. But so many online services just initiate EFTs without any checking whatsoever. Its a system ripe for abuse. And the fact that I wasn't even aware that what I did was against the law is even worse. Th

        • Re:EFT vulnerability (Score:3, Informative)

          by TykeClone ( 668449 ) *
          Currently, assuming consumers look at their statements, the only losers will be banks. Reg E gives consumers a great number of rights for their money back if an unauthorized transaction is reported within 60 days of it showing up on a statement. But it is up to the consumer to look at their statements and to report bad transactions.

          Online services are not banks (unless they are banks, but that's different). If I'm at some website and want to pay via "e-check", the company doesn't have incentive to vali

    • For a month last summer, I made cash by printing ", INC." at the end of my name on my checks and writing them out in large amounts to myself.

      My bank never noticed until I told them and turned myself in.

    • Re:EFT vulnerability (Score:1, Informative)

      by Anonymous Coward
      It is quite disturbing - the only security you have is to keep your account number (or at least the account/routing number pair) as private as you do your SSN. If anyone gets hold of this pair of numbers, you're done for (as your example shows).
  • A 'friend of mine' used to get free money out of ATMs in the late 80's by using the simple method of a piece of stickytape. you go to the ATM and draw out £5, on those old machines and when the gate opened you had time to stick a peice of tape across the dispensing rollers. You then hang around like surly teenagers while people fail to draw money out - after 5 people have done this you go back and withdraw another £5, when the gate opens you use a pair of tweezers to rip off the tape and clai
    • What happens when five people complain
      The journal roll is checked and the five failed transactions are found to occur between two of your transactions.
      I don't think you have to try this too many times before they are onto you

      • Re:free money from ATMs (Score:2, Interesting)

        by FLEB ( 312391 )
        I was going to say:

        But, if you replace the tape, and take only some of the money (an amount completely unrelated to either of your deposits), and lodge a complaint as well, I imagine you could get away with it.

        Then I realized, that you'd still leave a trail. What dumbass uses a broken ATM twice at two different times?

        Perhaps if you had use of someone else's card to make the final "withdrawal".

  • The Briths economy is already fucked, and has been for some time.

    Of course, sixteen years of economic incompetence will do that to a country, especially when eight of them are under Marxist government... currently shifting to a despotic Marxist government.

    God save the fucking Queen. Nobody else can.

  • I heard Abbey National had some weird stuff with their cards. Apparently people were using binoculars from across the street to get the account details from the card... I also heard that Barclays had phantom withdraws from the Abbey National network...

    But I don't really know.

    Anyone?

  • It was quite fun to watch. The TV company had copied one ATM card and distributed it to guys across the country. At a given point in time, everyone withdrew all the funds simultaneously - and everyone got the money in the account (which was just up to the withdrawal limit).

    Before you ask, they weren't silly. They had (if I recall correctly) the whole thing audited and monitored by both a lawyer and the police.

    The evil bit was that they had scheduled interviews with major bank directors the next day and t
  • In Belgium, there recently was a problem where ATMs would crash when the digit 7 was entered. Kind of nasty if that's part of your PIN...

    In Taiwan, machines can be used not only to withdraw money, but also to transfer it. This is used for scams where people are told they won some amount of money, they just need to enter their PIN to get it transferred to their account...

Slashdot Top Deals

Garbage In -- Gospel Out.

Close