
What a world we live in.
People dumb enough to get their faces tattooed are smart enough to find loopholes in online banking systems.
A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months. Unemployed James Ejankowski, 24, of Bridlington, squandered his ill-gotten gains by splurging on a BMW and a Range Rover, and getting his face tattooed (as shown in a story in the Teeside Evening Gazette here). …
Considering he discovered it accidentally by trying to transfer more money out of his account than he actually had, "smart" isn't the word I'd use. It's a shame El Reg echoed the claim that he's a "hacker" — that sets the bar so low that script kiddies look like evil geniuses by comparison.
As the story reads, £34k was recovered, leaving losses approaching £100k.
THAT, unfortunately, is the state of British arithmetic today.
Damn shame that that financial "genius" Gordon Clown Brown didn't discover the loophole circa 2008.
Not to mention the massive "theft" (except it was by government decree) of huge chunks of private pensions from 1997 onwards.
"Citation please?"
This was just the first one out of Google. There are plenty more, I could have gone with breaking someone's jaw and getting a £70 fine.
http://www.tenby-today.co.uk/article.cfm?id=110799&headline=Suspended%20jail%20sentence%20for%20Pembroke%20Dock%20man%20who%20admitted%20GBH%20charge&sectionIs=news&searchyear=2017
Call me old fashioned, but don't ALL databases work on the principles of ACID (Atomicity, Consistency, Isolation, Durability) precisely to prevent this sort of thing happening?
Or is the bank using one of those newfangled millennial-age database engines that fart fairy dust?
> but don't ALL databases work on the principles of ACID
Short answer: no.
1. ACID adds significant performance overheads. At sufficient scale this is too much. Hence "eventually consistent" systems. And, of course, some systems just don't need ACID (e.g. all you are doing is adding data – no updates or deletes – with naturally unique identifiers).
2. Do not assume that two accounts, even in the same institution, will all be on one database (mergers often leave "duplicate" systems for years). Since the systems have to handle moving money between different institutions anyway, do all transfers like that (this usually involves holding accounts and messaging systems with reconciliation processes) to avoid having multiple code paths to test.
(And in case anyone is thinking "distributed transaction": allowing other institutions to hold locks in your systems is a DDOS waiting to happen.)
Based on the redness, I think the bowtie on his cheek is probably the new one... Then again, I admit that I'm distracted enough by the stupid haircut** & cloud of pubic hair under his jaw that I might be overlooking something.
**Kids: just wait a decade and you'll be snickering as much as my generation has at the crimped hair, bulletproof bangs, mullets, and rat-tails popular when we were growing up.
..when he realised he was going to end up in jail and turned himself in?
I mean, it's the only reason I can think of getting a face tattoo, at least they'll leave him alone inside now as no one wants to have to look at that even if you are making them your bitch...
The bank got away very lightly. This could easily have been millions lost with no recovery if he'd sold the exploit to organised criminals.
They would have opened dozens of accounts and shifted all the money off shore and out of reach leaving a few mules (paid just to open an account and hand over the passwords) to take the blame.
"Ejankowski had reportedly discovered that if he used software to transfer notional funds between his current account and his savings account between midnight and 1:00am in the morning, the transaction would go through even though he didn't have adequate funds and without prompt reconciliation."
It would be interesting to know what software platform was involved and the nature of the bug that disabled balance checking between midnight and 1:00am.
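A toy model of the failure the quoted story describes, plus the reconciliation step the earlier comment mentions as part of inter-bank transfers, as an added example that is not from the thread or from any bank's code: a funds check bypassed during a nightly batch hour, the same transfer with a time-independent check, and a posting replay that flags the overdraft. The batch hour, account names and balances are constructed assumptions; the real root cause is not known from the page.

```python
from datetime import datetime

class Ledger:
    """Constructed toy ledger: balances plus an append-only posting log."""
    def __init__(self, opening):
        self.opening = dict(opening)
        self.balances = dict(opening)
        self.postings = []

    def _post(self, src, dst, amount, when):
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.postings.append((when, src, dst, amount))
        return True

    def transfer_windowed(self, src, dst, amount, when):
        # Weak pattern (my reading of the quoted story, not a confirmed root cause): the funds
        # check is skipped in the nightly batch hour, so a 00:30 overdraft posts unflagged.
        in_batch_window = when.hour == 0
        if not in_batch_window and self.balances[src] < amount:
            return False
        return self._post(src, dst, amount, when)

    def transfer_checked(self, src, dst, amount, when):
        # Hardened: check and debit are one guarded step with no time-of-day exception (in SQL,
        # UPDATE ... SET balance = balance - :amt WHERE id = :src AND balance >= :amt, else roll back).
        if amount <= 0 or self.balances[src] < amount:
            return False
        return self._post(src, dst, amount, when)

def reconcile(opening, postings):
    """Detection: replay the postings from opening balances and report each posting that
    took an account below zero; this is the prompt reconciliation the story says was absent."""
    bal = dict(opening)
    findings = []
    for when, src, dst, amount in postings:
        bal[src] -= amount
        bal[dst] += amount
        if bal[src] < 0:
            findings.append((when.isoformat(), src, bal[src]))
    return findings

def demo():
    opening = {"current": 100, "savings": 0}  # constructed balances, in pounds
    weak, hardened = Ledger(opening), Ledger(opening)
    night, noon = datetime(2017, 1, 1, 0, 30), datetime(2017, 1, 1, 12, 0)
    night_ok = weak.transfer_windowed("current", "savings", 500, night)  # goes through
    noon_ok = weak.transfer_windowed("current", "savings", 500, noon)    # refused
    fixed_ok = hardened.transfer_checked("current", "savings", 500, night)
    return night_ok, noon_ok, fixed_ok, weak.balances["current"], reconcile(opening, weak.postings)
```

Running `demo()` shows the weak ledger accepting the 00:30 overdraft and refusing the identical transfer at noon, while the replay surfaces the negative balance the moment it is run.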
Having worked on online banking for NAG, I hope they take the 100k from the total cowboy* consultancy they had working on this.
* CB and YB use the same backends, accounts and processing, but somehow the YB online bank was 3 months ahead in development?!? Everyone looked like I'd taken a dunno on the table when I brought this up in a meeting. Quit after only 4 weeks there.