Schneier on Security
A blog covering security and security technology.
« New Kind of Door Lock |
| Airport Passenger Screening »
March 22, 2006
Australian Bank Fraud
I really wish this article had more details about the crime. Basically, a criminal ring used an authentication failure with fax transmissions to steal (unsuccessfully, as it turned out) $150 million Australian dollars.
Posted on March 22, 2006 at 12:08 PM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Sounds like a movie plot threat to me.
Actually, it seems plausible to me.
I work for a financial information exchange company. Many of our clients are still using fax-based authentication and authorization for multi-million dollar trades. Our job is to convert them from fax-based systems to more efficient systems, and in the process making them more secure.
Day-to-day I find interesting holes in authentication and authorization procedures. Personally, I'm surprised more money isn't stolen this way.
A bank I work with also takes this kind of fax + telephone order as sufficient for execution. Almost regardless of the amount. I just hope the guy that processes these orders remembers my voice well...
Know the process, abuse the process - in oz there seems to be little or no understanding of how authentication (of transactions, people, etc) can be done, when it should be done (and when it shouldnt) and how much/what type of information should be requested or given to effect authentication. Theres a surprisingly large number of "authentication tokens" used by business that prove precisely nothing other than a knowledge of the people or the process.
I wonder if 'to represent oneself' means the same thing in Australian courts as it does in the US? The article mentions that, "Bourchier, who is representing himself, sat alone." I think that not having legal representation in a case this large would be pretty foolish, innocent or not.
I wonder if in this situation it means something like he has severed his case fom the other defendants?
Goes to show that when large amounts of money are at stake, criminals are perfectly prepared to undertake elaborate schemes to get at it. Such schemes are not "movie plot threats" in the sense of being incredible. They may be movie plot threats if JP Morgan focusses on the specific techniques used by this gang, instead of the fundamental problem: its procedure for authenticating large transactions is too weak. In fact it is too weak even for small transactions!
It is remarkable that banks still accept such weak authentication for such large transactions. Notably Nick Leeson, the embezzler who caused the collapse of 233 year old Barings Bank a decade ago, authorised his fraudulent transactions in much the same way. Leeson didn't even bother to fake the CLID on the fax and was eventually caught when someone noticed that a fax allegedly from a client had actually come from Leeson's fax.
Faking fax CLIDs is trivial; it certainly doesn't require a phone company insider to help. Presumably the phone company insider was required because JP Morgan was using some slightly stronger authentication mechanism, such as checking ANIs. However, the prevalence of VoIP systems means that faking ANIs is now also fairly easy, so the phone company insider is not required even for this.
The number of people allegedly involved is rather curious. Eight people have been charged, but most of them seem to have contributed little to the scheme. In fact if I read it right, only Hufnagl (technical knowledge) and Kurland (financial knowledge) were actually required; everyone else either had bit parts, or were involved in bringing the other players together. Both Hufnagl and Kurland seem to have stuffed-up in that what they did was traceable before they got away with the money.
I'm rather curious about Bourchier's role. Police are alleging that he provided inside information on JP Morgan's operations, in the form of documents passed to the "unnamed crime figure" via Petersen. However on the strength of the evidence presented in the SMH article, it seems equally possible that he carelessly lost the documents at Petersen's club where they were found either by Petersen (who then passed them on treacherously), or by an associate of the "unnamed crime figure" who presumably also frequented the club.
[Oh, one small explanatory comment for readers outside Australia, and indeed outside NSW: the RSL is the Returned Services League, an organisation similar to, say, the American Legion. The clubs are generally places where veterans reminisce with old comrades and wash down cheap, wholesome cooking with a few quiet ales. However due to oddities of local law, within the Australian state of New South Wales most inner city RSL clubs are operated as casinos, and most persons present on any given night are either "associate members" with no connection to the military, or "temporary guests" who got in simply by signing a ticket stating that they live more than 5 km away. Mickey Mouse is a frequent "temporary guest".]
@mikeb - "to represent oneself" here in oz means to argue your own case in court, and not have someone with a law degree and wearing a funny wig do it for you.
I agree, it does seem rather, umm, 'brave'.
In Aus there are probably a higher number of people in the know that many other nations, except like every other nation the number is such a low percentage that you really cant differentiate between nations. ie: its the same situation everywhere as a general case.
"A 'Pty Ltd' had been mistakenly added to a personal bank account."
Not quite by accident, I think. If a multimillion $ transcation looked as if it was headed for someone's shopping account, it would probably have been stopped earlier in the process.
To me the odd thing is trying to launder the money through a HongKong floating Casino. Surley they must know of better ways of laundering money than that.
The other mildly odd thing is why the police are only relying on documents that had Mr Bourchier's hand writing on them, they should need a bit more evidence than that, ie tracebale to the money further down the laundering chain. If not you can see the argment Mr Bourchier or his representative are going to put up,
On the balance of probability alone it is quite likley that if Mr Petersen was involved then he would know what Mr Bourchier did for a living (quite likley in some depth, afterall fishing for info from a long term friend is not overly difficult if done over time and a lot of us do it subconciously in the name of "small talk").
Likwise if Mr Petersen had been planning the scam for a while he would just invited Mr Bourchier to dinner on a more frequent basis untill it became a regular event. Based on knowing that he was comming from work Mr Petersen, would fill him up with a few drinks before dinner and when Mr Bourchier goes to the toilet has a quick flick through his brief case for interesting stuff.
If Mr Petersen was carefull Mr Bourchier might well not notice and even if he did just blame careless colleauges (who looks for movie plots when office colleagues are such slouches)
When it come to the actual scam, Mr Petersen probably allready knew that Mr Bourchier is going to be on the desk. You can imagine the conversation over dinner at the club, Mr Petersen says "you going away for Xmas" and Mr Bourchier says "Not as long as I would like I have to work Xmas eve on the desk".
Without other evidence the Police are going to find it difficult to make a case against Mr Bourchier that a halfway smart jury are going to swallow. I guess we will have to wait for the trial proper to see what happens.
@ Rob Mayfield
I work in the Australian banking sector in one of the largest banks.
We *do* understand the authC/authZ issues, process, and audit requirements. Have done for years and years.
On systems where we have been successful at enforcing our policy and mitigating risk, we are world leaders in adopting successful technologies and strategies which prevent fraud. You just don't hear about it because we generally don't speak about our successes.
Unfortunately, the "Business" hates anything which gets in the way of them making money, which they interpret as "annoying" customers with bothersome details like properly identifying themselves. Whereas if we are successful, we prevent them losing money. "We've always done it that way" and seeking exemptions from policy are endemic in every firm I've ever worked at, and I can't see it stopping any time soon. I use articles like this to justify my being a complete hardarse to projects - I wish there were more articles like this.
But back to my main point, the Australian banking and finance industry is at least 2-5 years ahead of the US banking system, and every bit as good if not better compared to the leading Europeans.
Recently, I managed to get myself an E3 visa so I could go work in the US. I looked into migrating my finances to a suitable bank there, and I was surprised at how backward the US banking system is compared to what I have now, particularly from Internet Banking and electronic payments. I'm sure the US will catch up, but not any time soon.
Examples of live systems working today:
SMS based transaction signing for retail customers:
SMS trx signing is cheap and extraordinarily effective. I wish I could tell you how effective it is, but I can't.
To a lesser extent, using tokens for logging on and approvals, Bendigo Bank is making themselves a harder target:
The others in our market are all considering similar schemes and it's only a matter of time before traditionally "trusted" (=untrustworthy) dealing and brokerage services are brought into line as their fraud and losses become more visible as high volume transactional systems essentially become fraud free (or at least extremely hard to target without direct and risky social engineering attacks).
If I was looking to steal a cool $150m, the first thing I would do is start trawling (not trolling!) Schnieirs Blog! Man I get the greatest tips in here .. oops..
Maybe Mr Bourchier cannot afford a lawyer? I suspect this could be the case as they are pretty costly and to get Legail Aid is hard enough.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.