Aftermath... The Knuth Perspective | Stealing the Network. How to Own a Continent

Aftermath The Knuth Perspective

I m in the cage, preparing a list of source accounts that have to be distributed to the right people. It s somewhat surprising, even to me, just how many places there are that you can suck money out of. Did you know that all it takes to suck money out of your checking account is a routing number, account number, and sometimes a check number? No permission from you required at all.

You ve got no recourse, either. If the bank decides that you were at fault at all for the loss, then your money is gone. There is no guarantee of any kind, no insurance, it s just gone. The bank won t investigate. They just don t want to know .

I ve got no interest in tracking ten thousand checking accounts, though. I m after big game. Companies. Banks. Financial institutions. I d rather pull a couple dozen sizable jobs.

I ve got the same personnel problems that anyone else does. It takes many people for me to pull off one job. There are managers, workers, maintenance people, and contractors. These cost me money. They cost me attention . The worst thing you can do as part of my team is to be a problem child, to cost me time. People like that don t last long in my organization. Fortunately, I m good at interviewing, and I rarely have to fire anyone.

One way to get money out of a company is to get all the information that they would use to authorize a transaction. If they can send their money, then so can I. To be sure, there are limits, there are checks and balances . Those only help you if I don t know what they are. Your burglar alarm doesn t help you if I know it s there and I know how to shut it off.

My biggest wins will be from the financial institutions themselves . Unlike most of my work, I ve decided to take a personal interest in a handful of transactions. A talented individual has granted me the keys to some important banking systems. Via this access and a little research, I ll be able to facilitate a number of lucrative transactions.

Not that I have any reason to implicitly trust this individual, of course. Yes, I have him watched, but detection would be too late. If he decides to play games or share, we would have a problem. Hopefully, he s smart enough to stay scared. Still, the numbers are with me. I can get by with just a portion of the systems he has captured. I have had some software developed that will tell me when the access has been used as well. When I come in the back door, I ll know if it has been opened since I was there last.

Naturally, I will take the utmost care that these connections are not traceable back to me. In fact, should someone care to check after the fact, there will be every indication that the connections came from another financial institution.

Not all of the systems I own are for direct exploitation. Some are there to be a hop, to be the first IP address in the logs of my victims. The hop bank will have no way to trace back to me. The victim bank will see the attack came from the hop bank.

That should make for some interesting decisions. Do they report the rogue bank? What do they do about the otherwise normal daily exchanges with that bank, now? Do the banks try to report the losses as errors, maybe make an insurance claim?

Hopefully, the questions will be interesting enough to make things take a couple of days longer.