How I 'Stole' $14 Million From a Bank: A Security Tester's Tale

Bank receipt
Security Compass
By Steve Hargreaves

In early 2010, Nish Bhalla sat down at his computer with one objective: steal a huge amount of money from a bank.

It wasn't a typical heist. Bhalla is the chief executive of Security Compass, a company that tests security systems at banks, retailers, energy companies and other organizations with sensitive data. His clients -- including the bank branch in the United States that he targeted in his 2010 attack -- pay him to break into their systems.

It can be easier than most people think. The alleged thieves who made headlines last week for their $45 million bank heist used a similar type of attack that "created" money out of nowhere.

Bhalla talked CNNMoney through his caper. Here, in four easy steps, is how he made himself into a millionaire.

Step one, get access. Bhalla had one big advantage on actual thieves: His client gave him access to the bank's internal network. For real-world crooks, there are some surprisingly easy ways to get in.

It's possible, Bhalla said, to gain access in some places simply by logging on to the bank's wireless network -- an amenity more and more banks are providing as a service to customers. Once you're on the bank's Wi-Fi, the internal and external networks are frequently not segregated enough. It can be possible to fool the bank's other computers into thinking that your computer is a bank computer, a process known as "arp spoofing."

Another on-ramp: Someone posing as a janitor could insert a thumb drive into a teller's system and reboot it using a new operating system, which would enable them to access the hard drive of the teller's system. From there, user names and passwords are often readable.

Because he could simply log straight into his client's network, Bhalla and his assistantsskipped the "get physical access" step and dove straight into finding the money.

Step two, start exploring. Bhalla used "sniffer" software, available online for free, to map out which of the bank's systems were connected to each other.

Then he "flooded" switches -- small boxes that direct data traffic -- to overwhelm the bank's internal network with data. That kind of attack turns the switch into a "hub" that broadcasts data out indiscriminately.

The machines that the tellers use quickly became Bhalla's prime target. Again, the sniffer software was deployed to look for login information and passwords in the data flood. Eventually, one hit. He was inside a teller's machine.

Step three, move up the ranks. Amazingly, the information being sent between the tellers' computers and the branch's main database was not encrypted. This meant passwords and bank account numbers were all out in the open.

Step four, cash in. Rather than steal money from depositors' accounts, Bhalla just invented a new account for himself.

"We went into the database where the accounts are and set up an account with $14 million," Bhalla explained. "We just created $14 million out of thin air."

If he wanted to, he could have walked into any bank branch, transferred the money to an offshore account, and never have had to work again.

Instead, he went to an ATM to print out a record of his ill-gotten wealth.

"The bank executives were extremely surprised," Bhalla said. "Their faces were shocked."

The bank promptly deleted Bhalla's bounty, he said, and took steps to shore up its network.

In the heist that came to light last week, federal officials say the thieves hacked into networks at firms that process transactions for pre-paid debt cards and manipulated accounts to create high spending limits. From there, it was just a matter of making physical debt cards for those accounts and going around to ATMs to withdraw the cash.

"They just updated the database with that debit-card information," Bhalla said. "That's how simple it was."

In many cyber bank heists, including the recent $45 million scam, it's hard to pin down who is ultimately liable for any losses.

It's typically not individual customers. U.S. law protects consumer checking and savings accounts from losses stemming from fraud. Business accounts, though, have fewer protections.

Bhalla said some financial institutions have insurance to cover the losses -- but he noted that insurance companies are reluctant to issue policies with high coverage limits because the risks in this area area still poorly understood.

In the end, he said the losses are likely borne by a combination of the company, insurance firms and governments.

More from CNNMoney:
Fortune 500: 20 Biggest Stock Gainers
Weight Watchers' Famous Faces
5 Apple Rumors Likely to Come True





Increase your money and finance knowledge from home

Getting out of debt

Everyone hates debt. Get out of it.

View Course »

Forex for Beginners

Learn about trading currencies and foreign exchange transactions

View Course »

Add a Comment

*0 / 3000 Character Maximum

17 Comments

Filter by:
marcopoloxoxo

Actually he made 2 accounts...shhhhhhhhhhhh

May 17 2013 at 12:05 PM Report abuse rate up rate down Reply
EzinWy

Money - magic time !

May 17 2013 at 11:35 AM Report abuse rate up rate down Reply
Ed.

hey, throw some of that $$$$ into my account!

May 17 2013 at 11:17 AM Report abuse rate up rate down Reply
shmegmasmith

"In the end, he said the losses are likely borne by a combination of the company, insurance firms and governments."

If my security is not all it should be, I lose. If a bank's is not all it should be, the government helps pick up the tab?

May 17 2013 at 9:08 AM Report abuse rate up rate down Reply
1 reply to shmegmasmith's comment
BARRY AND KATHY

So it's ''you'' again.

May 17 2013 at 12:42 PM Report abuse rate up rate down Reply
PAMELA S

Of course, as we one and all, know the difference between right and wrong. Would never think of taking any one else's money,

Timeline: Last evening, News... WCPO, Cincinnati, Ohio. News item: elementary school children couldn't be/wouldn't be, served lunch because their accounts were not up to date.

I find it despicable that a school would not provide nutrition, "food" to CHILDREN. JUST BECAUSE THEY MIGHT STILL OWE $1.50 TO BRING their lunch account up to date. A mother (an Angel on earth),whose child attends the same particular school, paid the crappy school, $56.00 plus change, just so the students, children, human beings could eat lunch.

It is just an example of too many, in the country of America. That and where there is not enough money. Yet the greedy bastards (school, etc.), deny what is necessary anyway.

If someone actually would and/or does steal money from banks etc., someday or not far into the distant future? Would you just spread it across America especially to those, too many that need it daily?

Thank you,

Pamela S

May 17 2013 at 8:52 AM Report abuse +1 rate up rate down Reply
ectullis

Creating money out of thin air? Same as just printing money?

May 17 2013 at 4:31 AM Report abuse +1 rate up rate down Reply
kosgolbez

Creating money out of thin air? Oh, like after they crashed the economy?

May 17 2013 at 4:22 AM Report abuse +2 rate up rate down Reply
1 reply to kosgolbez's comment
BARRY AND KATHY

Believe it or not, since they didn't actually ''print'' more actual notes, the effect wouldn't even be noticed except by those who actually got the money. Every bit of money in the economy recirculates many times a year but this money won't circulate at all, it's the same money that would have been circulating anyway but with a single detour.

May 17 2013 at 12:45 PM Report abuse rate up rate down Reply
the aol experien

Where’s the article about how the banks (with the help of congress) steal billions every year from us? If Americans would pull their money out of these huge banks and find some privately owned community banks the USA would be a better place. If businesses would start giving a 3% discount for cash instead of sending it to all those big banks for using their credit cards we could all put a big hurt on the crooks. My thoughts!

May 16 2013 at 8:29 PM Report abuse +1 rate up rate down Reply
metusmetu

'Scuse me,...........I've got to go now,....got some serious online work to get completed......bye...!

May 16 2013 at 7:11 PM Report abuse +2 rate up rate down Reply
Miss ms

OOH so i guess your next 'INFORMATIVE' will be......... 'how to breako ut of jail'

May 16 2013 at 6:21 PM Report abuse +1 rate up rate down Reply