May 28th, 2008

E-trade, Schwab, Google fall victim to "Office Space/Superman 3" attack

Posted by Nathan McFeters @ 6:48 am

Categories: Complex Attacks, Hackers, Zero-day attacks

Tags: Charles Schwab & Co. Inc., Bank, Google Inc., Microsoft Office, Attack, Poulsen, Financial Services, Nathan McFeters

A great example of an attack where Web Application Firewalls (WAFs), simple scanning tools, HackerSafe certifications, and PCI (though it might help through some financial controls I’m not aware of) are not going to help you stay secure was posted by Kevin Poulsen over at the crime blog at blogs.wired.com. Poulsen’s article states:

A California man has been indicted for an inventive scheme that allegedly siphoned $50,000 from online brokerage houses E-trade and Schwab.com in six months — a few pennies at a time.

Michael Largent, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account to a bank account for the first time. To verify that the account number and routing information is correct, the brokerages automatically send small “micro-deposits” of between two cents to one dollar to the account, and ask the customer to verify that they’ve received it.  

Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts, and accumulating thousands of dollars in micro-deposits.

Wow, sounds like “Office Space” anyone? Right down to this guy jacking the scheme up as well… I wonder if it was a decimal point error, just like the movie. If you haven’t seen “Office Space” and have no idea what I’m talking about, you have your homework assignment for the weekend (you will enjoy it), but basically the story includes a scheme that dumps the remainder of a rounding operation into a bank account through the use of a trojan. Of course, the programmer of the trojan makes a decimal point error and hilarity ensues.

Seriously though, if this guy had been less greedy and done this over a longer period of time, I don’t know if anyone would’ve noticed it. Of course, he was greedy, and they did notice it, as Poulsen mentions:

A May 7 Secret Service search warrant affidavit (.pdf) says Largent tried the same thing with Google’s Checkout service, accumulating $8,225.29 in eight different bank accounts at Bancorp Bank.

When the bank asked Largent about the thousands of small transfers, he told them that he’d read Google’s terms of service, and that it didn’t prohibit multiple e-mail addresses and accounts. “He stated he needed the money to pay off debts and stated that this was one way to earn money, by setting up multiple accounts having Google submit the two small deposits.”

The Google caper is not charged in the indictment. (.pdf)

According to the government, Largent was undone by the USA Patriot Act’s requirement that financial firms verify the identity of their customers. Schwab.com was notified in January that more than 5,000 online accounts had been opened with bogus information. When the Secret Service investigated, they found some 11,385 Schwab accounts were opened under the name “Speed Apex” from the same five IP addresses, all of them tracing back to Largent’s internet service from AT&T.

The Patriot Act, seriously? Wow. I wonder why Google is not included in the indictment. Very interesting stuff, but the kicker to this is to remember that there’s nothing that tools could’ve done to prevent this. It’s likely, however, that a good consultant performing a source code review would’ve found this.
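As an added example (not from the article or from either brokerage), here is the kind of velocity check a code reviewer would ask for around the micro-deposit step: it clusters account-link events by destination bank account, source IP and customer name, the three signals the affidavit excerpt above describes, and gates new micro-deposits at link time. The sample events, names, IPs and thresholds are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed sample of account-link events (hypothetical, not from the article):
# one row per brokerage account that linked an external bank account and was
# sent a micro-deposit. Pattern mirrors the abuse described: many accounts under
# one name, from a few IPs, funnelling deposits into a handful of bank accounts.
SAMPLE_LINKS = [
    # (brokerage_acct, customer_name, source_ip, bank_acct, deposit_cents)
    ("B-1001", "Alice Example", "198.51.100.7", "BANK-A", 37),
    ("B-1002", "Bob Example",   "203.0.113.9",  "BANK-B", 12),
    ("B-2001", "Speed Apex",    "192.0.2.10",   "BANK-X", 5),
    ("B-2002", "Speed Apex",    "192.0.2.10",   "BANK-X", 91),
    ("B-2003", "Speed Apex",    "192.0.2.11",   "BANK-X", 44),
    ("B-2004", "Speed Apex",    "192.0.2.11",   "BANK-Y", 63),
    ("B-2005", "Speed Apex",    "192.0.2.10",   "BANK-Y", 8),
    ("B-2006", "Speed Apex",    "192.0.2.12",   "BANK-X", 20),
]


def cluster_links(links, max_per_bank=2, max_per_ip=2, max_per_name=2):
    """Group link events by bank account, source IP and customer name and report
    every group over its threshold, with the cents already paid out to it.
    Thresholds are hypothetical; tune them to real customer behaviour."""
    by_bank, by_ip, by_name = defaultdict(list), defaultdict(list), defaultdict(list)
    for acct, name, ip, bank, cents in links:
        by_bank[bank].append((acct, cents))
        by_ip[ip].append((acct, cents))
        by_name[name].append((acct, cents))

    def over(groups, limit):
        return {key: {"accounts": len(rows), "cents": sum(c for _, c in rows)}
                for key, rows in groups.items() if len(rows) > limit}

    return {
        "bank_accounts": over(by_bank, max_per_bank),
        "ips": over(by_ip, max_per_ip),
        "names": over(by_name, max_per_name),
    }


def allow_micro_deposit(bank_acct, existing_links, max_per_bank=2):
    """Preventive gate to call before sending a micro-deposit: refuse once a
    bank account already has max_per_bank brokerage accounts linked to it."""
    linked = sum(1 for _, _, _, bank, _ in existing_links if bank == bank_acct)
    return linked < max_per_bank


if __name__ == "__main__":
    for signal, hits in cluster_links(SAMPLE_LINKS).items():
        print(signal, hits)
    print("allow BANK-X:", allow_micro_deposit("BANK-X", SAMPLE_LINKS))
```

Running the check over the constructed sample flags BANK-X, the 192.0.2.10 address and the “Speed Apex” name, and the gate refuses a further deposit to BANK-X while still allowing one to a bank account with a single link.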

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 22)

It is fraud
He opened up over 50,000 bogus accounts and stole small payments that were intended to verify that "customer" accounts had the correct account number, routing code and could electronically accept and...
Posted by: mystic100 on 06/01/08
