Systems Beware - Hackers Want In
Weinstein, Michael, American Banker
It's late at night and a young man is rummaging through the trash behind a bank branch.
He's looking for a key to unlock the bank's computer system -- to obtain valid identification codes and passwords.
If he finds the right ones, he can go home to his personal computer and dial into the bank's computer system.
If he doesn't find the right codes, he'll return the next night or spend hours in front of his computer trying to figure out the codes himself.
While many bank computer systems are designed to prevent access by these youthful intruders, or hackers, the hackers are constantly thinking of new ways to penetrate businesses' computers.
And since banks, like other businesses, have significantly automated their operations in recent years, they are increasingly dependent on their computers.
Meanwhile, the number of microcomputers, or personal computers, is increasing dramatically. And these small computers are using phone lines and other communications networks to gain access to big corporate computers.
The threat to corporate information posed by this new technology has been highlighted by a few well-publicized cases of young computer enthusiasts, or hackers, gaining unauthorized access to various computer systems.
Banks Security Better
Computer-security experts generally acknowledge that banks' data security is better than that of most companies. And many banks use a variety of techniques to protect their systems, especially the most sensitive ones involving account information and funds transfer. There has been only one known case of hackers breaching a bank's computer system, and that was a low-level inter-office message network.
But a few potential trouble spots are unresolved. Bankers should not underestimate the hacker community: It pools information and is relentless in the pursuit of its goals. Identification codes for bank computer systems have already begun appearing on the electronic bulletin boards used by hackers.
Illicit activity by insiders -- whether alone or in tandem with hackers -- is even more threatening. Computer education courses are taught in prisons, and some computer-security experts worry that hardened criminals are getting into computer crime.
The banking industry itself is encouraging the spread of microcomputers through its home banking and corporate cash management programs. Ironically, these systems that are designed to improve banking services may increase the vulnerability of customers' accounts and banks' computer systems.
There are no firm statistics on the banking industry's losses due to computer crime. Banks are loath to publicize such incidents, but there are a few known cases.
An operations officer at Wells Fargo Bank embezzled $21.3 million from the bank beginning in 1978 by manipulating the branch settlement system. The scheme went undetected for two years. And Stanley Mark Rifkin, a computer consultant, stole $10.2 million from Security Pacific National Bank several years ago through a fraudulent wire transfer.
While these crimes were not perpetrated by hackers, they show the large amounts of money involved with computerized banking.
Dial-Up Lines
For now, banks' exposure to hackers is mainly limited to dial-up phone lines. With a dial-up line, one computer, such as a hacker's microcomputer, can call another, like a bank's central computer, to support communications between the two computers.
For instance, in 1982 a former employee of the Federal Reserve Board dialed into a Fed computer using the access code of another Fed employee. Working for a brokerage firm at the time, the former Fed worker was looking for secret money supply data.
In a typical hacker operation -- accurately depicted in the movie "War Games" -- the hacker finds a phone number that is connected to a computer and repeatedly tries different passwords to get into the system. The hacker's modem, which allows computers to communicate via phone lines, can automatically redial different phone numbers.
So the hacker can pick an area code and three-digit exchange, and put the computer to work. (Hackers also pride themselves on their ability to make unlimited long-distance calls for free.) Dialing can be repeated for hours, even while the hacker sleeps, and the computer will keep track of useful phone numbers. When the hacker returns to his computer, he will have a list of phone numbers.
Armed with the phone number, the hacker then tries to log on, or enter, the computer system by trying different codes. Although this procedure is done manually, hackers are willing to spend hours trying to find the right codes.
Hackers can frequently pick the right codes quickly because companies use easily guessed codes or have left the log on code unchanged from the factory, or default, setting. "'Test,' that's a great one. It works all over," said Ian A. Murphy, a retired hacker from Philadelphia who is forming a computer-security consulting firm.
Trash a Good Source
Hackers also find codes and passwords by rummaging through firms' garbage. Mr. Murphy, who claims that trash was his most useful source of information, spent hours "trashing" at company offices.
Equipped with phone numbers and passwords, the hacker can often roam through much of a company's computer system, sometimes with the ability to change or destroy data.
Or hackers simply leave harmless messages. Mr. Murphy, who was known as Captain Zap in his hacking days, occasionally left the message "Captain Zap was here" in computer files that he penetrated.
Once the hacker tires of his romp, he may send his newly discovered information -- phone number, passwords, and other tips about the company's computer -- to one or more electronic bulletin boards.
The bulletin boards, which run on individuals' microcomputers, are connected to a phone line, so they are available to other personal computer users. The bulletin boards, which number at least a few thousand, include much legitimate information of interest to computer hobbyists.
But some of these bulletin boards include special sections in which hackers trade information, such as computer access codes, credit card numbers, and codes for long-distance telephone service. So when one hacker learns how to crack a computer system, that knowledge may quickly spread to hundreds of thousands of others.
No one knows how many hackers there are. Donn B. Parker, a senior management consultant at SRI International, the research institute, estimates that there are tens of thousands of hackers.
Mr. Murphy also estimates that there are thousands of hackers. And when it comes to hacking, Mr. Murphy knows what he is talking about.
He and some others were convicted on a variety of charges in a hacking operation that stole several hundred thousand dollars worth of goods and resources. They used phone-company codes to make illegal long-distance calls and credit card numbers to fraudulently buy computers, camping equipment, and CB radios.
Mr. Murphy wants to put his knowledge to work as a consultant.
In an interview in a Philadelphia hotel, he exuberantly expounded on computers and telecommunications, as he pulled from a briefcase sheafs of explanatory papers, including a thick list of more than 2,300 bulletin boards.
He also brought a case filled with electronic "toys," such as a device that analyzes voices over the phone to detect lying and a unit that determines if the wearer is being bugged with a microphone. He used to build such equipment.
Mr. Murphy, whose education comprises a high school diploma and a few college computer courses, is proud of his talent. Hackers are famous for their big egos. They exist in a community where computer-cracking ability, above all else, determines their stature among peers.
Hackers, who often socialize through their computers, express their personalities in their hacking. They even take on new identities, with names like Captain Zap, Stainless Steel Rat, The Wizard, and Dr. Atomic.
And hackers thrive on the challenge of beating an unknown computer system. "It opens a world to them," Mr. Murphy said. "It's a new form of entertainment."
When a group of hackers in Milwaukee cracked a computer system at Security Pacific National Bank last summer, they were caught by an alert system operator who was monitoring the bank's computer. The hackers -- known as the 414s, after Milwaukee's area code -- got into an inter-office message system by figuring out a valid identification number.
But the operator noticed that the number should not have been logged on to the system at that time. So he limited the hackers to one part of the bank's computer system and monitored their activity, said Ed Zeitler, a vice president and manager of the information systems security division at Security Pacific.
The message system lacked extensive controls because it did not handle sensitive data, Mr. Zeitler said.
While the Security Pacific case is the only well-known instance of hackers penetrating a bank computer, other such episodes have probably been hushed up by the banks. "I do know of several banks that had a hacker problem," said Mr. Parker of SRI International, but they declined to publicize the cases.
One observer of the hacker world, who is active in hacker networks and claims to be an FBI informant, said that he saw on bulletin boards log on codes and passwords for several bank computer systems.
He claims one message included a number and password for a Citibank computer. The message then advised users to type "help," and the system would tell them everything they needed to know to get into the computer.
"As a matter of policy we don't discuss our computer security procedures," a Citibank spokesman said.
"Most of what I have seen has been on a very low level," he said, referring to information about bank computers. But such messages are becoming more sophisticated, he said. "These kids are going to grow up."
This source, who insisted on anonymity, also said he saw a message in which the sender had a bank log on code but needed the password and offered to pay $1,000 for it.
Passwords Not Secret
The bulletin boards could become more threatening if employees or others with inside information start putting data in the hacking network.
When employees are assigned passwords, rather than picking their own, they frequently write them down and leave them in plain view of repairmen or delivery boys. "I think banks have got to recognize that identification numbers and passwords aren't secret any more," said Donald G. Miller, a vice president at First National Bank of Chicago.
But there are a number of techniques banks can use to stymie hackers -- and many banks are already using them. Bankers and consultants offer these suggestions to protect computer systems:
* Employees should pick their own passwords to avoid writing them down;
* Passwords should be changed regularly, between once every month and once every three months;
* If there are too many attempts by one identification number to enter the computer system, it should deny access to that number;
* If a user wants to get into the computer system, have the computer call back the user at a prearranged phone number;
* Use a special modem that gives access to the computer systems only after a special code is entered;
* Maintain a clean audit trail, so that the computer system knows when each user is on the system and which file he looks at.
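Two of these suggestions, denying access after too many attempts and keeping an audit trail, can be illustrated together with the check the Security Pacific operator made by eye (an identification number logged on at a time it should not have been). The following is an added example, not part of the original article; the log format, identification numbers, working hours and the three-attempt threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

MAX_FAILURES = 3  # assumed lockout threshold; the article names no number

# Constructed audit trail: timestamp, identification number, event, detail.
AUDIT_TRAIL = """\
1984-03-12T09:02:11 ID1041 LOGIN_OK -
1984-03-12T09:05:40 ID1041 FILE_READ branch_memo_17
1984-03-12T23:41:03 ID2207 LOGIN_FAIL -
1984-03-12T23:41:19 ID2207 LOGIN_FAIL -
1984-03-12T23:41:37 ID2207 LOGIN_FAIL -
1984-03-12T23:42:02 ID2207 LOGIN_FAIL -
1984-03-13T02:14:55 ID1041 LOGIN_OK -
1984-03-13T02:16:20 ID1041 FILE_READ staff_directory
"""

# Assumed normal working hours per identification number (start, end hour).
ALLOWED_HOURS = {"ID1041": (8, 18), "ID2207": (8, 18)}


def review(trail, allowed_hours, max_failures=MAX_FAILURES):
    """Replay an audit trail; report lockouts, off-hours logons, file access."""
    failures = defaultdict(int)   # consecutive failed logons per ID
    locked = set()                # IDs that should be denied further access
    off_hours = []                # successful logons outside the ID's hours
    files = defaultdict(list)     # which files each ID looked at
    for line in trail.splitlines():
        if not line.strip():
            continue
        stamp, user, event, detail = line.split(maxsplit=3)
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
        elif event == "LOGIN_OK":
            failures[user] = 0  # a valid logon resets the failure count
            start, end = allowed_hours.get(user, (0, 24))
            if not start <= datetime.fromisoformat(stamp).hour < end:
                off_hours.append((user, stamp))
        elif event == "FILE_READ":
            files[user].append(detail)
    return {"locked": locked, "off_hours": off_hours, "files": dict(files)}


if __name__ == "__main__":
    report = review(AUDIT_TRAIL, ALLOWED_HOURS)
    print("deny access to:", sorted(report["locked"]))
    print("logged on at an unusual time:", report["off_hours"])
    print("files viewed:", report["files"])
```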
There are other more elaborate identification systems, such as terminals that verify a user's fingerprint, palmprint, or ocular veins, but they are considered too expensive. Also, banks could encrypt, or scramble, the information in their computers, but this is also cumbersome and expensive.
No System Foolproof
Although bankers feel that their systems are well protected by their security procedures, they recognize that no system is foolproof. Some people are concerned that hackers will develop the ability to penetrate even dedicated phone lines.
In addition to dial-up lines, computers can communicate over dedicated lines, also known as leased or private lines. These lines are considered more secure than dial-up lines because dedicated lines are reserved solely for the use of those that lease the line. An outsider cannot dial into a leased line.
But dedicated lines can be tapped, and hackers are ardent followers of telecommunications technology.
Many hackers are former "phone phreaks," the young people of the early seventies who devoted all their energy to beating the phone system, much as hackers now enjoy breaking into computer systems. With the convergence of computer and telecommunications technologies, "phone phreaking" is useful experience for hackers.
An underground newsletter, called TAP, offers advice on how to manipulate computers, phones, communications networks, chemicals, and even automated teller machines.
"There may be some ways of getting into leased lines through telephone company switching system," said Donn Parker, the consultant, although he does not know how that could be done.
Perhaps the most inviting targets are the wire transfer networks. These systems carry hundreds of millions of dollars a day, and bankers have taken great pains to make these systems secure. But hackers already have their eyes on these networks.
A hacker source said that he saw a message giving the format to gain access to S.W.I.F.T., the Society for Worldwide Interbank Financial Telecommunications. The message promised that passwords would follow.
But the message was for a dial-up telex line, and S.W.I.F.T. does not use telex lines, according to W. Robert Moore, senior vice president at Chemical Bank and vice chairman of the S.W.I.F.T. board. It turns out the message was for a line used by Swift Global Communications Inc., a Mineola, N.Y., telex company.
With the promotion of home banking and corporate cash management systems, banks are encouraging the installation of microcomputers. Home banking systems typically use dial-up lines, while some corporate programs use dedicated lines.
Banks have, of course, built security mechanisms into these systems. For example, Chemical Bank's home banking program, called Pronto, runs on a computer separate from other bank computers. And to get into their accounts, users must have a special software cartridge, unique to each user, and three different codes, said John Farnsworth, senior vice president of electronic banking at Chemical.
And even if an unauthorized user, such as a roommate, gained access to an account through Pronto, he would be limited to transactions involving only the accounts of the authorized user, Mr. Farnsworth said.
Insiders a Threat
A number of observers think that insiders pose the most serious threat to bank computers. Banks are rapidly installing more microcomputers in their offices, and with automation, banks stand to lose much more money in a single theft.
On the other hand, fewer people need access to sensitive data with computerized systems. "I think we've seen a reduction of exposure rather than an increase," said Mr. Miller of First Chicago.
Computer-security experts agree that a complete audit trail is the best safeguard against employee fraud -- committed with or without microcomputers. When employees know that the system is tracking the activity of each user, identified by his password, they are reluctant to steal, the experts said.
"With automated systems, I think we have a much cleaner, clearer, recognizable audit trail," Mr. Miller said.
Even so, there have been a few recent cases of insider fraud. A computer programmer at a Los Angeles commercial bank illegally transferred about $10,000 to his own account to support his wife's drug habit, said Clifton H. Garrott, deputy district attorney in charge of electronic crimes for Los Angeles County. The ploy was uncovered by a random audit, Mr. Garrott said.
In Philadelphia, the district attorney's office has started investigating six cases of insider computer fraud -- involving four banks and two insurance companies -- since a state computer-crime statute took effect Jan. 31, said Gail Thackeray, assistant district attorney for the city.
There are undoubtedly more instances of computer crime -- committed by outsiders and insiders -- than are publicly known. But banks avoid such disclosures. "They don't like the publicity and they don't like the [expense of the] investigation," said Ms. Thackeray, who noted that several Philadelphia banks are notorious in her office for shunning investigations.
Some computer-crime experts are concerned that hardened criminals are getting into computer fraud. While there is virtually no evidence that organized crime has yet moved into computer crime, microcomputers have turned up in police raids on gambling, prostitution, and drug rings around the country, Mr. Parker said.
And prison inmates have been taught data processing for a number of years. "It does make a lot of us nervous that they're teaching these [computer education] courses in prisons," Ms. Thackeray said.…
Publication information: Article title: Systems Beware - Hackers Want In. Contributors: Weinstein, Michael - Author. Magazine title: American Banker. Volume: 149. Publication date: April 2, 1984. Page number: 11+. © 2009 SourceMedia, Inc. COPYRIGHT 1984 Gale Group.