Software executive exploits ATM loophole to steal $1 million

The software chief tried to explain away his actions as “internal security tests.”
Written by Charlie Osborne, Contributing Writer

A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses.

The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post.

Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion.

See also: ATM hacking becomes a priority in IBM cybersecurity facilities

It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says.

The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes.

In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. 

Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. 

In an interesting turn of events, the financial institution did accept his explanation and fixed the problem. Law enforcement, however, did not believe the story and eventually arrested him for theft in December 2018. 

CNET: Apple stores Russian users' data on Russian servers,report says

Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld. 

Huaxia Bank asked Chinese authorities to drop the case once the money was returned, of which all of the proceeds were recovered. This request was not accepted as "legitimate" by law enforcement, and therefore Qin must serve his sentence.

TechRepublic: 3 ways state actors target businesses in cyber warfare, and how to protect yourself

Glitches, skimmers, and software weaknesses are not the only methods criminals exploit in order to force ATMs to spew out cash. Last year, researchers uncovered a range of malware designed specifically for attacks against Bitcoin-based ATMs up for sale in the Dark Web.

Malicious code which exploits so-called "service vulnerabilities" and malware which disconnects alarms from ATM systems to stop them sounding are on sale for roughly $25,000.

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards