System manager steals $1M USD using ATM vulnerability

The defendant must serve a prison sentence of more than 10 years

A Chinese software manager was convicted of stealing around $1M USD by exploiting a known vulnerability in the Huaxia Bank ATM system.

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the 43-year-old man worked at the banking institution’s software development center when he discovered a loophole in the bank’s core operating system: a time window in which withdrawals were not recorded in the bank’s systems.

Qin Qisheng discovered that, since 2016, cash withdrawals made around midnight were not registered by the bank; the employee also realized that the flaw had been systematically exploited since its discovery, for almost two years.

According to network security specialists, Qin developed a set of scripts, injected them into Huaxia Bank systems, and was able to exploit the security flaw without raising suspicion. Evidence suggests that Qin Qisheng’s plan succeeded; for more than a year, the software manager systematically performed cash withdrawals of between $700 and $3k USD.

Part of Qin Qisheng’s plan was to use a ‘test’ bank account, reserved for security analysis at the bank, as the source of the ATM withdrawals. Chinese authorities estimate that the former employee stole more than 7M Yuan (approximately $1M USD).

After more than a year, Huaxia Bank discovered the fraud committed by its employee, who tried to justify himself by stating that he had done all this as part of “an internal security test plan”. When questioned about the stolen money, the software manager said that the assets were in his own bank account and would be returned to the bank at the end of the system tests.

According to local media reports, Huaxia Bank decided to accept the employee’s explanation; however, the Chinese authorities did not buy his story and found him guilty of robbery after his arrest in December 2018.

Qin will now have to serve a 10-and-a-half-year prison sentence.

Huaxia Bank asked the Chinese authorities to dismiss the case, as all stolen assets were returned shortly after the incident became known. The police considered this request ‘illegitimate’, so the defendant has no choice but to serve his sentence.

According to specialists in network security, cybercriminals rely on more than skimmers and the exploitation of vulnerabilities and design flaws to rob ATMs. Recently, a group of researchers discovered a malware variant specially designed to compromise ATMs; this tool is available on some hacker forums on the dark web. The average price of this kind of malicious software is around $25k USD.