Udo Flohr
Bank robbers are trading in their firearms for a new weapon: computers. And although companies are usually reluctant to admit embarrassing rips in security, Citibank (New York, NY), the banking division of Citicorp, has upgraded all security procedures following a breach of the bank's cash management system. In a series of break-ins, the bank's payment system was compromised (perhaps with inside help) for no less than the hack of the century: more than $10 million. (The bank says it eventually recovered most of that sum.)
Citibank is not the only bank to suffer from electronic burglary: Security expert Arnaud de Borchgrave estimates that in just two months this year, about $300 million has disappeared, electronically, from U.S. banks.
In July 1994, Vladimir Levin, a mathematician in St. Petersburg, Russia, befriended a former St. Petersburg bus driver who had turned entrepreneur in San Francisco, according to recently unsealed court documents. Levin allegedly told his new friend he had found out how to wire-transfer money out of Citibank's computer system. Twice already, he allegedly bragged, he had squirreled substantial amounts into his own account in Finland. Court documents say Levin's colleague became a partner in what would become a multinational hacker ring.
Just a few weeks later, transfers were made to BankAmerica accounts held by Primorye (roughly translated as "Shoreland" in Russian) Corp. and Shore Corp., both of San Francisco. The companies were owned by Levin's friend Jevgenij Korolkov.
By this time, Citicorp officials had begun to suspect foul play and started questioning Korolkov. Korolkov left the country but apparently was not deterred. Instead, the two pressed on and recruited new partners around the globe, authorities say. By October 1994, 40 more transfers were made to California, Israel, Germany, Holland, and Switzerland.
Levin, who was system administrator at AO Saturn, a St. Petersburg software house, has been advised by his attorney not to speak to the press. But court documents allege he accomplished the illegal transfers by dialing into Citibank's cash management system. The system allows Citibank customers to initiate their own fund transfers to other banks; daily turnover is about $500 billion. Authorities say that to avoid causing suspicion, Levin dialed in from his house in Russia late at night. Conducting transactions during New York business hours would be less likely to raise alarms.
Levin apparently used valid user IDs and passwords of other banks, among them Banco del Sud in Argentina and Bank Artha Graha in Indonesia. How he got those passwords, given Citibank's extensive security, is unclear. Inside help seems likely, but Citibank claims that no employees were involved. Citibank officials declined to discuss their security procedures with BYTE, but a spokeswoman said that the bank continuously evaluates and improves its security measures.
According to Citibank, its security system flagged two August 1994 transfers, $26,800 and $304,000, as "strange." Bank officials called the FBI, who observed the electronic interlopers as they made their illegal transfers. U.S. officials were also assisted by telecommunications employees in Russia who helped track the illegal fund transfers to St. Petersburg, according to published reports.
Citibank claims it recovered most of the approximately $10 million in illegal transfers but says perpetrators were able to withdraw "less than $400,000" before other banks were notified and able to stop the transactions. Officials also say that at no time were any client funds at risk.
In March, Levin was arrested in transit at London's Heathrow airport. At presstime, he was fighting extradition to the U.S. from England. U.S. authorities want to try Levin on charges of theft, forgery, and computer fraud. Levin's attorney, Colin Reynolds, told BYTE that Levin wants to return to Russia. Five alleged accomplices in other countries, including Israel, the Netherlands, and the U.S., have been arrested.

Most acts against a corporation are committed with help from the inside, including employees, vendors, and contractors. That's according to the American Society for Security's (Arlington, VA) 1995 Intellectual Property Loss Survey.