Throwback Thursday: Bank error in your favor, collect $100,000

Credit to Author: Sharky| Date: Thu, 05 Dec 2019 03:00:00 -0800

It’s the late 1980s, and this pilot fish is working as a teller at small suburban bank with a few branches.

“Automation is catching on, but slowly,” says fish. “We have terminals to process deposits, withdrawals and money orders — but at the end of the day, the branch manager still takes our totals and enters them into a handwritten ledger.”

The terminals use a text-based menu for everything, but for some operations that require a manager’s approval — say, printing a cashier’s check — the manager must walk over, hold down an override key and type in a password to let the teller access the check-printing menu.

Fish notices that the console beeps now and then during the password process. But it doesn’t happen every time, and there’s no pattern he can detect.

So on a slow day, with no one in line, fish tries holding down the override key and pressing another key at random.

The terminal beeps.

“I go through the alphabet,” fish says. “On S, it doesn’t beep.

“I blink. Is the security system so brain-dead that it actually warns you when you’re mistyping the override password?”

He repeats the process. On SA, SB, SC and so on through the alphabet, there are beeps. But on SU, no beeps.

Fish already has a pretty good idea what the override password is. He goes to the check-printing screen, holds down the override key and types “SUPERVISOR.”

No beeps — and he’s in.

Then fish feeds an ordinary piece of paper (instead of a blank check) into the printer next to his terminal, and prints out a “check” for $100,000.

He shows it to his manager. Manager just grimaces and says, “Don’t do that again.”

Says fish, “I worked there for two years, and that password never changed.

“When I later became a sysadmin, I instituted strict password policies back when it was still common to have your username and password be the same. Whenever I got pushback — ‘Why are you being so difficult about passwords?’ — I’d tell the story of my $100,000 check, and ask how much they could afford to lose because of a lax password policy.

“That won the argument every time.”

You’ll never guess Sharky’s pA$$w0rd. Send me your true tales of IT life at sharky@computerworld.com. You can also subscribe to the Daily Shark Newsletter.

http://www.computerworld.com/category/security/index.rss