Bank IT Manager Gets 10 Years for ATM Exploit

An IT developer at a Chinese bank has been jailed for over a decade after exploiting a vulnerability in its systems to withdraw more than $1m from ATMs.

Qin Qisheng, 43, was a manager in Huaxia Bank’s technology development center in Beijing who spotted that a glitch in the lender’s core OS meant cash withdrawals around midnight weren’t recorded.

He subsequently tested his theory, deliberately hiding his activity as he did so, making withdrawals of 5,000-20,000 yuan ($740-3000) from a test bank account.

After doing so for over a year without telling his superiors, he had built a small fortune of over seven million yuan ($1m) in his own bank account, investing some funds in the stock market.

However, his luck ran out after the unusual activity in the test account was spotted at a branch in Hebei.

Amazingly, however, the bank wanted police to drop the case, believing Qin’s excuse that he was merely pen-testing.

“Qin Qisheng said that the matter was complicated and involved lots of work … he believed the bank would not pay attention even if he reported it,” a representative said in court, according to the South China Morning Post.

“We think this reason for not reporting is legitimate.”

Although Qin returned all the money he stole from the bank, it wasn’t enough to save him from a 10-and-a-half-year jail sentence. This is the final appeal ruling of the Beijing Intermediate People's Court, upholding a December conviction.

“On the one hand, [the bank] said that the accused’s behavior was in violation of the rules. On the other hand he said that he could conduct relevant tests. This is self-contradictory,” the judge is reported to have said.
