Chinese software manager jailed for stealing $1m after exploiting ATM vulnerability


A Chinese software manager has been sentenced to prison for 10.5 years for stealing over seven million yuan ($1.03m/£795k) from Huaxia Bank after exploiting an ATM vulnerability.

The South China Morning Post reports that Qin Qisheng, a 43-year-old former manager at Huaxia Bank’s software and technology development centre, discovered a flaw in the bank’s core operating system that created a window of time during which withdrawals went unrecorded.

In 2016, Qin realised that cash withdrawals made at midnight were not being recorded by the bank’s systems, and in the same year he began systematically abusing the glitch, withdrawing chunks of money from the bank’s system for almost two years.

Usually, withdrawing money in such a manner triggers warnings on the device, but Qin inserted scripts into Huaxia Bank’s ATM systems and was able to exploit the security flaw without raising any suspicion.

The money had to come from somewhere: according to the publication, Qin withdrew amounts ranging from 5,000 yuan to 20,000 yuan ($740/£572 to $2,965/£2,290) using a test account.

After more than a year, the bank discovered the unusual withdrawals from the test account and reported Qin to the authorities. After being caught, he tried to justify his actions by stating that he had done all of this as part of an “internal security test” to examine the vulnerability.

However, when it came to the money that he stole, the software manager said that the funds were “resting” in his own personal account and were going to be returned to the financial institution.

Court case

According to the report, a bank representative told a district court trying Qin that his “reason for not reporting it is legitimate”.

According to the Post, the bank representative told the court: “Qin Qisheng said that the matter was complicated and involved lots of work. He believed the bank would not pay attention even if he reported it.”

Qin returned all of the funds to the bank, and the bank asked law enforcement to drop the charges against him. However, the court’s documents show that the bank also said his actions were in violation of its rules.

The court said the request by Huaxia Bank to dismiss Qin’s case was not legitimate.

“On the one hand, [the bank] said that the accused’s behaviour was in violation of the rules. On the other hand, he said that he could conduct relevant tests. This is self-contradictory,” said the judge.

The court did not believe Qin’s story and found him guilty of theft after his arrest in December of last year.

The court fined Qin 11,000 yuan (about $1,600/£1,259) and he was sentenced to 10.5 years in prison.
