Bank Hacking Program
The 21st-century heist. Pictures Tom was trying to hack a bank. Based in Copenhagen, he targeted a Nordic financial institution. Assisted by a team of hackers, he began by casing the joint, working out who worked for the bank, what they did, and where the bank's mainframe was located. By going after the bank's employees, Tom's team managed to obtain passwords, logins, and almost everything required to gain access.
Discover our student banking account options & learn how to gain future financial success as a college student. Perhaps I should introduce myself, and how I have extensive knowledge in this area of expertise. I have 4 decades of experience in hacking, knowing about bank accounts is just one small area that you learn in cyber-security and computer forensics. The Aircrack suite of Wifi (Wireless) hacking tools are legendary because they are very effectively when used in the right hands. For those new to this wireless-specific hacking program, Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking hacking tool that can recover keys when sufficient data packets have been captured (in monitor mode).
But there was a catch: The bank 'had secured the mainframe, so you could only access the mainframe from one building physically,' Mikko Hypponen, the chief research officer at the security company F-Secure, told Business Insider. Tom managed to get initial access to the building by going to a formal event there under false pretenses. 'And then as they were being escorted out of the building he asked to be taken to the toilet, and just stays there,' Hypponen said. 'Doesn't come out for 45 minutes.' When he finally emerged, the host escorting him had vanished. 'So then he's in his suit with his laptop, walking around this building in plain sight,' Hypponen said. 'But nobody cares because he seems to know what he's doing, walking with purpose,' talking to people.
He 'sits down in an empty cubicle, takes out his laptop, connects the cable — he's in the right building — gains access to the mainframe.' Tom didn't do any damage or attempt to move any funds. That's because he was a penetration-tester employed by F-Secure. The Nordic bank had contracted the security company to test its systems — and, mission accomplished, they had been found lacking. But then Tom didn't leave. 'He's getting hungry,' Hypponen said. 'He's like, 'I can do better!'
He's pinged the mainframe — it pings back in two milliseconds.' The hacker set himself a new goal, Hypponen said: 'I'm going to find this mainframe and take a selfie with the mainframe.' ' 'So he's guessing it's in the basement, because that's where it's most likely to be — and he's in floor four, so he needs to get down several floors,' Hypponen said.
'Which is hard, because you don't have a pass, so how do you do that? You chat with people. He's walking the corridor with someone who is obviously going that way. 'Hey, how you doing, haven't seen you in ages'.
Talking with someone as he is going through the doors. Don't try to hide, put yourself out in the open, because no one expects you to do that if you're an outsider. 'So he gets down two or three floors. Getting closer, when bad luck happens. He's walking the corridor, and at the other end of the corridor is the host from two hours ago, same guy.
Tom is trying to walk away, but too late — he sees him, he's caught. The guy comes over: 'Hold on, how are you here? You can't possibly be here — I left you in the toilet three hours ago!'
And Tom is like, 'Yeah, I'm lost!' 'OK, this a security breach, I have to escort you out.'
' At this point, Tom decides there's no reason keeping up the pretense. He tells the host that he works for a security consulting company and is doing an audit of the bank. 'The host goes, 'Ohhhh, I see.
You have a good day!' ' Hypponen said, and goes away, leaving Tom there. 'Then he gets down one more floor, actually finds the mainframe, and takes the selfie.' He stole employee passwords, got in, got access to the bank's systems — even got caught! — and still managed to get away again. Hypponen concludes: 'People are a weak link, because there's no patch.
There's nothing you can do to fix that.' Bank hacking for dummies. The profits from hacking a financial institution can be astronomical. There has been a flood of news recently about hacks targeting financial institutions., with the attackers taking off with $81 million (£58 million) and attempting to steal as much as $1 billion (£710 million). The same group has attacked banks in Ecuador, Vietnam, and the Philippines,.
Hackers are getting more ambitious, spending longer on attacks and demonstrating greater sophistication, experts told Business Insider — and the rewards they're reaping are larger than ever. So how do you hack a bank? For starters, you need to scope the organisation out the way Tom and his team did. You need to research employees and work out whom you will target. This is because you are likely to rely on human error for your initial penetration — using a phishing scam to steal an employee's password, dropping a USB stick with malware on it, etc.
— rather than exploiting a vulnerability in the bank's outward-facing systems. 'It's very hard to guarantee a company will have forgotten to patch a system, or they'll have a coding error in their website application, or they'll have some other vulnerability you can exploit from the outside,' says Luke Hull, the UK and Ireland director for Mandiant, a FireEye-owned security firm that is one of those investigating the Bangladesh bank hack.
'It's a lot easier to trust in the fact someone in that organisation is going to click a link in an email, or they're going to fall for a scam of some kind, and that's going to give you that first level of access.' The attacker's resources will determine the nature of the attack When you're trying to steal tens of millions of dollars, a mole might be worthwhile. How the employees are compromised will depend on the determination and sophistication of the attacker. You can buy off-the-shelf 'exploit kits' for infecting employees with malware for about £1,000 ($1,400) that can — potentially — get you in, while at the higher end attacks will be far more targeted and considered.
Another option for getting in is hiring someone on the inside, if the stakes are high enough. 'If you're stealing hundreds of millions of dollars, you can afford to have a mole inside the organisation planted there,' Hypponen, the F-Secure chief research officer, said. 'That's going to pay itself back a thousandfold.' Once the hacker has gained access, some level of technical skill will be required to move through the network undetected, with some attackers demonstrating remarkable finesse. In the case of the Bangladesh hack, the bank had a security feature that printed out every transaction on paper. 'They knew the data on computers can be falsified, but if it's on paper, it cannot be changed,' Hypponen said.
'And they actually bypassed that,' hacking the printers themselves to hide the fraudulent transactions. Attackers are willing to spend months on attacks in pursuit of their goals, with operations acting much like traditional businesses. Jobs are sometimes advertised in advance, with clearly defined roles, the Mandiant director Hull says. In addition to technical jobs, you've got human-resources-type support roles as well as 'people behind the scenes who can handle the business end' — understanding how the bank functions, mapping out its corporate structure as the infiltrators move through it.
Successful attackers will end up with valid user accounts and an intimate knowledge of how the bank operates. What you do next depends on your motivations. Hackers target banks for cash — or intelligence It's not just organised crime syndicates targeting banks — intelligence-hungry governments are also at it.
Alan Crowhurst/Getty Images For many hacks, the endgame will be turning a profit. This means the goal when infiltrating a bank is to gain access to the institution's money-transfer systems to steal funds. The attacker will attempt to send cash to an account elsewhere under his or her control; in the recent bank hacks this has been via the Swift network, an international messaging system among banks. The funds, once successfully exfiltrated, will be laundered while the hacker attempts to cover his or her tracks to allow maximum time for the getaway, as the Bangladeshi hackers did with the printer hack. But that's not the only reason you might want to hack a bank. Some other attacks — largely carried out by government-backed hackers — have a different aim: intelligence-gathering. Across all industries, about 45% of the attacks Mandiant detects will be nation-state attacks, Hull said.
'If a nation state were to attack the bank, I'm sure they'd be much more interested in things like where is the bank moving the money. If they had their own central bank, how does it match up.
All this kind of stuff is information collection, and all this kind of stuff requires a very low footprint and very long-term access,' Hull said. 'So they're probably not going to be moving money.' In other words, if you're hacking a bank for intel, then you're not going to risk setting off alarm bells by trying to steal funds. Your endgame is to sit there quietly, watching. And this is what makes one theory about the culprits behind the Bangladesh hack so unusual. 'This would have been the first in history' Some code discovered in the hack had been seen before — in the devastating 2014 hack of Sony Pictures and used against South Korean banks and media companies. North Korean hackers were blamed.
If North Korea is behind the bank hacks, however, it would be a worldwide first. If true, 'it's a financial attack — they're trying to fix their budget,' Hypponen said. 'And this makes it even more unique, because we have seen thousands of nation-state attacks over the last 15 years. Every single one of them — every single one — has been either espionage or sabotage.
They're either stealing information or doing stuff like Stuxnet. This would have been the first in history which is a nation state doing offensive cyberattacks to steal money.'
North Korea is one of the suspects behind the Bangladesh hack, in what could be a first-of-its-kind attack. NKnews evidence of state-sponsored Pakistani hackers in Bangladesh's central bank — and it may be a third, as-yet-unidentified organisation that was responsible for the actual theft of funds.
(If correct, this would mean that while North Koreans may have also breached the bank, they were presumably there only for intelligence-gathering purposes.) Who is this third group? An unpublished report from Booz Allen Hamilton 'makes the case this is Filipino-Chinese businessmen collecting money to overthrow the government of the Philippines,' Hypponen told Business Insider. 'The technical evidence doesn't really support all that so far as I can see, but it's perfectly possible.' The Booz Allen Hamilton report has not been released publicly, and the organisation did not respond to Business Insider's request for a copy of the report. Regardless of who is behind the recent string of attacks, more are likely to come.
'I'm certain there are other cases, which either the banks don't know about themselves or which just haven't been made public,' Hypponen said. 'These attacks have targeted more banks than just these four.' And most attacks against financial institutions by other groups of attackers are most likely going unnoticed, Hull of Mandiant says. 'I'd be surprised if the majority of attacks were recognised,' Hull says.
'A lot of attacks, unless you catch them right at the start, they. Move further away from malware. You start to use actual user accounts as if they were in the office, start to use their home working solutions, and eventually you use their actual accounts to move money or something. At that point it becomes more of an antifraud exercise than a technical redesign exercise.' This is a 'wakeup' call, experts say The attacks on central banks mark a break from tradition. 'We have seen banks targeted by online criminals for 15 years,' Hypponen said. 'But most of the attacks — practically all of the attacks — against banks have not been against banks' own central systems.
It's about the banks' customers' systems.' 'Because banks are very good at securing their own systems,' he said. 'They put a lot of money in there. It's kind of hard to break — it's doable, but it's very hard. As opposed to breaking a bank's customer's systems. Of course you can't steal as much from them, but if you have a thousand victims, and you steal a thousand euros from each, that's a million euros.' Industries tend to be targeted in a cyclical basis.
Businesses in one sector get hit hard, they upgrade their systems to a point at which it is no longer profitable for hackers to target them, and the attackers move on to something else. 'They pick an industry, beat it up, and get out before the money is spent on security,' Hull said. Hypponen said: 'We saw a great wakeup call in the industrial control sector six years ago with Stuxnet. The car industry woke up last year.' After banking, who will be next to wake up?
'I don't know,' Hypponen said, 'but I guess we'll find out.'
At first I was wondering what I could possibly use this for, but as I sat and thought about it, I realized the possibilities are enormous. I'd like to know if the following are possible: 1. Forcing me to stay on budget, unless there's an emergency (perhaps allow purchases over budget after the third attempt). Automatically distribute paychecks or other income into different accounts (some to retirement, some to savings, some to checking, w/e.); this behavior could change based on the current distribution of your money too, so if your 'emergency fund' got really low you could automatically spend more of your income replenishing it. Deny unwanted transactions and tightly control your own fraud detection (SMS confirmation for every purchase out of your zip code, confirmations for purchases from new places, you name it.).
Automate the creation and destruction of virtual cards to minimize danger of online purchases or to make sure that 'free trial' never starts charging you. I'm sure there's tons of other awesome ideas, but I want all of these quite badly. Like you, I thought that this was pretty unimpressive at first. It seemed to me that this is just a regular bank account and that they expose some API and you have to program the web/mobile app yourself. The homepage is rather uninformative and I didn't really get what this is about until I went to their press release page:.
Then it hit me. You can write small pieces of code, sort of like small apps, to manage what happens when you send or receive money. What's even more interesting is that you can share these apps on their Root platform, sort of like an app store for internet/mobile banking functionalities it seems.They mention some examples of what you could do and this looks seriously interesting now. Replying to myself here because I can no longer edit my comment. Just wanted to say that, while this is potentially a huge thing, there are certain things that need to be taken into account. First of all, there's heavy regulation when it comes to banking software.
There are laws and bank regulations that are here to prevent people from losing their money and/or suing the bank for some reason or another. Root needs to take great care to ensure that the software written by their users stays within the boundaries of south african law and their own bank regulations. Second, the software absolutely needs to be reviewed not just by people from Root but also by a reputable independent consulting company. Third, Root mustn't allow direct initiation of transactions from their platform to prevent potential disastrous effects due to bugs. You should be able to write code that does something when the money is being received or sent from your account but not code that charges your account. To be fair, your original comment: 'was told he could delay a payment'; namely, ' a payment'. The limit for danger with any credit is 3 monthly payments.
Technically a single missed/delayed payment can affect your credit bureau, though many credit providers are nice enough not to report 30 and 60 day faults. Anyone who thinks they can get away with 3 months of not paying back any kind of credit product, let alone a mortgage, is going to be in trouble. If your friend skipped 3 mortgage payments in a row, I'm surprised they won the case in court. They must have had concrete proof that a bank employee truly misinformed about what it means to miss multiple payments in a single year, let alone 3+ consecutive payments. Maybe it was indeed one payment and then the bank asked for something unreasonable, further delaying other payments.
It happened to me once. I received an unreasonable bill for building maintenance fees, didn't pay, they sent me a lawyer making more unreasonable demands, I told them to fuck off (after consulting a lawyer myself). The thing is: because I didn't know how much to pay, I didn't pay for several months in a row.
I only paid after everything was sorted out. It never went to court BTW, the guy responsible for the mess has been fired and his successor did a great job cleaning it. If that's the case then sure, but it probably isn't. People who still use cash for small purchases probably use their bank card two or three times a week at most. That 'short amount of time' is likely to be days. And that's just for people who use one card; anyone with more than one card could go for weeks between transactions on a particular card. Even then, if I telephone a business on the other side of the country and order something over the phone then the transaction will originate hundreds of miles from where I am.
You don't need to be physically present when your card is used. There are many scenarios where a card could appear to move around the country (or world) while still actually being legitimate transactions. I don't know about Visa, but Mastercard called me on more than several occasions. Yes, a real phone call, whether it was me that just purchased this and that item and if they should let the payment go.
This happened when I was travelling around Europe. Many times the seller was also blown up by the promptness of the call, sometimes like 20 seconds after the swipe. After some time, the MC system seems to have learned my patters and also coordinated with other data.
For example, I bought a ticket to US with the same card. No single call on any purchase over there. They knew I was in US and most probably the shopping was legit. How are restaurant tips charged? The card is run, and then you add a tip, and at some point they enter in the tip amount I assume.
Would that charge show as going through at the original time, or at the time they revised the total? I imagine if they come through as special revisions, allowing those up to a certain time after the original charge and up to a certain percentage over the original amount might be sufficient, as long as there's not multiple different ways that different vendors (restaurants) do it because they don't know what they are doing. They obtain an 'authorization' in some amount, probably the bill minus tip, then fulfill it later for the amount of the bill plus tip. This is a ubiquitous practice with payment cards - for example, when you pay for gas with one, the POS authorizes some small amount to ensure the account can accept debits before unlocking the pump, and later fulfills the authorization for the price of the fuel you purchased.
Authorizations of this sort count against your available balance, and time out eventually if not fulfilled; when you look at your account and see 'pending charges', this is what they actually are. Not all charges use this process - when the total amount is immediately known, it's generally immediately charged as well.
But in any case where the amount may change or the account requires validation before a transaction can proceed, this is how it's done. Presumably, since a valid authorization constitutes an agreement to pay the charge (hence the language under the signature line on your bar tab), the 'enable' step you perform via the API would permit the authorization to occur, and fulfillment would work the same way it does now. How is that different from not having the money to spend in the first place, though? Even people with very little money use credit occasionally, and I can definitely see the benefit of strong-arming a budget so you don't spend money you don't have.
The typical reaction to this scenario is to put back what you have at the grocery store and leave (or put back enough so that you can afford it). (It could be argued that you don't need a feature like this at all if you have X level of self-control, but many people would benefit from taking any requirement of self-control out of the equation.). I would expect people not to use this as their main account for a long time. People will just transfer in a small portion of their money to this automatable account and not risk 100% so while this roboaccount can go mad and empty everything, you are only out say $3K when your traditional main account still has $9999997K Treasury functions within large corporations do the same thing. They dole out only a portion of the companies wealth to departments so they cannot go mad ( amongst other reasons ). People asking about what problem this solves haven't been to South Africa or Zimbabwe which in some ways are ahead of the West in creating cashless societies. The biggest bank is a phone operator and people can send each other money over the phone and from what I understand this is very common.
Also interestingly most phones aren't smart phones. It's mostly analog. Banks have a serious incentive to create and encourage cashless societies - because they're limited by the liquidity ratio. People there are more skeptical of hard cash there while here it's nearly on par with Gold in terms of confidence. I don't think I've to explain offering an API allows third party engagement and endorsement and an opportunity for others to grow their service. Yes there are security concerns but these can be all secured from backend.
Let me counter with these facts about banking in South Africa: 1. Fees at most banks are high. (A basic account with no transactions typically have fees of several dollar per month). If people are moving away from physical cash, its because of security concerns (theft and robbery), not liquidity. Most transactions are done by credit card, debit order or Electronic Fund Transfer (EFT). EFTs are done between numbered banks account.
Mobile to mobile phone transfers are still very rare. People are stubornly loyal to their banks. If root fails, it will be cause of this. One of the issue with cashless is that banks/financial service provided making money of of the money i.e. $100 making more than $100 with out adding any real value in fees (100 time circulation). I know time is money in most western countries but my place we do one crop a year and sit idle for 9 months. So time is not a money and we would rather give cash to a person get that much worth of a product.
My sons school charges 2% extra if i use credit card, Rs 20 if i use netbank and does not accept cash. So on a Saturday i am happy pay in cash when i have nothing else to do. Unless government makes the transfer without fee (now they can print less money and that cost can be used for this infra of transfer), why is cashless better in the scenario where that saved time is not used for anything value generating? Genuinely looking for answers to this that makes sense rather than saying time is money. The example of your son's school is fine, but imagine that your son lives in another country.
Cash has other problems beside being slow. It's insecure - a person could steal your $20 bill from your mailbox or his, or from the Post Office. It's untraceable - if your son's school says 'We never got your payment' but your son swears he gave them the cash, you're stuck in a situation where either your son or the school is ripping you off (I'm sure your son would never do that). And last, it takes both time and money to convert cash to another currency.
Taking the cash to somewhere where a person can convert it to the preferred currency is bad enough, and then it costs you money on top of it. China is cashless. Stores don't accept your cash much. And you have to show a government id to buy anything.
And they track you. But it gets worse than that. If the government wants to punish you, they can just cut you off. Can't buy food, can't pay rent. Oh you think your friends can help you? China has that covered too, with its shiny new credit system. Being associated with - let alone helping - people cut off from buying food may result in a drastic lowering of score and ability to do business yourself.
On the bright side, used wisely such coersion may he better than outright violence at stopping criminals and terrorists. That's not accurate. I was just in Chengdu and Shenzhen last month and paid almost exclusively in cash everywhere I went. In fact for smaller vendors and street food, cash is the only option.
Many vendors also accept WeChat payments (which seems to be the most common form of payment, at least for casual to mid-range transactions by people in my peer group), and UnionPay network credit cards are also widely accepted. Western credit/debit cards tend to work only at more upscale/modern/larger vendors. From what I've seen of Chinese commerce in various cities, I would be very very surprised if China went anywhere near cashless anytime soon.
Cash seems to be a bigger part of the culture there than in the USA. You do have to show government ID to get a cell phone or purchase long-distance train tickets. Also checking into a higher end hotel. And since using public Wi-Fi requires you to authenticate with your Chinese phone number, that's also effectively linked to your ID. There are many aspects of Chinese society that are easily trackable by the government, but commerce does not seem to be one of them, at least from what I've seen. Thankfully, there is a good amount of space between money under mattresses and a government controlled economy. Your comment is a giant straw man.
Canadian and EU systems are private ones and the government has little or no power to directly intervene, short of law enforcement. The idea that eliminating paper is some sort of boogeyman from Revelations is about as silly as the idea that holding on to your Glock allows you defend your rights against a corrupt government.
Neither actually offer any type of protection against these particular issues. Unless you are wandering around with $20K in cash everyday, your bank account is still subject to the very things you seem to be afraid of. The only thing that changes in a mostly cashless society is your access to your bank account. If the government is going to freeze your account, it matters little if you have a chip card or need to go to the teller. Thankfully, we in the west have moved most of the management of this to the private sector, and require things like warrants before any real action is done.
That can and is an issue at times, but has little effect on the day to day implementation of one method over another. Sadly, I think the solution in the US and some parts of the EU is even worse than the chinese one. Try buying Cuban cigars without cash anywhere. Your VISA or MasterCard will mysteriously fail to allow this purchase – because, due to the embargo, these companies just refuse to allow transactions containing the words 'cuba', 'iran', etc. VISA and MasterCard also have additional rules of their own, and if you have a society that is cashless, they can just cut you off, too. This is giving a for-profit entity (which, by its own nature, does not care about you, just about taking your money) far too much power. Sweden is having that problem: You can’t do anything without a debit card anymore, banks have high fees just to get cash from your account, but the only debit cards you can get are from VISA or MasterCard.
This wouldn’t be an issue if there were many competitors, or even local competitors, or if the systems were open. I'm Canadian, so not only can I buy Cuban cigars, I can buy them in a store down the street with my debit card. (A real debit card that connects directly to my account, not just a prepaid credit card.) Regardless though, making an illegal purchase isn't a very good reason to argue for cash; in fact you may have more luck changing the dumb laws if people are truly hurt by them. The US definition of a 'debit card' is massively different than the Canadian one.
For us, our bank card is the debit card. The same one I use to take money out of my account at an ATM is the same one I can use to buy a $1 coffee. Why some banks do charge outrageous fees, thanks to the free market there is a healthy market and many banks in Canada are now fully virtual or offer next to no fees. Just because a system is poorly designed in one locale does not mean the idea itself is flawed, just that it should be implemented in an improved way. The US definition of a 'debit card' is massively different than the Canadian one. For us, our bank card is the debit card.
The same one I use to take money out of my account at an ATM is the same one I can use to buy a $1 coffee. I keep seeing this pop up, but it's a misconception; we have these in the US too. I have one, although I don't use it for purchases (I use a rewards credit card that gets paid off monthly instead). Here's an example (hopefully Wells Fargo doesn't redirect you because you're in Canada). No, my assertion is pretty much right.
It went so far that PayPal, VISA and MasterCard ended up threatening several German store chains to stop selling products from Cuba or they’d end all business with the store It went into national media, and was discussed on reddit: Rossmann won against PayPal in court, to this date they don’t offer any payment via PayPal. They came to an agreement with VISA and MasterCard, where if a sale contains embargoed products, everything but these products can be paid by card, but the embargoed products can not. Then they send the money back home. But if they send cash back it gets stolen 90% of the time. If they transfer the money it from one bank account to another, they don't lose their money. Making transactions more customizeable/ WTF are you talking about?
No one1 uses bank transfers to send money to their families in the SADC region: it's quicker and cheaper to use formal and informal money transfer agencies where the recipient gets cash, which is not stolen '90% of the time'. I swear HN seems knowledgeable on all subjects except those I am deeply familiar with. SWIFT transfers do get used for big transactions or paying corporations, but no one I know will be sending amounts less than monthly income this way. And I was talking about the cash being stolen 90% of the time, if you do choose to physically carry it with you back home. (Or trust someone else to do it) This is also not true. 17,000 Zimbabweans1 travel into South Africa daily by road, most are destined for Musina (nearest South African town to the border) where they buy goods with cash2.
If theft rate is 90%, that would result in 15,300 cases of theft per day (5.5 million per year) which (a) just can't go unreported, even if you think Zimbabwe is some undeveloped backwater and (b) where do I sign up to join this very effective Thieves Guild? It has to be well-paying.
As of 2015, numbers are seasonal. Because of depleted nostro accounts, most Zimbabwean banks have a maximum international withdrawal of $20-$50 (US dollars) per day. Absolutely - the police can be very corrupt in Zimbabwe so you don't want hard cash hanging around or it will be taken. The actually official Zimbabwe currency can't really be taken seriously because of insane inflation rates. US Dollars vary greatly in price. Small transaction fees are nothing to operate cashlessly for some of these people compare to the risk of trying to store cash.
Even India recently banned high denomination notes because they were so associated with drugs and illegal behaviour. Actual Zimbabwean here: you are so wrong I'll have to ask: have you ever been to Zimbabwe?
Absolutely - the police can be very corrupt in Zimbabwe so you don't want hard cash hanging around or it will be taken. Yes, the police are corrupt but they won't rob you1, they might try and coerce a bribe.
The actually official Zimbabwe currency can't really be taken seriously because of insane inflation rates. This is wrong. It has been wrong for close to a decade because Zimbabwe 'demonetized' its currency (Zimbabwean dollar) in 2008 after an infamous bout of hyperinflation - you might have seen/heard of the 100 Trillion dollar note. Unless you have been incapacitated by a traffic accident. A worrying trend has emerged in recent years where passers-by or attending police go through the car and belongings of dead/dying accident victims. Is there really much practical difference between a police officer demanding a bribe and being robbed? Yes: you can say no to coercion but you have no choice when you are being robbed.
Violence (or the threat of it) is a hallmark of robbery: Zimbabwean police will not do that at traffic stops - they are usually not armed. They will, however threaten to impound your vehicle for minor infractions (which would be illegal in most cases) and/or threaten to jail you to wait for your court date.
Either of these situations will require paperwork and the money goes to the state and not their pockets, so they make you wait and reconsider the bribe, but eventually let you go. Also, in the context of this thread, having cash or money in the bank makes no difference because traffic stops now have portable card machines for 'spot fines'! When can I have direct control of recurring payments? I want to be able to 'push' money instead of having it 'pulled' from my account. This is a totally reasonable feature. If a merchant wants assurance that they will be paid, they should charge a deposit. The closest I've had is Entropay, but I don't really trust them for large payments.
Recurring payments are so abused, I can't count how many times I have been mislead. And there is a strong financial incentive to mislead people. And having to contact my credit card company after the fact is not good enough. I wish I could just have the ability to create virtual credit card numbers.
I would be able to fill it with a certain balance, set up recurring balance refills, change the expiration date, keep a merchant whitelist, and cancel the number at any time. This gives me the opportunity to make sure that even if my card number was stolen or abused, the charge won't go through. If I sign up for a free trial or a service I only want for x months but need a card on record, I give them a virtual number and set the card up to cancel itself after the period is up. Or if I want to put all my netflix, hulu, pandora, etc charges on one number, I can set a monthly allowance for each merchant.
If someone changes their prices, the charge gets declined and I can go back and reup the limit if I want. I use entropay.com, which lets you create virtual credit cards, and pre-charge them. And if the account runs out of money, the transaction is declined, and the merchant has no way to get your money after that. As a warning, there are some problems with entropay.com though. Over the last year, some merchants have been able to detect that entropay.com virtual credit cards are prepaid, and require a plastic card. Also, entropy cards are from Malta, so companies like Spotify or Netflix will only give you access to content licensed there.
Finally, and most importantly, entropay.com has a tendency to 'float' your money, and I've heard that sometimes they just snatch it. I've never dealt with more than $150 at a time. Since they are based in Malta, I think it would be very hard to dispute anything with them. But if you have to do any bigger transactions, you should use a bank here anyway. But it's great for trying out services where you don't trust them, or are just concerned with overages.
I use them as a buffer for a lot of recurring payments. I've seen some services on hackernews that offer virtual credit cards, but the problem is, that they all are tied to some underlying checking account, and even if the prepaid balance is declined, the company is obligated to somehow collect the money, if they can. There's no way to simply cancel a recurring payment. I'm sure that this is because they are required to by banks in the US. I really wanted to have a complex money firewall, like you describe, but in practice, I've ended up just using plain old credit cards for most things.
It is still very good to have an entropay account, though. What I basically want, is to have more control. I want a similar amount of control as to what I have with paper money, or even virtual in game currencies. Right now, the scale is not tipped in my favor. I would be happy to pay for it.
I understand that banks have reasons for things to be arraigned the way they are. I would love to have a 'personal firewall' level of control over my money. I'd like to see that Widget of the month club is requesting $50, and I can confirm/deny it. I only signed up for a widget of the month because it seemed like a good idea, but they deceived me into thinking I could back out at any time, and then when I cancelled my account, they just 'paused' it for three months.
We don't use the 'banking' model for other resources that are supposed to be our property. An app on my phone isn't supposed to be able to delete my photos, and the accepted solution is not that I call some external entity to undelete them. I know that these examples are very different, but that is what I would like. I can also simply block someone from contacting me if I want, without having to justify it to my isp. I want to be able to do that with my money. If someone disagrees with me doing this, and thinks I still owe them money, they can be free to sue me, or do some other sanctions.
Right now, I create virtual credit cards and only fund them enough to pay my recurring payments. I want to automate it. 95% of the time, recurring payments that fail for me are done in bad faith, and these actors will not make a fuss if they can't process their payments.
I know this is probably a pipe dream, and that there are already system I can use, and that our financial system is set up the way it is for reasons. But that's a pain point for me, and a lot of people. People would like to be empowered, and feel that they have control. I think, in the end, things won't really change. Most people will still pay legitimate charges. What I've found, is that every virtual credit card provider has to try to process recurring payments, even if that virtual credit card is depleted, kind of defeating a big use of virtual credit cards. I am sure that this is something they were obligated to do by other financial institutions.
So virtual credit cards just end up being solely for online transactions that are not recurring. The only company I have found that actually does what I'm describing is entropay.com, and they are based in Malta and I don't trust them for big transactions, as they have been known to steal people's money. I'd love to collapse all of my recurring payments into a monthly report, that I can review and authorize. This is exactly the thing banks are suited to handle. It would also be cool if a bank could abstract bill payments for me, where they present the debit, and show the time window to pay it, and let me select what business day to process it on. Actually, all of these services exist in one form or another.
Bank Hacking Tools Free Download
If you have a business account. And most banks have bill payment processing.
But I'm surprised that no bank is offering these services bundled together, directly to consumers. I'd happily pay for a checking account console. I'd love to collapse all of my recurring payments into a monthly report, that I can review and authorize.
Yes, even just a list of the recurring payments (that is updated in realtime and that you can centrally discontinue) should be available to the banking consumer - and it should be the responsibility of the banking entity to provide this feature. The do not, because the financial sector makes its revenue from payments occurring, rather than not.
A consumer would naturally gravitate towards a bank that was not limited by this concern (or derived equivalent profit elsewhere for provision of value). I always imagined a future where there would be an oAuth scopes like gateway for banks. Something like - This website requires the following permission: x Monthly recurring payments of $20 o Automatically get the payments Send me the link to deposit every month Proceed Cancel Life would have been so simpler then (Obviously I haven't thought this through completely, but something similar to this with proper security would be far superior than our current model of Name + Credit card number + CVV). I developed a serious allergy to what were called 'debit orders' when I used to live outside the USA many years ago. You would sign a form to allow the merchant to debit your bank account every month for (say) a subscription. Cancellation was theoretically possible by calling or mailing the merchant, but too many times, an extra payment (or two, or three.) went through and it was hell to get the money back.
The banks were not much help - you would have to try to get the debit reversed, and it was no fun. I think I had a few similar experiences here in the USA, but I can't recall specifics. Now I pay everything in 'push' mode via online banking, as silly as that may seem. I hope things like SEPA work better at revocation than what I experienced back in the day! In South Africa we have stop orders and debit orders.
Stop orders are for an amount agreed in advance. Debit orders allow the payee to debit your account for whatever amount they choose, obviously with the proviso that they have to produce evidence that you agreed to this, and that they can justify the charge. I've heard some stories about people having issues with unscrupulous payees abusing this, but I believe that's rare.
I, for example, pay for my mortgage, credit card, cellphone, satellite TV, etc. Via debit order. In my experience, this is only the case if you set up the payment through the bank's automatic payment system, which typically uses paper checks (but may do an electronic deposit for some payees who have specially registered). Most subscription-based businesses that go to your bank account get an authorization to do an 'ACH pull'.
In some instances, this authorization alone can act as collateral (e.g., in securing payday loans or medical payment agreements). As such, I would assume that allowing consumers to revoke the authorization is more problematic than it sounds. I love the concept of this. It took me a minute to figure out how I could get the most out of it, but the possibilities are endless. The fact that I can write my own rules that can manage my account semi-autonomously for me and know that my code is always watching my back even when I'm not - which is most of the time is awesome. I can have this account do everything I call the bank to get them to do and be told there's no facility for that.
Things like automatically taking the remainder of my chequing account balance and dumping it into my savings account as my pay is being deposited so my account starts fresh from 0.00 each month and all surpluses are put into savings accounts. I can then have some kind of AI monitoring investments and automatically transferring money in and out of my investment accounts and TFSA. I love love love this idea. It could almost become a pension manager. What I don't love is the lack of information they have on their website. They're in South Africa, does this mean the service is only available for South African residents and Rands? Or can we get international accounts for U.S.
And Canadian dollars and more? Anyone have any further info other than what the site presents?
Do we have any founders or insiders reading that can enlighten us further? First, good luck - it's a difficult space and I applaud you for trying something different. I have a few uncorrelated questions: 1) Is the API limited to types of transactions or do you host configuration information? For example, I've often wished for a bank account that would look at my outgoings and some criteria that I've set, and then allocate some monies to savings or investments on a percentage basis rather than an absolute number.
Are those calculations something I'd need to do at my end and then send you a bunch of API calls to make the transaction, or would they run as bots on your server? Sorry if that's not very clear 2) Will you impose tight or narrow restrictions on who can open accounts? For example in the USA many banks require an SSN to open an account and won't accept an ITIN (another kind of tax ID sometimes issued to immigrants), placing millions of people outside the banking system and thus making it that much more difficult for them to pay bills etc. 3) Will your service have access to the SWIFT network for international transfers or are you subject to restrictions while you prove some sort of banking bona fides? I don't know anything about banking relationships in South Africa or so but I've noticed the US is very aggressive about limiting transaction access for anything that looks like it could be remotely connected to crime of any kind, and I have sometimes had the impression that US banks are very 'suspicious' of anything that might coincidentally pose a threat to their business model.
I want to wish you a lot of luck and am very excited to see where this might go. I've never enjoyed dealing with money or finance, and get no more enjoyment out of being paid than I do out of paying bills. Financial chores are about as much fun as cleaning a toilet and the idea of being able to reduce the amount of time spent on dealing with money without putting myself at financial risk sounds heavenly. Thanks:) (1) A mixture of the two. We do allow you to write code that we host for you, to make prototyping (or building small features) easier and quicker, and you can access it all through the API, so you could do everything through a few https calls.
(All account transactions are available to you) (2) We try our best to make everything as seamless as possible, but we still have to comply with local regulations. We're working hard to create the best user experience possible given the tightly controlled environment we're in. (3) That's part of the plan, yes:). Hey - I previously worked on a prepaid debit platform that worked slightly farther from the metal here (post-processor). I'm interested in two pieces of data we couldn't get there, but that I had really high hopes for. 1) Dynamic merchant-type filtering before auth.
For example, if tom has spent 50$ on food this month, all merchants that identify as 'food' will fail auth on further transaction attempts. I'm not sure if these are still called MCCs outside of the US, or 'merchant codes'. 2) Level 3/line item receipt data. For example, instead of showing I spent 5.00 at QuikEMart, it shows 2.50 on soda, 2.00 candy bar, 0.50 tax. Will your platform offer that level of control/visibility? I haven't seen any stack information yet (although I haven't checked the slack channel) what technologies are involved and how do you plan on mitigating the mass loads?
- for the stack was there specific criteria why certain languages where chosen in your use cases? Are there any API rate limits for clients? Are there any current plans on mitigating DDOS or other malicious attacks? 2016 has been a hard year for banks and hacking specifically the story about Bangladesh. The trend seems that this will become more likely as we move towards a full online infrastructure.
For banking this is another layer where vulnerabilities can come up are there are plans in place for this? 2016 has been a hard year for banks and hacking specifically the story about Bangladesh.
The trend seems that this will become more likely as we move towards a full online infrastructure. For banking this is another layer where vulnerabilities can come up are there are plans in place for this? I'm not affiliated with Root, but the bank they are partnering with (Standard Bank of South Africa) was also hacked in 2016 and defrauded of R300 million ($16 million) via withdrawals from ATMs in Japan1. I'm sure they are acutely aware of the need for security. Do you have programmable international wire transfers in the works?
That would be an instant sell to me. My current bank requires me to show up in person, and then verify the transfer by phone, both of which require making time out of a busy schedule. Do you have programmable virtual credit card numbers? - Have you considered virtual bank account numbers as well? For example, I have had issues with organizations continuing to deduct from my account via ACH after stopping service. If I had a virtual bank account number that could be deleted, those rascals could be stopped in their tracks the moment I make the call saying 'you are no longer authorized to deduct from my account'.
With the current system banks still let the unauthorized ACH transactions slide. I would like to volunteer writing binding for as many languages as you can come up with, but I can't guarantee I won't shave off a fraction of a cent in transactions. Or that I'll get the decimal placement right when dealing with that 'fraction'. In all seriousness, I would be fairly worried running someone else's code on my bank account unless it was very straightforward. Even forgoing malice and incompetence, there's plenty of 'wow, that's a crazy interaction between systems that wasn't obvious' to go around. It is quite good, but it's not perfect.
The apps look non-native and the UI has many issues (e.g. Entering 10 international characters quickly in the 'transfer note' box pops up 10 'only latin characters' notifications), the login UI looks weird on Firefox, and causes an infinite loop that I reported weeks ago. Other than that, I'm very satisfied with the service, and I use them as my bank bank, but I use Revolut (revolut.com) for my everyday transactions, just because it 'feels' nicer. The transparent N26 card definitely turns heads, though, cashiers are always asking me about that. I'm Brian, the CEO of Seed. Thanks for remembering us and thank you for trying us out.:) Long story short, we're still working on making the API available to our members. Plans changed along the way and we ended up releasing our mobile business bank account first, but our long term goal of offering a more open platform remains.
It's tough to do anything innovative within the US banking system due to regulations, partner challenges, risk, and other factors, but we're going to keep working at it.