I was sitting in the lobby of Ms. Cryer's apartment building by 6:00, enjoying the cool air-conditioned comfort. I allowed myself to doze a bit more as I waited. With my eyes only half-open I traced the pattern on the rug beneath my outstretched legs. A green line twisted and turned on a red background, forking frequently into numerous branches. Occasionally some of these branches merged back together again. While it was an abstract pattern, it gave the impression of a hopelessly tangled and twisted vine.
Ding!
An elevator door opened behind me. I shook off my drowsiness and looked up. It was Ms. Cryer. She flashed a very brief, slight smile and nodded her head as she approached. I returned her greeting and got to my feet.
I hadn't had a chance to change my clothes, of course, and upon seeing Ms. Cryer I became acutely aware of this. She had changed.
She wore a different pair of pants, although they were still stretch-pants and still black. Her grey sweatshirt was replaced by a loose-fitting white blouse that buttoned down the front. She hadn't tucked it in at the bottom, instead letting it hang loose like a jacket. The white blouse and black pants made for a sharp contrast. The blouse brought out the natural beauty of her dark face.
We turned and headed out the door without saying anything immediately. She had also put on lipstick, light-red, and earrings. The earrings were gold rings about the size of a quarter and showed with dramatic effect due to her ultra-short hair. Other than the lipstick, I couldn't tell if she was wearing make-up. Hers is the sort of beauty that either doesn't require make-up or else is the result of very expertly applied make-up. I was struck once again by the striking beauty of her eyes --- large round eyes, the whites in sharp contrast to her skin. She may have had eye shadow... I wasn't sure and didn't want to peer too closely. These observations came from side-ways glances during the short walk to the restaurant. The conversation during that walk consisted of sanitized small-talk, which suited me just fine. When we reached Sid's Seafood Grill, Ms. Cryer let me hold the door for her as we went in. I also held the door for a young couple entering immediately after us. They had just stepped out of a black sport-utility vehicle parked at the curb in front of the restaurant.
I had to pause briefly inside the door to let my eyes adjust to the dim lighting. The same blonde woman was sitting at the same spot at the bar. It looked as if she hadn't moved. She still had a cigarette in her hands and a drink sitting on the bar in front of her. The rest of the bar was empty; the two men had apparently left.
I noticed a surprised and slightly amused expression cross Ms. Cryer's face when I gave my name and mentioned our reservation, but she didn't say anything. The couple that had followed us in did not have a reservation but were shown a table in the non-smoking section along with us. Most of the tables were still empty at this point.
Ms. Cryer informed me that all of the food on the menu was good but that the swordfish, crab, and fillet of sole were especially good. I decided on swordfish.
Before making another attempt to explain the banking debacle I wanted some idea of Ms. Cryer's educational background. My guess was that she had a college degree. I hoped so. It would be even better if it were in the sciences instead of the humanities. Not wanting to seem too intrusive I gingerly broached the subject and learned to my delight that she had been a computer science major at Northwestern.
``That's great,'' I exclaimed, ``so you can follow the details of the computer mix-up at the bank.''
``Yes,'' she replied coldly. ``I know what a hacker is and I understand the world in which they operate.''
So I was a hacker in her eyes. Yuck. Time to start explaining. ``It isn't like that,'' I said.
``Then what were you doing messing around with banking transactions?''
``All I really wanted to do was prove a point,'' I began. ``It is my contention that nobody is making full use of the tools that are readily available for computer security. Sure, everybody worries about hackers and most people are careful to use passwords and stuff like that, but there is much more that can be done. Much more can be done by hackers than merely guessing passwords, and much more can be done by honest computer users to thwart hackers. We've come a long way since movies like War Games. Yet, most people don't recognize that, including people that most definitely should.''
She said nothing so I continued. ``The banking industry is only one example of what I'm talking about. But it also happens to be a very visible and prominent example. I figured if I could illustrate some of the weaknesses in the wholesale banking system, maybe people would wake up. And if I could do it without actually stealing any money, then I could claim the moral high road. I fancy myself as the Ralf Nadar of the information integrity business. Now you might argue with that stance, and I'll concede that what I did was highly illegal, but there you have it --- you won't get any apologies from me over that. But I will apologize yet again for putting you in the hot-seat. That was entirely accidental.''
Our food arrived and I paused to eat. The pause stretched for longer than I had intended, as the food was delicious and I suddenly discovered I was very hungry. Eventually I resumed where I had left off.
``All I wanted to do was double all the transfers between a pair of banks on a particular day. I chose Bendix of St. Louis and First Chicago Trust as the two banks. I could have chosen any two out of hundreds of banks. The choice of those two was entirely arbitrary.''
She had stopped eating. She sat back with one arm folded across her chest while she lightly tugged at her ear with the hand of the other. I took a sip of wine to wet my throat and continued. ``I took physical control of the communications line between Bendix of St. Louis and First Chicago on July 11th. By that I mean that I tapped into the phone system and rerouted all calls between the two banks so that the calls were routed through my phone number. Or, more precisely, through the computer in my apartment --- this was a data line between the two banks. I won't describe how I was able to reroute the calls. Let it suffice to say that is was extremely easy and extremely illegal.
``Anyway, having done this, I could monitor all the data transmissions on my computer. Electronic Funds Transfers --- EFT's for short --- are sent in the clear, meaning that they are not encrypted. They are transmitted using TCP/IP and the payloads are formatted in ASCII.''
``They don't use any encryption at all?'' she asked. ``Its all just ASCII?''
``Right. Anybody can read the messages. Well, anybody that eavesdrops on the phone line. There is no privacy beyond the privacy provided by the basic security of the phone system, which is notoriously bad. Long before there were computer hackers there were phone hackers, and very little has been done in the last three decades to change that. In fact, with the booming business of cellular phones, the situation has become worse.
``But even if the banks don't encrypt the transfers, they do at least protect them from tampering. They use something called message authentication codes, or MAC's for short. Each funds transfer has a MAC appended to it. The MAC is a string of bits that is derived from the content of the message in such a way that it is extremely difficult to compute a MAC without knowledge of a secret key.''
``So a MAC is a form of encryption?'' she asked. Wrinkles formed on her forehead. She had a very pretty face and this expression suited her features well, much like every other expression I'd seen thus far.
``Yes. It is somewhat analogous to a signature,'' I replied, pleased that she was warming up to the conversation. With her background I knew that she would be able to follow the details of the funds transfer protocol; I was anxious to fill her in.
``Or you can think of it as being a lot like a checksum,'' I said, offering an alternative intuitive explanation for a MAC. ``It is like a checksum because it is a function of the entire message and is very sensitive to even small changes in the content of the message. But unlike a regular checksum, which is designed to protect against only accidental errors, a MAC is all but impossible to alter in a way that is consistent with alterations to the message itself.
``EFT MAC's are computed using a very common cryptographic algorithm. The algorithm is called DES, which stands for Digital Encryption Standard. DES can be used to encrypt messages or to compute message authentication codes. The American Bankers Association has opted to use it to compute MAC's.''
She nodded her head and swallowed the large mouthful of bread she had bitten off moments earlier. ``OK,'' she said. ``So you were able to pry and peek at everybody's payments, including mine. But you said something about doubling the amounts on all of those payments. Yet MAC's are supposed to make these messages tamper-proof.''
Teaching had always been an ambition of mine and I was thoroughly enjoying the chance to give a lecture to such a bright and responsive pupil.
``Not quite,'' I replied. ``I spoke of doubling the payments but not doubling the amounts. You're right; I can't alter the amounts because the MAC's guard against altering the content of EFT's. Or, more accurately, if I did alter the amounts, it would be detected because the MAC's wouldn't pass the verification test executed by the receiving bank. But I can send the same EFT twice. Certainly it is no trouble to record all the messages while letting them pass through, and then later send them all again. These transfers were passing over a data line routed through my computer so ---''
``Is that what you did?'' she interrupted. ``You sent out copies of all the EFT's so that every check was cleared twice?''
``Not exactly,'' I answered. ``There is an entire protocol for dealing with communication failures and other errors. Unfortunately the standard doesn't lay out the error handling very clearly. Consequently I have to do my research by introducing errors and observing the responses.''
Between bites I gave Lisa the details of July 11th. Like many other afternoons in the last two months, on July 11th I had intercepted a phone call originating from a bank in St. Louis by the name of Bendix. The call was part of the Electronic Funds Transfer (EFT) system for the US banking infrastructure. I knew this because that is the only reason that Bendix and First Chicago use that particular line. Like many other afternoons, I then proceeded to eavesdrop on the data transmitted over the line. OK, this occasion was a bit different in that I had also inserted some messages into the traffic stream as well. But even that wasn't entirely new; I'd done it before without such strange results.
The funds transfer network is actually a collection of a several smaller networks. The largest and most important of these is the Clearing House Interbank Payments System, or CHIPS for short. As the name suggests, CHIPS is used for inter-bank transactions (otherwise known as wholesale banking). It is a closed network, where all of the member banks are pre-registered and known to each other. CHIPS handles about 182,000 messages a day. That comes out to a weekly load of about 910,000 messages. CHIPS is a world-wide banking network and is used to move an average of $1.2 trillion every business day. A single message can carry a dollar amount of as little as $50 or as much as $2 million.
Retail banking, where consumers can issue payments and check balances, uses an entirely separate network. The wholesale banking network is carefully guarded and consumers are barred from any direct interaction with the system. For wholesale banking, there is CHIPS, the Automated Clearing House (ACH), FedWire, and several smaller networks. ACH is regulated and managed by the Federal Reserve, although it is operated privately. All of these networks operate in roughly the same way.
The use of CHIPS and it bretheren has increased dramatically in recent years. As recently as three years ago the daily load was only $400 billion. Part of the increase is due to the increased popularity of direct deposit and automatic payments. It has become quite common for employees of large companies to have their paychecks deposited into there accounts electronically. More recently, consumers have begun to make greater use of automated payment options. For example, many people have their utility bills paid automatically. Consumers give authorization to banks and utility companies to affect these payments electronically. And, of course, it has long been true that even paper checks are processed at least in part electronically.
My interest in the EFT network stems from professional curiosity. My curiosity can be labeled as ``professional'' because I've been trained in computer security and cryptographic protocols. My interest must be labelled as ``curiosity'' because no bank is paying me at the moment. This leaves me in a position of being on the outside looking in. While the design of the CHIPS network is publicly available for review, lower-level implementation details are not. Consequently I was not privy to some of the error-handling aspects of the system. My admittedly unorthodox method of determining how the banks had opted to implement error-handling is to introduce errors and observe the results. This brought me to the important part of the story, the whole reason I'd been forced to seek out Ms. Cryer in the first place. Thus far she had listened intently with only a few interruptions for clarification.
Next I explained how, after recording the EFT messages originally bound for First Chicago from St. Louis, I sent the recorded messages on to First Chicago. This meant that First Chicago Trust recieved duplicates of all of those EFT's. I kept the connection open after sending my copies so that I would recieve the error messages from First Chicago. It was for the purpose of studying these error messages that I was sending the recorded copies in the first place. Sure enough, error messages began pouring back from First Chicago, complaining that the EFT's were replays of earlier transmissions. The security routines at the recieving bank had detected my attack and they were responding appropriately. Except for the transfers on Lisa Cryer's account! Those replays were not rejected; all others were. Why?
Lisa said that she had no idea. She suggested that perhaps I had corrupted the EFT on her account in some way and therefore it differed from the original and was not a replay.
``If I did corrupt it in any way, then the MAC would not have checked out,'' I said. ``Bear in mind that the entire purpose of a MAC is to detect tampering by a third party. I would have gotten authentication errors.''
At this point the waitress came to the table to refill our water classes. Neither of us said anything until after she had left again. Then Lisa asked, ``what made you decide you could trust me?''
``I had to.''
Puzzled, she asked why.
``It was clear that something had gone dreadfully wrong with the transfers,'' I explained. ``As soon as I saw that a few EFT replays went through I knew something was amiss. At first I thought that maybe you were tampering with the EFT traffic too and that the your EFT was a forgery of some sort.
``I've spent a lot of time studying those EFT's over the last few days,'' I groaned. ``Then, after I saw you in the bank I realized that you were probably an innocent victem in all of this.''
``Because I don't look like a computer scientist?'' she asked indignantly.
``Because you don't look like a hacker.''
``Oh... I'll take that as a complement!'' she smiled sweetly. ``Unlike you, I don't mess around with other people's livelihood for a cheap thrill.''
It seemed best to let that comment pass. Instead I elaborated on my answer to her earlier question. ``Clearly something strange is going on at First Chicago Trust. I can't approach the bank. Nor can I go to the police. The first thing they would do would be to arrest me. Maybe they would ask questions later... and maybe not.
``Really, when you stop and think about it, I had no choice but to approach you,'' I confessed. ``My only two options are to run away from the whole thing and pretend I am completely unaware of any irregularities, or to try to figure out for myself exactly what happened. I choose the latter.''
``You took a chance,'' she said, ``just by showing up in person and identifying yourself to me as the man who has made my life a living hell for the last four days. For that matter, while I'm not going to run to the police immediately, I'm not going to let this drag out forever. If you can't patch things up quickly I'll still go to the police.'' She looked at me pointedly as she said this. She wasn't bluffing; she was issuing a warning.
I looked around as I emptied my wine-glass and refilled both of our glasses. Odd, the place was still nearly empty and yet this should be peak hours. The two other parties that were already seated when we came in were still there. Only one additional table had been filled. The woman at the bar had either found somebody to her liking or she had been waiting for a friend who wasn't particularly punctual. Either way, a man for whom she had been waiting had finally arrived. They were sharing a light dinner now. The remainder of the roughly twenty tables were all empty.
I turned back to my dinner companion. ``We really didn't need that reservation, did we?'' I asked. ``You probably come here often, is it always this empty?''
She let a short pretty laugh escape her lips and set down her glass. ``I'm surprised they even took a reservation for you. Did they give you a funny look when you made it?'' She glanced around the room. ``This is a typical turn-out. And yes, I do come here often. Not a very original line; you can do better than that, can't you?'' She had a glint in her eye and a slight smirk on her face as she leaned her head into her right hand with her elbow on the table and swirled her glass with her left hand.
I wasn't sure what to say next, mainly because I wasn't sure what she meant by that last comment. I hoped she was flirting. Her attitude toward me fluctuated between contempt and acceptance. We had met only hours earlier and already she had yelled at me, made snide remarks, and threatened me with the police. Yet, inbetween these hostile moments we seemed to be getting along quite well... like now for example. To cover my puzzlement I poked at the remains of my fish and tried not to look as awkward as I suddenly felt. Mistake. The moment passed.
``So what do you do now?'' She straightened up as she asked this and smoothed out the napkin in her lap. Her manner became business-like. ``You want my help. OK, what do you need to know? Fire away.''
``Can you think of anything at all that might be unusual about the money transfers that you made this month?''
``You mean my automatic utility payments, right? No, nothing unusual.''
``These utility payments are automatically deducted from you checking account every month?''
She nodded her head in the affirmative. Then she added that she had been paying her bills in that way for close to a year with no troubles up until now.
``But,'' she added, ``when I was there yesterday the guy at the bank claimed I also recieved a payment by automatic deposit, and that it was not from my employer. While the bank won't tell me who the payment is from, I can assure I was not expecting any money transfers from anybody.''
``That must be the windfall that makes the bank suspect you. Did they tell you how much it was for?''
``Nope.''
Then her face suddenly lit up. ``Hey!'' she exclaimed, ``you can probably find out can't you? Did you keep the file of EFT's that you recorded? I would also be curious to know who it is from.''
Indeed I had kept the file. ``Yes I have the file. I want to take a closer look at it tonight. Can you think of any clues I should look for? Say, for example, EFT's to or from a particular person? Also, what are all the payments you made on or around the 11th? That includes paper checks as well as automatic debits. I need to be able to recognize a discrepency between honest activity and illegitemate EFT's.''
``All I can think of is my gas bill and electric bill. I don't know off-hand how much those two payments should be for. Also, I'm not even sure what days the automatic payments are made, so I do not even know if either one of those payments should have been made on the 11th. I can check my bills from last month and at least give you estimates.''
``Do that. And please get back to me with the information,'' I said as I pulled a pen from my pants pocket and scribbled my phone number on a paper napkin. Pushing the napkin over to her, I continued to press gently for details. ``Remember, it isn't just automatic payments that we need to think about; have you written any checks within the last two weeks that might have cleared on the 11th?''
``Well yes, I am sure I have written several checks recently, and any number of them might have gone through that day. Again, I will have to get back to you with details after I have had a chance to look at my checkbook.'' She took an address book out of her handbag and copied the phone number from the napkin to her book.
I wanted to make sure we did not overlook anything. ``While you are thinking about those things,'' I said, ``also try to think of any automated payments you might have recieved legitamately. I'm sure you've already given that quite a bit of thought since the bank has given you ample motivation to do so. Nonetheless...'' I let the suggestion trail off.
``The bank said that they do not care about any paper checks I recieved and cashed, only automatic payments.''
``Good,'' I exclaimed. ``That helps. It means that the suspicious EFT is for an automatic deposit and not part of a check truncation whereby a paper check you deposit is converted into an electronic transfer.
``Did they tell you anything else that might be helpful?'' I asked hopefully, pressing for more clues. ``Anything that might help limit our scope?''
She furrowed her brow and said nothing for quite some time. Her gaze was cast downward at the table. ``Not really. They were being very careful not to say anything more than they had to.''
The fact that the bank was reluctant to discuss the matter only added to my suspicions about the bank's role in this entire matter. I felt that executives at First Chicago Trust were too zealous in their pursuit of Ms. Cryer. In phone conversations with the FBI these bankers claimed that internal security at the bank was iron-clad and that they only hired people of the highest moral character. They would not even listen to suggestions of a possible inside job. Instead, they pointed accusing fingers toward Lisa Cryer, a customer that I had a hard time imagining anybody viewing as a threat. I can understand being careful to view each suspect with objectivity, but how could they be so certain that she had tampered with the EFT's from the outside?
Lisa interrupted my thoughts. ``Do you really think you will be able to unravel this mess? Can you solve the mystery even when the banks can't? You don't have access to the same level of information they do.''
``Well, I do have a formal education in the study of cryptographic protocols. I do consulting work in the area. At the moment I don't have any contracts. The last four months have been a dry spell. Therefore, I am not privy to the details of the internal workings of wholesale banking. I have to work with whatever information is made public --- which is quite a bit --- and whatever other information I can collect by less honorable methods.
``In the beginning I started out by introducing errors in more mundane ways. For example I introduced bad payments into the ACH check clearing system simply by bouncing checks. I would intentionally write a bad check and then monitor the EFT activity to see how it was handled in the EFT protocols.
``I had to stop after the bank began to take exception,'' I added. I couldn't help but chuckle as I recalled the episode where the bank called me in to ask why I kept writing overdrafts on one of my accounts when I had more than adequate funds in my other account to cover the checks.
Lisa slumped back in her chair and rested her chin in her hand, her elbow was perched on the edge of the table. ``Uh, Carl,'' she said, ``why don't you have a normal job like the rest of us? Bouncing checks and hacking phone lines is not computer science.''
Her eyes twinkled with amusement. Such beautiful eyes they were too. She seemed to be enjoying our dinner. We had both long since finished eating but neither one seemed anxious to leave. After catching up on some much needed sleep in the park and filling up on good food and wine, I was feeling reinvigorated. It was a pleasant dinner until Lisa mentioned Psuedo-One as an example of one of the many new Internet companies that are on top of things. My disgust for Psuedo-One would not permit me to let that comment go by uncontested.