Tech Time Warp: 1994 Citibank Heist Yet Another Reminder to Keep Credentials Secure

Tech Time Warp

Tech Time WarpThe bank heists of Hollywood are glamorous: all-black clothes, darting around lasers, and — in modern cinema — genius hackers with incredible programming skills. But one of the first major digital heists of history, which took place 32 years ago this summer, relied on the most basic of tool: stolen credentials.

The $10 million login

In July 1994, corporate customers of Citibank began reporting unauthorized transfers of funds to overseas bank accounts using the bank’s computer cash management system — a new feature in a banking industry just beginning to embrace the digital realm. Attackers used credentials available to bank employees to complete the transfers.. From June through October 1994, 40 unauthorized transactions totaling more than $10 million in funds took place.

The FBI got involved. In August 1994, attackers transferred approximately $522,000 to Bank of America accounts owned by Russian couple Yevgeny and Yekaterina Korolkova. Authorities arrested Yekaterina Korolkova in San Francisco after she opened checking accounts at five banks. When the FBI arrested her on  August 26, she had a one-way airplane ticket to Russia.

The weakest link

She persuaded her husband to return to the United States and cooperate with authorities. This led the FBI to the individual at the center of the heist: Vladimir Levin. Levin was eventually lured to London and extradited to the United States. Levin had acquired network addresses for Citibank computers from a 1993 hacker magazine and eventually found his way in via a computer where the user hadn’t logged out — and had stored system credentials in plain text.

Did you enjoy this installation of SmarterMSP’s Tech Time Warp? Check out others here.

Photo: Bumble Dee / Shutterstock

This post originally appeared on Smarter MSP.