Thursday, July 17, 2014

Attack on the Virtual Bum’s Pocket


All the virtual bum’s pockets (VBP) come equipped with an audit scope. The scope is a web page that came as standard equipment in the software development kit. The designers created the scope originally for bankers only to examine the internal activity of a potential or operational partner, but its early implementation had a buggy verification mechanism, and since the scope only displays aggregate data and no instructions could flow down from the port, most VBP operators turned off the “validation required” setting (acting against the advice of Treasury security people).

I pointed my browser to the audit scope page and received the first page of the site that contained all the information I needed for a successful attack. Diagram 23 depicts the landing page of a standard virtual bum’s pocket audit scope.

Diagram 23 VBP Standard Starting Dashboard
It was the perfect size. The Galactic Bank like other astronomical financial institutions seldom validated a deposit in the form of a VBP currency in real time because of the drag on throughput. If they actually attempted to validate the currency and had a delayed response of over a few hundred milliseconds, validation just did not happen. At least I was counting on lax security, especially since I was going to make the deposit at rush hour.

I spent the next few days recording purchases at the bars, restaurants, and grocery stores around town and copied the certificate and inferred the serial numbers for the entire circulation. Once again, these yahoos ignored the warnings of security experts and issued all their currency with sequential security numbers. It felt like taking candy from a baby.

I bought the tool to manufacture a unit of currency and created one in the mid range of the serial numbers. I made it for a few pythons less than the entire circulation amount so it would not attract undue attention. I took the coin to a close (about 50 light years) Galactic branch, beamed it to the change machine, and I am now writing this blog in a Styngyn jail cell. The yahoos did follow one procedure: they pinged their currency every 2 seconds, found my coin (required to respond when pinged), and revoked all their certificates through a dedicated link for the banking network.

Next Blog: Less fiction. 
