The missing transactions are stored in new files we created on your computer. These data files are encrypted and so are useless to you without the appropriate keywords.
To confirm this, you can restore one account to its proper status by using the DES encryption method to unscramble the file named account1.dat — the keyword is: malden
A different keyword protects account2.dat. We suspect whoever owns this account will be quite irate when they discover you’ve lost their money!
The First Malden Bank is just like every other bank in America. You’ve ruined our country by chasing profits at any cost. You foreclose on people who are working hard to get by, and then drive down the value of everyone else’s homes by dumping those properties on the real estate market. You demand payment with no regard for the people whose lives are crushed when hardships strike.
Now you’re going to find out what it’s like for someone else to control YOUR money for a change.
You will make a public announcement by noon tomorrow that the First Malden Bank is creating a special fund to protect the customers who have been affected by your own greedy policies. Once the announcement is made you will be provided with the keyword for the scrambled account data along with further instructions.
Financial Patriots of America
Rob laid the sheet down and blew out a shocked breath. A tumble of thoughts flew through his mind as he tried to wrap his head around the enormity of what this meant for First Malden. As far as he knew, there had never been a successful cyberattack on a bank, at least none that had gone public. But here he was thrust into the middle of one.
He was the first to break the stony silence.
“This is unbelievable,” he said.
“The operations staff thought it was spam when they first received the email,” Kelleher said, “but they checked it out to be sure. They called me when the files turned out to be on the computer. Since then, Paul has been looking into it.”
“I was able to unscramble the first file,” Dees said. “It contains a savings account number plus three transaction records that show a deposit and a withdrawal at about eight this morning, then a twenty-dollar withdrawal just after lunch time. AMS shows no transactions for this account today. By the way, the two scrambled files were created at five-thirty this afternoon.”
“Just before the six o’clock backup,” Rob said, “so even if we went to the morning backup copy, we’re still missing almost twelve hours worth of data.”
“Exactly,” Dees said. “Seems our friends know what they’re doing. I checked the remote copy of the database as well. The records have been scrambled there too. And if the transaction records I unscrambled are accurate, this account should contain over a thousand dollars. AMS says the balance is nineteen cents.”
Finnamore let out a low whistle.
“Hold it now,” Rob said. “What if AMS is right? Maybe the file is just a decoy and AMS hasn’t been touched.”
“We thought of that,” Dees said, “but even putting a file on our system is a serious security breach. And once I had the data to restore the account, Mr. Dysart agreed to let me phone the customer. His name is Arthur Stevens. I told him we had a minor system hiccup and were phoning a few selected customers to make sure everything had been restored properly. He was suspicious at first about whether I was really with the bank, so I had him call back in. Once I convinced him who I really was, he confirmed that he withdrew twenty dollars using an ATM at one-thirty-eight this afternoon. He had the receipt in his wallet and quoted me the exact time and transaction ID number. I fixed the account manually as soon as I got off the phone. As for the second account, I don’t even know how to figure out which account has been altered, let alone how to fix it.”
“There’s no way to decode the second file?” Dysart said.
Dees shook his head. “There are trillions of possible values for the keyword. Even a computer would take years to try them all. Basically, someone managed to steal today’s records for these accounts. And of course if they can do it for two accounts—”
“Then they might be able to do it to all of the accounts,” Finnamore said.
Rob could barely believe what he was hearing. Could this really be happening? Was he about to have an insider's view as an American bank imploded?
Dees’ somber look matched the others in the room.
“Exactly,” he said.
“So who sent the emails?” Rob asked.
“They came from a UCLA address,” Kelleher said, “someone using the id FinancialPatriots.”
“Can we trace that,” Dysart asked, “find out who’s behind this?”
Kelleher looked at Dees, who said, “Maybe. We’d have to contact the folks at UCLA and ask for their help.”
“Which would mean telling them we have a problem,” Dysart said.
Dees shrugged. “Probably, unless we can think up some other reason why they should tell us about one of their accounts. That type of information is normally confidential.”
“We can’t admit to anyone outside this building we were vulnerable to attack,” Dysart said. “As far as the public is concerned, any issues are strictly technical.”
“Then we’ll have to give it careful thought before we try contacting UCLA,” Kelleher said.
“If we contact them,” Dysart said.
Kelleher nodded in acknowledgment.
“But how did someone hack into our systems?” Rob said. “I would have bet that was close to impossible. Did you check the security logs?”
Dees nodded. “Of course. As far as I can tell, only the system operators have logged on to the account server in the past several weeks. But their accounts don’t have the privileges they’d need to mess with AMS. And according to the firewall logs, no one has hacked in either. I also looked to see if there was any new software on the server. I mean, they’d need some sort of program to create the encrypted files.” Dees spread his hands. “All I found was the stuff that’s supposed to be there.”
“So you don’t know how they did it,” Kelleher said.
“Not yet,” Dees said, “but I’ve only had time to check the obvious things so far. With a little persistence we should be able to figure out what happened.”
“Should be isn’t good enough,” Dysart said. “This problem has to be fixed right away. Any other option is simply not acceptable.” He punctuated the last word with a jab of his finger. “Customer confidence is everything to a bank. The only reason people give us their money is because they know we won’t lose it. What do you think will happen if we have to tell our customers we have no idea how much money they have in their accounts?”
Dysart swept the room with his gaze but this time only Rob met it. All the others were studying the wood grain of the table.
“We’d have lineups out the door at every branch,” Dysart said. “People demanding their money. In cash. Right now. All of it, thank you. No bank can withstand that kind of run.”
He paused to let these words sink in.
“There will be no special fund,” Dysart continued, “or public announcements of any kind for that matter. I’m not letting a bunch of terrorists tell me what to do. Apparently you people built some jerry-rigged system that’s not good enough to keep out the unwashed hordes. Now you damn well need to fix it! I want that second account restored to its proper balance, and I want you to fill in whatever electronic hole these people crawled through so this never happens again. If you can do that, it’s possible — just possible mind you — some of you might keep your jobs. Otherwise, there probably won’t be any jobs left to keep.”