A Romanian security researcher has created a machine that can take advantage of rounding errors to make money at the expense of banks. Yes, that’s a key plot point in Office Space (among other movies), and no, it wouldn’t exactly be as profitable as in the movie.
Adrian Furtuna is a penetration tester for KPMG Romania and was hired by an online bank to try to find ways people could breach its systems. He explored what happens when you transfer money between Internet bank accounts set up in different currencies. He noted that the bank accounts always list amounts to two decimal places, meaning for example to the nearest cent when using the US dollar or Euro and to the nearest hundredth of a Leu when using Romania’s national currency.
However, exchange rates used for currency conversions are more precise, meaning that depending on the amount you convert and the current rate, the amount you receive will be rounded up or down, meaning you gain or lose a tiny amount with each transaction.
Because banks and other currency exchanges usually charge different rates depending on whether you buy or sell currency, any gain would usually be wiped out. However, this isn’t the case when you convert a tiny amount, something that would be socially awkward at a currency exchange, but can work with online banking.
Because the gain is so tiny with each transaction, the key to the technique is being able to make large numbers of transfers between two online accounts in different currencies, effectively making you both the buyer and seller of currencies. That tactic is slowed down by the fact that Internet banking needs to verify each transaction request.
Furtuna explored options such as using software to automate the creation of hundreds of transactions and approve them with a single authentication, or to upload a single file containing multiple payments, something some systems allow as a matter of convenience, for example for a business making payroll.
His most creative solution, however, was a makeshift machine designed for online accounts that use a small keypad device for authentication, with the user having to type in their PIN code and a sequence of numbers provided by the banking site specifically for a transaction, then wait for the device to produce a second sequence of numbers (a response code) and then type it into the site.
The machine Furtuna created was more of a robot than a computer. It uses cameras and robotic arms to read the computer screen, physically type the code into the security keypad, read the keypad display, then type the response code on the computer keypad.
Furtuna found the machine was able to perform the process in six seconds. While it’s nothing a human couldn’t do, the machine could do it continuously without mistakes or needing a break. That meant it could carry out 14,400 transactions a day.
The problem is that even at this pace, the tiny amount of profit made on each transaction means the theoretical maximum daily take would be the equivalent of US$68 a day. Any kind of mass-scale scam would have to involve multiple accounts and multiple machines.
In practice a bank would likely notice somebody carrying out so many transactions. Even if such behavior didn’t break either the terms and conditions of the bank account or the local law, it might well cause unwanted hassles from tax authorities and agencies investigating potential money laundering.
That said, Furtuna recommends banks can take a couple of steps to make the technique worthless, even if they can’t or won’t limit the number of daily transactions. One is to have a minimum amount for each transaction. The other is to impose a tiny fee (such as one cent) for each cross-currency transaction, which would not only make the technique unviable, but would ironically add up to a huge profit for the bank.