Money-making machine cashes in on currency trades

A money-making machine that exploits rounding errors in currency exchanges in favour of bank customers has been built by a security researcher.

If left to run at its top speed, the device could generate almost 70 euros (£58) a day by carrying out thousands of small transactions.

The device was built to test the security of online banking systems.

However, said experts, banks' anti-fraud systems would probably prevent the machine cashing in.

The device was created by Romanian security researcher Dr Adrian Furtuna, who noticed what happened when certain amounts of Romanian leu were exchanged for euros.

These transactions were rounded up in a customer's favour so they ended up with cash worth slightly more than they started with.

"The trick is that users can choose the amounts that they want to exchange such that the rounding will be always done in their favour," Dr Furtuna told the BBC.

The amounts involved are so small, 0.005 of a euro, that thousands of transactions are needed to generate a significant amount of money.

Dr Furtuna, who works for KPMG Romania as a penetration tester, set out to see if banks' online currency trading systems were vulnerable to large scale exploitation of this rounding error.

The machine was needed because many banks use authentication gadgets to secure online transactions.

These devices typically generate a short sequence of numbers that must be entered alongside other credentials when moving or exchanging money online.

He automated the sequence by building a machine that could press buttons on the security device and read the code it generated as part of the authentication process.

The response rate of the device limited the number of transactions that could be carried out, Dr Furtuna told the BBC. At most, he said, it could carry out 14,400 transactions per day. This means, at most, it could generate about 68 euros per day if left to run unchallenged.

So far the device has been only proven to work in the lab, as the bank that asked Dr Furtuna to test its security did not give him permission to try it against its live online banking system.

Separate research had shown that the online systems of at least five banks in Romania might be vulnerable to the money-machine attack, he said. Other banks in other nations might also be susceptible, he added.

"Banks believe that nobody can do a high number of transactions in a feasible time since each transaction requires to be signed using the [authentication] device," he said. "By building this machine I proved that this assumption is wrong and transactions can be automated with or without an [authenticator]."

Tod Beardsley, a security engineer at Rapid7, said such "salami slicing" attacks were well known, having been depicted in films such as Superman III, Hackers and Office Space.

"Salami slicing attacks are usually illegal, since they usually add up to some kind of bank or tax fraud, or run afoul of anti-money laundering laws," he added.

Many banks avoided falling victim to such attacks by imposing a minimum transaction size that removed the fractional error, said Mr Beardsley.

Penetration tester Charlie Svensson, from security firm Sentor, said banks' anti-fraud mechanisms would probably spot and stop anyone trying to carry out thousands of tiny trades all day, every day.

"I have the feeling that he would not be the first to do this, but banks tend to take notice when money goes missing," he said. "If there's one thing that banks worry about, it's money."