This sound more like a feat seen in movies “bank programmer stole millions from ATM using loophole”. But it actually did happen as confirmed by both The South China Morning Post and Daily Economic News. The bank programmer exploited and finds a loophole to withdraw $1 million in cash from his bank ATM. Can this just happen in one night raid? No, no bank ATM can house such a huge amount of money. In fact, the average sized ATM machine can hold as much as $200,000, although only few machines do. But in off hours, most ATM machines contain less than $10,000. This is as a result of withdrawal during the day and a good security measure. For most ATM thefts happen during off hours.
Back to the question “how was he able to withdraw such a huge amount from a machine with limited cash deposit”. Could he possible had stolen the money from several machines and accumulated the sums? No, he actually did find a loophole and exploited his discovery for years.
Qin Qisheng, a 43 years old senior programmer working with Huaxia Bank’s technology development centre in Beijing, China. He discovered a loophole in his bank’s core system. The discovery was that the bank’s system couldn’t properly record withdrawals made from the machine around midnight, due to time and date change from one day to another. This resulted in the machine spitting out cash without deducting the withdraw amount from a user’s account. This system failure normally will log an error report on the bank’s system.
On discovery this as a programmer and his job was to report such abnormalities and system failures. Qisheng instead inserted a scripts (computer program file) into the bank’s system to keep those alert unreported to the system. He afterwards started withdrawing money from the machine around November 2016 to January 2018 with a total of 1,358 withdrawals amounting to over 7 million yuan ($1 million upwards). He was apprehended when the bank later discovered the program script he inserted in the system with traces to him.
Aftermath of his arrest
The bank decided to let go of the charges against him on the condition that he would return the money. They also did ask the police to drop the charges leveled against Qisheng. Their explanation was that Qisheng as a programmer to the bank was merely testing the bank’s system vulnerability and holding onto the cash to be later given back to the bank.
The Chaoyang district court refused the bank’s plea and found him guilty. They didn’t accept the bank’s explanation and Qisheng was charged for theft. For he moved the stolen funds to his personal bank account, instead of the bank’s dummy account and did invest some amount in the stock market. The bank did so, simply to hide its face from publicity scandal since the loophole has already been fixed.
Qisheng was supposed to be the good guy and report any lapses discovered about the system, but he took advantage of it. He is now looking at 10 and half jail sentence after losing his court appeal.