
We Sat With A Hacker As He Accessed The Bank Accounts Of Everyone In A Coffee Shop

Sitting in a London coffee shop, within the labyrinthine folds of financial mecca Canary Wharf, ShortList has journeyed deep into the belly of the beast.

We are in the presence of an individual that operates in a notorious, sometimes criminal, and often misunderstood subculture. No, not a City trader (though there are 50 besuited bankers sipping macchiatos around us). Instead, a member of the digital community credited with outing 37 million would-be adulterers registered to Ashley Madison, that remotely killed a Jeep’s engine while it travelled at 70mph on a motorway, and that compromised Iran’s secret nuclear facilities by blasting AC/DC’s Thunderstruck out from speakers.

 

ShortList has an audience with a hacker as he stages a live attack to prove how easy it is to observe an unsuspecting stranger online, pillage their personal data, empty their bank account and, just for kicks, load up some viruses. Five minutes in, we’re not sure we like it.

“Uh, this is embarrassing, for whoever it is,” says the man we’ll call Mr X, whose employer is a tech company that, among other things, schools corporations in the art of hacking.

“Someone within Wi-Fi range is accessing porn.”

He gestures a few feet to our right. “They’re on RedTube. They’re probably in that bathroom.”



To clumsily paraphrase a famous anti-piracy ad: you wouldn’t leave your front door open. You wouldn’t leave the keys in the ignition of your car. You wouldn’t write your bank details and passwords on a napkin, photocopy it, and hand out copies to passers-by in the street. So why, in 2015, do so many of us play fast and loose with our safety when connected to the internet?

We’ve all been there: step off a plane in a foreign country, perhaps a train or bus in the middle of nowhere, and in the absence of 4G signal scour for a Wi-Fi network not protected with a password. And lo, while you may have scored a quick dopamine rush by catching up on Instagram, you’d better hope double tapping that moodily-shot avocado on sourdough toast was worth it, as the unsecured network you accessed might have been just that – unsecure – leaving you wide open to a catalogue of attacks.

Whether the rogue Wi-Fi network is named something ambiguous or, in the hope it’ll lure you in, after the shop or restaurant where it’s hosted, these so-called ‘Man In The Middle’ attacks pose as a legitimate web service by inserting a hacker between the victim and the server.

This means any data sent over the network can be monitored and, once in possession of such valuable info, a hacker might sell it to advertisers, steal your identity or even threaten to delete your hard drive for a ransom.

“We’ve moved from just using computers to go on the internet, read news stories and play games,” says X, “to a place where we conduct commerce; buying flights, clothes, food. We do our banking online, talk to friends, even arrange extramarital affairs. Data is now much more valuable – we’re talking potentially life-destroying stuff – so the stakes are much higher.”

Yet these hacks aren’t exactly a closely guarded secret of the digital underworld. Europol warned of the dangers free Wi-Fi hotspots pose last year, months after the European parliament itself was targeted in a Man In The Middle attack, whereas in 2013 the NSA is reported to have used an MITM to impersonate tech giant Google and spy on the public. And still, given the opportunity to log on to a potentially toxic network without knowledge of its safety, if it’s free, users seem happy to roll the dice.

Back in our well-known coffee shop (that will remain unnamed for legal reasons), we have pilfered the Wi-Fi network of a nearby clothes store and set up a hotspot called ‘Free Public Wi-Fi’. Anyone connecting will feed straight into the flashing-blue antenna on our table that, surprisingly, no one seems remotely concerned about, their activities displayed on our laptop. Little do these coffee drinkers know, but not one of them is safe. Not even the individual watching porn in the toilet cubicle nearby. What’s more, all this is – at this stage, at least – entirely legal.

Within minutes, six people log on. One is using an Android phone, browsing their emails. Another is reading the FT. Then, oh look, some poor sod’s just accessed their bank. And, as this bank has an unencrypted homepage, we can inject a ‘key-logger’ – a tool that records every keystroke – to strip out all security before they access the more securely protected login page, or redirect to a new page entirely. In short, this oblivious person is in serious trouble.

“From here we can see what is being sent – passwords, usernames, customer numbers,” says X. “We can then change their request. Maybe they are transferring money to their mum – we can change the account number the money goes to.” 

Fortunately for those in range, Mr X doesn’t break the law. Even when meeting ShortList under the blanket of anonymity, he’s not so foolish as to commit a crime in a national magazine. But while mass security breaches often portray the hacking community as a gang of crooks, X believes the majority of hackers are a force for good.

He claims such people (known as ‘White Hat’ hackers) want to preserve safety, not compromise it.

Granted, two US hackers commandeering a Jeep Cherokee on a highway in July – for a Wired article – might’ve appeared malicious, but the truth behind the hack was far more noble.

“They reported this security vulnerability a year ago, and Jeep didn’t say much. They kept announcing it to Jeep, who responded slowly and ineffectively. Then the Wired article came out and suddenly Jeep recalls millions of cars. It took a sensational video before the company would take it seriously.”

There’s even a hacking conference, Def Con, held annually in a Las Vegas casino. Host to in-depth lectures and a variety of contests (from lock-picking to capture-the-flag hacks), it figures that you’re advised against using the public Wi-Fi.

“You get some serious people there,” claims X. “They’ll barely sleep – by the last day there are people asleep on their laptops.” X should know: this year he was a guest speaker at the four-day summit.

 

Just in case you weren’t already tempted to fling your MacBook off a bridge and embrace a new tech-free Amish lifestyle, the threat of hacking doesn’t cease when you switch off. As our modern world becomes more digitised, where everyday objects such as fridges and light bulbs are synced to cyberspace, hackers are increasingly becoming a threat to your physical safety, too.

“What we’re about to find, with the Internet Of Things,” says Mr X, “is that everything is connected to the internet. Your car, TV, kettle, toaster, doors – that’s potentially scary. [Hacking] a kettle sounds trivial, but if someone can get into your kettle and turn it on when there’s no water in it, they can start an electrical fire in your house.

“There was also a cheesy script in Homeland where a pacemaker gets hacked, remotely killing the vice president. People said it was unrealistic, but someone worked out you could actually do it, from 50m away. So you can kill people.”

While malevolent ‘Black Hat’ hackers do irrefutably exist, in a strange twist of irony, it might be the hackers themselves that represent our best shot at survival.

“One aspect is embracing the hacker community,” says X. “These are the people you want on your side – those who live and breathe this stuff, and want to take systems to their extreme.”

As a fresh Wi-Fi user pops up (checking Twitter), then another (their bank), Mr X smiles.

Written by Sam Rowe, follow him on Twitter: @SamRowe_

