Saturday, November 24, 2007
Dreamland's Currency Converter abused on day of bank heist.
I just discovered from talking to a support associate for ACS, after checking on my Dreamland account, that the currency converter for PED to Linden has been shut down on a temporary basis while a security issue is addressed. Someone moved a lot of money through their currency conversion utility. The alleged laundering occurred approximately the same day as the massive SL bank heists. Although DSE was not subject to the same exploits as I've seen at many institutions, it brings to light another problem.
Banks and exchanges with currency conversion utilities, whether it be one game currency to another or game currency to dollars, face many more complications and should be dealt with carefully. If the institutions in question are not properly set up for that use, there is a possibility of exploitation for illegal purposes that could render the institution itself liable. This would have the potential of destroying that institution, so please be careful where you invest. I am sure Dreamland will fix this problem and be back up and running in little time. They're all very professional, and I'm sure this is a problem that was not anticipated. The support associate told me they were currently in talks with Linden Labs and Entropia in an attempt to solve the problem and nail the perps.
Posted by Maelstrom at 7:37 PM | 0 comments | Labels: Market Alerts (Code Red)
Tuesday, November 20, 2007
SL Mythbusters: The negative withdrawal test. Sloppy coding at fault? White hat at work.
I heard part of the reason some banks were hit was sloppy coding. I went around and began to test ATMs to see if they were vulnerable to negative withdrawals. This is just one of the rumors I've heard about how banks have been hacked, so I thought it'd be fun to test with 1 Linden amounts. Here are the results:
1. BCX openly mocks you for not being sane when you try to withdraw -1.
2. ACE does not allow it. Ignores you.
3. SLIB does not allow it. Ignores you.
4. ISE removes the negative and simply takes the absolute value of the amount from your account.
5. DSE states you are using the wrong amount.
6. VSTEX reports that you have insufficient funds.
7. JTF/CAPEX ignores your request.
8. BNTF ignores your request.
9. EDGE ignores your request.
10. Banca Di Italia: Secured as of 1:33 PM est.
11. SL Bank ignores negative withdrawal requests.
12. WSE/One Bank only allows the use of keypad entry for withdrawals and does not allow the use of negative integers.
I intend to continue my testing to other institutions; these are the results to date.
A vulnerability has been confirmed. The name of the bank has not been released, to protect the bank as it works to repair its ATMs.
Currently sitting in Kremer waiting on the Governance team.. yay. Even after all these warnings the past few days, some banks still leave themselves exposed.
Update: 1:09 PM est, 10:09 AM slt: The vulnerable bank has been notified of its exposure. The representative told me they would work on a resolution immediately and that the transactions can be tracked and are reversible if any fraudulent ones have occurred.
Linden Lab just removed the exposed ATM, so I can release the name of the bank now. Banca D Italia's programming was exposed to this exploit. Theoretically, I just saved all of Freedom Italy.
When Banca D Italia loads their new ATM, I will retest it once again to ensure the loophole has been closed and update this blog.
The loophole was repaired; it is now added to the list of secured banks.
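The test above boils down to one input-validation check in the withdrawal handler. The following Python is an added example, not code from this blog or from any of the banks listed: it puts the sloppy pattern (only the upper bound is checked, so a negative amount sails through the comparison and the subtraction credits the account) next to a hardened handler, and runs the same L$-1 probe against both so the outcome can be classified the way the list above classifies each bank. The per-transaction cap and the account structure are assumptions for the example.

```python
"""Added example (not code from the blog or any SL bank): why a negative
withdrawal request must be rejected, and what a correct check looks like."""

from dataclasses import dataclass

# Hypothetical per-transaction cap, assumed for the example (not from the post).
MAX_WITHDRAWAL = 5000


@dataclass
class Account:
    owner: str
    balance: int  # whole L$; in-world balances are integers


def withdraw_unchecked(acct: Account, amount: int) -> str:
    """Vulnerable pattern: only the upper bound is checked.

    A negative amount passes 'amount > balance' and the subtraction then
    *credits* the account: withdrawing -1 adds L$1 to the balance.
    """
    if amount > acct.balance:
        return "insufficient funds"
    acct.balance -= amount
    return f"dispensed {amount}"


def withdraw_checked(acct: Account, amount) -> str:
    """Hardened pattern: validate type, sign, range and balance before
    touching the ledger, and never silently rewrite the request."""
    if isinstance(amount, bool) or not isinstance(amount, int):
        return "invalid amount"      # rejects 1.5, "1e3", True, strings ...
    if amount <= 0:
        return "invalid amount"      # the negative-withdrawal probe lands here
    if amount > MAX_WITHDRAWAL:
        return "over limit"
    if amount > acct.balance:
        return "insufficient funds"
    acct.balance -= amount
    return f"dispensed {amount}"


def probe(handler, start_balance: int = 100, amount: int = -1) -> dict:
    """Run the L$-1 probe against a handler and report what the balance did,
    classified the way the post classifies each bank's response."""
    acct = Account("tester", start_balance)
    reply = handler(acct, amount)
    delta = acct.balance - start_balance
    if delta > 0:
        verdict = "VULNERABLE: negative withdrawal credited the account"
    elif delta == 0:
        verdict = "secure: request ignored or rejected"
    else:
        verdict = "debited: absolute value taken, transaction not as requested"
    return {"reply": reply, "delta": delta, "verdict": verdict}


if __name__ == "__main__":
    for name, handler in (("unchecked", withdraw_unchecked),
                          ("checked", withdraw_checked)):
        print(name, probe(handler))
```

The hardened handler deliberately rejects rather than normalises: the ISE behaviour in the list (taking the absolute value) keeps the balance from growing, but it executes a transaction the customer did not ask for, so a plain rejection is the safer response to any amount that fails validation.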
Posted by Maelstrom at 9:53 AM | 10 comments | Labels: Market Alerts (Code Red), Market Snippet
Monday, November 19, 2007
Multiple SL banks rocked by 3.2 million L$+ heist from atm scripting vulnerability.
I logged on to another bank failure looming on the horizon this morning in Second Life. The problem with the SL financial community is that there is a notable lack of testing of the security of ATMs before they are deployed, and some of the banks tend to find out about their weaknesses after the fact. Well, this appears to be the unfortunate case with LNL. They thought their ATM secure, deployed it, and now they're 3.2 million dollars down the gutter, with an alleged hacker (or hackers) heisting 3.2 million from their systems.
One of these days the banks will learn to keep balances in separate avatars and use monitoring scripts to move money around to prevent abuses. The world of "I can withdraw as much as I want when I want" really needs to go; it's not realistically feasible in this environment and poses a massive security vulnerability.
Of greater concern, Lindsay Druart stated that JTF/CAPEX's ATMs are programmed by the same programmer. However, I wish to note that JTF (the bank) has been around since before this exchange or even LNL existed; I do not believe most of their programming is by the same programmer and highly doubt that the same vulnerabilities exist. It is still a concern, though, since the one Lindsay has claimed did their programming, Unoti Quonset, is also the programmer of the Second Life Capitol Exchange, or SLCAPEX. Unoti has contested the claims that he is the direct programmer of LNL/JTF/SLCAPEX; you can see his statement in the comments and the response of Lindsay Druart.
I think we just need to get a clarification from CAPEX as to who did their main bank and withdrawal programming. This said, it did unnerve me to see Unoti Quonset at the ATM at the same time we were having this conversation. I'm not sure of his role in all of this outside of programming, but it was rather questionable. Perhaps just bad timing... I hope. Unoti, if you're out there, I'd really like to see your response to the claims being made; you more than anyone should know how your programming works. I'd also like someone to tell me how one "hacks" an ATM that operates on text entry commands. Based on my understanding of programming it'd be almost impossible to do, except if the coder left back door commands in the system. Unoti Quonset has since contested these statements, saying he had nothing to do with the coding of either CAPEX or LNL. Given the expanse of the potential banks affected, however, I am still nervous about putting my funds into institutions until I see who will pop and who will not.
LNL was not approved on my watch, but under the reign of Investor Allen, who managed most of the deal personally. Investor Allen began to show a very shady history after the sale of his exchange. There was a lot of verbal sparring over the initial listing conditions, but after AVIX was sold to CAPEX things seemed to calm down under the new management, and Lindsay was even briefly given a management position at the exchange.
I think it's going to be a while before we get the whole story on who or what is exactly at fault. Lindsay says she's in fervent talks with Linden Labs in an attempt to get concierge assistance on the 3.2 million dollar theft. If they do not intervene, it's highly likely LNL will go insolvent. This leaves a big question as to what will happen with the WSE-listed LLL. According to this post by Lindsay, there was no exposure to the bank from her own real-estate company; they only had a fraction of cash on deposit there, to use to purchase some new sims. But having your leadership and finances co-mingled can be a messy affair to try to resolve with investors in the court of public opinion.
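The "separate avatars plus a monitoring script" idea from the paragraph above is a float model: the ATM avatar holds only a small working balance, the bulk sits on a reserve avatar the ATM script cannot touch, and a monitor refills the float under a daily cap and raises an alert when it is being drained faster than normal. The Python below is an added illustration of that design, not code from this blog or from any SL bank; every limit in it (float size, refill trigger, daily cap, alert threshold) and both traffic scenarios are constructed for the example.

```python
"""Added example (not code from the blog or any SL bank): an ATM that holds
only a small float, with a monitor that refills it from a separately held
reserve under a daily cap and flags unusual drains.  All limits are assumed."""

# Assumed limits for the example (not from the post).
ATM_FLOAT = 2000          # L$ the ATM avatar is allowed to hold
REFILL_TRIGGER = 500      # top up when the float drops below this
DAILY_REFILL_CAP = 10000  # the reserve moves at most this much per day
ALERT_AFTER_REFILLS = 3   # flag the ATM if it needs refilling this often


class Reserve:
    """Balance kept on a separate avatar; only the monitor may move it."""

    def __init__(self, balance: int):
        self.balance = balance
        self.moved_today = 0
        self.refills_today = 0
        self.alerts = []

    def refill(self, atm: "Atm") -> int:
        """Top the ATM back up to ATM_FLOAT, never exceeding the daily cap."""
        need = ATM_FLOAT - atm.float
        allowed = min(need, self.balance, DAILY_REFILL_CAP - self.moved_today)
        if allowed <= 0:
            self.alerts.append(f"{atm.name}: refill refused, cap or reserve exhausted")
            return 0
        self.balance -= allowed
        atm.float += allowed
        self.moved_today += allowed
        self.refills_today += 1
        if self.refills_today >= ALERT_AFTER_REFILLS:
            self.alerts.append(f"{atm.name}: refill #{self.refills_today} today, check for abuse")
        return allowed


class Atm:
    """In-world ATM: validates the request and can never pay out more than
    it physically holds, whatever the customer's ledger balance says."""

    def __init__(self, name: str, float_balance: int):
        self.name = name
        self.float = float_balance

    def withdraw(self, amount) -> str:
        # Ledger-side checks (balance, per-transaction cap) still apply;
        # this example only models the float.
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            return "invalid amount"
        if amount > self.float:
            return "try a smaller amount"   # float exhausted; wait for the monitor
        self.float -= amount
        return f"dispensed {amount}"


def run_day(reserve: Reserve, atm: Atm, requests) -> dict:
    """Feed one day's withdrawal requests through the ATM, letting the
    monitor refill it when the float runs low, and summarise the outcome."""
    dispensed = refused = 0
    for amount in requests:
        if atm.withdraw(amount).startswith("dispensed"):
            dispensed += amount
        else:
            refused += 1
        if atm.float < REFILL_TRIGGER:    # the monitoring script's job
            reserve.refill(atm)
    return {"dispensed": dispensed, "refused": refused,
            "reserve_left": reserve.balance, "alerts": list(reserve.alerts)}


def simulate_drain() -> dict:
    """Constructed scenario: someone hammers the ATM with 20 withdrawals of
    L$1900 against a L$500,000 reserve.  The loss is bounded by the float
    plus the daily cap, not by the size of the reserve."""
    return run_day(Reserve(500_000), Atm("atm-1", ATM_FLOAT), [1900] * 20)


def simulate_normal_day() -> dict:
    """Constructed scenario: ordinary traffic that never triggers a refill."""
    return run_day(Reserve(500_000), Atm("atm-1", ATM_FLOAT), [200] * 5)


if __name__ == "__main__":
    print(simulate_normal_day())
    print(simulate_drain())
```

In the drain scenario the ATM pays out L$11,400 before the daily cap stops the refills, the reserve keeps the remaining L$490,000, and the monitor has logged four alerts by then; the same traffic against an ATM that can draw on the whole balance would have emptied it. The point is that the cap converts an unbounded loss into a bounded one that someone is paged about.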
Best of luck dealing with Mr. Linden, Lindsay, you're in my prayers.
Appended note: Someone reminded me that a couple of weeks back LNL briefly halted trading and their ATMs were removed for reworking. According to their announcement history there is a record of ATM and web page difficulties. I'd like to know who was responsible for the most recent update. They also pointed out to me the growing financial struggles of LNL in the history of the firm.
Given the current crisis I cannot morally maintain the link to their website on this blog; it has been removed from the banks section, but you may view it here for research purposes. Do not deposit at this time if an in-world ATM becomes available, until further clarification on these incidents is brought to light.
Did I mention this is the second bank collapse and supposed ATM heist that Lindsay Druart has been tied to? The last such collapse occurred on the World Stock Exchange, under a now non-existent ticker symbol. They took in the customers of that particular event in an attempt to restore what was lost. Supposedly, Lindsay was to be a hero and save those accounts. What now?
Update: Ah, I found a remnant of that old bank through Google. It was the Touchet Group Corporation. I could not find a link back to the actual company symbol. If you note, on the page with the information there, it lists the ticker symbol as (RMV). That's one of WSE's ghost (as in dead) shell (as in rotting husk that no longer exists) companies. It was headed up by the infamous JC Brink. Lindsay got one of their sims from him. And the story was the same for that collapse: rogue agent, broken ATM coding. I smell a pattern, and regardless of who is responsible it needs to be stopped. Diligence is the responsibility of the bank operator.
Did I mention that when the WSE was hacked, that it also lost 3.2 million linden? If this is the same crook they're walking away with $20,000.00 USD.
For more info on this past failure, visit the following links: Fraud Ghost Hits At SL Banking System, Lindsay Druart, CEO LLL's official account of the TGC incident on the WSE, Taran's TGC investigation.
Has anyone ever heard the phrase, "Fool me once shame on you... Fool me twice..." When do we start seeing CEO accountability for transaction security?
How ironic that LLL is in the middle of a secondary offering on the WSE for just a little more than twice the amount that LNL was breached by, or equal to the sum of the supposed thefts against LNL and the WSE combined. What an interesting coincidence. REVISION: Thanks to encouragement in the comment area and the help of Lindsay, I discovered that WSE misleadingly (or alternatively) lists the current outstanding shares of the company instead of the outstanding shares in the issue, which can make the issue seem much larger; the actual issue is around 640k. Needless to say, this greatly relieves me.
Posted by Maelstrom at 9:02 AM | 20 comments | Labels: Market Alerts (Code Red)