Blog entry by Les Bell

by Les Bell - Monday, 25 September 2023, 9:08 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


$A10 million Turns Up Unexpectedly - What Would You Do?

When $A10.47 million was suddenly deposited into her account by a cryptocurrency exchange, the answer was obvious to a hard-working immigrant - invest in real estate, vehicles, art and furniture. After years of hard work, life was good - until the mistake was realized, her bank set out to recover the funds, and she was arrested attempting to flee the country.

The case, which has implications for the operation of systems to process failed transactions, started when the partner of a Malaysian immigrant to Australia, Thevamanogari Manivel, tried to open an account with crypto exchange Crypto.com, making an initial transfer of funds from Manivel's bank account. The exchange rejected the payment, however, because the name on the bank account did not match the name on the crypto account. So far, so good.

But a Bulgaria-based worker who processed the refund did so by directly entering the data into an Excel spreadsheet - and entered the account number into the refund amount column. Instead of refunding $A100, the bank transferred over $A10 million into Manivel's account. When her partner discovered this the following day, he told her to transfer the funds into a joint account at a different bank, telling her he had won a competition run by Crypto.com.

It was over a year later that Crypto.com detected the error and tried to recover the funds from the bank, but when the bank contacted her, Manivel assumed this was likely a scam - and on calling the bank, was told that it probably was. To safeguard the remaining money, she and her partner transferred the remaining $A4 million to Malaysia. She was arrested while attempting to board a flight to Malaysia in March 2022, after which she spent 209 days in custody.

Prior to the windfall, Manivel had been a struggling immigrant, taking low-paid jobs while studying aged care and pathology at night school and saving enough money to bring her children to Australia. On pleading guilty to a charge of recklessly dealing with the proceeds of crime, she was sentenced to an 18-month community corrections order with six months' intensive compliance and unpaid community work, in addition to time already spent in custody. The sentencing judge remarked that the money had been recovered and no sinister intent was proven - up to the point where her bank had informed her of the error.

Manivel seems to have returned to the straight and narrow and is now studying for a B.Sc., but her visa could be rescinded. Her partner, Jatinder Singh, was charged with theft and will face a plea hearing on 23 October.

All this started with a simple data entry error in a spreadsheet; such manual processes are sometimes used to deal with unusual transaction problems, but this illustrates the need for appropriate safeguards such as separate review to meet segregation of duties requirements, and the implementation of input validation - something easily implemented, even in spreadsheets. Crypto.com says that it has updated its refund and withdrawal systems after this incident.
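
As an illustration of the safeguards mentioned above, here is an added example (not Crypto.com's code and not from the linked article) of a pre-release check on manually entered refund rows. The field names, the review threshold and all sample values are assumptions constructed for the example.

```python
from decimal import Decimal, InvalidOperation

REVIEW_THRESHOLD = Decimal("1000.00")  # assumed policy value, not from the article

def validate_refund(row, payments):
    """Return the reasons to hold a refund row; an empty list means release it."""
    try:
        amount = Decimal(row["refund_amount"])
    except InvalidOperation:
        return ["refund amount is not a number"]
    if not amount.is_finite() or amount <= 0:
        return ["refund amount must be a positive, finite value"]
    problems = []
    paid = payments.get(row["payment_id"])
    if paid is None:
        problems.append("no matching original payment")
    elif amount > paid:
        problems.append(f"refund {amount} exceeds original payment {paid}")
    # Failure mode from the story: an account number keyed into the amount column.
    account_digits = "".join(c for c in row["account_number"] if c.isdigit())
    if str(int(amount)) == account_digits.lstrip("0"):
        problems.append("refund amount equals the account number")
    # Segregation of duties: large refunds need a second, different person.
    if amount > REVIEW_THRESHOLD:
        if not row["approved_by"]:
            problems.append("above review threshold with no approver")
        elif row["approved_by"] == row["entered_by"]:
            problems.append("approver must differ from the person who entered the refund")
    return problems

# Constructed sample data (hypothetical IDs, account numbers and staff names).
PAYMENTS = {"P-1001": Decimal("100.00"), "P-1002": Decimal("2500.00")}
ROWS = [
    {"payment_id": "P-1001", "account_number": "10474143", "refund_amount": "100.00",
     "entered_by": "clerk_a", "approved_by": ""},
    {"payment_id": "P-1001", "account_number": "10474143", "refund_amount": "10474143",
     "entered_by": "clerk_a", "approved_by": ""},
    {"payment_id": "P-1002", "account_number": "20011223", "refund_amount": "2500.00",
     "entered_by": "clerk_a", "approved_by": "clerk_a"},
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["payment_id"], row["refund_amount"],
              validate_refund(row, PAYMENTS) or "release")
```

The second sample row reproduces the column mix-up and is held for three independent reasons, any one of which would have stopped the transfer.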

Taylor, Josh, A crypto firm sent a disability worker $10m by mistake. Months later she was arrested at an Australian airport, The Guardian, 24 September 2023. Available online at https://www.theguardian.com/australia-news/2023/sep/24/a-crypto-firm-sent-a-disability-worker-10m-by-mistake-months-later-she-was-arrested-at-an-australian-airport.



Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
