Good news! We took the time to transcribe Ali's interview at "De Wereld Draait Door" from February 7, 2018 into English so all bunqers can enjoy!đ
ALI: Ali
HOST: Mattijs van Nieuwkerk (host)
HUIB: (Huib Modderkolk, journalist for âde Volkskrantâ who reported Jelle did DDoS attack for fun)
ANDRE: âTable guestâ, someone who joins the host in an informal capacity, as part of the format of âDe Wereld Draait Doorâ.
HOST: [Weâre] here with Huib Modderkolk and Ali Niknam, founder of modern payment service bunq. Letâs go back two weeks, when first ABN AMRO and later ING, Rabobank and Tax offices were hit hard by DDoS attacks: Systems go offline, users canât log in and can no longer bank online.
<Reel of news clips in which experts and bank directors say itâs Russia or something equally advanced>
HOST: SoâŚno Russians, but just 18 year old Jelle S. from Oosterhout. He got arrested early February, but Huib Modderkolk had his eye on him before that and corresponded with him by email. To the question why he did this, Jelle responded: âBecause itâs funny,â or so we read in de Volkskrant this morning.â¨
HUIB: Yes, that is what he emailed me.â¨
HOST: Letâs start off: Weâre seeing experts, CEOâs of banks, everybody says this is highly advanced, something weâve never seen before, that itâs the Russians, out for payback on the Dutch Secret Service for helping out America. Nothing of the sort. Are we really that clueless, even the people at the top?
HUIB: Well, maybe a little, yes. These attacks are relatively easy to organize. Itâs the equivalent of a bomb scare. You donât need much knowledge/sophistication and it generates a lot of panic/chaos/unrest. What it boils down to is that you send so much traffic to a certain website that this website stops functioning, in this case stops âonline bankingâ.â¨
HOST: That I get, or at least thatâs what I read in the paper this morning. But the point is that those who should be knowledgeable about this, CEOâs of banks, claim itâs the Russians, while itâs just an 18 year old twat in his attic.â¨
ALI: The new worldâŚ
HOST: ButâŚ.did we see the old world talking then? (refers to reel of news clips)
ALI: I saw a lot of young people, but I heard a a lot of old stories, stuff for great crime novels by the way, which is greatâŚbut at bunq unfortunately weâve been having trouble with this for some time. Weâve known who the perpetrator is for several months now. We saw it (refers to news reports of Russia etc.) and thought to ourselves âwell, this is starting to become bigâ, but at that point in time we already knew who we were dealing with.
HOST: Iâll get back to you, AliâŚ.But anyway, itâs just a very young guy. He think heâs being funny. He was a little bored.
HUIB: Thatâs what it is. Itâs a lark of sorts for guys like this. They donât see it (the damage). Itâs not tangible. Itâs not like throwing a âmolotov cocktailâ (âfire bombâ) into a bank. You donât set anything on fire. You donât stab anyone. You just sit behind your computer, order a package and you know that if you push a button a lot of traffic is directed to a website. For a guy like this the impact isnât very apparent, which became clear from the correspondence I had with him. The question we should ask ourselves is; arenât we too vulnerable, digitally? Itâs great that the Netherlands are ahead in the digital field. We were very quick to adapt to online banking. Great, we reap the benefits, but it makes us vulnerable. In these cases the damages are in the millions, so we have to ask ourselves if our defences are in order.
HOST: This young man is detained now. He can go to prison for up to six years.â¨
HUIB: 2 to 4 years is more realistic, I think, which is a lot for something like this.â¨
HOST: How did you find out the identity of this guy?â¨HUIB: I obtained an email address through someone he was supposedly corresponding with. That turned out to be an email address Ali also had already. And I simply sent him a message, figuring it couldnât hurt to just ask. Eight minutes later I got a reply: âBecause I think itâs kinda funny: Everybody points to the Russians, everybody panicsâŚthatâs funny.â
ANDRE: You already knew the guy then? You had already dealt with him?â¨HUIB: No no no. Ali did.â¨
HOST: Iâll get to you, Ali.
â¨HUIB: Itâs a form of attention seeking. It turned out he was posting messages on Tweakers to show âhow serious it wasâ as well as posting on bunqâs forum to talk about itâŚ
HOST: Kinda like an arsonist watching his own fire?
â¨HUIB: Yes, thatâs what you often see indeed, people who watch their own fire.
HOST: Now to you, Ali, to bunq. Letâs go back in time. 3/4 months ago I think, which is when you already caught this guy.
ALI: Thatâs right. We were the first victim of the attacks and went looking for who it was and why and after a while, through various channels, we found out.
HOST: Can you explain that in terms Andre and I can understand?
ALI: Well, put very simply, it boils down to the fact itâs unwise to attack someone and then post on a forum 5 seconds afterward. At a certain point in time we found out and thatâs when he reported himself to us, the day before we wanted to have him arrested actually. He emailed us saying âGuys, Iâm very sorry. I had no idea I had caused so much trouble. Iâd like to come by and sincerely apologize.â Heâs just a kid.â¨
HOST: Just a teenager?
ALI: BarelyâŚ.and he came by and I thought to myself âdo I want to send this person to prison?â I seemed irresponsible to me, so at bunq we told him: âGo do community service for a week. You caused us trouble, but our users have barely noticed anything.â
HOST: What sort of community service?
â¨ALI: He had to help around Amnesty International for a week..and then he would never do it again and all would be well. He had just turned 18 then.
HOST: By the way, the fact you guys didnât experience the problems some of the banks I mentioned earlier did, means you have better security. Does that also relate to the fact that youâre a young guy too and that you have a background in ICT?
ALI: Thanks for calling me young.
<laughter>
ALI: Weâre a true IT company. bunq is there to create a wholly different experience for its users. Weâre just different. In all those [3/4] months we didnât have more than something like 33 minutes of downtime.
HOST: But alright, this boy gets caught and made to promise not to do it againâŚand did he do that week [of community service]?
ALI: He tried. But his schedule wasnât right or something. It didnât happen. It stayed quiet for a while and about four or five weeks later it started again.
HOST: Did you recognize his signature?
ALI: Yes.
â¨HOST: So you immediately knew: there he is again?
â¨ALI: Well, we used the same method of trying to find out who it was. Thatâs when we ended up at the same name. By that time there were a lot of IT people who figured âYou let him go, now this dude is at it again.â There were informers, people who sent us messages with prepaid phones saying âIt is Jelleâ. So when we ended up with that name again, we notified the police. At this point we were just done with it.
HOST: Whatâs the moral of the story? We canât help but think that banks donât know a lot when it comes to these relatively simplistic attacks. You can simply buy the equipment.
ANDRE: So itâs all very unsafe?
â¨HUIB: If you go on Google for a day you can do it too. Itâs very low key. Itâs the easiest form of digital attacks. It took the police 3/4 months to finish the investigation, which goes to show how complicated this is. He (Jelle S.) made some mistakes as well. I think the moral is that technology, for all its merits and beauty, makes us vulnerable and that these things are possible, and with big consequences.
HOST: But is there a group thatâs in the loop: AliâŚand is there a group of old school people that doesnât know enough toâŚ?
HUIB: (interrupts) I find it surprising these attacks have led to such major disruptions with ING and ABN. It could be there are more attackers, but there are no indications of that. It raises the question: If this belongs to the critical infrastructure of the Netherlands, and it does, is there a way for us to test that?
ANDRE: It could happen again tomorrow?â¨
HUIB: It happens every day.
HOST: CEO Kees van Dijkhuizen (ABN AMRO) just this morning still said: âIt could NOT have been an amateur,â and thatâs after having read your piece (in de Volkskrant). So they canât seem to believe that this much damage can be done by a teenager.
HUIB: Last year there was an attack in the Ukraine the effects of which trickled down to Rotterdam Harbor, causing an outage that lasted days. The reason was that the company in question didnât want to pay for improvements to their systems because it was too expensive. That caused the damage. Perhaps companies that donât have their security in order should be reprimanded.
HOST: Thanks for coming.