When Muneeb Akhter first graduated from George Mason University at age 19 with a Master’s degree in computer engineering, behind bars was probably the last place he thought he would end up.
The achievement, which puts him at the top of his field as one of the youngest to ever graduate with such honors, earned him and his brother national attention when they were featured by the Washington Post in a story covering their accelerated educational exploits.
The dreams of what that academic achievement might bring him were quickly dashed however, after the white-hat hacker was caught scheming prepaid debit card providers out of thousands of dollars when he discovered an unpatched part of the process that allowed him to game the system and get hundreds of dollars in gifted cash all for the low cost of free-99.
“My mission is just to see where the loopholes are, where to expose them and probably develop solutions to counter them,” Akhter explained just a day after agents searched his grandmother’s home with a federal warrant for his arrest in tow.
After the raid, the department of Homeland Security offered an official explanation behind Akhter’s investigation, detailing the exact methods he used to trick the card companies into loading up his accounts with fake cash.
“A sworn signed statement was obtained from the subject, Muneeb Akhter. In the signed sworn statement, subject admitted to creating computer codes on his personal notebook computer to gain unlawful access to multiple e-commerce sites, including Shell Gas, Whole Foods, K-Mark, Starbucks and Dunkin Donuts. Akhter has used his codes to trick the e-commerce systems into adding funds to gifts cards he has possession of without actually expending any money to do so. He admitted to using his program to add funds to other individuals’ gift cards without the need to actually expend funds.”
Akhter claims he is innocent, and was only using the hole to his advantage as a proof-of-concept, one he was supposedly going to reveal to the companies who were affected by the unpatched portion of code once he had gathered a significant enough amount of data about the problem to give them a reasonable path for a solution.
His fatal flaw, however, was hubris. Unable to contain his excitement over getting so much moolah for nothing, Akhter bragged to a co-worker about the scheme, who then informed his boss, and eventually, Homeland Security.
“I told my co-worker I used to own my own company and we were doing attacks against smart cards, gift cards and those things,” Akhter said. “I had a few gift cards with me and I showed him the gift cards and said ‘I know how to reload them for free.'”
Among the entities affected by the bug, Akhter was able to scam retailers K-Mart and Sears out of around $500 each, organic grocery store Whole Foods for another $300, and Starbucks for at least $100, according to the facts of the story currently being told in his honor.
Luckily, Akhter has both the personal and the professional cred to back up his actions, and as of this writing, still has not been charged with any crime.
He says he believes he should make it out of the ordeal with little more than a slap on the wrist, and could potentially even be recruited by his prosecutors for work in their financial crimes division in the future.