We have an interesting discussion internally on this article:
In short: the guy who cost the French bank you all know about 7 billion US$ just used VBScript and Office to do this. Huh, how bad are VBScript and Office then? Well...
It is very obvious that he used the tools he had and the tools that were easy enough to use. He could have used Ruby, too. Or Python, or whatever.
Now once again I have this feeling that because it is a Microsoft tool, the tool was bad. If it had been any other tool, it would have been good (because it is so easy... hey, isn't this a proof of how easy it is??). Oh, well...
Going deeper, this reveals a typical problem of modern times:
Using digital machinery to automate processes opens those processes to automated fraud. This does not mean that purely paper-based processes are immune, but those are slower, and the amount of damage is (at least on average) much smaller than with digitized processes.
From an attacker's point of view, the optimum is wherever you can make use of what machines do better than humans. Without deeper knowledge, I think our French guy used the fact that machines do not get tired and are fast at low-level decisions (simple if-then statements). Or, for example, have a look at the typical eBay bot. Here the fact that communication between machines is faster than between a machine and a human being is used to place the last-second bid. You certainly know the situation where you were the leading bidder in an auction but lost it 5 seconds before the auction closed.
Another good example is "Playing Dirty" in the December 2007 issue of IEEE Spectrum (see http://www.spectrum.ieee.org/dec07/5719). This guy used an array of computers to automate an army of World of Warcraft characters to earn virtual money. They did this by repeating the same thing over and over (preparing and selling cooked chickens). He then sold this virtual money for real money, making a good buck on it. While, as stated in the article, humans (most of the time hired low-cost players in China) are more efficient regarding their earnings, the guy has been very efficient regarding his efforts 😉
Is there a solution out there? Well, maybe in some cases, but not always. As I blogged months ago, you can use a Turing test to check whether there is a human being talking to you. But this might be inappropriate sometimes, or the attacker can simply hire humans to solve just this task. At least it takes the velocity out of the game, but it introduces some frustration for the user.
You can also throttle the process per individual so that it is still fine for humans but takes the advantage away from the machine. Still, as the World of Warcraft guy shows, this can be tricked.
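The per-individual throttle mentioned above is usually implemented as a token bucket keyed on the actor's identity: every account (or session) gets a small allowance that refills at a fixed rate, so a human clicking every couple of seconds never notices it, while a script firing many times per second is starved after its first burst. The following is an added example written for this post, not code from the original article or from any of the systems it mentions; the account ids, the refill rate and the two request timelines are constructed for illustration.

```python
"""Per-identity token-bucket throttle (added example, not from the original post).

Assumptions: each request carries an identity key (account or session id), and
timestamps are seconds as floats. The sample timelines below are constructed:
a human acting roughly every 2 s, and a script firing 8 times per second.
"""
from typing import Dict, List, Tuple


class Bucket:
    """Token bucket state for one identity."""

    def __init__(self, capacity: float, tokens: float, last: float) -> None:
        self.capacity = capacity
        self.tokens = tokens
        self.last = last


class PerIdentityThrottle:
    """Allows at most `capacity` requests in a burst, then `refill_per_sec` per second,
    tracked separately for each identity so one abusive actor cannot slow down others."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, Bucket] = {}

    def allow(self, identity: str, now: float) -> bool:
        bucket = self._buckets.get(identity)
        if bucket is None:
            # First contact: start with a full bucket so a burst of normal use passes.
            bucket = Bucket(self.capacity, self.capacity, now)
            self._buckets[identity] = bucket
        # Refill proportionally to the time elapsed since the last request, capped.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False  # bucket empty: the request is rejected (or could be delayed)


def simulate(throttle: PerIdentityThrottle, identity: str,
             timestamps: List[float]) -> Tuple[int, int]:
    """Replay a request timeline and return (allowed, denied) counts."""
    allowed = sum(1 for t in timestamps if throttle.allow(identity, t))
    return allowed, len(timestamps) - allowed


def demo() -> Dict[str, Tuple[int, int]]:
    throttle = PerIdentityThrottle(capacity=5, refill_per_sec=1.0)
    # Constructed: a human clicking every 2 seconds for a minute (30 requests).
    human = [2.0 * i for i in range(30)]
    # Constructed: a script firing 8 times per second for 5 seconds (40 requests).
    script = [0.125 * i for i in range(40)]
    return {
        "human": simulate(throttle, "account-a", human),   # (30, 0): never throttled
        "script": simulate(throttle, "account-b", script),  # (9, 31): burst, then starved
    }


if __name__ == "__main__":
    for actor, (ok, denied) in demo().items():
        print(f"{actor}: {ok} allowed, {denied} denied")
```

The limit only works as a per-individual throttle if the identity key is something the attacker cannot mint for free; an army of accounts (the World of Warcraft approach) each gets its own bucket, which is exactly the loophole the post points out.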
Maybe the best thing is to be aware of it and to ask yourself, before you open up a process to automation, what a machine could do with it.