
The Almighty Buck Security

Stealing From Banks One Cent at a Time

JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."
  • First clue (Score:5, Insightful)

    by tsstahl ( 812393 ) on Wednesday May 28, 2008 @11:49AM (#23571461)
    If you have to make up a name or SSN to open the account, then in fact, you are doing something wrong. Color me simple, but that's the way I see it. :\ This is clearly a case where a novel approach to crime is still, well, criminal.
  • Re:Superman 3? (Score:3, Insightful)

    by geoffrobinson ( 109879 ) on Wednesday May 28, 2008 @11:50AM (#23571477) Homepage
    No one has seen Superman 3 for years because it is such a bad movie. So it is kind of like the telephone game.

    Frankly, the only good thing to come out of the movie was the concept of stealing fractions of pennies so no one notices.
  • Re:Superman 3? (Score:5, Insightful)

    by qoncept ( 599709 ) on Wednesday May 28, 2008 @11:51AM (#23571507) Homepage
    Are you serious? Do you think it would be dumb to compare a Dell laptop to an IBM because IBM uses Hitachi drives and a 32x CDROM instead of Seagate and 36x?

    Since you can't figure it out, let me explain what aspects are similar. He was stealing next to nothing lots of times. Like the guy in Superman.
  • No flags raised? (Score:3, Insightful)

    by GBC ( 981160 ) * on Wednesday May 28, 2008 @11:53AM (#23571533)
    The amounts were being deposited into the same few bank accounts. The thing I can't figure out is, given the sheer number of transactions involved, how was this not spotted sooner?

    If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.
  • Re:$50,000? (Score:2, Insightful)

    by xpuppykickerx ( 1290760 ) on Wednesday May 28, 2008 @12:04PM (#23571721)
    I would do absolutely nothing.
  • by plague3106 ( 71849 ) on Wednesday May 28, 2008 @12:12PM (#23571851)
    Well, there's always plain old fraud.
  • C'mon now (Score:2, Insightful)

    by willyhill ( 965620 ) on Wednesday May 28, 2008 @12:12PM (#23571863) Homepage Journal
    You absolutely have to tip your hat at this guy. I'm not sure if I feel bad for the financial institutions "bilked" by him (I'm sure they'll recover the money from insurance) or their CEOs that make millions while the stocks underperform, but I feel bad for him. After all he's just playing the system they set up to begin with.

    It's obvious he knew exactly what he was doing, and he knew it was wrong. But you have to acknowledge the inventiveness and sheer perseverance.

  • by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Wednesday May 28, 2008 @12:15PM (#23571919) Homepage Journal
    Payment systems are considered a form of banking.
  • Re:Well Duh (Score:3, Insightful)

    by mollymoo ( 202721 ) * on Wednesday May 28, 2008 @12:34PM (#23572225) Journal

    As much as the bank looks oddly at a sudden amount of large withdrawals, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account.

    It doesn't strike me as at all inevitable that his bank would notice. Alarms on the automated systems which trigger human intervention would I expect be primarily based on large transactions, not small ones. I suppose there must be a specific trigger for an unusually large number of transactions, or a trigger for a review for accounts operating on the edge of the distribution curve for a variety of parameters. With no trigger no human ever looks - it's all automated. I doubt any human other than me has looked at my bank account in years.

  • by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Wednesday May 28, 2008 @12:46PM (#23572405) Homepage Journal
    Not a bank but still considered a form of Banking.

    Any messing with systems involving financial transactions can get you bank fraud / wire fraud.
  • by patio11 ( 857072 ) on Wednesday May 28, 2008 @12:48PM (#23572437)
    Look at this from Paypal's perspective: you've got millions of people trying to sign up on your system. Statistically speaking, hundreds of thousands of them are not so bright, and will do things like forget they already tried signing up, not see their bank statement and try doing it again, etc. Since the cost of re-authenticating them is less than a buck (mostly for the ACH transfer fees) and the expected lifetime value of the account is still (for Paypal = eBay) anywhere from $10 to several hundred depending on where you got the lead, obviously you want to let them try it again.

    So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.

    So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the banks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.
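The control GBC describes above (flag a bank account that receives more authenticating deposits than a plausible customer would) and the per-customer MAX_VERIFICATION_TRANSFERS cap patio11 weighs are both easy to express as a batch check over the provider's own ledger of outgoing micro-deposits. The following is an added illustration written for this page, not code from PayPal, Google Checkout or any commenter; the ledger rows, column names and both thresholds are constructed assumptions. It keys on the destination bank account rather than the customer record, because that is the one thing every fake-name signup in the story had in common, and it allows a small number of deposits and names per account so that the joint-checking-account case Zcar raises is not flagged.

```python
import csv
import io
from collections import defaultdict

# Constructed sample ledger (not real transaction data). Each row is one
# verification micro-deposit a payment provider sent to the bank account a
# newly registered customer linked. Column names are hypothetical.
SAMPLE_LEDGER = """\
txid,dest_account,amount_cents,customer_name
1,021000021:11112222,7,Alice Smith
2,021000021:11112222,12,Alice Smith
3,021000021:11112222,4,Alan Smith
4,021000021:11112222,9,Alan Smith
5,021000021:33334444,5,Bob Jones
6,021000021:33334444,9,Bobby Jones
7,021000021:33334444,3,Robert Jones
8,021000021:33334444,8,B. Jones
9,021000021:33334444,6,Rob Jones
10,021000021:55556666,4,Carol White
"""

# Assumed thresholds: a joint checking account legitimately backs two
# customers, each of whom receives two deposits, so allow exactly that.
MAX_DEPOSITS_PER_DEST = 4
MAX_NAMES_PER_DEST = 2


def parse_ledger(text):
    """Parse the CSV ledger into dicts, converting the amount to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount_cents"] = int(row["amount_cents"])
        rows.append(row)
    return rows


def summarize_destinations(rows):
    """Aggregate per destination bank account: deposit count, cents, names."""
    summary = defaultdict(
        lambda: {"deposits": 0, "total_cents": 0, "names": set()}
    )
    for row in rows:
        entry = summary[row["dest_account"]]
        entry["deposits"] += 1
        entry["total_cents"] += row["amount_cents"]
        entry["names"].add(row["customer_name"])
    return summary


def flag_destinations(rows, max_deposits=MAX_DEPOSITS_PER_DEST,
                      max_names=MAX_NAMES_PER_DEST):
    """Return {dest_account: [reasons]} for accounts over either limit.

    Two independent signals are checked so that neither a low per-customer
    cap nor a name-matching rule alone has to catch the pattern: too many
    verification deposits landing in one account, and too many distinct
    customer identities pointing at the same account.
    """
    flagged = {}
    for dest, entry in summarize_destinations(rows).items():
        reasons = []
        if entry["deposits"] > max_deposits:
            reasons.append(
                f"{entry['deposits']} verification deposits (limit {max_deposits})"
            )
        if len(entry["names"]) > max_names:
            reasons.append(
                f"{len(entry['names'])} distinct customer names (limit {max_names})"
            )
        if reasons:
            flagged[dest] = reasons
    return flagged


if __name__ == "__main__":
    for dest, reasons in flag_destinations(parse_ledger(SAMPLE_LEDGER)).items():
        print(dest, "->", "; ".join(reasons))
```

Run against the sample, only the account receiving five deposits under five different names is reported; the joint account with two names and four deposits stays below both limits. In production the same aggregation would run over a rolling window and feed a review queue rather than block signups outright, which is the cost trade-off patio11 describes.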
  • by Zcar ( 756484 ) on Wednesday May 28, 2008 @01:00PM (#23572611)
    A married couple with their own PayPal accounts that work against a joint checking account?
  • Re:Superman 3? (Score:3, Insightful)

    by barzok ( 26681 ) on Wednesday May 28, 2008 @01:07PM (#23572697)

    today, of course, most coins are made from metals that are worth very little compared to the value of the coin itself
    Except for the US penny, of course.
  • by MagicBox ( 576175 ) on Wednesday May 28, 2008 @01:12PM (#23572767)
    ...one cent at a time.


    Steal a penny from the Banks - go to jail - Banks steal $10 from you - call it a "service charge".

    We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?
  • Re:Superman 3? (Score:4, Insightful)

    by blackfrancis75 ( 911664 ) on Wednesday May 28, 2008 @02:02PM (#23573619)
    Of course, we have no metrics on how many times it HAS worked because those people aren't in the news, they're in the Bahamas.
  • Re:oh wait.... (Score:5, Insightful)

    by ZERO1ZERO ( 948669 ) on Wednesday May 28, 2008 @02:40PM (#23574191)
    Actually, I'm an idiot.
  • Re:Well, yeah... (Score:1, Insightful)

    by Anonymous Coward on Wednesday May 28, 2008 @03:19PM (#23574711)
    Lying to someone to get their money is the definition of fraud...
  • by adisakp ( 705706 ) on Wednesday May 28, 2008 @05:23PM (#23576745) Journal
    How could he be "Stealing from Banks" when Paypal is not a bank [slashdot.org]. Google Checkout is not a bank either.

    Neither are required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for its members without warning and your recourse towards unfreezing accounts leaves much to be said. I haven't heard horror stories about Google Checkout but they are not a bank either - they are a payment processor for merchants.

    FWIW, there is a new Person-to-Person payment competitor to Paypal that is actually run by a bank and your deposits are FDIC insured. It's called Revolution Money Exchange [tinyurl.com]. It's currently free like Paypal was in the beginning but I'm sure they'll add more fees sooner or later.

    Oh, and if you sign up for Revolution, you get a couple pennies deposited to any accounts you link to it, so don't sign up 50,000 times under a fake name or you'll be stealing from a Bank for real!!!
  • by ckblackm ( 1137057 ) on Wednesday May 28, 2008 @08:51PM (#23579601)
    Pretty cheesy of you to have the link for Revolution Money Exchange as a refer-a-friend link so that you could get a referral bonus.
