Stealing From Banks One Cent at a Time
JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."
Re:Superman 3? (Score:3, Insightful)
Frankly, the only good thing to come out of the movie was the concept of stealing fractions of pennies so no one notices.
Re:Superman 3? (Score:5, Insightful)
Since you can't figure it out, let me explain what aspects are similar. He was stealing next to nothing lots of times. Like the guy in Superman.
No flags raised? (Score:3, Insightful)
If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.
C'mon now (Score:2, Insightful)
It's obvious he knew exactly what he was doing, and he knew it was wrong. But you have to acknowledge the inventiveness and sheer perseverance.
Re:Well Duh (Score:3, Insightful)
It doesn't strike me as at all inevitable that his bank would notice. Alarms on the automated systems which trigger human intervention would I expect be primarily based on large transactions, not small ones. I suppose there must be a specific trigger for an unusually large number of transactions, or a trigger for a review for accounts operating on the edge of the distribution curve for a variety of parameters. With no trigger no human ever looks - it's all automated. I doubt any human other than me has looked at my bank account in years.
Re:What were the crimes again? (Score:3, Insightful)
Any messing with systems involving financial transactions can get you bank fraud / wire fraud.
Deny after 1 transfer causes problems (Score:5, Insightful)
So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.
So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the banks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.
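As an added example (not code from this thread, from PayPal, or from any bank), here is the kind of detection the "No flags raised?" and "Well Duh" posts above are asking for, and the MAX_VERIFICATION_TRANSFERS line this post debates: a script that scans a ledger of outbound verification micro-deposits and flags any destination bank account that receives more of them inside a sliding time window than the policy allows. The ledger format, the 30-day window, the limit of 3, the account numbers and every record are constructed for illustration; a real processor would feed this from its own transaction store and route the flagged accounts to a review queue.

```python
"""
Added example, not from the Slashdot thread or any payment processor.
Flags destination accounts that receive an unusual number of verification
micro-deposits, the pattern described in the story above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; the thread argues about 2 vs 3 vs 20.
MAX_VERIFICATION_TRANSFERS = 3
WINDOW = timedelta(days=30)

# Constructed ledger: timestamp, kind, destination account, amount in cents.
# ACCT-1001 is a normal customer, ACCT-2002 is the abuse pattern (many
# verification deposits in seconds), ACCT-3003 re-verifies occasionally.
SAMPLE_LEDGER = """
# timestamp,kind,destination_account,amount_cents (constructed)
2008-05-01T09:00:00,verify,ACCT-1001,7
2008-05-01T09:00:05,verify,ACCT-1001,23
2008-05-02T10:00:00,purchase,ACCT-1001,4999
2008-05-03T08:00:00,verify,ACCT-2002,12
2008-05-03T08:00:01,verify,ACCT-2002,31
2008-05-03T08:00:02,verify,ACCT-2002,9
2008-05-03T08:00:03,verify,ACCT-2002,44
2008-05-03T08:00:04,verify,ACCT-2002,18
2008-01-10T12:00:00,verify,ACCT-3003,5
2008-02-20T12:00:00,verify,ACCT-3003,8
2008-04-01T12:00:00,verify,ACCT-3003,15
2008-05-15T12:00:00,verify,ACCT-3003,3
"""


def parse_ledger(lines):
    """Parse CSV-ish ledger lines into (timestamp, kind, dest, cents) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, dest, amount = [f.strip() for f in line.split(",")]
        records.append((datetime.fromisoformat(ts), kind, dest, int(amount)))
    return records


def flag_accounts(records, limit=MAX_VERIFICATION_TRANSFERS, window=WINDOW):
    """Return {dest: (verify_count, total_cents)} for every destination
    account that received more than `limit` verification deposits inside
    any `window`-long span. Non-verification transfers are ignored."""
    by_dest = defaultdict(list)
    for ts, kind, dest, cents in records:
        if kind == "verify":
            by_dest[dest].append((ts, cents))

    flagged = {}
    for dest, events in by_dest.items():
        events.sort()  # by timestamp
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[dest] = (len(events), sum(c for _, c in events))
                break
    return flagged


def run_sample(limit=MAX_VERIFICATION_TRANSFERS):
    """Run the check over the constructed ledger with the given limit."""
    return flag_accounts(parse_ledger(SAMPLE_LEDGER.splitlines()), limit=limit)


if __name__ == "__main__":
    for dest, (count, cents) in sorted(run_sample().items()):
        print(f"REVIEW {dest}: {count} verification deposits, {cents} cents total")
```

With the default limit only ACCT-2002 is flagged; ACCT-3003 also received four deposits, but spread over months, which is why the check counts per window rather than over all time. Dropping the limit to 1 would also catch the ordinary two-deposit customer, which is the support-cost trade-off the post above is making.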
How about: Banks - Stealing from clients.... (Score:4, Insightful)
Steal a penny from the Banks - go to jail - Banks steals $10 from you - calls it a "service charge".
We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?
Paypal is not a bank (Score:3, Insightful)
Neither are required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for its members without warning and your recourse towards unfreezing accounts leaves much to be said. I haven't heard horror stories about Google Checkout but they are not a bank either - they are a payment processor for merchants.
FWIW, there is a new Person-to-Person payment competitor to Paypal that is actually run by a bank and your deposits are FDIC insured. It's called Revolution Money Exchange [tinyurl.com]. It's currently free like Paypal was in the beginning but I'm sure they'll add more fees sooner or later.
Oh, and if you sign up for Revolution, you get a couple pennies deposited to any accounts you link to it, so don't sign up 50,000 times under a fake name or you'll be stealing from a Bank for real!!!