Stealing From Banks One Cent at a Time

JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."

They pay me?

[MaXMC]

No.. when I change my credit card information on PayPal they deduct 15SEK that and then I get them back on my PayPal account (from which they take a percentage?) So it's realy PayPal that steals?

Well, yeah...

[Oxy the moron]

He was arrested not for taking the money, but for using false names in order to get it.

Of course he wasn't arrested for taking the money. Said institutions willingly deposited that money into his account(s), yes? And these institutions did so under the pretense that this was to identify the customer? So the charge makes sense. The guy didn't steal money, it was given to him... a "him" with a fake identity.

Well Duh

[oahazmatt]

Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts.

As much as the bank looks oddly at a sudden amount of large withdrawls, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account. How did he figure he would not get caught?

When his bank contacted him about the thousands of small payments, Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts.

Oh, well that's okay, then.

Man, they'll throw the "Hacker" label on anyone these days, won't they?

Attacker?

[140Mandak262Jamuna]

Since when taking money from chumps is called an attack? Google and Paypal set up the system and they paid out carelessly, why call this ingenious programmer an attacker?

Re:They pay me?

[MaXMC]

Well, the first time I did it, I did indeed agree to it. But the next time I just changed my VISA number and a few days later they had withdrawn 15 SEK.

How many bank accounts did he have?

[__aailob1448]

I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

Can anyone explain this to me? It makes no sense at all.

Silicon Slim

[Anonymous Coward]

Such rumors have been common, though it's rare to see documented evidence.

In the 1980's John Forster wrote "The Ballad of Silicon Slim", a country/western ballad song about a home computing thief. An excerpt:

In the dead of night he'd access each depositor's account
And from each of them he'd siphon off the teeniest amount.
And since no one ever noticed that there'd even been a crime
He stole forty million dollars -- a penny at a time!

Little Janet was only eight but she had her own account
And the seven dollars in it was to her a huge amount.
So the day that penny vanished one unhappy little tot
Screamed, "Hey, what happened to my penny?"
And the teller tried to tell her but could not.

    (Or check the Risks Digest of 3 February 1992)

Re:how did it get that far?

[gmack]

You can set a time limit on the threshold. Assume 32 days in a month $50 000 would be $1562 per day that's $65 worth of micro payments in an hour. That's a lot of transactions to be spread around not very many providers.

They could flag anything over a certain amount per hour or per day and catch the worst of the offenders.

I'm guessing the only reason they haven't done that so far is because it didn't occur to anyone that the system could be gamed that way.

nice for framing someone

[0111 1110]

Instead of transferring it into your own account transfer it into the account of someone you hate. Getting someone's account number is actually not all that difficult. It's on every check they write for instance. Mmmm. The sweet taste of revenge.

Re:Superman 3?

[compro01]

Actually, IIRC, pennies and nickels are currently worth more as metal than as coins. A penny is something like 1.2 cents and a nickel is about 6 cents, at least that was the case in Sept. 2006, which is the most recent mint report I can get at the us mint site.

Re:Well Duh

[HikingStick]

He could have at least come up with a plausible cover story--something about selling his own music online and letting people send him what they thought it was worth.

Re:Superman 3?

[haystor]

that, or the sheer number of transactions was somehow costing his bank money. That would put a real quick stop to it.

Re:Comment from said "hacker"

[Chapter80]

With every ATM deposit, one can key in a slight over-amount, when specifying the deposit. If you are depositing checks for $123.45, you could key in maybe $123.54 (transposing the last two digits).

Most always, the bank sees the foolishness in sending a letter (costing at least 42 cents) to correct a small error. So they apparently just write off the difference, and leave the ATM deposit as reported.

So I get richer, cents at a time.

Kids, don't try this at home.

This may just be the missing statement, right before "4. Profit"

Re:Comment from said "hacker"

[blair1q]

Contrary to your apocryphal belief, banks have entire departments that spend more than the collection is worth to make you balance your account if it is out of balance. This discourages bigger crimes, which would cost them more just on a statistical basis.

You may get away with the "few pennies" mistake once per institution. Three or four times? They'll freeze your funds and demand you clean up your act.

Because here's a secret you should have known: When you give the bank the money, it's not yours any more. It's theirs. You lent it to them, and they owe it to you, but you can't just take it. You are nothing more than a lender, and they are a borrower. You have all the rights of a creditor. Which, you might guess, means you can spend thousands of dollars on legal hassles trying to free up the $123.45 you deposited to steal that 9 cents.