
Stealing From Banks One Cent at a Time

Posted by CmdrTaco
from the not-like-atm-fees-steal-from-you dept.
JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."
  • by Digital Vomit (891734) on Wednesday May 28, 2008 @11:45AM (#23571371) Homepage Journal

    When reached for comment, the "hacker" had this to say:

    "I don't want to go to jail because there are robbers and rapers and rapers who rape robbers. "
    • by s.bots (1099921) on Wednesday May 28, 2008 @11:59AM (#23571633)
      Looks like someone could be doin' time in a "Federal 'pound-me-in-the-ass' Prison"...

      Hey Mike! Watch out for your cornhole buddy!
    • by Ibiwan (763664) on Wednesday May 28, 2008 @01:06PM (#23572691) Journal
      " And I, I walked over to the, to the bench there, and there is, Group W's where they put you if you may not be moral enough to join the army after committing your special crime, and there was all kinds of mean nasty ugly looking people on the bench there. Mother rapers. Father stabbers. Father rapers! Father rapers sitting right there on the bench next to me! And they was mean and nasty and ugly and horrible crime-type guys sitting on the bench next to me. And the meanest, ugliest, nastiest one, the meanest father raper of them all, was coming over to me and he was mean 'n' ugly 'n' nasty 'n' horrible and all kind of things and he sat down next to me and said, "Kid, whad'ya get?" I said, "I didn't get nothing, I had to pay $50 and pick up the garbage." He said, "What were you arrested for, kid?" And I said, "Littering." And they all moved away from me on the bench there, and the hairy eyeball and all kinds of mean nasty things, till I said, "And creating a nuisance." And they all came back, shook my hand, and we had a great time on the bench, talkin about crime, mother stabbing, father raping, all kinds of groovy things that we was talking about on the bench. "
    • by Chapter80 (926879) on Wednesday May 28, 2008 @03:08PM (#23574565)
      With every ATM deposit, one can key in a slight over-amount, when specifying the deposit. If you are depositing checks for $123.45, you could key in maybe $123.54 (transposing the last two digits).

      Most always, the bank sees the foolishness in sending a letter (costing at least 42 cents) to correct a small error. So they apparently just write off the difference, and leave the ATM deposit as reported.

      So I get richer, cents at a time.

      Kids, don't try this at home.

      This may just be the missing statement, right before "4. Profit"

      • by blair1q (305137) on Wednesday May 28, 2008 @07:36PM (#23578697) Journal
        Contrary to your apocryphal belief, banks have entire departments that spend more than the collection is worth to make you balance your account if it is out of balance. This discourages bigger crimes, which would cost them more just on a statistical basis.

        You may get away with the "few pennies" mistake once per institution. Three or four times? They'll freeze your funds and demand you clean up your act.

        Because here's a secret you should have known: When you give the bank the money, it's not yours any more. It's theirs. You lent it to them, and they owe it to you, but you can't just take it. You are nothing more than a lender, and they are a borrower. You have all the rights of a creditor. Which, you might guess, means you can spend thousands of dollars on legal hassles trying to free up the $123.45 you deposited to steal that 9 cents.
    • by adisakp (705706)
      How could he be "Stealing from Banks" when Paypal is not a bank [slashdot.org]. Google Checkout is not a bank either.

      Neither are required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for its members without warning, and your recourse towards unfreezing accounts leaves much to be said. I haven't heard horror stories about Google Checkout, but they are not a bank either - they are a payment processor for merchants.

      FWIW, there is a new Person-to-Person paym
  • by jchillerup (1140775) on Wednesday May 28, 2008 @11:47AM (#23571403)
    What the fuck does that mean?!
    • by ReverendLoki (663861) on Wednesday May 28, 2008 @12:17PM (#23571943)

      Peter: "That virus you're always talking about, right? The one that could, uh, rip off the company for a bunch of money."
      Michael: "Yeah, what about it?"
      Peter: "Well, how does it work?"
      Michael: "It's pretty brilliant. What it does is, every time there's a bank transaction where interest is computed, you know, thousands a day, the computer ends up with these fractions of a cent, which it usually rounds off. What this does is, it takes those little remainders and puts it into an account."
      Peter: "This sounds familiar."
      Michael: "Yeah, they did it in Superman III."
      Peter: "Right."
      Michael: "Yeah. Underrated movie, actually. And then there were a bunch of hackers, did it in the '70s as well. One of them got busted."
      Peter: "Well, so they check for this now."
      Michael: "No, here's the thing. Initech's so backed up with all the software we're updating for the year 2000, they'd never notice."
      Peter: "You're right. And even if they wanted to, they couldn't check all that code."
      Michael: "Thumbs up their asses. Thumbs up their asses."

  • Superman 3? (Score:5, Informative)

    by jandrese (485) <kensama@vt.edu> on Wednesday May 28, 2008 @11:47AM (#23571413) Homepage Journal
    How is this like Superman 3? I thought the point in that movie was to shave off the remainders in interest calculations. This is just a simple case of seeing someone transfer a few cents to your account when you open it and trying to abuse the system. The problem of course is that it's extremely obvious and you'll get caught, just like this guy did.
  • I have used similar services in the past. They always remove the money after the transaction. How did this guy prevent that from happening?
    • Re: (Score:3, Informative)

      by jandrese (485)
      I know Paypal lets you keep the money, I'm guessing the guy chose it and similar services.
    • Re:How did he do it? (Score:5, Informative)

      by Mark J Tilford (186) on Wednesday May 28, 2008 @11:51AM (#23571491)
      By closing the accounts before Paypal / Google Checkout could remove the money.
    • by Kamineko (851857)
      Paypal don't. You keep the tiny bit of money they give you.
  • You know... (Score:3, Funny)

    by scubamage (727538) on Wednesday May 28, 2008 @11:48AM (#23571427)
    I had this very idea a few days ago when paypal put two 40 cent payments in my checking account. Thank god I didn't go with it, eh?
  • They pay me? (Score:2, Interesting)

    by MaXMC (138127)
    No.. when I change my credit card information on PayPal they deduct 15 SEK and then I get them back on my PayPal account (from which they take a percentage?) So it's really PayPal that steals?
    • by dintech (998802)
      It's not stealing if you agree to it first. It's just being a bastard. Also, this is not similar to mugging, before you suggest that. :P
      • Re: (Score:2, Interesting)

        by MaXMC (138127)
        Well, the first time I did it, I did indeed agree to it. But the next time I just changed my VISA number and a few days later they had withdrawn 15 SEK.
  • by nurightshu (517038) * <rightshu@cox.net> on Wednesday May 28, 2008 @11:49AM (#23571447) Homepage Journal
    As far as I can tell, the article doesn't actually mention that Largent managed to rip off PayPal, only that PayPal, Google Checkout, et al. use the small deposit method for verification. Seriously, reading for comprehension isn't hard, people. Hell, it even mentions the scope right in the lede.
  • Well, yeah... (Score:5, Interesting)

    by Oxy the moron (770724) on Wednesday May 28, 2008 @11:49AM (#23571451)

    He was arrested not for taking the money, but for using false names in order to get it.

    Of course he wasn't arrested for taking the money. Said institutions willingly deposited that money into his account(s), yes? And these institutions did so under the pretense that this was to identify the customer? So the charge makes sense. The guy didn't steal money, it was given to him... a "him" with a fake identity.

  • First clue (Score:5, Insightful)

    by tsstahl (812393) on Wednesday May 28, 2008 @11:49AM (#23571461)
    If you have to make up a name or SSN to open the account, then in fact, you are doing something wrong. Color me simple, but that's the way I see it. :\ This is clearly a case where a novel approach to crime is still, well, criminal.
  • Well Duh (Score:5, Interesting)

    by oahazmatt (868057) on Wednesday May 28, 2008 @11:50AM (#23571463) Journal

    Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts.
    As much as the bank looks oddly at a sudden amount of large withdrawals, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account. How did he figure he would not get caught?

    When his bank contacted him about the thousands of small payments, Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts.
    Oh, well that's okay, then.

    Man, they'll throw the "Hacker" label on anyone these days, won't they?
    • Re: (Score:3, Insightful)

      by mollymoo (202721) *

      As much as the bank looks oddly at a sudden amount of large withdrawals, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account.

      It doesn't strike me as at all inevitable that his bank would notice. Alarms on the automated systems which trigger human intervention would I expect be primarily based on large transactions, not small ones. I suppose there must be a specific trigger for an unusually large number of transactions, or a trigger for a re

    • Re: (Score:3, Interesting)

      by HikingStick (878216)
      He could have at least come up with a plausible cover story--something about selling his own music online and letting people send him what they thought it was worth.
  • by cortesoft (1150075) on Wednesday May 28, 2008 @11:50AM (#23571483)
    Damn it feels good to be a gangsta.
  • Relax (Score:3, Funny)

    by boristdog (133725) on Wednesday May 28, 2008 @11:50AM (#23571485)
    The most you'll do is a few years in one of those "country club" prisons, right?
  • by Guppy06 (410832) on Wednesday May 28, 2008 @11:51AM (#23571497)
    Wire fraud? Bank fraud? Don't you need to have done these actions against actual banks for these kinds of charges to get levied?
    • Re: (Score:3, Insightful)

      by plague3106 (71849)
      Well, there's always plain old fraud.
    • Re: (Score:3, Insightful)

      by gmack (197796)
      Payment systems are considered a form of banking.
      • Re: (Score:3, Informative)

        by willyhill (965620)
        No, they're not. That's why PayPal can get away with the shit they do. It's a common misconception that most people fall into, that because PayPal handles money, they must be a bank and subject to the same set of regulations you trust to put the stops on your bank if they get fresh with your money (including insurance. PayPal is not FDIC insured if you use their "high yield" holding option).

        The problem here is that the transactions involved banks. The fact that PayPal was the conduit is irrelevant in this

        • Re: (Score:3, Insightful)

          by gmack (197796)
          Not a bank but still considered a form of Banking.

          Any messing with systems involving financial transactions can get you bank fraud / wire fraud.
  • Balasts (Score:5, Funny)

    by bsDaemon (87307) on Wednesday May 28, 2008 @11:51AM (#23571499)
    At least his script didn't almost capsize the oil tankers... people would be super pissed off then.
  • by i_want_you_to_throw_ (559379) on Wednesday May 28, 2008 @11:52AM (#23571519) Homepage Journal
    Don't drop the kryptonite in the shower.
  • No flags raised? (Score:3, Insightful)

    by GBC (981160) * on Wednesday May 28, 2008 @11:53AM (#23571533)
    The amounts were being deposited into the same few bank accounts. The thing I can't figure out is, given the sheer number of transactions involved, how was this not spotted sooner?

    If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.
  • by hyperz69 (1226464) on Wednesday May 28, 2008 @11:54AM (#23571549)
    when he started using names like...

    Haywood Jablome
    Connie Lingus
    Dick Trickle
    Seymour Butts
    Hugh Jass
    Ben Dover

    Should have used a better name generator.
  • I'll assume the guy was using the same IP address to create the accounts. I wonder why the hosts don't have some kind of software to look for IP's that open multiple accounts?

    • by jimicus (737525)

      I'll assume the guy was using the same IP address to create the accounts. I wonder why the hosts don't have some kind of software to look for IP's that open multiple accounts?

      Probably wouldn't work very well seeing as most ISPs allocate IP addresses through DHCP - and even if they didn't your idea breaks as soon as someone releases a block of numbers for whatever reason and it gets taken and re-used by someone else.
      • Re: (Score:3, Interesting)

        by gmack (197796)
        You can set a time limit on the threshold. Assume 32 days in a month: $50 000 would be $1562 per day; that's $65 worth of micro payments in an hour. That's a lot of transactions to be spread around not very many providers.

        They could flag anything over a certain amount per hour or per day and catch the worst of the offenders.

        I'm guessing the only reason they haven't done that so far is because it didn't occur to anyone that the system could be gamed that way.

    • Re: (Score:3, Informative)

      This is what Botnets are for.
  • This is like the penny jar, except a whole lot of pennies and nobody gets hurt.
  • oh wait.... (Score:5, Funny)

    by apodyopsis (1048476) on Wednesday May 28, 2008 @11:57AM (#23571611)
    At least he did not create a script that automatically rounded every payment up to the nearest... oh wait...

    Even if he gets a fine, he can always apply to pay off the debt in small payments - say a few cents every time...

    Reminds me of a debt my father picked up from a school my sister attended for less than a week. They charged him for a whole year. Not to be deterred, he promptly paid them half the amount they invoiced him for. Months and six angry letters later he paid them half of the sum they asked for. Months later.. ah well, I am sure you can see the pattern here. Fast forward 14 years and they finally wrote off the rest of his debt (I think 1 GBP) as a goodwill gesture (and I am reliably informed he is a legend in the school's finance department). I have no idea how much the administration cost the school at the end of it, but it all seemed good natured enough.
  • $50,000? (Score:5, Funny)

    by PawNtheSandman (1238854) on Wednesday May 28, 2008 @11:58AM (#23571625)
    You know what I'd do with $50,000? 2 chicks at the same time.
  • if this is worth attempting, especially in the trading industry.

    (IANOC)

    They really don't care if $2 million goes missing on a trade, so who the hell's going to notice that it's a penny short?

    Think about it, millions of trades going through the system each day and you, the IT developer, shave a single penny off each one of them. You could almost retire by the end of the month.

    Now all I have to do is wait for this Credit Crunch to end and apply for a job working in the Front Office.
  • Attacker? (Score:2, Interesting)

    Since when is taking money from chumps called an attack? Google and Paypal set up the system and they paid out carelessly, so why call this ingenious programmer an attacker?
    • by oahazmatt (868057)
      I wouldn't call him "ingenious", due to the fact that he overlooked quite a few details. (Namely, using only a handful of bank accounts, and believing no one would notice the activity on the accounts.)

      He's more in trouble for misrepresenting himself and using assumed identities. It might fall under "uttering a forged instrument", but I'm not sure.
  • I remember the interest rounding hack of the 80s. Bank IT personnel on a few occasions got the smart idea to transfer rounding remainders from interest calculations onto an internal bank account. The extra small micro sums (fractions of currency units) from all interest calculations would quickly add up to many millions, virtually producing money from nothing. A few got caught, but I wonder how many IT guys at banks actually got away with that.

    AFAICT the same thing should still be possible today when intere
  • by gozu (541069) on Wednesday May 28, 2008 @12:08PM (#23571781) Journal
    I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

    Can anyone explain this to me? It makes no sense at all.

    • According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers.

      I think it also implies he created thousands of accounts at paypal/google checkout also and had each of them create new accounts at the broker firms that paid out the pocket change.
    • by saddino (183491) on Wednesday May 28, 2008 @12:33PM (#23572197)
      It makes no sense at all.

      It sounds like it made a lot of cents.
    • by patio11 (857072) on Wednesday May 28, 2008 @12:48PM (#23572437)
      Look at this from Paypal's perspective: you've got millions of people trying to sign up on your system. Statistically speaking, hundreds of thousands of them are not so bright, and will do things like forget they already tried signing up, not see their bank statement and try doing it again, etc. Since the cost of re-authenticating them is less than a buck (mostly for the ACH transfer fees) and the expected lifetime value of the account is still (for Paypal = eBay) anywhere from $10 to several hundred depending on where you got the lead, obviously you want to let them try it again.

      So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.

      So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the banks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.
  • penniesforeveryone
  • I wonder (Score:5, Funny)

    by elrous0 (869638) * on Wednesday May 28, 2008 @12:12PM (#23571849)
    How many hours of community service do you get for 58,000 counts of petty theft?
  • C'mon now (Score:2, Insightful)

    by willyhill (965620)
    You absolutely have to tip your hat at this guy. I'm not sure if I feel bad for the financial institutions "bilked" by him (I'm sure they'll recover the money from insurance) or their CEOs that make millions while the stocks underperform, but I feel bad for him. After all he's just playing the system they set up to begin with.

    It's obvious he knew exactly what he was doing, and he knew it was wrong. But you have to acknowledge the inventiveness and sheer perseverance.

  • by tyrione (134248) on Wednesday May 28, 2008 @12:45PM (#23572387) Homepage
    if I truly wanted to...
  • by 0111 1110 (518466) on Wednesday May 28, 2008 @01:07PM (#23572699)
    Instead of transferring it into your own account transfer it into the account of someone you hate. Getting someone's account number is actually not all that difficult. It's on every check they write for instance. Mmmm. The sweet taste of revenge.
  • by MagicBox (576175) on Wednesday May 28, 2008 @01:12PM (#23572767)
    ...one cent at a time.

    Steal a penny from the Banks - go to jail - Banks steal $10 from you - call it a "service charge".

    We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?
