Stealing From Banks One Cent at a Time

JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."

Comment from said "hacker"

[Digital+Vomit]

When reached for comment, the "hacker" had this to say:

"I don't want to go to jail because there are robbers and rapers and rapers who rape robbers. "

Re:Comment from said "hacker"

[PawNtheSandman]

What makes him a "hacker"?

Re:Comment from said "hacker"

[s.bots]

Looks like someone could be doin' time in a "Federal 'pound-me-in-the-ass' Prison"...

Hey Mike! Watch out for your cornhole buddy!

Re:Comment from said "hacker"

[rugatero]

What makes him a "hacker"?

He used a computer.

Heck he even wrote a script. In the eyes of your average Joe that makes him a diabolical hacking genius.

Re:Comment from said "hacker"

[The+Clockwork+Troll]

This is an interesting legal situation in that, technically, both the crime and its punishment could be called a "salami attack".

Re:Comment from said "hacker"

[0kComputer]

I have a client in there right now. He says the trick is to kick someone's ass the first day, or become someone's bitch.

Re:Comment from said "hacker"

[Ibiwan]

" And I, I walked over to the, to the bench there, and there is, Group W's where they put you if you may not be moral enough to join the army after committing your special crime, and there was all kinds of mean nasty ugly looking people on the bench there. Mother rapers. Father stabbers. Father rapers! Father rapers sitting right there on the bench next to me! And they was mean and nasty and ugly and horrible crime-type guys sitting on the bench next to me. And the meanest, ugliest, nastiest one, the meanest father raper of them all, was coming over to me and he was mean 'n' ugly 'n' nasty 'n' horrible and all kind of things and he sat down next to me and said, "Kid, whad'ya get?" I said, "I didn't get nothing, I had to pay $50 and pick up the garbage." He said, "What were you arrested for, kid?" And I said, "Littering." And they all moved away from me on the bench there, and the hairy eyeball and all kinds of mean nasty things, till I said, "And creating a nuisance." And they all came back, shook my hand, and we had a great time on the bench, talkin about crime, mother stabbing, father raping, all kinds of groovy things that we was talking about on the bench. "

Re:Comment from said "hacker"

[Silver+Sloth]

Nice quote, it must be the thick end of thirty years since I last heard that. Thanks for the lulz

Re:Comment from said "hacker"

When's your next conjugal visit?

Re:Comment from said "hacker"

[StarfishOne]

And I said, "Littering."

Duhh! Every hacker knows that you should always copy the garbage file when hacking the Gibson XDxD

Greetz,

AcidOne ;)

Re:Comment from said "hacker"

[Chapter80]

With every ATM deposit, one can key in a slight over-amount, when specifying the deposit. If you are depositing checks for $123.45, you could key in maybe $123.54 (transposing the last two digits).

Most always, the bank sees the foolishness in sending a letter (costing at least 42 cents) to correct a small error. So they apparently just write off the difference, and leave the ATM deposit as reported.

So I get richer, cents at a time.

Kids, don't try this at home.

This may just be the missing statement, right before "4. Profit"

Re:Comment from said "hacker"

[PitaBred]

I know KBCO here plays "Alice's Restaurant" every year on November 25th... because it's the only Thanksgiving song that really exists to the best of my knowledge ;)

Re:Comment from said "hacker"

[raddan]

When I used to bitch and moan as a child about having to accompany my parents on grocery shopping trips, they would relieve me of my pain by telling me I could go sit on the bench by the front of the store (conveniently next to the toy and candy machines), which they affectionately termed the "Group W bench". It wasn't until I was in high school and they played the record for me (apparently I was old enough to understand the humor in "father rapers") that I finally got the reference ;^)

Re:Comment from said "hacker"

[raddan]

Actually, in your case, the ??? may be "Federal PMITA Prison".

Re:Comment from said "hacker"

[Cramer]

Not any bank I've ever used. They don't send a letter; they correct your mistake and go about their day. If you're lucky, they'll note it in the monthly bank statement.

Re:Comment from said "hacker"

[Theoboley]

Isn't this exactly what they did on Office Space? Stealing from the company a fraction of a cent at a time... Someone call Lumbergh

Re:Comment from said "hacker"

[blair1q]

Contrary to your apocryphal belief, banks have entire departments that spend more than the collection is worth to make you balance your account if it is out of balance. This discourages bigger crimes, which would cost them more just on a statistical basis.

You may get away with the "few pennies" mistake once per institution. Three or four times? They'll freeze your funds and demand you clean up your act.

Because here's a secret you should have known: When you give the bank the money, it's not yours any more. It's theirs. You lent it to them, and they owe it to you, but you can't just take it. You are nothing more than a lender, and they are a borrower. You have all the rights of a creditor. Which, you might guess, means you can spend thousands of dollars on legal hassles trying to free up the $123.45 you deposited to steal that 9 cents.

Re:Comment from said "hacker"

[nametaken]

I have to say, as a bank, I'd be piling up the list of these until it was time to send you a "Ok, we're pulling $400 from your account to reconcile your deposit errors. By the way, you've been warned. Do it again and we'll make a case out of it."

Re:Comment from said "hacker"

[WK2]

No offense intended, but that kind of sound like something you made up. Or maybe you have an unusual local bank. Banks are very anal for accuracy. They have no problem sending a 42 cent (plus time, envelope, and paper) letter to correct a 1 cent mistake. Nor do they have a problem sending an account balance to an account which continually has $0.00 in it. They have regulations dictating what they do, even when it wouldn't seem to be financially the best decision. They don't "write off" incorrect deposits.

Re:Comment from said "hacker"

best Alice's restaurant placement evar

PC load letter?!

[jchillerup]

What the fuck does that mean?!

Re:PC load letter?!

[El_Muerte_TDS]

It means that you have to fill the paper cassette of the printer with paper of the "letter" size.

Re:PC load letter?!

I don't know but this guy is bound for a "federal pound me in the ass" prison for sure.

Re:PC load letter?!

[jchillerup]

Whew. Sounds like someone has a case of the Mondays.

Re:PC load letter?!

[palegray.net]

I think the subject of this article would be better served with "legal size" paper.

Re:PC load letter?!

[Facegarden]

It means that you have to fill the paper cassette of the printer with paper of the "letter" size. Haha, well played my friend, well played, i love the kind of humor that involves pretending like you think people are serious when they themselves are joking... No one EVER gets it but i think its hilarious... :) -Taylor

Re:PC load letter?!

[mrbluze]

Don't feel bad about being 'redundant'. In most cases there is a handsome payout as part of the package. Sometimes there's even some salami.

Re:PC load letter?!

[howlingfrog]

I'm jealous, your printer must actually work. My experience has been that this is more typical behavior:
If nothing is wrong at all, display "PAPER JAM" on the LCD and cancel all print jobs.
If the letter tray is empty, fail silently, releasing molten toner particles into the delicate inner workings of the printer.
If there is any other problem, including an empty legal tray, display "PC LOAD LETTR" on the LCD (because the LCD is one character shorter than its most common message) and vibrate hard enough to misalign the toner cartridge.

Superman 3?

[jandrese]

How is this like Superman 3? I thought the point in that movie was to shave off the remainders in interest calculations. This is just a simple case of seeing someone transfer a few cents to your account when you open it and trying to abuse the system. The problem of course is that it's extremely obvious and you'll get caught, just like this guy did.

Re:Superman 3?

[geoffrobinson]

No one has seen Superman 3 for years because it is such a bad movie. So it is kind of like the telephone game.

Frankly, the only good thing to come out of the movie was the concept of stealing fractions of pennies so no one notices.

Re:Superman 3?

[qoncept]

Are you serious? Do you think it would be dumb to compare a Dell laptop to an IBM because IBM uses Hitachi drives and a 32x CDROM instead of Seagate and 36x?

Since you can't figure it out, let me explain what aspects are similar. He was stealing next to nothing lots of times. Like the guy in Superman.

Re:Superman 3?

[Chysn]

> How is this like Superman 3?

Yeah, I probably would have gone with Office Space. At least that shaky comparison has a bit of pull with geeks.

Re:Superman 3?

[lesinator]

This kind of attack hardly an invention of the movies. The salami attack has been around for a long time.

Re:Superman 3?

[Otter]

I believe that the reference to Superman 3 is actually a meta-reference to Office Space. (Or maybe the reference being referenced is the meta-reference -- I'm not a philosopher.) As Office Space itself noted, the method long precedes either movie.

Re:Superman 3?

[fishbowl]

This geek didn't miss the fact that the reference to Superman 3 *was* a reference to Office Space.
The indirect reference shows a bit of finesse, and understanding that the geek will get it.

Re:Superman 3?

[Blakey+Rat]

The point isn't that Superman 3 invented it, the point is that most people first heard of it from watching Superman 3 and so when you're trying to explain to people what you're doing, you can say "you know, like Superman 3" and they know what you mean. Thus the joke in Office Space:

A:
B: "Huh?"
A: "You know, like in Superman 3."
B: "Oooh, now I get it."

It's funny, damnit. Made funnier than Superman 3 is actually a pretty awful movie. (But it's an awful movie that most everybody's seen.)

Re:Superman 3?

[owlnation]

Yes, but I'm sure someone can still claim PRYOR art.

Re:Superman 3?

[Dachannien]

It's been happening in meatspace for thousands of years (though not so much anymore). People would shave bits off of coins made of precious metals and then smelt and sell the shavings to wind up with more money than they started with. Wikipedia notes that some British silver coins would routinely be milled down to half their original weight as nearly everyone took a little bit off the edge.

Eventually, coins could be made with milled edges, which largely curbed the practice, and today, of course, most coins are made from metals that are worth very little compared to the value of the coin itself.

Re:Superman 3?

[Sneftel]

But IBM doesn't use 32x drives. And therefore I am utterly baffled by the meaning of your comment.

Re:Superman 3?

[barzok]

today, of course, most coins are made from metals that are worth very little compared to the value of the coin itself

Except for the US penny, of course.

Re:Superman 3?

[compro01]

Actually, IIRC, pennies and nickels are currently worth more as metal than as coins. A penny is something like 1.2 cents and a nickel is about 6 cents, at least that was the case in Sept. 2006, which is the most recent mint report I can get at the us mint site.

Re:Superman 3?

[Gothmolly]

Except for US pennies and nickels, which are worth in metal MORE than the face value of the coin. US Congress JUST passed a law outlawing melting down pennies for the money.

Re:Superman 3?

[g0bshiTe]

My question is the fact that it looks like he was turned in by his bank.
With current terrorist financial alerts that are present, IE moving $10,000 or more at a time, this is what flagged him. Had he done this pre 9/11, I'd wager he would have gotten away with it.

Re:Superman 3?

[bennomatic]

Best. Joke. Of. Thread.

Re:Superman 3?

[Lord+Byron+II]

I saw an article just last week on this and it now costs a lot more than 1.2 cents to make a penny.. its closing in on a nickel. I thought it was on msnbc.com, but I can't find it now.

Re:Superman 3?

[d_54321]

The problem of course is that it's extremely obvious and you'll get caught, just like this guy did. Just like in Superman 3.

Re:Superman 3?

[MostAwesomeDude]

The zinc required to make a penny costs about 2~3 cents by itself.

Re:Superman 3?

Which is why it's illegal to melt down pennies and nickels now. At least for the purpose of profit making.

Re:Superman 3?

[againjj]

That is why they switched away from pure copper pennies in 1982. It was just getting too expensive to make them.

Re:Superman 3?

[oodaloop]

Underrated movie, actually.

Re:Superman 3?

[blackfrancis75]

of course, we have no metrics on how many times it HAS worked because those people are't in the news, they're in the Bahamas.

Re:Superman 3?

[haystor]

that, or the sheer number of transactions was somehow costing his bank money. That would put a real quick stop to it.

Re:Superman 3?

[pizzach]

The parent post is right. What this guy did was extremely extremely stupid. The chances that paypal was not checking for this type of scheme longterm asymptotically approaches zero.

The dead flag for this kind of fraud is when you reach the end of the month and you notice a strange increase in accounts that bought absolutely nothing. Think about it, the number of accounts needed to be created to earn about $50,000 is ridiculous. ($50,000) * (100 cents) / (2 to 3 cents) = 1666667.

Re:Superman 3?

[A55MONKEYJUNKY]

I don't see where in the linked reference that an electronic salami attack pre-dates the 1983 release of Superman 3. Certainly, it does, especially as a concept. As mentioned down the thread, people used to shave coins. But if you are going to cite something as proof, it probably should prove your point.

Re:Superman 3?

[Intron]

That explains why I've been losing money counterfeiting pennies!

Re:Superman 3?

[jafiwam]

Banks have been voluntarily flagging for a lot less than 10k for many years, and many years BEFORE '01.

Re:Superman 3?

[rrkap]

Actually, it's not just the penny anymore due to high commodities prices.

Coin                Melt Value
Penny (current)     $0.005
Penny (pre 1982)    $0.024
Nickel (current)    $0.059
Dime                $0.021
Quarter             $0.053
Golden dollar coin  $0.065

So, the mint is only loosing money on nickels right now, and the pre-1982 pennies are worth melting down.

Re:Superman 3?

[OrangeTide]

There is a difference between how much it costs something to manufacture and how much its metals are worth. Right now the metal value of lincoln cents is around .561 cents. less than the value of a penny. You can use base metal coin calculator which tends to have current prices.

Re:Superman 3?

[Hoi+Polloi]

I guess that is why they passed this law.

Re:Superman 3?

What if I want to give it to poor children? You know, as a NPO.

Re:Superman 3?

[raddan]

The funny thing is that if he hadn't used fake names, would this still have been illegal? Considering the shit that big corporations pull with hidden fees and questionable tax practices on a regular basis, I feel like this hack is funny and clever, and somewhat warranted. Why is the little guy's clever use of loopholes "illegal" when a big corporation's is "in the interest of the shareholder"?

In case you're wondering, I did have a conversation with Sprint yesterday.

Re:Superman 3?

[maglor_83]

I haven't seen Superman 3, so could someone explain why someone with superpowers is needed to sort out a crime like this?

Re:Superman 3?

[thomasw_lrd]

I thought it has always been illegal to deface American Money. "Whoever fraudulently alters, defaces, mutilates, impairs, diminishes, falsifies, scales, or lightens any of the coins coined at the mints of the United States, or any foreign coins which are by law made current or are in actual use or circulation as money within the United States; or 4 "Whoever fraudulently possesses, passes, utters, publishes, or attempts to pass, utter, publish, or sell, or brings into the United States, any such coin, knowing the same to be altered, defaced, mutilated, impaired, diminished, falsified, scaled, or lightened http://bulk.resource.org/courts.gov/c/F2/285/285.F2d.19.6406_1.html

Re:Superman 3?

[Gothmolly]

http://abcnews.go.com/Business/story?id=2725597

Re:Superman 3?

[statemachine]

Those are the "Melt Values" not the cost of manufacturing.

Today, a penny costs $0.026, and a nickel costs $0.077 to make.

Re:Superman 3?

[WK2]

Pre-1982 pennies probably aren't really worth melting. Maybe you would get 2.4 cents if scaled, but the typical person only has a few of these, and the time it takes to sort them, and take them to wherever you would get them melted, wouldn't be worth it. Even if you have several thousand in jars, you still wouldn't get more than $100.

Nickels, however, might be worth it. You can get a roll of nickels at a bank for $2. According to your numbers, you can melt it down for $2.36. You might be able to get them in mass, somehow. You'd still have to factor in shipping, etc. Buying and then melting 10,000 rolls of nickels would net you $3600, after other fees.

However, both of these plans might end up being like returning aluminum cans in Michigan. I don't know. I'm not a financial expert. I can't even afford to stay at a Holiday Inn Express.

Re:Superman 3?

[mgblst]

Easy then, just count the number of people in the Bahamas.

Re:Superman 3?

[ejecta]

Australia's 5 cent coin actually costs us 6 cents to make now, so every single coin minted is a net loss.

Re:Superman 3?

I'm now going to the bank to buy 10,000 rolls of nickels! I'm going to melt them down and sell them back to the mint as raw metal for a $0.009 profit each... 10,000 rolls x 40 nickels in a roll x $0.009 profit each = Profit: $3600

do it once a week: $3600 profit * 52 weeks in a year = $187,200!

And all you're doing is _literally_ moving money around.

How did he do it?

[Thelasko]

I have used similar services in the past. They always remove the money after the transaction. How did this guy prevent that from happening?

Re:How did he do it?

[jandrese]

I know Paypal lets you keep the money, I'm guessing the guy chose it and similar services.

Re:How did he do it?

[joecasanova]

Perhaps he transferred the money to another account before the institutions could withdraw it?

Re:How did he do it?

[Mark+J+Tilford]

By closing the accounts before Paypal / Google Checkout could remove the money.

Re:How did he do it?

[Kamineko]

Paypal don't. You keep the tiny bit of money they give you.

Re:How did he do it?

[Sturdy]

PayPal and E*trade both leave the money.

I seem to remember others...oh wait, those were authorization charges! ("Don't worry, we'll put it back eventually.") Those appear to be the smarter companies in the bunch.

Re:How did he do it?

[OS24Ever]

PayPal and Sharebuilder don't remove the money, I've used both of those.

I always hook up my three accounts I have, sure, I get less than $1.00 each time but feels like I'm fighting the man somehow.

Re:How did he do it?

I don't how is the bank system in your country, but in the US, NOBODY cant take the money out of your bank account without your authorization.
So, I ask: how those services took the money out of your account?
I have plenty of spare cents on my bank accounts for all the Paypal verifications and such. They never took them back.

Re:How did he do it?

[somersault]

Yep, if paypal can't get the exact 2 pennies that it put into your account, they won't be taking any pennies! They probably write on them with a marker pen first before taking them along to the bank.

Re:How did he do it?

[CheeseTroll]

in the US, NOBODY cant take the money out of your bank account without your authorization

(Assuming you aren't being sly with the double-negative...)

Then you have some learnin' to do about how ACH transactions work. Authorization for withdrawals is required, but it is certainly not passed along with the transaction itself. The system relies heavily on trust. If someone challenges a transaction, and their bank demands proof of authorization, then yes, you'd better have it. But if the transaction is not challenged or rejected, then it stands.

Re:How did he do it?

[Sturdy]

I have a feeling that opening and closing bank accounts would have attracted attention long before the thousands that are mentioned.

Re:How did he do it?

[Firehed]

Indeed. Now just do it 100,000 more times and you'll be fighting the man with the soap.

You know...

[scubamage]

I had this very idea a few days ago when paypal put two 40 cent payments in my checking account. Thank god I didn't go with it, eh?

Re:You know...

[Chapter80]

Were they both 40 cents? What were the exact amounts?

And did you use the same "scubamage" login name?

They pay me?

[MaXMC]

No.. when I change my credit card information on PayPal they deduct 15SEK that and then I get them back on my PayPal account (from which they take a percentage?) So it's realy PayPal that steals?

Re:They pay me?

[dintech]

It's not stealing if you agree to if first. It's just being a bastard. Also this not similar to mugging before you suggest that. :P

Re:They pay me?

[MaXMC]

Well, the first time I did it, I did indeed agree to it. But the next time I just changed my VISA number and a few days later they had withdrawn 15 SEK.

Re:They pay me?

[bluefoxlucid]

I want SEKs, where do you live?

Re:They pay me?

[MaXMC]

Sweden... Use google much?
http://www.google.com/search?q=SEK&ie=utf-8&oe=utf-8&aq=t&client=firefox-a

Re:They pay me?

I think he wants you to be a little more specific with your address details...

Submitter gets it wrong

[nurightshu]

As far as I can tell, the article doesn't actually mention that Largent managed to rip off PayPal, only that PayPal, Google Checkout, et al. use the small deposit method for verification. Seriously, reading for comprehension isn't hard, people. Hell, it even mentions the scope right in the lede.

Re:Submitter gets it wrong

[Wister285]

The third and fourth paragraphs read:

"According to court documents, Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts.

Largent also performed the same trick with Google's Checkout service, cashing more than $8,000 alone from the service. " [emphasis added]

Am I (and the submitter) missing something?

Re:Submitter gets it wrong

[corerunner]

They probably give you $5 to signup or something.

Re:Submitter gets it wrong

[MaXMC]

You read the article? WTF?

Re:Submitter gets it wrong

[torgis]

Seriously, reading for comprehension isn't hard, people.

Re:Submitter gets it wrong

[nurightshu]

And did I say anything about the article not saying that Largent managed to rip off Google Checkout? No. I said, "the article doesn't actually mention that Largent managed to rip off PayPal". Again, I feel it important to stress that reading for comprehension is important. So yes, you and the submitter are missing something.

He stole my idea!

[joecasanova]

Totally stole my idea. That jerk!

Re:He stole my idea!

[norminator]

But he only stole it a little bit, a whole bunch of times...

Re:He stole my idea!

[sootman]

Favorite line from Night Court:
Defense attorney: "You had a gun?"
Crook: (sheepishly) "Just a little one."
District attorney: "The term is sawed-off."

Re:He stole my idea!

Small crime = small punishment. He has to perform 58,000 seconds of service.

Well, yeah...

[Oxy+the+moron]

He was arrested not for taking the money, but for using false names in order to get it.

Of course he wasn't arrested for taking the money. Said institutions willingly deposited that money into his account(s), yes? And these institutions did so under the pretense that this was to identify the customer? So the charge makes sense. The guy didn't steal money, it was given to him... a "him" with a fake identity.

Re:Well, yeah...

So, how many of you are now doing this with a real identity? This should be a poll question.

Re:Well, yeah...

[Provocateur]

Real identity? That leaves out "Cowboy Neal", then...what fun is that?

Re:Well, yeah...

[kellyb9]

That's interesting... so if he had been upfront and not committed fraud... he would've been able to walk with the money.

Re:Well, yeah...

Lying to someone to get their money is the definition of fraud...

Re:Well, yeah...

[howlingfrog]

No, if he had been upfront and not committed fraud, they would have noticed and not given him the money in the first place.

First clue

[tsstahl]

If you have to make up a name or SSN to open the account, then in fact, you are doing something wrong. Color me simple, but that's the way I see it. :\ This is clearly a case where a novel approach to crime is still, well, criminal.

Re:First clue

So had he used his real name and SSN then it should all have been legal and there would have been no crime committed? Just an abuse of a system.

Interesting...

Re:First clue

[RpiMatty]

What if you just came up with variations on your real name...
For example you are John Doe Smith.
You could sign up with the following names.
J. Smith.
J. D. Smith.
J. Doe Smith.
Jon Smith.
Jon D. Smith.
Jon Doe Smith.
John Smith.
John D. Smith.
John Doe Smith.

Then move on to Johnny, and perhaps Johnathan.

Then you also make slight changes to your address, say you live downstairs (of a 2 family house, or yo mamma's basement)
You could live in:
Apt. 1
Appt. 1
Apartment 1
Lower
LR
Low
L
Downstairs
DN
Fl 1
Floor 1
1st Floor
1st F

Wonder how many "valid" name and address combinations one could make.

Re:First clue

Right, you've never signed up for something online with a fake name, phone number, address, or email address. Sure.

And my Kroger card isn't issued to Moe Delaun.

Re:First clue

[tsstahl]

So for about 1000 combinations you come up with the grand total of around 30 bux. I think you are better off not shaving for a day and shaking a cup of change outside the train station. If you have that kind of time on your hands, [insert altruistic cause here] :)

Re:First clue

[RMingin]

While it's not a very practical method, I suggested to my wife years ago that I should just trigger Paypal's 'verify' test as often as possible while never completing it. They would transfer an average of 50 cents each time, and they did not take it back if you never got around to finishing the verify. 50 cents every 2 weeks doesn't sound like much, but if you have 3 or 4 legit bank accounts doing it, and you can get a few hundred stupid online merchants to participate, it could add up to a free dinner out every now and then. Nothing illegal if you do it right, it's free money.

Well Duh

[oahazmatt]

Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts. As much as the bank looks oddly at a sudden amount of large withdrawls, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account. How did he figure he would not get caught?

When his bank contacted him about the thousands of small payments, Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts. Oh, well that's okay, then.

Man, they'll throw the "Hacker" label on anyone these days, won't they?

Re:Well Duh

[mollymoo]

As much as the bank looks oddly at a sudden amount of large withdrawls, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account.

It doesn't strike me as at all inevitable that his bank would notice. Alarms on the automated systems which trigger human intervention would I expect be primarily based on large transactions, not small ones. I suppose there must be a specific trigger for an unusually large number of transactions, or a trigger for a review for accounts operating on the edge of the distribution curve for a variety of parameters. With no trigger no human ever looks - it's all automated. I doubt any human other than me has looked at my bank account in years.

Re:Well Duh

[HikingStick]

He could have at least come up with a plausible cover story--something about selling his own music online and letting people send him what they thought it was worth.

Re:Well Duh

[Lobster+Quadrille]

Man, they'll throw the "Hacker" label on anyone these days, won't they? Why not? He wrote a script to automate the slow task of setting up accounts, in a creative abuse of the system. That's pretty much the definition of a hacker.

I certainly wouldn't consider him much of a cracker though...

Well it is true....

[cortesoft]

Damn it feels good to be a gangsta.

Re:Well it is true....

Ohh, yeah. Office Space, first thing that I thought about... :-)

Relax

[boristdog]

The most you'll do is a few years in one of those "country club" prisons, right?

Re:Relax

[xgr3gx]

No - he'll be sentenced to a Federal "pound me in the ass" prison

What were the crimes again?

[Guppy06]

Wire fraud? Bank fraud? Don't you need to have done these actions against actual banks for these kinds of charges to get levied?

Re:What were the crimes again?

[plague3106]

Well, there's always plain old fraud.

Re:What were the crimes again?

[gmack]

Payment systems are considered a form of banking.

Re:What were the crimes again?

[willyhill]

No, they're not. That's why PayPal can get away with the shit they do. It's a common misconception that most people fall into, that because PayPal handles money, they must be a bank and subject to the same set of regulations you trust to put the stops on your bank if they get fresh with your money (including insurance. PayPal is not FDIC insured if you use their "high yield" holding option).

The problem here is that the transactions involved banks. The fact that PayPal was the conduit is irrelevant in this case, I think.

Re:What were the crimes again?

[gmack]

Not a bank but still considered a form of Banking.

Any messing with systems involving financial transactions can get you bank fraud / wire fraud.

Re:What were the crimes again?

[GigG]

The ACH system is run by the Federal Reserve. Not that it matters If I call you are in one state and I'm in another and call you on the phone and con you into sending me money it is a violation of federal wire fraud laws.

The wire fraud laws were written to update the postal fraud laws.

Re:What were the crimes again?

FWIW, Paypal is a bank in Europe. Reference.

Re:What were the crimes again?

[willyhill]

That's interesting, I didn't know that. The EU probably would have nothing of PayPal's crap so they must have been forced to do that to operate there.

Apparently though they get away with anything they want here in the US.

Thanks for the link.

Balasts

[bsDaemon]

At least his script didn't almost capsize the oil tankers... people would be super pissed off then.

Re:Balasts

[elrous0]

I hear the son of a bitch used the money to buy a Ferrari.

Re:Balasts

[doublee3]

Is this the unnamed account in the Bahamas where the money was to be stashed? 03087-08351-27H I think so :)

Re:Balasts

[MaXMC]

I really hope he didn't call himself Crash Override...

Whatever you do....

[i_want_you_to_throw_]

Don't drop the kryptonite in the shower.

No flags raised?

[GBC]

The amounts were being deposited into the same few bank accounts. The thing I can't figure out is, given the sheer number of transactions involved, how was this not spotted sooner?

If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.

Re:No flags raised?

[seh4]

... how was this not spotted sooner? Because the institutions were complicit. Why do you think the E-Trade Baby touts "1000 New Accounts Every Day!"

E-trade doesn't care if 900 of those accounts are for Hank Hill & friends.

It was over...

[hyperz69]

when he started using names like...

Haywood Jablome
Connie Lingus
Dick Trickle
Seymour Butts
Hugh Jass
Ben Dover

Should of used a better name generator.

Re:It was over...

[PawNtheSandman]

Isn't Dick Trickle a NECKCAR driver?

Re:It was over...

[maxume]

http://www.google.com/search?q=Dick+Trickle

Real guy.

Re:It was over...

[ramon_omar]

I don't know, I thought that Holden and Pat McGroyne were pretty effing brilliant. So was Howie Feltersnatcz.

Re:It was over...

[mgblst]

Peter File
Mike Hunt
Al Kay Edo

how did it get that far?

[planckscale]

I'll assume the guy was using the same IP address to create the accounts. I wonder why the hosts don't have some kind of software to look for IP's that open multiple accounts?

Re:how did it get that far?

[jimicus]

I'll assume the guy was using the same IP address to create the accounts. I wonder why the hosts don't have some kind of software to look for IP's that open multiple accounts?

Probably wouldn't work very well seeing as most ISPs allocate IP addresses through DHCP - and even if they didn't your idea breaks as soon as someone releases a block of numbers for whatever reason and it gets taken and re-used by someone else.

Re:how did it get that far?

[LnxRocks]

Not to mention that sometimes two people can share an IP address. Two college roommates can't have individual Paypal accounts?

Re:how did it get that far?

[gmack]

You can set a time limit on the threshold. Assume 32 days in a month $50 000 would be $1562 per day that's $65 worth of micro payments in an hour. That's a lot of transactions to be spread around not very many providers.

They could flag anything over a certain amount per hour or per day and catch the worst of the offenders.

I'm guessing the only reason they haven't done that so far is because it didn't occur to anyone that the system could be gamed that way.

Re:how did it get that far?

[0100010001010011]

This is what Botnets are for.

Re:how did it get that far?

[DarkOx]

That and NAT, lots of campus networks at schools and corporations use a Nat pool. You would expect to see multiple accounts operating from some IPs as normal. Now one thing you could watch for is more then say 3 or 4 accounts being opened in a small span of time from one IP. Even if the ISP is using DHCP its going to slow down an attackers script allot if he has drop his network and request a new address ever few loops.

Pound you in the ass prison...

[barfy]

This is like the penny jar, except a whole lot of pennies and nobody gets hurt.

Re:Pound you in the ass prison...

[xpuppykickerx]

How dare you judge me? I mean what are you? You think you're some kind of, like, angel here? No, you're just this penny-stealing... wanna-be criminal... man.

Re:Pound you in the ass prison...

[trrwilson]

No, that's the jar. I'm talking about the tray, the pennies for everybody.

Re:Pound you in the ass prison...

So? You banged Lundbergh!

Re:Pound you in the ass prison...

[smaerd]

Yeah, well... at least I didn't fuck Lumberg.

oh wait....

[apodyopsis]

At least he did not create a script that automatically rounded every payment up to the nearest... oh wait...

Even if he gets a fine, he can always apply to pay off the debt in small payments - say a few cents every time...

Reminds me of a debt my father picked up from a school my sister attended for less then a week. They charged him for a whole year. Not to be deterred he promptly paid them half the amount they invoiced him for. Months later and six angry letters later he paid them half of the sum they asked for. Months later.. ah well, I am sure you can see the pattern here. Fast forward 14 years and they finally wrote of the rest of his debt (I think 1GPB) as a good will gesture (and I am reliably informed he is legend in the schools finance department). I have no idea how much the administration cost to school at the end of it, but it all seemed good natured enough.

Re:oh wait....

I did this with my landlord, I overpaid 1 penny then underpaid the next month and so on.

It drives their accounting nuts as they have to track that extra and YOU ARE DOING NOTHING WRONG :)

You paid, the administrative work is on their side :)

Seriously never piss me off I have many ways of getting away with so many annoying things.

Re:oh wait....

[tha_mink]

Reminds me of a debt my father picked up from a school my sister attended for less then a week. Someone my wife knows paid $289,000 in back property taxes (that he claimed he didn't owe) in unrolled pennies. Think: dump truck. Think: 3 loads.

Re:oh wait....

[zippthorne]

Pennies are only legal tender to satisfy debts not to exceed 25 cents. Beyond that, the recipient has the option to refuse.

So, whomever he brought those pennies to must've had a giant sense of humor to accept 'em.

Re:oh wait....

There was a case a couple years back here in Canada where a guy was having a disagreement with his bank about a credit card charge. Ultimately the bank was right (under the contract terms) and the guy had to pay.

In protest, he paid his $500 credit card bill in 50,000 electronic payments of one penny. His next monthly statement is over an inch thick and the bank is very unhappy with the printing & mailing costs ...

Re:oh wait....

[YttriumOxide]

One "share house" I lived in in my late teenage years, they managed "who has paid" by the extra cents. So, housemate #1 pays $60.01, housemate #2 pays $60.02, housemate #3 pays $60.03 etc.

Because the rental agreement said we all pay $60, when I moved out, they sent me cheque for the "cents" that had added up. Somehow though, they'd made a mistake, assumed I was another guy with a different "cent" amount and then two weeks later tried to kick the OTHER guy out for not paying rent anymore.

Horrible situation (for the other guy, didn't really affect me), but it would've got even more screwed up had any of us tried your plan!

Re:oh wait....

[paintswithcolour]

Over here in the UK I'm pretty sure they passed laws to stop people from doing this kind of thing. I think anything over about 20p in low denominations isn't considered legal tender.

People used to get wheelbarrows of the things to pay council tax, only to be told it wasn't going to be taken, and they were stuck with the coins.

Re:oh wait....

[The-Ixian]

http://www.snopes.com/business/money/pennies.asp

Re:oh wait....

I did this with my landlord, I overpaid 1 penny then underpaid the next month and so on. It drives their accounting nuts as they have to track that extra and YOU ARE DOING NOTHING WRONG :)

Congratulations, you caused a fleeting and trivial inconvenience to someone who happens to work for your landlord. That really makes up for your failure in your childish quest to affect the landlord himself in any meaningful way.

Seriously never piss me off I have many ways of getting away with so many annoying things.

No you don't, you ineffectual little cretin. Your passive-aggressive bullshit does not make you the Force To Be Reckoned With that you think it does.

Re:oh wait....

[Thelasko]

Now I have to start a convenience store that only accepts Euros for payment. Unless of course, you eat the candy bar before you try to buy it, in which case I would have to accept dollars since its a debt.

Re:oh wait....

[ZERO1ZERO]

I don't get this? How does that enable you to tell who has paid?

Unless each person pays $60.00, $60.01, $60.02, $60.04, $60.08 and so on, like a kind of bitmask?

Re:oh wait....

[YttriumOxide]

We all paid individually, not collectively. So, the landlord would get a deposit in their bank for $60.03 and be able to say "Okay, YttriumOxide has paid now", and get one for $60.04 and say "Okay, Joe Bloggs has paid now", etc.

Re:oh wait....

[ZERO1ZERO]

Actually, i'm an idiot.

Re:oh wait....

So it took 14 years for the school to realize that a geometric series with a = 0.5 will equal the entire debt only after an infinite number of payments?

Prolly better your sister didn't attend for longer than a week.

Re:oh wait....

[Vegeta99]

So THATS the jerkoff who got all my utility companies started on charging a fee for credit card/bank ACH payments!

Yes, you heard write: Mailing a check that requires a person or other complicated ornery machinery to deal with: Free. VISA/MC/Discover/AMEX? $7.00, please.

So, I mail in a check with the account number on it and nothing else, just to screw em out of the extra time. Same with AT&T - they tell me I can "save money" by not getting a paper bill. They don't actually LET you save any money, so I make them send me the paper bill and then pay online (because it's still free as far as I can tell).

Re:oh wait....

[Cedric+Tsui]

Wow. That's a whole new meaning to spite.

Did he round up or down? Or did he write cheques for fractions of cents?

I really need to do this sometime.

Re:oh wait....

No you don't, you ineffectual little cretin. Your passive-aggressive bullshit does not make you the Force To Be Reckoned With that you think it does. Luckily, your Anonymous Coward-Fu lends your argument great weight, and makes you credible.

Oh, wait...

Re:oh wait....

[tha_mink]

Pennies are only legal tender to satisfy debts not to exceed 25 cents. Beyond that, the recipient has the option to refuse. That's the stupidest thing I've heard today. Where do you get your information?

"United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues. Foreign gold or silver coins are not legal tender for debts. "

$50,000?

[PawNtheSandman]

You know what I'd do with $50,000? 2 chicks at the same time.

Re:$50,000?

[catdevnull]

Man, I wish I had mod points today. That's +5 Funny right there, dadgummit!

Re:$50,000?

[xpuppykickerx]

I would do absolutely nothing.

Re:$50,000?

[gmuslera]

In a few months, filling the gas tank would be another use for that amount of money. Is good that so many online services are willing to cooperate in that hard task.

Re:$50,000?

[Andreaskem]

Why blow that much money on 2 minutes of entertainment?

Re:$50,000?

Fuckin' A.

Re:$50,000?

[blindd0t]

This is Slashdot... Two minutes is a very generous compliment. ^_^

Re:$50,000?

You know what I'd do with $50,000? 2 chicks at the same time.

Client #9? Is that you?

Re:$50,000?

[CCFreak2K]

Damn. That hundred dollars could have got me one gallon of gas.

Re:$50,000?

Two minutes in heaven is better than one minute in heaven

Re:$50,000?

You know what I'd do with $50,000? 2 chicks at the same time. You vastly over-estimate the price of pussy.
You should be able to get two decent-quality chicks at the same time for under $500 in most cities in the USA.

Unless you literally meant 2 at the same time, in which case you would probably have to pay the remaining $49,500 for the plastic surgery required to give you a second dick.

Re:$50,000?

[MarkGriz]

You know what I'd do with $50,000?

2 chicks at the same time. ... and sisters, no less

"I wish I could tell you that Andy fought the good fight, and the Sisters let him be. I wish I could tell you that, but prison is no fairy-tale world"

Re:$50,000?

[xtracto]

OMG Michael Largent is my hero!

Now, that would be worth the PMITA prison hehe...

Re:$50,000?

[zanaxagoras]

Why blow that much money on 2 minutes of entertainment? To live in this world harmonously, remember: your own experience does not necessarily apply to everyone else's experience.

Re:$50,000?

[mgblst]

If I have $50,000 I would spend most of it on Drugs, Liquor and Hookers, and probably waste the rest.

I've always wondered

[Rik+Sweeney]

if this is worth attempting, especially in the trading industry.

(IANOC)

They really don't care if $2 million goes missing on a trade, so who the hell's going notice that it's a penny short?

Think about it, millions of trades going through the system each day and you, the IT developer, shave a single penny off each one of them. You could almost retire by the end of the month.

Now all I have to do is wait for this Credit Crunch to end and apply for a job working in the Front Office.

Re:I've always wondered

[somersault]

IANOC I am not on crack?

Attacker?

[140Mandak262Jamuna]

Since when taking money from chumps is called an attack? Google and Paypal set up the system and they paid out carelessly, why call this ingenious programmer an attacker?

Re:Attacker?

[oahazmatt]

I wouldn't call him "ingenious", due to the fact that he overlooked quite a few details. (Namely, using only a handful of bank accounts, and believing no one would notice the activity on the accounts.)

He's more in trouble for misrepresenting himself and using assumed identities. It might fall under "uttering a forged instrument", but I'm not sure.

Re:Attacker?

[Bloodoflethe]

Since he defrauded the companies using false identities to do it.

Re:Attacker?

Since when taking money from chumps is called an attack?

Since forever, you fucking idiot. It's called fraud. And no, the fact the word being used in the summary is "attack" doesn't change anything. Goddamn, you're a moron.

Re:Attacker?

[Vegeta99]

Why can't I tell some random company a random name? They made up THEIR name, if I decide I want to be Joe Pennystealer and Iwantur Asspennies the next day, wtf is the problem? I'm not talking under oath...

I remember the interest rounding hacks of the 80s

[Qbertino]

I remember the interest rounding hack of the 80s. Bank IT personell at a few occasions got the smart idea to transfer rounding remainders from interest calculations onto an internal bank account. The extra small micro sums (fractions of currency units) from all interest calculations would quickly add up to many millions, virtually producing money from nothing. A few got caught, but I wonder how many IT guys at banks actually got away with that.

AFAICT the same thing should still be possible today when interests are calculated. Probably such tapering is prevented by tighter controll of IT personell and independant reviewing.

However I think it's still the most elegant form of bank-'robbery'. Has anyone heard of simular more recent incidents of this sort of thing?

In other news....

[kungfoolery]

Banks:

Stealing from customers one cent at a time.

Re:In other news....

[mikael]

Daylight robbery with a smile :)

How many bank accounts did he have?

[__aailob1448]

I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

Can anyone explain this to me? It makes no sense at all.

Re:How many bank accounts did he have?

[PrescriptionWarning]

According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers.

i think it also implies he created thousands of accounts at paypal/google checkout also and had each of them create new accounts at the broker firms that paid out the pocket change.

Re:How many bank accounts did he have?

[saddino]

It makes no sense at all.

It sounds like it made a lot of cents.

Re:How many bank accounts did he have?

I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

Can anyone explain this to me? It makes no sense at all. I realize slashdotters cannot ever RTFA but at least RTFS "the attacker wrote a script that opened thousands of accounts"

Did you just read the first sentence of the summary and then make up the rest?

Re:How many bank accounts did he have?

clearly nobody in these institutions thought it would be a problem, otherwise they would've coded for it.

Considering I once thought of doing such a thing (but not having the programming skillz to do it), they really should have thought of it, or at least coded for it, even if it wasnt 'high risk'. Thats just the problem with companies. Risk/pay off/cost assessment by bean counters is usually moronic.

I could tell you about the time I worked for a software company and someone found a show stopper bug they let through because they didnt feel it was important enough and how it bit the company in the ass, but there are plenty of those examples out there...

Re:How many bank accounts did he have?

[hawk]

I have a BofA account, created online, solely to cash checks from a client. By the time I was done arguing with their webpage, it had created not a single checking account, but a checking account *and* a checking/saving pair . . . It also failed to access the account I told it to fund these with.

As this happened over a few minutes, I doubt that creating at least several dozen accounts spread across several institutions would be a problem.

Re:How many bank accounts did he have?

Single use debit card/bank account numbers perhaps?

Does this mean we could be arrested for giving false names etc on courtesy cards, silly forms where stores require names and addresses for non-restricted purchases, etc when we are doing simple cash and carry? My name at Fry's as well as many other places is Nunya Biznest, even registered Windows under that name. These companies should be pressuring those services to set up a non-monetary confirmation system that should already exist.

This is really no different then showing up at a promotion, taking the free hot dogs or whatever and not buying anything. Many casinos will give you chips just for showing up. If giving a false name over the internet is illegal then almost everyone posting here is breaking the law. This is like a store handing you a dollar to see if you really have a pocket to put it in. They going to reach in your pocket to get it back? What if the teenage girl sticks it in her bra? Think of the children!

Re:How many bank accounts did he have?

[Zcar]

A married couple with their own PayPal accounts that work against a joint checking account?

Re:How many bank accounts did he have?

I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

Can anyone explain this to me? It makes no sense at all. Well seems like they do send to the same account more than once.
The article says that he collected the money in a few bank accounts

Re:How many bank accounts did he have?

[TheQuicksilver]

Or better yet, why don't the services require a return deposit of the amount they sent to the bank account, else they issue a chargeback and don't allow you to access your login on their site?

Re:How many bank accounts did he have?

I think he found 5-10 banks that send a small amount upon opening an account then opened 1000 different bank accounts with 1000 fake names at each bank.

And here's the perl script to do it....

Re:How many bank accounts did he have?

He opened thousands of bank accounts under false identities and then sent all of the money in those accounts to one "master" account.

Re:How many bank accounts did he have?

He did use 50,000 bank accounts. He would sign up each of those accounts on PayPal, Google Checkout, ... which would deposit the small amounts of money in to those accounts. He then transferred these small amounts of money into a single account, or a few accounts.

Re:How many bank accounts did he have?

[pjt33]

According to TFS the attacker opened thousands of accounts with services like PayPal / Google Checkout. It doesn't say anything about how many actual bank accounts he used.

Re:How many bank accounts did he have?

[Lord+Flipper]

If giving a false name over the internet is illegal then almost everyone posting here is breaking the law.

Giving a false name, by itself, is not illegal in the US, unless the use of the false name is for a fraudulent purpose. I have had the IRS except three or more W-2 forms from me that were all named differently, but with my normal Social Security number on all them. The IRS didn't care one bit, because there was no fraudy. Anyway, it's my understanding that giving an alias is fine online and off, it's all about 'intent.'

So ...

[goose-incarnated]

... does he have a script to return the money?

Re:So ...

[TheLink]

I heard he might be starting on a sentence soon.

Tagged:

[CompMD]

penniesforeveryone

Re:Tagged:

[FiloEleven]

penniesfromheaven
 
/obscure?

Re:Tagged:

[D+Ninja]

Frank Sinatra is never obscure.

I wonder

[elrous0]

How many hours of community service do you get for 58,000 counts of petty theft?

Re:I wonder

[catmistake]

Not theft, fraud. And if you saw The Firm you'd remember that each count of mail fraud alone is punishable by a $5000 fine and 2 years in jail. So, for 58,000 counts that's, uh, $290 Million, and 116,000 years in jail. The bank fraud and wire fraud charges likely carry even heavier sentences.

Re:I wonder

[hawk]

Never mind the work; imagine filling out the 58,000 sets of compliance papers :)

hawk

Re:I wonder

[elrous0]

116,000 years in jail

Yeah, but he'll be eligible for parole in 78,000.

Re:I wonder

[Mysteerie]

What if he can't even do the 78,000 years in Jail? I guess the Judge will just have to give some encouragement and let him know just to do his best. :)

C'mon now

[willyhill]

You absolutely have to tip your hat at this guy. I'm not sure if I feel bad for the financial institutions "bilked" by him (I'm sure they'll recover the money from insurance) or their CEOs that make millions while the stocks underperform, but I feel bad for him. After all he's just playing the system they set up to begin with.

It's obvious he knew exactly what he was doing, and he knew it was wrong. But you have to acknowledge the inventiveness and sheer perseverance.

Silicon Slim

Such rumors have been common, though it's rare to see documented evidence.

In the 1980's John Forster wrote "The Ballad of Silicon Slim", a country/western ballad song about a home computing thief. An excerpt:

In the dead of night he'd access each depositor's account
And from each of them he'd siphon off the teeniest amount.
And since no one ever noticed that there'd even been a crime
He stole forty million dollars -- a penny at a time!

Little Janet was only eight but she had her own account
And the seven dollars in it was to her a huge amount.
So the day that penny vanished one unhappy little tot
Screamed, "Hey, what happened to my penny?"
And the teller tried to tell her but could not.

    (Or check the Risks Digest of 3 February 1992)

Only a few personal bank accounts!

Clearly No QA process to check repeated micropayments to the same bank account number.

Or perhaps this is how he got caught?

The financial industry has such a thin veneer of sophistication.

Let's

[zoomshorts]

Sign up for a gazillion Paypal accounts, use ONE bank account, and after Paypal
deposits the money, withdraw the money and close the account.

Profit !!!!! And a fitting end to Paypal. Pennies DO add up. The transaction
costs alone would bankrupt Paypal. Somebody write a script ... hurry.

Re:Let's

[tha_mink]

Sign up for a gazillion Paypal accounts, use ONE bank account, and after Paypal deposits the money, withdraw the money and close the account. Tried it. Paypal doesn't allow multiple accounts with the same bank account information.

Re:Let's

[soldoutactivist]

Anymore.

I just wanted to add the damn quote already

[ReverendLoki]

Peter: "That virus you're always talking about, right? The one that could, uh, rip off the company for a bunch of money."
Michael: "Yeah, what about it?"
Peter: "Well, how does it work?"
Michael: "It's pretty brilliant. What it does is, every time there's a bank transaction where interest is competed, you know, thousands a day, the computer ends up with these fractions of acent, which it usually rounds off. What this does is, it takes those little remainders and puts it into an account."
Peter: "This sounds familiar."
Michael: "Yeah, they did it in Superman III."
Peter: "Right."
Michael: "Yeah. Underrated movie, actually. And then there were a bunch of hackers, did it in the '70s as well. One of them got busted."
Peter: "Well, so they check for this now."
Michael: "No, here's the thing. Initech's so backed up with all the software we're updating for the year 2000, they'd never notice."
Peter: "You're right. And even if they wanted to, they couldn't check all that code."
Michael: "Thumbs up their asses. Thumbs up their asses."

Re:I just wanted to add the damn quote already

[Joe+the+Lesser]

Peter Gibbons: I can't believe what a bunch of nerds we are. We're looking up "money laundering" in a dictionary.

Re:I just wanted to add the damn quote already

I liked that book. Too bad the big year 2000 crash did not happen :D

Re:I just wanted to add the damn quote already

Peter Gibbons: Um, the 7-Eleven, right? You take a penny from the tray.
Joanna: From the crippled children?
Peter Gibbons: No, that's the jar. I'm talking about the tray, the pennies for everybody.

Re:I just wanted to add the damn quote already

[xtracto]

Well... they could go even lower and look it in the wikipedia

=oP

Re:I just wanted to add the damn quote already

[kaen]

No crash, but it did take me a while to get a paycheck. I was doing a stint with the government at the time, and the payroll software wasn't "Y2K Compliant". Took almost a month to get my first paycheck. Felt like I was making excuses telling my landlady at the time "I can't pay you rent right now, because of the Y2K problem" hehe.

what's really stupid about this...

...where the heck are the captcha's?... if there was a solid use of captcha's on the sign-ups, it would take a serious amount of processing to ding through each sign-up. Certainly would take more than "scripts".

Dang, I had to even confirm a captcha just to post this stupid message!

Re:what's really stupid about this...

[Kris_B_04]

Looks like you only have the Captcha's on here if you aren't logged in..... ;)

Kris

PayPal is a bank?

PayPal is called a 'bank' now?

Re:Who are you arguing with?

[Pollardito]

there is someone arguing it wasn't illegal:

"Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts."

Well whaddaya know...

[LynnwoodRooster]

This kind of attack hardly an invention of the movies. The salami attack has been around for a long time.

Huh. Learned something new - thanks! I always thought Salami Attack was a bad 80s porn movie...

Re:Well whaddaya know...

Have you seen any /good/ porn movie, like, ever?

Re:Well whaddaya know...

[Anne_Nonymous]

>> Salami Attack was a bad 80s porn movie...

Yes, but it was better than Superman 3.

Re:Well whaddaya know...

[Mister+Whirly]

You MUST be new here.

Re:Well whaddaya know...

[nog_lorp]

The Passion of the Christ. Great production value.

Re:Well whaddaya know...

[no1home]

You want a list?

Re:Well whaddaya know...

Yes Please!

Milton

He should have burned down the interweb!

What to take away...

[brickler]

What I find interesting about this is that none of the other institutions noticed they were depositing all those separate pennies into the same account. I would think they would have safe guards that would come up and say, hey we already have made a deposit to that account; but, based on the article it was his bank that noticed....

Re:What to take away...

[Forbman]

Well, they probably do, but not for penny transactions...

Re:What to take away...

[canajin56]

Paypal does check, but apparently other places do not.

I could put Strychnine in the Guacamole...

[tyrione]

if I truly wanted to...

Deny after 1 transfer causes problems

[patio11]

Look at this from Paypal's perspective: you've got millions of people trying to sign up on your system. Statistically speaking, hundreds of thousands of them are not so bright, and will do things like forget they already tried signing up, not see their bank statement and try doing it again, etc. Since the cost of re-authenticating them is less than a buck (mostly for the ACH transfer fees) and the expected lifetime value of the account is still (for Paypal = eBay) anywhere from $10 to several hundred to depending on where you got the lead, obviously you want to let them try it again.

So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.

So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the bnaks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.

Re:Who are you arguing with?

[WormholeFiend]

there is someone arguing it wasn't illegal:

Why didnt he use 7-eleven defense? They're pennies for everybody!

Gangsta

[D+Ninja]

Damn it feels good to be a gangsta
Feedin' the poor and hepin out wit they bills
Although I was born in Jamaica
Now I'm in the US makin' deals

/white

//not a gangsta

Could it be done legally?

[denzacar]

Soo... Could it be done legally?

Say, a town of 10000 - 100000 (or more) humans tries to do something like this.
Say, the town needs to refurbish its community center or a kids' playground.
Set up couple of bank accounts, and have real people, with real info use them for registration.

Would that be illegal?

Re:Could it be done legally?

[egomaniac]

Of course it wouldn't be illegal.

Re:Could it be done legally?

[91degrees]

No, but each of them will only get a few cents. It's not worth the effort. The only reason it worked for this guy was that it was automated.

Re:Could it be done legally?

[denzacar]

I am talking about doing exactly the same thing - only with real people.
When I said "couple of accounts" I meant 5-10 bank accounts. Not 10000.

Re:Could it be done legally?

[Kupek]

With the amount of time and effort it would require to organize such a thing, it would be faster and easier if you instead just asked for a $1 donation from those people.

Re:Could it be done legally?

[denzacar]

Yeah, but that would come from WITHIN the community. If you manage to make them do it.

Getting it from outside is something completely different.
And "sticking it to the man" has a certain attractiveness to it.

Re:Could it be done legally?

[Kupek]

The time and effort required to organize it would also come from within the community. Generally, I'd rather fork over $1 than my time.

nice for framing someone

[0111+1110]

Instead of transferring it into your own account transfer it into the account of someone you hate. Getting someone's account number is actually not all that difficult. It's on every check they write for instance. Mmmm. The sweet taste of revenge.

Re:nice for framing someone

[ShiNoKaze]

If you really wanted lots of evidence on them, do it on their home wireless network from yo car. Wouldn't even have to spoof any IP's. Heck you could prolly even change around some computer names, mac addy's...

Too late

[hurfy]

Our credit card processor overcharges the sales tax on the monthly charge by $.01 every month...i think someone has beat you to it in most cases...

Kinda worried actually because either:
1. Someone messed with the computer and is stealing a penny each month.
2. They can't calculate the percentage correctly?!? This is all they do is figure percentages of things!!

The percent shown for tax is correct and there is nothing to round off so no rounding error. No, they don't give a damn even afteer they find out...still the same 6 months later :(

Re:Too late

[Intron]

class action suit.

How about: Banks - Stealing from clients....

[MagicBox]

...one cent at t time.


Steal a penny from the Banks - go to jail - Banks steals $10 from you - calls it a "service charge".

We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?

Re:How about: Banks - Stealing from clients....

[dargaud]

And the fact that they won't provide an invoice for that "service charge" is borderline criminal.

Re:How about: Banks - Stealing from clients....

It's far worse than you imagine. You realize that banks can create money out of thin air right? It's called fractional reserve banking. They lend out 90% of deposits but they don't remove that money from people's accounts. Then people spend that lent out money and it gets redeposited, and 90% of that gets lent out again. Even worse if they drop below the 10% reserve they can just borrow the needed deposits from the FED, who in tern creates the money out of nothing! All this extra money floating around raises everyone's prices, so the banks steal the value of your money even if you're not a customer!

Re:How about: Banks - Stealing from clients....

[KKlaus]

You signed a contract idiot.

So where he went wrong..

[konigstein]

He went wrong by not having the money all deposited in one account, then the lump sum moved over to a swiss bank account or something of that nature. I'd imagine the banks could freeze it at some point however.

Something like..

swiss account
|
temporary account
|
Many, many temporary accounts

Re:So where he went wrong..

[Lobster+Quadrille]

I heard that swiss banks aren't as private as they used to be.

/me goes off to look up "Money Laundering" on Wikipedia.

Silicon Slim, Music Pirate

[Cid+Highwind]

In the dead of night he'd access each depositor's account
And from each of them he'd siphon off the teeniest amount.
And since no one ever noticed that there'd even been a crime
He stole forty million dollars -- a penny at a time!

So you're saying he stole it once piece at a time and it didn't cost him a dime?

There's a Mr Cash on line one, something about being owed 20 years of back royalty payments on a country crime ballad.

pseudonym

[Thelasko]

He had to use fake names and addresses. Could you imagine how much junk mail he would receive if he didn't?

"Hacker" not "Cracker"!

[ivan256]

In this case, he's a hacker using the Slashdot/ESR definition, instead of the typical everyday definition. People around here should be excited.

Re:"Hacker" not "Cracker"!

Yay! One of our own is getting litigated! Woohoo!

Captcha

[kellyb9]

I wonder how the script got around any kind of user authentication? I, for one, have problems reading those Captcha things with my eyes... I wonder how you'd get around those with a script.

Re:Captcha

[Vegeta99]

I can do them pretty quickly, and if I wrote myself a tidy little program to automatically open the accounts and simply present me with two words that once I type gain me from $0.01 to $0.99, I'd be typing away until my fingers bled.

Re:Who are you arguing with?

Wait, you take them from the crippled children?

The real hacker's comments

[uberphear]

I'm not exactly a 1337 h4x0r, but I would consider myself a hacker.

Reputable sources report that the reply so far has been "mhm, mhm".

Starts slow clap -nt-

[Woundweavr]

nt

1950s - I think

[walterbyrd]

I think the Superman-3/office-space like rounding error robbery was actually done in the 1950s.

I vaugly remember reading about it in a book called "computer crime" or "computer cappers" or something like that. I read about this in the 1970s, but I sorry if my memory is a bit foggy.

Oblig Alice's Restaurant Ref

[Hoi+Polloi]

I walked over to the, to the bench there, and there is, Group W's where they put you if you may not be moral enough to join the army after committing your special crime, and there was all kinds of mean nasty ugly looking people on the bench there. Mother rapers. Father stabbers. Father rapers! Father rapers sitting right there on the bench next to me! And they was mean and nasty and ugly and horrible crime-type guys sitting on the bench next to me.

Re:Oblig Alice's Restaurant Ref

[Hoi+Polloi]

Damn, I posted before scrolling down. Didn't know there were so many Arlo Guthrie fans here.

Re:Oblig Alice's Restaurant Ref

[nobaloney]

Yes but how many have actually eaten at the restaurant?

It seems that many years ago a friend of mine had a rented barn (which he used for storage) half a mile the other side of the railroad tracks in Stockbridge, Massachusetts, where he was keeping all sorts of mean nasty ugly things ...

He was eventually deported.

For what it's worth, Alice's Retaurant wasn't the name of the restaurant; it's the name of the song. Unfortunately age is catching up with me and I no longer remember the name of the restaurant.

Wikipedia says it was named "Back Room Rest", but I couldn't attest to that.

I did once meet officer Obie, though.

Re:Oblig Alice's Restaurant Ref

[Hoi+Polloi]

You are right about the restaurant. The Boston Globe had an article a while back about the real Alice who now lives in Provincetown MA and does art. She did open a restaurant and it was in an old church but she denies sleeping around like in the movie.

Generating SSNs is Easy

Generating plausible SSNs is very easy to do. The Social Security Administration posts public info on how to verify numbers. They update that info monthly. Web pages like this one use that info to generate numbers that have probably been issued, will soon be issued and numbers that cannot possible be issued.

A hollow victory.

[b4dc0d3r]

These were my ass pennies.

Re:A hollow victory.

[ActionDesignStudios]

+1 for the UCB reference.

I liked Superman III, you insensitive clod!

[Dogtanian]

No one has seen Superman 3 for years because it is such a bad movie. I'm going to back up the one other guy who disagrees with you on this. Superman III was never that bad- I quite like it, personally.

I think it's disproportionately slated because the kind of people most likely to discuss a Superman film are Superman fans. Being less focussed on Superman, missing Lois Lane and Lex Luthor, as well as being simply less serious, they probably see this as a lightweight sellout, and not what they want from a Superman film.

I can understand that, but that doesn't mean I agree with it. Yes, it's kind of cheesy (partly in retrospect) and maybe a bit silly for the fanboys' tastes- but then, isn't the whole Superman thing faintly silly anyway?! IMHO it's a fun film, the computer stuff is interesting, and the robot woman at the end was quite scary when you were like 7 years old.

I'd say that Superman II is better if you want a "proper" Superman film, but even the "Superman goes bad and fights himself" bit in III was good in this respect. Either way, I'll take it over the overrated first movie any day.

Superman IV *was* toss on toast, though :-6

Y2K

[Ungrounded+Lightning]

Too bad the big year 2000 crash did not happen :D

Some of it did happen. But mostly only small stuff.

The big foulup didn't happen because billions were spent to fix it in advance.

(Amdahl had a two-rack mainframe available at the time for a few bux under a million and for a couple years leading up to the big day something like half their sales were to companies that wanted a completely separate machine to test their Y2K fixes without risking the live, mission-critical processes.)

Suckers

One bank I use deposits small amounts for verification purposes and then immediately withdraws them. They wouldn't fall victim to such a scam. I think it's ING Direct.

Re:oh wait.... (Oblig. XKCD)

[Lord+of+Hyphens]

Now that Snopes has come out on the field, this XKCD is obligatory.

Do you smell that? It's the karma burning.

Thousands of pennies.

[westbake]

We could make tens of dollars a day. .... Sweet!

pedantic but..

[Dare+nMc]

then in fact, you are doing something wrong.

I don't know them bastards at paypal cost me $50 that had I used a credit card I would still have in my pocket (changed their policys after I opened the account, but who reads those updates.) So if they were bending some rules to get back what was rightfully theirs in the first place...

crime is still, well, criminal.

in my book (wrong != crime != criminal). A criminal is one who is guilty of a crime, that involves getting caught (to me.) of course you can be wrong without breaking a law, and break a law without being wrong (since many laws require "mens rea" so even breaking a law is not always a crime or a criminal act)

Re:pedantic but..

[tsstahl]

OK, I'll freely stipulate that Paypal deserves their own special hell. But I still wouldn't support someone ripping them off.

This wouldn't work with TD Ameritrade

[mkraft]

Like Paypal and other banking/payment sites, TD Ameritrade deposits two transactions of a few cents each. Unlike Paypal, et al. A few days later they take back the few cents they deposited.

Yes, they're really that cheap.

An early one...

[Ungrounded+Lightning]

This kind of attack hardly an invention of the movies. The salami attack has been around for a long time.

The rounding version of the "Salami slicing" attack, actually.

One of the earliest ones that was discovered took advantage of a bank's interest computation program's method of processing the accounts in alphabetic order by primary accountholder's name. It collected the rounding fractions and deposited them in the last account processed. The program's author opened an account with a bogus last name starting with "Z" to collect the slivers. Thus there was no hard-coded account number and the extra code was small and hard to spot.

Eventually somebody whose real name started with "Z" and was further along in the alphabet opened an account with the bank. When his interest payments far exceeded his balance he contacted the bank to find out what was wrong.

Superman 3 is not awful

[Ginger+Unicorn]

i take exception to the constant kicking people give superman 3 - it's a comedy classic i tells ya! and the scene where superman fights himself in the junkyard... iconic moment. obviously superman 3 is not as classy and the first two, but it works in comic-book come to life kind of way.

Slashdot summary title totally wrong

[adisakp]

He wasn't "Stealing from Banks". As you know, Paypal is not a bank. Google Checkout is not a bank either.

Neither are required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for it's members without warning and your recourse towards unfreezing accounts leaves much to be said.

FWIW, there is a new Person-to-Person payment competitor to Paypal that is actually run by a bank and your deposits are FDIC insured. It's called Revolution Money Exchange. It's currently free like Paypal was in the beginning but I'm sure they'll add more fees sooner or later.

Paypal is not a bank

[adisakp]

How could he be "Stealing from Banks" when Paypal is not a bank. Google Checkout is not a bank either.

Neither are required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for it's members without warning and your recourse towards unfreezing accounts leaves much to be said. I haven't heard horror stories about Google Checkout but they are not a bank either - they are a payment processor for merchants.

FWIW, there is a new Person-to-Person payment competitor to Paypal that is actually run by a bank and your deposits are FDIC insured. It's called Revolution Money Exchange. It's currently free like Paypal was in the beginning but I'm sure they'll add more fees sooner or later.

Oh, and if you sign up for Revolution, you get a couple pennies deposited to any accounts you link to it, so don't sign up 50,000 times under a fake name or you'll be stealing from a Bank for real!!!

Re:Paypal is not a bank

[ckblackm]

Pretty cheesy of you to have the link for Revolution Money Exchange as a refer-a-friend link so that you could get a referral bonus.

Re:Paypal is not a bank

[nobaloney]

Or of course you could go here and no one gets any extra money:

https://www.revolutionmoneyexchange.com/

Though I wonder if it can ever overcome the sheer ubiquity of PayPal in the Internet mind space.

re: works both ways, apparently....

[King_TJ]

I've had a fair number of times when a credit/debit card transaction went through, and it turned out it was for 1 or 2 cents more than what I had on my original receipt.

Typically, this seems to happen with purchases made at restaurants, where you write in a tip on the receipt before leaving it with a server.

Is this really done on purpose, or perhaps just someone transposing numbers or being sloppy when keying in the amount to be billed? Wouldn't doubt some of each happens, but in any case - who is going to really put up a big fight over a penny in a case like this? Only reason I ever notice it is because I track all my finances in Quicken, and manually enter every paper receipt I bring home.

No he didn't stole any _money_...

[V!NCENT]

"How come the security has called us op? Like we're going to steal something..."
-"I stole something."
"I guess we all do..."
-"No I stole something else..."

Ugh, Groan!

[TheVelvetFlamebait]

So it's realy PayPal that steals?

No. If you care about what fees you're going to be charged, just research PayPal before getting an account.

1/2 cent movie

[gsmraxe]

This reminds me of the that movie from the 1980s with Richard Pryor (iirc) where he takes the 1/2 cent from everyone's paycheck. He gets an extra check and it's a million dollars or something like that.

Retailers?

I work for a large retailer. One day we realized that the register hardly ever figured the same sales tax as we do, even with a calculator and the right .001 of a percent. Well we came to this conclusion. It does not charge tax on the subtotal of your transaction. It charges tax on each item individually. I have heard that we are NOT the only place that does this. I honestly don't know who but if the walmarts of the world do this. You can only imagine how much money this could be in a years time.

nerdly

even lower

Meta

[zobier]

Shortest path from salami attack to anal rape
Salami attack
Fraud
Crime
Rape
3 clicks needed

Back in my bad ol' COBOL days...

[aqk]

...which is too long ago to remember - Ok, maybe it was 35 years ago - a few of us drew a bogus, and presumably funny flowchart on one of our cubicle's blackboards.
Full of the "credits" here, "debits" there, etc, lots of joke decision boxes,but with a "special subroutine" near the end.
We drew some "rounding" routine near the end, implying that all rounding was to be done to the lower cent.
All excess pennies accumulated from rounding were sent to a special fund- "Booze for the I.S. xmas office party" or some such designation.
The I.S. V.P. (probably called the CIO these days) walked in one day, and chuckled at the flowchart.
That is, until he came to that "rounding" logic. He mildly freaked, and quickly told us in no uncertain terms that if the accounting people ever saw this, there would be hell to pay, and he then erased it immediately.

Re: works both ways, apparently....

[jesboat]

I track things the same way, but I've never seen that. You might just be unlucky.