Stealing From Banks One Cent at a Time
JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."
When reached for comment, the "hacker" had this to say:
Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
What the fuck does that mean?!
How is this like Superman 3? I thought the point in that movie was to shave off the remainders in interest calculations. This is just a simple case of seeing someone transfer a few cents to your account when you open it and trying to abuse the system. The problem of course is that it's extremely obvious and you'll get caught, just like this guy did.
I read the internet for the articles.
I had this very idea a few days ago when paypal put two 40 cent payments in my checking account. Thank god I didn't go with it, eh?
No.. when I change my credit card information on PayPal they deduct 15 SEK and then I get it back on my PayPal account (from which they take a percentage?). So it's really PayPal that steals?
As far as I can tell, the article doesn't actually mention that Largent managed to rip off PayPal, only that PayPal, Google Checkout, et al. use the small deposit method for verification. Seriously, reading for comprehension isn't hard, people. Hell, it even mentions the scope right in the lede.
They that would sacrifice their
Of course he wasn't arrested for taking the money. Said institutions willingly deposited that money into his account(s), yes? And these institutions did so under the pretense that this was to identify the customer? So the charge makes sense. The guy didn't steal money, it was given to him... a "him" with a fake identity.
Proudly supporting the Libertarian Party.
If you have to make up a name or SSN to open the account, then in fact, you are doing something wrong. Color me simple, but that's the way I see it. :\
This is clearly a case where a novel approach to crime is still, well, criminal.
Man, they'll throw the "Hacker" label on anyone these days, won't they?
Those who believe the Internet is private,
find their privates are on the Internet.
I know Paypal lets you keep the money, I'm guessing the guy chose it and similar services.
I read the internet for the articles.
Damn it feels good to be a gangsta.
The most you'll do is a few years in one of those "country club" prisons, right?
By closing the accounts before Paypal / Google Checkout could remove the money.
-----------
100% pure freak
Wire fraud? Bank fraud? Don't you need to have done these actions against actual banks for these kinds of charges to get levied?
At least his script didn't almost capsize the oil tankers... people would be super pissed off then.
Don't drop the kryptonite in the shower.
The amounts were being deposited into the same few bank accounts. The thing I can't figure out is, given the sheer number of transactions involved, how was this not spotted sooner?
If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.
when he started using names like...
Haywood Jablome
Connie Lingus
Dick Trickle
Seymour Butts
Hugh Jass
Ben Dover
Should have used a better name generator.
At least he did not create a script that automatically rounded every payment up to the nearest... oh wait...
Even if he gets a fine, he can always apply to pay off the debt in small payments - say a few cents every time...
Reminds me of a debt my father picked up from a school my sister attended for less than a week. They charged him for a whole year. Not to be deterred, he promptly paid them half the amount they invoiced him for. Months and six angry letters later he paid them half of the sum they asked for. Months later.. ah well, I am sure you can see the pattern here. Fast forward 14 years and they finally wrote off the rest of his debt (I think 1 GBP) as a goodwill gesture (and I am reliably informed he is a legend in the school's finance department). I have no idea how much the administration cost the school at the end of it, but it all seemed good natured enough.
You know what I'd do with $50,000? 2 chicks at the same time.
But he only stole it a little bit, a whole bunch of times...
I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?
Can anyone explain this to me? It makes no sense at all.
How many hours of community service do you get for 58,000 counts of petty theft?
SJW: Someone who has run out of real oppression, and has to fake it.
It's obvious he knew exactly what he was doing, and he knew it was wrong. But you have to acknowledge the inventiveness and sheer perseverance.
The twitter monologues. Click on my homepage and be amazed.
Peter: "That virus you're always talking about, right? The one that could, uh, rip off the company for a bunch of money."
Michael: "Yeah, what about it?"
Peter: "Well, how does it work?"
Michael: "It's pretty brilliant. What it does is, every time there's a bank transaction where interest is computed, you know, thousands a day, the computer ends up with these fractions of a cent, which it usually rounds off. What this does is, it takes those little remainders and puts it into an account."
Peter: "This sounds familiar."
Michael: "Yeah, they did it in Superman III."
Peter: "Right."
Michael: "Yeah. Underrated movie, actually. And then there were a bunch of hackers, did it in the '70s as well. One of them got busted."
Peter: "Well, so they check for this now."
Michael: "No, here's the thing. Initech's so backed up with all the software we're updating for the year 2000, they'd never notice."
Peter: "You're right. And even if they wanted to, they couldn't check all that code."
Michael: "Thumbs up their asses. Thumbs up their asses."
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
You'll have that sometimes...
PayPal and E*trade both leave the money.
I seem to remember others...oh wait, those were authorization charges! ("Don't worry, we'll put it back eventually.") Those appear to be the smarter companies in the bunch.
You can set a time limit on the threshold. Assume 32 days in a month: $50,000 would be $1562 per day; that's $65 worth of micropayments in an hour. That's a lot of transactions to be spread around not very many providers.
They could flag anything over a certain amount per hour or per day and catch the worst of the offenders.
I'm guessing the only reason they haven't done that so far is because it didn't occur to anyone that the system could be gamed that way.
Huh. Learned something new - thanks! I always thought Salami Attack was a bad 80s porn movie...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
if I truly wanted to...
This is what Botnets are for.
Look at this from Paypal's perspective: you've got millions of people trying to sign up on your system. Statistically speaking, hundreds of thousands of them are not so bright, and will do things like forget they already tried signing up, not see their bank statement and try doing it again, etc. Since the cost of re-authenticating them is less than a buck (mostly for the ACH transfer fees) and the expected lifetime value of the account is still (for Paypal = eBay) anywhere from $10 to several hundred depending on where you got the lead, obviously you want to let them try it again.
So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.
So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the banks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.
Help poke pirates in the eyepatch, arr.
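Several comments above converge on the same defensive idea: flag a bank account that receives verification deposits over a certain number, rate-limit micro-deposits per hour or per day, and pick a value for something like MAX_VERIFICATION_TRANSFERS instead of leaving re-verification unbounded. The script below is an added illustration written for this page, not code from Slashdot, PayPal or any of the providers named; the thresholds, account numbers, provider names and ledger rows are all made up. It keys both rules on the destination bank account, since that is what stays constant while the sign-up names and providers change.

```python
"""Constructed example: flagging micro-deposit abuse at the receiving bank account.

Two rules run over a ledger of verification deposits, keyed by the
destination bank account:
  1. a lifetime cap on verification deposits per destination account
     (the MAX_VERIFICATION_TRANSFERS knob from the discussion, set here
     to an assumed value), and
  2. a velocity rule: total cents of verification deposits landing in one
     account inside a sliding window.
All thresholds, account numbers and ledger rows are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_VERIFICATIONS_PER_ACCOUNT = 3      # assumed cap per destination account
VELOCITY_WINDOW = timedelta(hours=1)   # assumed sliding window
MAX_CENTS_PER_WINDOW = 100             # assumed: more than $1.00/hour into one account is suspicious


class MicroDepositMonitor:
    """Tracks verification deposits per destination account and emits alerts."""

    def __init__(self, max_per_account=MAX_VERIFICATIONS_PER_ACCOUNT,
                 window=VELOCITY_WINDOW, max_cents=MAX_CENTS_PER_WINDOW):
        self.max_per_account = max_per_account
        self.window = window
        self.max_cents = max_cents
        self.lifetime_count = defaultdict(int)   # dest account -> deposits ever seen
        self.recent = defaultdict(deque)         # dest account -> deque of (ts, cents) in window

    def record(self, ts, provider, dest, cents):
        """Ingest one deposit (in timestamp order); return the alerts it triggers."""
        alerts = []

        # Rule 1: lifetime count, across all providers, for this destination account.
        self.lifetime_count[dest] += 1
        if self.lifetime_count[dest] > self.max_per_account:
            alerts.append(("count_cap", dest, provider,
                           f"{self.lifetime_count[dest]} verification deposits > cap {self.max_per_account}"))

        # Rule 2: cents landing in this account inside the sliding window.
        window_q = self.recent[dest]
        window_q.append((ts, cents))
        while window_q and ts - window_q[0][0] > self.window:
            window_q.popleft()
        total = sum(c for _, c in window_q)
        if total > self.max_cents:
            alerts.append(("velocity", dest, provider,
                           f"{total} cents within {self.window} > {self.max_cents}"))
        return alerts


def run_monitor(ledger, monitor=None):
    """Replay a ledger of (ts, provider, dest, cents) rows; return {dest: [alerts]}."""
    monitor = monitor or MicroDepositMonitor()
    flagged = defaultdict(list)
    for ts, provider, dest, cents in sorted(ledger, key=lambda row: row[0]):
        for alert in monitor.record(ts, provider, dest, cents):
            flagged[dest].append(alert)
    return dict(flagged)


# Constructed ledger. ACCT-1001 is an ordinary user who verified at PayPal (two
# deposits) and re-verified two days later; ACCT-2002 collects deposits from six
# different providers inside 45 minutes.
BASE = datetime(2008, 5, 27, 9, 0, 0)
LEDGER = [
    (BASE, "PayPal", "ACCT-1001", 40),
    (BASE + timedelta(minutes=5), "PayPal", "ACCT-1001", 40),
    (BASE + timedelta(days=2), "PayPal", "ACCT-1001", 40),
    (BASE + timedelta(minutes=1), "Broker-A", "ACCT-2002", 12),
    (BASE + timedelta(minutes=7), "Broker-B", "ACCT-2002", 45),
    (BASE + timedelta(minutes=12), "Broker-C", "ACCT-2002", 8),
    (BASE + timedelta(minutes=20), "Broker-D", "ACCT-2002", 33),
    (BASE + timedelta(minutes=31), "Broker-E", "ACCT-2002", 19),
    (BASE + timedelta(minutes=45), "Broker-F", "ACCT-2002", 27),
]

if __name__ == "__main__":
    for dest, alerts in run_monitor(LEDGER).items():
        for kind, _, provider, detail in alerts:
            print(f"{dest} [{kind}] via {provider}: {detail}")
```

The legitimate account never trips either rule, which is the point the engineer's comment makes: a cap of 3 still tolerates the user who forgets and re-verifies. The collecting account trips the count cap on its fourth deposit and the velocity rule once more than a dollar has landed within the hour. In a real deployment the two rules would belong at different places: the count cap is something one provider can enforce on its own, while the velocity rule only sees the whole picture at the receiving bank, since no single provider observes the other providers' deposits.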
which is totally what she said
Instead of transferring it into your own account transfer it into the account of someone you hate. Getting someone's account number is actually not all that difficult. It's on every check they write for instance. Mmmm. The sweet taste of revenge.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
in the US, NOBODY cant take the money out of your bank account without your authorization
(Assuming you aren't being sly with the double-negative...)
Then you have some learnin' to do about how ACH transactions work. Authorization for withdrawals is required, but it is certainly not passed along with the transaction itself. The system relies heavily on trust. If someone challenges a transaction, and their bank demands proof of authorization, then yes, you'd better have it. But if the transaction is not challenged or rejected, then it stands.
A post a day keeps productivity at bay.
...one cent at a time.
Steal a penny from the Banks - go to jail - Banks steal $10 from you - call it a "service charge".
We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
In this case, he's a hacker using the Slashdot/ESR definition, instead of the typical everyday definition. People around here should be excited.
Yeah, well... at least I didn't fuck Lumberg.
Favorite line from Night Court:
Defense attorney: "You had a gun?"
Crook: (sheepishly) "Just a little one."
District attorney: "The term is sawed-off."
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Indeed. Now just do it 100,000 more times and you'll be fighting the man with the soap.
How are sites slashdotted when nobody reads TFAs?
Now that Snopes has come out on the field, this XKCD is obligatory.
Do you smell that? It's the karma burning.
"I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
How could he be "Stealing from Banks" when Paypal is not a bank. Google Checkout is not a bank either.
Neither is required to safeguard your money the same way a bank does. Paypal can and often does freeze the deposits in accounts for its members without warning, and your recourse towards unfreezing accounts leaves much to be said. I haven't heard horror stories about Google Checkout but they are not a bank either - they are a payment processor for merchants.
FWIW, there is a new Person-to-Person payment competitor to Paypal that is actually run by a bank and your deposits are FDIC insured. It's called Revolution Money Exchange. It's currently free like Paypal was in the beginning but I'm sure they'll add more fees sooner or later.
Oh, and if you sign up for Revolution, you get a couple pennies deposited to any accounts you link to it, so don't sign up 50,000 times under a fake name or you'll be stealing from a Bank for real!!!