Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealing From Banks One Cent at a Time

Posted by CmdrTaco on from the not-like-atm-fees-steal-from-you dept.

JRHelgeson writes "In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."

59 of 313 comments (clear)

  1. Comment from said "hacker" by Digital+Vomit · · Score: 5, Funny

    When reached for comment, the "hacker" had this to say:

    "I don't want to go to jail because there are robbers and rapers and rapers who rape robbers. "
    --
    Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
    1. Re:Comment from said "hacker" by s.bots · · Score: 5, Funny

      Looks like someone could be doin' time in a "Federal 'pound-me-in-the-ass' Prison"...

      Hey Mike! Watch out for your cornhole buddy!

    2. Re:Comment from said "hacker" by rugatero · · Score: 5, Funny

      What makes him a "hacker"?

      He used a computer.

      Heck he even wrote a script. In the eyes of your average Joe that makes him a diabolical hacking genius.

      --
      This comment is for entertainment purposes only. Any similarity to real insight or information is purely coincidental.
    3. Re:Comment from said "hacker" by The+Clockwork+Troll · · Score: 5, Funny

      This is an interesting legal situation in that, technically, both the crime and its punishment could be called a "salami attack".

      --

      There are no karma whores, only moderation johns
    4. Re:Comment from said "hacker" by 0kComputer · · Score: 5, Funny

      I have a client in there right now. He says the trick is to kick someone's ass the first day, or become someone's bitch.

      --
      Top 10 Reasons To Procrastinate
      10.
    5. Re:Comment from said "hacker" by Ibiwan · · Score: 5, Funny

      " And I, I walked over to the, to the bench there, and there is, Group W's where they put you if you may not be moral enough to join the army after committing your special crime, and there was all kinds of mean nasty ugly looking people on the bench there. Mother rapers. Father stabbers. Father rapers! Father rapers sitting right there on the bench next to me! And they was mean and nasty and ugly and horrible crime-type guys sitting on the bench next to me. And the meanest, ugliest, nastiest one, the meanest father raper of them all, was coming over to me and he was mean 'n' ugly 'n' nasty 'n' horrible and all kind of things and he sat down next to me and said, "Kid, whad'ya get?" I said, "I didn't get nothing, I had to pay $50 and pick up the garbage." He said, "What were you arrested for, kid?" And I said, "Littering." And they all moved away from me on the bench there, and the hairy eyeball and all kinds of mean nasty things, till I said, "And creating a nuisance." And they all came back, shook my hand, and we had a great time on the bench, talkin about crime, mother stabbing, father raping, all kinds of groovy things that we was talking about on the bench. "

      --
      -- //no comment
    6. Re:Comment from said "hacker" by Chapter80 · · Score: 5, Interesting
      With every ATM deposit, one can key in a slight over-amount, when specifying the deposit. If you are depositing checks for $123.45, you could key in maybe $123.54 (transposing the last two digits).

      Most always, the bank sees the foolishness in sending a letter (costing at least 42 cents) to correct a small error. So they apparently just write off the difference, and leave the ATM deposit as reported.

      So I get richer, cents at a time.

      Kids, don't try this at home.

      This may just be the missing statement, right before "4. Profit"

    7. Re:Comment from said "hacker" by blair1q · · Score: 4, Interesting

      Contrary to your apocryphal belief, banks have entire departments that spend more than the collection is worth to make you balance your account if it is out of balance. This discourages bigger crimes, which would cost them more just on a statistical basis.

      You may get away with the "few pennies" mistake once per institution. Three or four times? They'll freeze your funds and demand you clean up your act.

      Because here's a secret you should have known: When you give the bank the money, it's not yours any more. It's theirs. You lent it to them, and they owe it to you, but you can't just take it. You are nothing more than a lender, and they are a borrower. You have all the rights of a creditor. Which, you might guess, means you can spend thousands of dollars on legal hassles trying to free up the $123.45 you deposited to steal that 9 cents.

  2. PC load letter?! by jchillerup · · Score: 5, Funny

    What the fuck does that mean?!

    1. Re:PC load letter?! by jchillerup · · Score: 5, Funny

      Whew. Sounds like someone has a case of the Mondays.

    2. Re:PC load letter?! by palegray.net · · Score: 3, Funny

      I think the subject of this article would be better served with "legal size" paper.

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
  3. Superman 3? by jandrese · · Score: 5, Informative

    How is this like Superman 3? I thought the point in that movie was to shave off the remainders in interest calculations. This is just a simple case of seeing someone transfer a few cents to your account when you open it and trying to abuse the system. The problem of course is that it's extremely obvious and you'll get caught, just like this guy did.

    --

    I read the internet for the articles.
    1. Re:Superman 3? by geoffrobinson · · Score: 3, Insightful

      No one has seen Superman 3 for years because it is such a bad movie. So it is kind of like the telephone game.

      Frankly, the only good thing to come out of the movie was the concept of stealing fractions of pennies so no one notices.

      --
      Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
    2. Re:Superman 3? by qoncept · · Score: 4, Insightful

      Are you serious? Do you think it would be dumb to compare a Dell laptop to an IBM because IBM uses Hitachi drives and a 32x CDROM instead of Seagate and 36x?

      Since you can't figure it out, let me explain what aspects are similar. He was stealing next to nothing lots of times. Like the guy in Superman.

      --
      Whale
    3. Re:Superman 3? by lesinator · · Score: 4, Informative

      This kind of attack hardly an invention of the movies. The salami attack has been around for a long time.

    4. Re:Superman 3? by Otter · · Score: 3, Informative

      I believe that the reference to Superman 3 is actually a meta-reference to Office Space. (Or maybe the reference being referenced is the meta-reference -- I'm not a philosopher.) As Office Space itself noted, the method long precedes either movie.

      --
      What I'm listening to now on Pandora...
    5. Re:Superman 3? by Blakey+Rat · · Score: 3, Informative

      The point isn't that Superman 3 invented it, the point is that most people first heard of it from watching Superman 3 and so when you're trying to explain to people what you're doing, you can say "you know, like Superman 3" and they know what you mean. Thus the joke in Office Space:

      A:
      B: "Huh?"
      A: "You know, like in Superman 3."
      B: "Oooh, now I get it."

      It's funny, damnit. Made funnier than Superman 3 is actually a pretty awful movie. (But it's an awful movie that most everybody's seen.)

      --
      Comment of the year
    6. Re:Superman 3? by owlnation · · Score: 5, Funny

      Yes, but I'm sure someone can still claim PRYOR art.

    7. Re:Superman 3? by Dachannien · · Score: 4, Informative

      It's been happening in meatspace for thousands of years (though not so much anymore). People would shave bits off of coins made of precious metals and then smelt and sell the shavings to wind up with more money than they started with. Wikipedia notes that some British silver coins would routinely be milled down to half their original weight as nearly everyone took a little bit off the edge.

      Eventually, coins could be made with milled edges, which largely curbed the practice, and today, of course, most coins are made from metals that are worth very little compared to the value of the coin itself.

    8. Re:Superman 3? by Sneftel · · Score: 3, Funny

      But IBM doesn't use 32x drives. And therefore I am utterly baffled by the meaning of your comment.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    9. Re:Superman 3? by compro01 · · Score: 3, Interesting

      Actually, IIRC, pennies and nickels are currently worth more as metal than as coins. A penny is something like 1.2 cents and a nickel is about 6 cents, at least that was the case in Sept. 2006, which is the most recent mint report I can get at the us mint site.

      --
      upon the advice of my lawyer, i have no sig at this time
    10. Re:Superman 3? by blackfrancis75 · · Score: 4, Insightful

      of course, we have no metrics on how many times it HAS worked because those people are't in the news, they're in the Bahamas.

    11. Re:Superman 3? by Intron · · Score: 3, Funny

      That explains why I've been losing money counterfeiting pennies!

      --
      Intron: the portion of DNA which expresses nothing useful.
    12. Re:Superman 3? by rrkap · · Score: 4, Informative

      Actually, it's not just the penny anymore due to high commodities prices.

      Coin                Melt Value
      Penny (current)     $0.005
      Penny (pre 1982)    $0.024
      Nickel (current)    $0.059
      Dime                $0.021
      Quarter             $0.053
      Golden dollar coin  $0.065

      So, the mint is only loosing money on nickels right now, and the pre-1982 pennies are worth melting down.

      --
      I like my beverages with warning labels!
    13. Re:Superman 3? by statemachine · · Score: 3, Informative

      Those are the "Melt Values" not the cost of manufacturing.

      Today, a penny costs $0.026, and a nickel costs $0.077 to make.

  4. Submitter gets it wrong by nurightshu · · Score: 3, Informative

    As far as I can tell, the article doesn't actually mention that Largent managed to rip off PayPal, only that PayPal, Google Checkout, et al. use the small deposit method for verification. Seriously, reading for comprehension isn't hard, people. Hell, it even mentions the scope right in the lede.

    --
    They that would sacrifice their .sig space for that cliched Franklin quote deserve neither.
    1. Re:Submitter gets it wrong by Wister285 · · Score: 3, Informative

      The third and fourth paragraphs read:

      "According to court documents, Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts.

      Largent also performed the same trick with Google's Checkout service, cashing more than $8,000 alone from the service. " [emphasis added]

      Am I (and the submitter) missing something?

    2. Re:Submitter gets it wrong by MaXMC · · Score: 4, Funny

      You read the article? WTF?

  5. Well, yeah... by Oxy+the+moron · · Score: 5, Interesting

    He was arrested not for taking the money, but for using false names in order to get it.

    Of course he wasn't arrested for taking the money. Said institutions willingly deposited that money into his account(s), yes? And these institutions did so under the pretense that this was to identify the customer? So the charge makes sense. The guy didn't steal money, it was given to him... a "him" with a fake identity.

    --

    Proudly supporting the Libertarian Party.

  6. First clue by tsstahl · · Score: 4, Insightful

    If you have to make up a name or SSN to open the account, then in fact, you are doing something wrong. Color me simple, but that's the way I see it. :\ This is clearly a case where a novel approach to crime is still, well, criminal.

  7. Well Duh by oahazmatt · · Score: 4, Interesting

    Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts. As much as the bank looks oddly at a sudden amount of large withdrawls, they'd certainly take the time to wonder why someone is getting three cents continuously deposited into their account. How did he figure he would not get caught?

    When his bank contacted him about the thousands of small payments, Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts. Oh, well that's okay, then.

    Man, they'll throw the "Hacker" label on anyone these days, won't they?
    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  8. Well it is true.... by cortesoft · · Score: 5, Funny

    Damn it feels good to be a gangsta.

  9. Re:How did he do it? by Mark+J+Tilford · · Score: 4, Informative

    By closing the accounts before Paypal / Google Checkout could remove the money.

    --
    -----------
    100% pure freak
  10. Balasts by bsDaemon · · Score: 4, Funny

    At least his script didn't almost capsize the oil tankers... people would be super pissed off then.

  11. Whatever you do.... by i_want_you_to_throw_ · · Score: 5, Funny

    Don't drop the kryptonite in the shower.

  12. No flags raised? by GBC · · Score: 3, Insightful

    The amounts were being deposited into the same few bank accounts. The thing I can't figure out is, given the sheer number of transactions involved, how was this not spotted sooner?

    If there was an assumption that it wasn't worth it prior to this (due to the tiny amounts involved in a genuine authentication check), I assume now they will implement a system that flags a bank account which receives authenticating deposits over a certain number.

  13. It was over... by hyperz69 · · Score: 4, Funny

    when he started using names like...

    Haywood Jablome
    Connie Lingus
    Dick Trickle
    Seymour Butts
    Hugh Jass
    Ben Dover

    Should of used a better name generator.

  14. oh wait.... by apodyopsis · · Score: 5, Funny

    At least he did not create a script that automatically rounded every payment up to the nearest... oh wait...

    Even if he gets a fine, he can always apply to pay off the debt in small payments - say a few cents every time...

    Reminds me of a debt my father picked up from a school my sister attended for less then a week. They charged him for a whole year. Not to be deterred he promptly paid them half the amount they invoiced him for. Months later and six angry letters later he paid them half of the sum they asked for. Months later.. ah well, I am sure you can see the pattern here. Fast forward 14 years and they finally wrote of the rest of his debt (I think 1GPB) as a good will gesture (and I am reliably informed he is legend in the schools finance department). I have no idea how much the administration cost to school at the end of it, but it all seemed good natured enough.

    1. Re:oh wait.... by The-Ixian · · Score: 3, Informative

      http://www.snopes.com/business/money/pennies.asp

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:oh wait.... by ZERO1ZERO · · Score: 5, Insightful

      Actually, i'm an idiot.

  15. $50,000? by PawNtheSandman · · Score: 5, Funny

    You know what I'd do with $50,000? 2 chicks at the same time.

    1. Re:$50,000? by gmuslera · · Score: 5, Funny

      In a few months, filling the gas tank would be another use for that amount of money. Is good that so many online services are willing to cooperate in that hard task.

    2. Re:$50,000? by Andreaskem · · Score: 5, Funny

      Why blow that much money on 2 minutes of entertainment?

  16. Re:He stole my idea! by norminator · · Score: 5, Funny

    But he only stole it a little bit, a whole bunch of times...

  17. How many bank accounts did he have? by __aailob1448 · · Score: 5, Interesting

    I don't understand how he managed to do this. He can't use 50,000 bank accounts. There aren't 50,000 payment services. So why would any of them send a few cents to the same bank account more than once?

    Can anyone explain this to me? It makes no sense at all.

    1. Re:How many bank accounts did he have? by saddino · · Score: 4, Funny

      It makes no sense at all.

      It sounds like it made a lot of cents.

  18. I wonder by elrous0 · · Score: 4, Funny

    How many hours of community service do you get for 58,000 counts of petty theft?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  19. I just wanted to add the damn quote already by ReverendLoki · · Score: 5, Funny

    Peter: "That virus you're always talking about, right? The one that could, uh, rip off the company for a bunch of money."
    Michael: "Yeah, what about it?"
    Peter: "Well, how does it work?"
    Michael: "It's pretty brilliant. What it does is, every time there's a bank transaction where interest is competed, you know, thousands a day, the computer ends up with these fractions of acent, which it usually rounds off. What this does is, it takes those little remainders and puts it into an account."
    Peter: "This sounds familiar."
    Michael: "Yeah, they did it in Superman III."
    Peter: "Right."
    Michael: "Yeah. Underrated movie, actually. And then there were a bunch of hackers, did it in the '70s as well. One of them got busted."
    Peter: "Well, so they check for this now."
    Michael: "No, here's the thing. Initech's so backed up with all the software we're updating for the year 2000, they'd never notice."
    Peter: "You're right. And even if they wanted to, they couldn't check all that code."
    Michael: "Thumbs up their asses. Thumbs up their asses."

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:I just wanted to add the damn quote already by Joe+the+Lesser · · Score: 5, Funny

      Peter Gibbons: I can't believe what a bunch of nerds we are. We're looking up "money laundering" in a dictionary.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
  20. Re:Let's by tha_mink · · Score: 5, Informative

    Sign up for a gazillion Paypal accounts, use ONE bank account, and after Paypal deposits the money, withdraw the money and close the account. Tried it. Paypal doesn't allow multiple accounts with the same bank account information.
    --
    You'll have that sometimes...
  21. Re:What were the crimes again? by willyhill · · Score: 3, Informative
    No, they're not. That's why PayPal can get away with the shit they do. It's a common misconception that most people fall into, that because PayPal handles money, they must be a bank and subject to the same set of regulations you trust to put the stops on your bank if they get fresh with your money (including insurance. PayPal is not FDIC insured if you use their "high yield" holding option).

    The problem here is that the transactions involved banks. The fact that PayPal was the conduit is irrelevant in this case, I think.

    --
    The twitter monologues. Click on my homepage and be amazed.
  22. Well whaddaya know... by LynnwoodRooster · · Score: 4, Funny
    This kind of attack hardly an invention of the movies. The salami attack has been around for a long time.

    Huh. Learned something new - thanks! I always thought Salami Attack was a bad 80s porn movie...

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    1. Re:Well whaddaya know... by Anne_Nonymous · · Score: 5, Funny

      >> Salami Attack was a bad 80s porn movie...

      Yes, but it was better than Superman 3.

  23. Deny after 1 transfer causes problems by patio11 · · Score: 4, Insightful

    Look at this from Paypal's perspective: you've got millions of people trying to sign up on your system. Statistically speaking, hundreds of thousands of them are not so bright, and will do things like forget they already tried signing up, not see their bank statement and try doing it again, etc. Since the cost of re-authenticating them is less than a buck (mostly for the ACH transfer fees) and the expected lifetime value of the account is still (for Paypal = eBay) anywhere from $10 to several hundred to depending on where you got the lead, obviously you want to let them try it again.

    So we've disposed with the rationale for prohibiting 2 verifications. Now we need to draw a line somewhere. Here's what goes through this engineer's brain: it isn't obvious to me that putting the line at 3 is any better than putting it at 2. The possibility of exploit is remote, the damage from exploit is minimal and containable, engineer time is expensive, there might be some legal/regulatory/compliance issues that prohibit me from solving this problem in a minute by arbitrarily setting MAX_VERIFICATION_TRANSFERS to 20, and any restriction multiplied by millions of customers causes support problems and the attendant costs.

    So yeah, I think that not doing the seemingly obvious thing is defensible here. The goal of Paypal/the bnaks/etc isn't to be fraud free, it is to maximize profits. Sometimes, the profit maximizing path means tolerating security risks with minor impact and non-trivial costs to address. Did it work for Paypal in this instance? Well, yeah -- they had about a decade of no problems and then when a problem finally did crop up it cost them less than a man-month to resolve. Easy peasy.

    --
    Help poke pirates in the eyepatch, arr.
  24. Re:I've always wondered by somersault · · Score: 5, Funny

    IANOC I am not on crack?
    --
    which is totally what she said
  25. Re:How did he do it? by CheeseTroll · · Score: 3, Informative

    in the US, NOBODY cant take the money out of your bank account without your authorization

    (Assuming you aren't being sly with the double-negative...)

    Then you have some learnin' to do about how ACH transactions work. Authorization for withdrawals is required, but it is certainly not passed along with the transaction itself. The system relies heavily on trust. If someone challenges a transaction, and their bank demands proof of authorization, then yes, you'd better have it. But if the transaction is not challenged or rejected, then it stands.

    --
    A post a day keeps productivity at bay.
  26. How about: Banks - Stealing from clients.... by MagicBox · · Score: 4, Insightful

    ...one cent at t time.


    Steal a penny from the Banks - go to jail - Banks steals $10 from you - calls it a "service charge".

    We need the banks (except the World Bank), but it is despicable that they are allowed to play with our money the way they do. Twice I have been locked out of my money. And it was a weekend, so the banks were closed. I asked the 24/7 help guy from India what I should do, and his advice was: Can you borrow some money from someone until Monday when the bank opens?

    --

    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  27. "Hacker" not "Cracker"! by ivan256 · · Score: 5, Funny

    In this case, he's a hacker using the Slashdot/ESR definition, instead of the typical everyday definition. People around here should be excited.

  28. Re:He stole my idea! by sootman · · Score: 4, Funny

    Favorite line from Night Court:
    Defense attorney: "You had a gun?"
    Crook: (sheepishly) "Just a little one."
    District attorney: "The term is sawed-off."

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.