Slashdot Mirror


21 Million German Bank Accounts For Sale

anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.

8 of 302 comments

  1. Re:On your marks (no pun intended) by OrangeTide · Score: 4, Informative

    Bank account and routing numbers were never considered secure. The only thing protecting your bank account (weakly) from fraud is a paper trail.

    --
    “Common sense is not so common.” — Voltaire
  2. Re:So what by henni16 · Score: 4, Informative

    You have to keep in mind the differences between countries.
    In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account.
    It works just like a credit card number and stores rarely check if the number (account) really belongs to the person that's making the order.

    The only time I have encountered such a check was with PayPal:
    they do two small test transactions (just cents) and you have to... I actually don't remember right now... either enter the correct amounts into a form on PayPal's site or send the cents back to prove that you really have access to that account.

  3. Re:So what by EvilIdler · Score: 4, Informative

    Wow, that's so behind. In Norway, there's no way to charge an account without full ID. This means either approving a direct debit by showing up at the bank with your picture ID, or logging on through the (relatively) secure website.

    Just allowing anyone to put a charge on a bank account number like that opens up for all sorts of abuse. Tiny transactions can go unnoticed for a long time.

    Of course, debit cards in stores aren't really any safer. Nobody has ever checked the signature on one while I've used them. A signature is required when the system for some reason can't contact the bank and verify the PIN. I've used other people's cards just fine (with permission, of course, but the banks might find me signing my name a bit funky ;).

    Anything but cash is broken, obviously :(

  4. Re:Exactly by Corporate Troll · Score: 5, Informative

    No, he means exactly that. Wire transfers cost nothing in Europe (at least not in my country) and international wire transfers only require you to use an IBAN account number (which are already standard in some countries) and the SWIFT/BIC code. All this information is typically provided on every bill you get.

    For national transfers, you only need the account number that you wish to wire money to. In most countries, the "bank code" is part of the account number. It most certainly is encoded in the IBAN. (Can you tell that I implemented the IBAN code for a major bank?) IBAN is a wonderful system: a bit of reading material
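
The point that the bank code is encoded in the IBAN, as an added example that is not part of the comment above: this Python sketch checks a German IBAN's check digits and splits out the bank code and account number. The specimen IBAN is a widely published sample, not a value from this page; the check digits only catch typing errors and say nothing about who holds the account.

```python
import re

# German IBAN layout (ISO 13616): "DE", 2 check digits, 8-digit bank code
# (Bankleitzahl), 10-digit account number, 22 characters in total.
DE_LAYOUT = re.compile(r"DE([0-9]{2})([0-9]{8})([0-9]{10})")


def normalize(iban: str) -> str:
    """Drop the spaces used in the printed form and upper-case the letters."""
    return re.sub(r"\s+", "", iban).upper()


def mod97_valid(iban: str) -> bool:
    """ISO 7064 MOD 97-10 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35), and require remainder 1."""
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def parse_german_iban(raw: str) -> dict:
    """Return the fields embedded in a German IBAN, or raise ValueError."""
    iban = normalize(raw)
    match = DE_LAYOUT.fullmatch(iban)
    if match is None:
        raise ValueError("not in the 22-character German IBAN layout")
    if not mod97_valid(iban):
        raise ValueError("check digits do not match (typo or altered number)")
    check, bank_code, account = match.groups()
    return {"country": "DE", "check_digits": check,
            "bank_code": bank_code, "account_number": account}


if __name__ == "__main__":
    # Widely published specimen IBAN, not a value from this page.
    SAMPLE = "DE89 3704 0044 0532 0130 00"
    print(parse_german_iban(SAMPLE))
    try:
        parse_german_iban("DE89 3704 0044 0532 0130 01")  # one digit changed
    except ValueError as err:
        print("rejected:", err)
```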

  5. Re:Hmmm... by jdrugo · Score: 4, Informative

    You'd think they'd have gotten the police involved instead of trying to scoop a story...

    From the article:

    Wie so viele Kontonummern illegal in Umlauf gelangen konnten, muss in den nächsten Wochen die Staatsanwaltschaft Düsseldorf klären. Die WirtschaftsWoche übergab den Ermittlern am vergangenen Donnerstag die CD mit den 1,2 Millionen Datensätzen und Kontonummern.

    which roughly means:

    How that many account numbers reached circulation illegally is to be clarified over the next weeks by the prosecuting authorities of Düsseldorf. Reporters of the WirtschaftsWoche handed the CD with the 1.2 million data sets and account numbers to the investigators last Thursday.

    So, they firstly contacted the responsible branch of jurisdiction and after that published the article.

  6. Re:Exactly by RMH101 · Score: 5, Informative

    Conjecture: you have information on 21M bank accounts. Presumably this includes account number, sort code and possibly other more sensitive information such as date of birth.
    You then arrange the stealing/pickpocketing of cards. More likely, you request freshly stolen cards from a specialist. Some of those cards are going to marry up with the information you already hold, and may be enough to leverage funds.
    Don't believe criminals are this organised? An example from personal experience. Turns out a machine at my other half's work was compromised with a keystroke/screenshot recorder infection. First we heard of it was when all our accounts were cleared out - someone had been organised enough to patiently continue recording "please enter X and Y character of your password" long enough to piece together the full password. They'd then used this on a Saturday before a bank holiday to transfer all of our funds into another account at the same bank - this clears instantly and has fewer restrictions. They had then coordinated with someone in the UK who could provide them with a stolen debit card issued by the same bank, transferred our money into that account, and got a stooge to go into the bank just before it shut on Saturday and take all that money out in cash - within hours of initial transfer.

    End result? We were cleaned out, some innocent who had their card nicked had their bank account abused, and the criminals got our money in cash, untraceably. 6-8 weeks later, we were refunded but it was a long and unpleasant experience that taught me several things:
    1) Don't assume your bank has a coherent identity theft/fraud department. Expect to get bounced around outsourced call centers that don't communicate with each other or the police. Don't expect them to be interested in IP logs or anything else you think might help them catch the hackers, either.
    2) "Organised crime" isn't just a phrase. They're quite advanced now, even outsourcing the donkeywork on the ground to other organisations.
    3) Two-factor authentication is a Good Thing with online banking.
    4) Don't do online banking on someone else's computer.

  7. Re:Hmmm... by Anonymous Coward · Score: 5, Informative

    No, they're referring to this raid on Crytek with the riot police:

    http://www.quartertothree.com/game-talk/showthread.php?t=31767

  8. Re:Hmmm... by swillden · Score: 4, Informative

    Uhm... no? No such thing as Good Samaritan laws here.

    Good Samaritan laws have nothing to do with reporting crime, they're laws that shield those who try to help injured people from civil liability for anything that goes wrong. They're a response to the problem of people refusing to help because they're afraid they'll get sued.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.