Slashdot Mirror

← Back to Stories (view on slashdot.org)

21 Million German Bank Accounts For Sale

Posted by kdawson on from the black-marks dept.

anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.

32 of 302 comments (clear)

  1. How to pay... by LingNoi · · Score: 5, Funny

    Couldn't you just buy one to begin with and then use that German bank account to buy the rest?

    1. Re:How to pay... by Ihmhi · · Score: 5, Funny

      And then we can beat the crap out of the office printer and dance to rap music!

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
  2. Hmmm... by RobertM1968 · · Score: 4, Interesting

    You'd think they'd have gotten the police involved instead of trying to scoop a story...

    Nah, guess not.

    --
    StarTrekPhase2 - The Five Year Mission Continues!
    1. Re:Hmmm... by LingNoi · · Score: 4, Funny

      The police are too busy raiding game developer buildings with shotguns and listening in on Skype calls.

    2. Re:Hmmm... by jdrugo · · Score: 4, Informative

      You'd think they'd have gotten the police involved instead of trying to scoop a story...

      From the article:

      Wie so viele Kontonummern illegal in Umlauf gelangen konnten, muss in den nächsten Wochen die Staatsanwaltschaft Düsseldorf klären. Die WirtschaftsWoche übergab den Ermittlern am vergangenen Donnerstag die CD mit den 1,2 Millionen Datensätzen und Kontonummern.

      which roughly means:

      How that many account number reached circulation illegally is to be clarified over the next weeks by the prosecuting authorities of Düsseldorf. Reporters of the WirtschaftsWoche handed the CD with the 1.2 million data sets and account numbers to the investigators last Thursday.

      So, they firstly contacted the responsible branch of jurisdiction and after that published the article.

    3. Re:Hmmm... by Anonymous Coward · · Score: 5, Informative

      No, they're referring to this raid on Crytek with the riot police:

      http://www.quartertothree.com/game-talk/showthread.php?t=31767

    4. Re:Hmmm... by swillden · · Score: 4, Informative

      Uhm... no? No such thing as Good Samaritan laws here.

      Good Samaritan laws have nothing to do with reporting crime, they're laws that shield those who try to help injured people from civil liability for anything that goes wrong. They're a response to the problem of people refusing to help because they're afraid they'll get sued.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. On your marks (no pun intended) by pin0chet · · Score: 5, Insightful

    In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run? Because everyone wants to withdraw their money right away to minimize the chance that this ridiculous security leak negatively affects them, right? Such a massive erosion of confidence can completely destroy a banking system.

    1. Re:On your marks (no pun intended) by OrangeTide · · Score: 4, Informative

      bank account and routing numbers never was considered secure. the only thing protecting your bank account (weakly) from fraud is a paper trail.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:On your marks (no pun intended) by John+Hasler · · Score: 5, Funny

      > In theory, if the banking system were known to be compromised in such a huge way, and
      > there were no way of knowing if your own bank account was compromised or not, shouldn't
      > there be a massive bank run?

      This is Germany. There will be no bank run until it is properly planned, organized, and regulated.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  4. Gotta love the germans by sleeponthemic · · Score: 5, Funny

    Even their criminality is impressively efficient :-)

    --
    I record my sleeptalking
  5. Re:So what by Anonymous Coward · · Score: 5, Funny

    Yah, ho hum. I mean, I bought my first 21 million German bank accounts YEARS AGO. Nothing to see here folks.

  6. Tomorrow's News by Bentov · · Score: 5, Funny

    This morning the entire banking system in Germany collapsed due to 3 in 4 Germans transferring money out of the country to banks in neighboring countries....

  7. ohshiza? by Stormie · · Score: 4, Funny

    I think the taggers in this story need to learn how to spell "Scheiße"

  8. Re:So what by henni16 · · Score: 5, Funny

    Who wants a mass list anyway, you can't target spam at people just because they're German and they have a bank account, and stealing that many identities begs the question, "why?"

    Yeah, who could have use for the equivalent of 21 million valid direct debit cards.

  9. Exactly by tomhudson · · Score: 5, Insightful

    But an account number is not the equivalent of a direct debit card. It's not that easy to withdraw money from an account when all you have is the account number.

    Every time you write a check, you're giving the recipient your bank address, bank account number ... AND a specimen of your signature. OMG! Quick - millions of people compromised their bank accounts today!

    1. Re:Exactly by enrevanche · · Score: 4, Insightful

      A wire transfer typically costs $25 outgoing and $12 incoming and you need to know the receiver's bank account # & routing number. I seriously doubt that it is used that much by most people.

      You probably mean direct deposit/automated withdrawal. Sometimes, these can be a real pain to cancel once authorized. For a "reputable" vendor, I suppose it is OK, but using a VISA/MC debit card is a lot easier to fix.

    2. Re:Exactly by Corporate+Troll · · Score: 5, Informative

      No, he means exactly that. Wire transfers cost nothing in Europe (at least not in my country) and international wire transfers only require you to use an IBAN account number (which are already standard in some countries) and the SWIFT/BIC code. All this information is typically provided on every bill you get.

      National transfers, you only need the account number that you with to wire money to. In most countries, the "bank code" is part of the account number. It most certainly is encoded in the IBAN. (Can you tell, that I implemented the IBAN code for a major bank?) IBAN is a wonderful system: a bit reading material

    3. Re:Exactly by dropadrop · · Score: 5, Insightful

      Wire transfer does not cost anything in Europe. I have a close friend from the US living here, and can't stop wondering at how the way your banks work are so 1980...

    4. Re:Exactly by svunt · · Score: 4, Funny

      I manage a team of payment processing staff who do work for superannuation companies, local councils, payroll companies, etc, and we process around 17,000 cheques every evening, which is roughly three metric fucktons. We're one of nine offices in the country, one of many such companies, and I'm in Australia, which has a population of about eighty people, I think. There are lots of cheques, they're just not part of most slashdotters' lives.

    5. Re:Exactly by RMH101 · · Score: 5, Informative
      Conjecture: you have information on 21M bank accounts. Presumably this includes account number, sort code and possibly other more sensitive information such as date of birth.
      You then arrange the stealing/pickpocketing of cards. More likely, you request freshly stolen cards from a specialist. Some of those cards are going to marry up with the information you already hold, and may be enough to leverage funds.
      Don't believe criminals are this organised? An example from personal experience. Turns out a machine at my other half's work was compromomised with a keystroke/screenshot recorder infection. First we haerd of it was when all our accounts were cleared out - someone had been organised enough to patiently continue recording "please enter X and Y character of your password" long enough to piece together the full password. They'd then used this on a saturday before a bank holiday to transfer all of our funds into another account at the same bank - this clears instantly and has less restrictions. They had then coordinated with someone in the UK who could provide them with a stolen debit card issued by the same bank, transferred our money into that account, and got a stooge to go into the bank just before it shut on saturday and take all that money out in cash - within hours of initial transfer.

      End result? We were cleaned out, some innocent who had their card nicked had their bank account abused, and the criminals got our money in cash, untraceably. 6-8 weeks later, we were refunded but it was a long and unpleasant experience that taught me several things:
      1) Don't assume your bank has a coherent identity theft/fraud department. Expect to get bounced around outsourced call centers that don't communicate with each other or the police. Don't expect them to be interested in IP logs or anything else you think might help them catch the hackers, either
      2) "Organised crime" isn't just a phrase. They're quite advanced now, even outsourcing the donkeywork on the ground to other organisations
      3) Two-factor authentication is a Good Thing with online banking
      4) Don't do online banking on someone elses' computer

  10. How to use??? by It+doesn't+come+easy · · Score: 4, Interesting

    21 million is a lot of accounts. No one person or group has time to abuse all 21 million accounts in a timely fashion. More likely, one would need to rely on the lackadaisical attitude most people have when it comes to security coupled with a low volume approach to the number of transactions to an external account in order to profit from purchasing all 21 million accounts.

    The purchaser would also have to consider just how many accounts would be accessible and for how long. It might not be practical to expect to make significantly more than 12 million euros even with 21 million accounts, since most accounts would probably have low balances or have their passwords, etc., changed rather quickly if the account had a high balance.

    So to use this many accounts, one would need to set up a number of new accounts in other banks (a few at a time and more than one so that the number of transactions to a given account would not be too high), then siphon a little bit of money off a few stolen accounts to some of the new accounts, withdraw the money, then close the new accounts almost immediately. The amount withdrawn would need to be random and small enough to escape detection for at least a few days. Anything faster would surely raise suspicion and cause automatic transaction blocking (at least, if the banks have some kind of working fraud prevention), especially since the announcement of the stolen data up for sale. I can also imagine adding a fraud check for a slurry of never-seen-before transactions to new accounts. Wire transfers would be quickest, yet they would also stand out more (since a bunch of new wire transfers from accounts which had never made a wire transfer before would be unusual -- the likely case for most accounts).

    The 12 million price tag seems like a number arrived at by the thieves after taking into account the difficulties to be faced in exploiting the 21 million accounts while they are still exploitable. It seems likely that any purchaser would in turn sell them again in smaller blocks (a lot safer that way, relatively speaking).

    Wonder if we'll ever find out what eventually happens?

    --
    The NSA: The only part of the US government that actually listens.
  11. mmm... that means that ... by Jerry · · Score: 4, Funny

    the Linux desktop market share in Germany is only 25%.

    --

    Running with Linux for over 20 years!

  12. Re:So what by joocemann · · Score: 4, Funny

    lmao.

    buying bank accounts in bulk is soo..... 2007...

  13. Re:So what by henni16 · · Score: 4, Informative

    You have to keep in mind the differences between countries.
    In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account.
    It works just like a credit card number and stores rarely check if the number (account) really belongs to the person that's making the order.

    The only time I have encountered such a check was with Paypal:
    they do two small test transactions (just Cents) and you have to ..I actually don't remember right now..either enter the correct amounts into a form on Paypal's site or to send the cents back to prove that you really have access to that account.

  14. Re:May I introduce you to rule 36? by Jeff+DeMaagd · · Score: 4, Insightful

    OK, so you're saying that government isn't going to protect us, so the answer is to demand that financial institutions be held accountable to laws passed by a government that you said won't protect us?

  15. Re:May I introduce you to rule 36? by Cl1mh4224rd · · Score: 4, Insightful

    The government will never shield you, only pretend to do so. This is a harbinger of dangers to come, and reason to demand with some vigor that your financial institution be held accountable by law for the protection of your information.

    Bolding mine, to highlight a serious disconnect in the parent's preaching.

    You're suggesting that people demand that banks be held accountable to laws enforced by the very government you said won't protect them?

    --
    People will pass up steak once a week, for crap every day.
  16. I did it last week by ZiggyM · · Score: 5, Interesting

    I live in Lima Peru. Last week a teller at my bank made me wait 10 minutes while she waited for the safe to open to give me some cash. In the meantime I went to a computer terminal without a keyboard, and access to only a webpage with the bank rates (windows, no start menu, no access to desktop etc). The machine was supposedly locked so that you couldnt navigate away or do anything except scroll the page and click a few links. Well, they forgot do disable right-click. 7 steps later I was able to access their internal network, and had access to a lot of internal information on individual machines. I went to the branch manager and showed him. He was surprised and embarassed, and took note of the steps I took. It was amazing how easy was to do it. The 7 steps were clever, but not impossible.

  17. Hmm... by sootman · · Score: 5, Funny

    21 million is three in four existing German bank accounts.

    I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)

    I will sell them for US $1,000,000 MILLIONS US DOLLARS. Contact me via this website.

    Act now and I'll throw in every Master Card ever issued. (5000 0000 0000 0000 to 5999 9999 9999 9999) (Same disclaimer as above.) And no identity thief would be complete without a REAL SOCIAL SECURITY NUMBER to go with it, eh? Guess what? That's right--I'VE GOT THEM ALL TOO! (001-01-0001 to 999-99-9999)

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  18. Re:21 million is 3/4 of accounts? by quarrel · · Score: 5, Interesting

    I had the same reaction re the number of accounts. It is small.

    However, Germany isn't all that small.

    So some back of the envelope calcs:

    They claim 21/.75 = 28M bank accounts in Germany

    It's got roughly 80M people. Assume something like 2.2 people per househould (dunno what it is in Germany), and you get 36M. You gotta figure each household has at least one. I don't know how things really work in Germany, but I assume they're like the rest of the developed world and you essentially can't function without a bank account.

    Then there are businesses. Even very small businesses will run several accounts.

    I think the 28M bank accounts is just bullshit. It's gotta be heaps higher.

    Surely 100M wouldn't be that big a figure even?

    --Q

  19. Re:So what by EvilIdler · · Score: 4, Informative

    Wow, that's so behind. In Norway, there's no way to charge an account without full ID. This means either approving a direct debit by showing up at the bank with your picture ID, or logging on through the (relatively) secure website.

    Just allowing anyone to put a charge on a bank account number like that opens up for all sorts of abuse. Tiny transactions can go unnoticed for a long time.

    Of course, debit cards in stores aren't really any safer. Nobody has ever checked the signature on one while I've used them. A signature is required when the system for some reason can't contact the bank and verify the PIN. I've used other people's cards just fine (with permission, of course, but the banks might find me signing my name a bit funky ;).

    Anything but cash is broken, obviously :(

  20. Re:So what by scubamage · · Score: 4, Funny

    Plus, in Norway there were Vikings. And Vikings rank only slightly behind Pirates and Ninjas on the Cool-O-Meter (tm, patent pending).