21 Million German Bank Accounts For Sale
anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.
Re:On your marks (no pun intended) (Score:5, Informative)
Bank account and routing numbers were never considered secure. The only thing protecting your bank account (weakly) from fraud is a paper trail.
Re:So what (Score:5, Informative)
You have to keep in mind the differences between countries.
In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account.
It works just like a credit card number and stores rarely check if the number (account) really belongs to the person that's making the order.
The only time I have encountered such a check was with Paypal: they do two small test transactions (just cents) and you have to ..I actually don't remember right now.. either enter the correct amounts into a form on Paypal's site or send the cents back to prove that you really have access to that account.
Re:21 million accounts on the wall (Score:3, Informative)
Re:So what (Score:2, Informative)
Re:So what (Score:5, Informative)
Wow, that's so behind. In Norway, there's no way to charge an account without full ID. This means either approving a direct debit by showing up at the bank with your picture ID, or logging on through the (relatively) secure website.
Just allowing anyone to put a charge on a bank account number like that opens up for all sorts of abuse. Tiny transactions can go unnoticed for a long time.
Of course, debit cards in stores aren't really any safer. Nobody has ever checked the signature on one while I've used them. A signature is required when the system for some reason can't contact the bank and verify the PIN. I've used other people's cards just fine (with permission, of course, but the banks might find me signing my name a bit funky ;).
Anything but cash is broken, obviously :(
Re:On your marks (no pun intended) (Score:3, Informative)
None of that is truly secret information in the first place. Every business prints its address, bank account number and bank routing number on each of its invoices. When you buy something on eBay, the seller will usually give you his name, address and bank account number and bank routing number: It's the information you need to send him the money.
There is a way of transferring money which is called "Lastschrift" or "Bankeinzug". Basically the recipient tells his bank that the sender has agreed to let the recipient debit a due amount directly from the senders bank account. The bank makes the transaction solely based on that promise. The bank does not require any form of proof that the sender has actually agreed to that transaction. In practice the recipient doesn't even have to get the name right. The transaction will go through even if the named sender doesn't match the bank account number. This seems like a major security problem, doesn't it?
It isn't a big problem because the sender can always reverse the charge. If the charge is reversed in a reasonable time frame (1-2 months), no questions will be asked. Reversing the charge is always free for the "sender"; the sender's bank is paid by the recipient's bank for the reversal, which in turn will charge the recipient of the Lastschrift a (hefty) fee. Because of that, the recipient's bank treats amounts gained by "Lastschrift" like credit. You can't just debit someone else's bank account and make off with the money. That's exactly like getting a credit line over the same amount and making off with that.
Let's assume that you count on the carelessness of the people who don't regularly check their bank account transactions. Because the bank will not give you the money right away, unless you have a history of using the Lastschrift-system without problem with them, all it takes to stop the money from reaching you is a few people who do check their account transactions and report the fraudulent transactions to the police, which will then put a hold on the money and investigate you.
Re:Exactly (Score:5, Informative)
No, he means exactly that. Wire transfers cost nothing in Europe (at least not in my country) and international wire transfers only require you to use an IBAN account number (which are already standard in some countries) and the SWIFT/BIC code. All this information is typically provided on every bill you get.
For national transfers, you only need the account number that you wish to wire money to. In most countries, the "bank code" is part of the account number. It most certainly is encoded in the IBAN. (Can you tell that I implemented the IBAN code for a major bank?) IBAN is a wonderful system: a bit of reading material [wikipedia.org]
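As an added illustration of the point above (this is not code from the thread or from any bank), the following Python validates an IBAN's check digits with the ISO 7064 MOD 97-10 procedure and splits the national part into bank code and account number, which is exactly the information the poster says is "encoded in the IBAN". The three country layouts (DE, GB, NO) are transcribed from the public IBAN registry; the sample IBAN `DE58 1234 5678 0123 4567 89` is a constructed value whose check digits the code itself produces, not a real account.

```python
# Added example: IBAN check-digit validation (ISO 7064 MOD 97-10) and
# bank-code / account extraction. Not from the Slashdot thread; the
# sample IBAN below is constructed.
import re
from dataclasses import dataclass

# country -> (total IBAN length, bank-code slice, account slice) inside the
# BBAN, i.e. everything after the 4-character "CCkk" prefix. Only three
# layouts are listed here; real deployments use the full registry.
BBAN_LAYOUTS = {
    "DE": (22, slice(0, 8), slice(8, 18)),    # 8-digit Bankleitzahl, 10-digit account
    "GB": (22, slice(0, 10), slice(10, 18)),  # 4-letter bank id + 6-digit sort code, 8-digit account
    "NO": (15, slice(0, 4), slice(4, 11)),    # 4-digit bank code, 7-digit account (incl. check digit)
}


@dataclass(frozen=True)
class Iban:
    country: str
    check_digits: str
    bank_code: str
    account: str


def _normalize(iban: str) -> str:
    """Strip whitespace (printed IBANs are grouped in fours) and upper-case."""
    return re.sub(r"\s+", "", iban).upper()


def _to_numeric(s: str) -> str:
    """Replace letters with their ISO 7064 values: A=10 ... Z=35."""
    return "".join(str(ord(c) - 55) if c.isalpha() else c for c in s)


def _mod97(numeric: str) -> int:
    """Remainder modulo 97 computed digit by digit, so the number never overflows."""
    r = 0
    for ch in numeric:
        r = (r * 10 + int(ch)) % 97
    return r


def is_valid_iban(iban: str) -> bool:
    """True when the syntax, the national length (if known) and the check digits are right."""
    s = _normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", s):
        return False
    layout = BBAN_LAYOUTS.get(s[:2])
    if layout is not None and len(s) != layout[0]:
        return False
    # Move the country code and check digits to the end, convert, and test mod 97 == 1.
    return _mod97(_to_numeric(s[4:] + s[:4])) == 1


def compute_check_digits(country: str, bban: str) -> str:
    """Check digits a bank would assign to a given BBAN: 98 - (BBAN||CC||00 mod 97)."""
    rem = _mod97(_to_numeric(bban.upper() + country.upper() + "00"))
    return f"{98 - rem:02d}"


def parse_iban(iban: str) -> Iban:
    """Validate and split into country, check digits, bank code and account number."""
    s = _normalize(iban)
    if not is_valid_iban(s):
        raise ValueError(f"invalid IBAN: {iban!r}")
    layout = BBAN_LAYOUTS.get(s[:2])
    if layout is None:
        raise ValueError(f"no BBAN layout known for {s[:2]}")
    bban = s[4:]
    return Iban(s[:2], s[2:4], bban[layout[1]], bban[layout[2]])


if __name__ == "__main__":
    sample = "DE58 1234 5678 0123 4567 89"  # constructed, not a real account
    print(is_valid_iban(sample), parse_iban(sample))
    print(compute_check_digits("DE", "123456780123456789"))  # -> 58
```

The validator only proves that the string was transcribed correctly, which is all the check digits are for; it says nothing about whether the account exists or whether the person handing it to you is entitled to debit it, which is the point the rest of the thread is about.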
It's not just numbers, ya know! (Score:3, Informative)
I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)
Well, do you also have the personal data belonging to those VISA numbers? Like, say, owner, expiration date, etc? Because that's what this 21M bank account list is all about: it contains not just account numbers, but also all associated identifying data (names, addresses, dates of birth, in some cases even a balance).
Armed with that, criminals can easily charge those accounts and EVERYONE in Germany MUST now check their accounts at least every 6 weeks and issue reverse-charges if they discover fraudulent activity. And that's not always obvious, because criminals can charge small amounts and label them rather innocuously, so they could go undetected (or rather: unnoticed) for longer than a mere 6 weeks.
Re:21 million is 3/4 of accounts? (Score:2, Informative)
The article says 3 in 4 households, not accounts. Take the exaggeration factor of a newspaper into account and it works out.
Re:Hmmm... (Score:4, Informative)
You'd think they'd have gotten the police involved instead of trying to scoop a story...
From the article:
Wie so viele Kontonummern illegal in Umlauf gelangen konnten, muss in den nächsten Wochen die Staatsanwaltschaft Düsseldorf klären. Die WirtschaftsWoche übergab den Ermittlern am vergangenen Donnerstag die CD mit den 1,2 Millionen Datensätzen und Kontonummern.
which roughly means:
How so many account numbers could have reached circulation illegally is to be clarified over the next weeks by the prosecuting authorities of Düsseldorf. Reporters of the WirtschaftsWoche handed the CD with the 1.2 million data sets and account numbers to the investigators last Thursday.
So they first contacted the responsible authorities and only after that published the article.
Re:I did it last week (Score:3, Informative)
If you lived in the US, you would be sitting in a jail cell right now facing felony charges FYI. Never help anyone with their computer in the US. It's not worth it.
Eh, that's not always true.
I was stuck in a Wells Fargo branch for a bit 3-4 years ago, and their kiosks would only go to wellsfargo.com. Being the enterprising person that I am, I immediately typed the HTML for a hyperlink into the search box, and it worked just fine.
When I got home, I whipped up a quick Proof of Concept that abused JavaScript to do some nasty things (Cross Site Scripting attack). I contacted Wells Fargo, gave them the details (as well as how to fix it) - it was fixed in a couple days, and they called and said "thanks".
I was careful to keep it proof of concept - tested only against my own account. I also phrased it carefully - "An unscrupulous attacker could...", rather than "I could...". Furthermore, I pointed out that as a Wells Fargo customer, it is in my best interest that the environment be as secure as possible - it's my money too. When you look like a threat, they treat you like one. When you look like a concerned customer protecting your (and their) interests, there is little incentive to silence or harass you.
Re:6 weeks reversal (Score:3, Informative)
If they can't, because it's some other bank or because the business would be able to fight it, they ponder what's more hassle: Duking it out with you or with them.
Now guess who's less likely to be able to mount a lengthy legal battle, you or the other bank.
I'm British, but Germany is similar.
We have consumer protection laws that prevent that kind of thing. And also a legal system that isn't quite so in favour of big businesses.
Re:On your marks (no pun intended) (Score:3, Informative)
In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run?
In practice, this isn't much of a problem. Actually, there are two ways to earn money with this. You can commit old-school pen and paper wire transfer fraud, i.e., you fill out forms directing the bank to transfer funds from one account to another. However, there are two problems with that. First, you need to have a valid signature on the form and banks are required to check that (whether they actually do it is the banks' problem). Second, this doesn't scale too well, and if you dump 21M forms the bank will surely notice.
The second approach is to set up a fraudulent business and take part in the direct debit [wikipedia.org] program. However, not everyone can participate in this and banks do some background checks. And even if there is a fraudulent transfer from your account you can get your money back with a single call to your bank.
So in a nutshell, these methods can only be used to defraud negligent banks, not the customer. Oh, and all this typically doesn't work with savings accounts that hold the real money. That's why there is no reason to withdraw your money.
Re:So what (Score:1, Informative)
Actually, it's fairly safe: you can request the bank to return any money taken from your account this way, and then the onus is on the retailer to prove you received the goods they charged you for.
Re:Exactly (Score:5, Informative)
You then arrange the stealing/pickpocketing of cards. More likely, you request freshly stolen cards from a specialist. Some of those cards are going to marry up with the information you already hold, and may be enough to leverage funds.
Don't believe criminals are this organised? An example from personal experience. Turns out a machine at my other half's work was compromised with a keystroke/screenshot recorder infection. First we heard of it was when all our accounts were cleared out - someone had been organised enough to patiently continue recording "please enter X and Y character of your password" long enough to piece together the full password. They'd then used this on a Saturday before a bank holiday to transfer all of our funds into another account at the same bank - this clears instantly and has fewer restrictions. They had then coordinated with someone in the UK who could provide them with a stolen debit card issued by the same bank, transferred our money into that account, and got a stooge to go into the bank just before it shut on Saturday and take all that money out in cash - within hours of the initial transfer.
End result? We were cleaned out, some innocent who had their card nicked had their bank account abused, and the criminals got our money in cash, untraceably. 6-8 weeks later, we were refunded but it was a long and unpleasant experience that taught me several things:
1) Don't assume your bank has a coherent identity theft/fraud department. Expect to get bounced around outsourced call centers that don't communicate with each other or the police. Don't expect them to be interested in IP logs or anything else you think might help them catch the hackers, either
2) "Organised crime" isn't just a phrase. They're quite advanced now, even outsourcing the donkeywork on the ground to other organisations
3) Two-factor authentication is a Good Thing with online banking
4) Don't do online banking on someone else's computer
Re:Exactly (Score:2, Informative)
Re:Exactly (Score:4, Informative)
It takes 1 to 3 days because they earn interest on your money during this time.
Re:Hmmm... (Score:5, Informative)
No, they're referring to this raid on Crytek with the riot police:
http://www.quartertothree.com/game-talk/showthread.php?t=31767
Re:So what (Score:3, Informative)
No, it's very common in Germany since credit cards are actually pretty uncommon (people can pay with debit cards in stores and you can get cash in foreign countries with German debit cards at Maestro-enabled ATMs).
And debit cards don't have a particular key-card number so these don't work for such transactions.
Furthermore, the payment from the account is actually pretty risk-free. You have several weeks to issue a "charge-back" with no conditions or costs attached. The transaction fees for these charge-backs usually go to the store which issued the transaction in the first place. So as long as you check your account regularly you are pretty much safe.
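Two comments in this thread make the same practical point: the charge-back window only protects you if you actually look at your statement, and the earlier comment about "small amounts labelled innocuously" explains why that is harder than it sounds. As an added example (not code from the thread or from any bank), the following Python does the checking a cautious account holder would do by hand: it parses a statement export, flags every direct debit ("Lastschrift") from a creditor you never gave a mandate ("Einzugsermächtigung") to, reports how much of the six-week window mentioned in the thread is left, and separately groups small recurring debits by creditor. The semicolon-separated field layout, the creditor names and all statement lines are constructed for the example.

```python
# Added example: statement review for unauthorised direct debits.
# Not from the Slashdot thread; the statement lines and creditor names
# below are constructed.
import csv
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from decimal import Decimal
from io import StringIO

REVERSAL_WINDOW = timedelta(weeks=6)   # the "6 weeks" quoted in the thread
AS_OF = date(2008, 12, 8)              # constructed "today" for the sample

# Constructed export: booking date;type;counterparty;amount;memo
# (German number format: comma as decimal separator, negative = debit).
SAMPLE_STATEMENT = """\
# Buchungstag;Art;Gegenseite;Betrag;Verwendungszweck
28.11.2008;LASTSCHRIFT;Stadtwerke Musterstadt;-62,40;Abschlag Strom
20.11.2008;LASTSCHRIFT;ONLINE-SVC 4471;-1,99;Servicegebuehr
20.10.2008;LASTSCHRIFT;ONLINE-SVC 4471;-1,99;Servicegebuehr
20.09.2008;LASTSCHRIFT;ONLINE-SVC 4471;-1,99;Servicegebuehr
01.12.2008;UEBERWEISUNG;Max Mustermann;250,00;Rueckzahlung
15.11.2008;LASTSCHRIFT;Musterversicherung AG;-31,00;Beitrag
"""

# Creditors the account holder actually signed a mandate for (constructed).
KNOWN_MANDATES = {"Stadtwerke Musterstadt", "Musterversicherung AG"}


@dataclass(frozen=True)
class Txn:
    booked: date
    kind: str          # LASTSCHRIFT = direct debit, UEBERWEISUNG = credit transfer
    counterparty: str
    amount: Decimal    # negative for money leaving the account
    memo: str


def parse_statement(text: str) -> list:
    """Parse the constructed semicolon export into Txn records, skipping '#' comment lines."""
    txns = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if not row or row[0].startswith("#"):
            continue
        booked, kind, counterparty, amount, memo = row
        # "1.234,56" -> "1234.56"; Decimal avoids binary-float rounding on money.
        value = Decimal(amount.replace(".", "").replace(",", "."))
        txns.append(Txn(datetime.strptime(booked, "%d.%m.%Y").date(),
                        kind, counterparty, value, memo))
    return txns


def unknown_direct_debits(txns: list, mandates: set, today: date) -> list:
    """Direct debits from creditors without a mandate, oldest first, with days of
    the six-week window remaining (negative = window already elapsed)."""
    hits = []
    for t in sorted(txns, key=lambda t: t.booked):
        if t.kind == "LASTSCHRIFT" and t.amount < 0 and t.counterparty not in mandates:
            days_left = (t.booked + REVERSAL_WINDOW - today).days
            hits.append((t, days_left))
    return hits


def small_recurring_debits(txns: list, threshold: Decimal = Decimal("5.00"),
                           min_count: int = 2) -> dict:
    """Creditors that debited a small amount repeatedly: {name: (count, total)}."""
    by_creditor = {}
    for t in txns:
        if t.kind == "LASTSCHRIFT" and t.amount < 0 and -t.amount <= threshold:
            n, total = by_creditor.get(t.counterparty, (0, Decimal("0")))
            by_creditor[t.counterparty] = (n + 1, total - t.amount)
    return {k: v for k, v in by_creditor.items() if v[0] >= min_count}


if __name__ == "__main__":
    txns = parse_statement(SAMPLE_STATEMENT)
    for t, left in unknown_direct_debits(txns, KNOWN_MANDATES, AS_OF):
        state = f"{left} days left to reverse" if left >= 0 else f"window elapsed {-left} days ago"
        print(f"{t.booked} {t.counterparty:24} {t.amount:>8} {t.memo:16} {state}")
    for name, (n, total) in small_recurring_debits(txns).items():
        print(f"recurring small debit: {name} x{n}, total {total}")
```

A negative "days left" is a reason to call the bank, not to give up: as another comment in this thread points out, a charge for which no mandate ever existed can be contested after the six weeks as well; the window applies to charges the account holder actually authorised.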
Re:Exactly (Score:3, Informative)
Ah! The example that confirms the rule ;-) Intra-EU, it's free... The other poster is right about the reason why it takes three days, by the way....
Re:Hmmm... (Score:3, Informative)
...um, they did? I didn't RTFA since I'm German anyway and have heard more about this case than I care to know already, but they DID go to the police. Getting a good scoop for your magazine or paper and going to the police aren't mutually exclusive, you know.
Re:Exactly (Score:4, Informative)
A wire transfer typically costs $25 outgoing and $12 incoming
Even Fortis isn't that expensive... Try something more like €3. And if you have the appropriate plan ("Global Club"), you get a number of free wire transfers per quarter.
and you need to know the receiver's bank account # & routing number.
Which, surprise, most people do. Bank routing numbers (BIC) are published by the banks themselves, and account numbers of people wanting to receive such transfers (shops, charities, administrations ...) are public too. And if it's family or friends, they can give you their account number easily. Oh, and usually the account number is only enough if you want to put money on an account. If you want to remove money from an account, you'll need something more, such as a password, a signature plus ID, etc.
I seriously doubt that it is used that much by most people.
Well, here in Europe, it is used very commonly, for all kinds of things.
Re:Exactly (Score:2, Informative)
A wire transfer typically costs $25 outgoing and $12 incoming and you need to know the receiver's bank account # & routing number. I seriously doubt that it is used that much by most people.
In Germany, in the majority of cases wire transfers are free. This is even so for most of the transfers within the EU.
You will have a hard time to find anyone in Germany who even knows how to fill out a check, let alone have one available.
Most retailers probably won't even know what to do with it any more.
Re:So what (Score:3, Informative)
??? WTF? A bank allows ANYONE to debit from your account WITHOUT any authorisation?
No. At least not in theory. The person/corporation/entity charging your account has to get your permission to do that first (called "Einzugsermächtigung"). Then, everyone wanting to do such charging has to get it approved with their bank, which is not completely automatic - non-commercial entities need a very good reason to be allowed to do that.
However, the existence of such an "Einzugsermächtigung" is not checked by the banks, so if you claim to have one, the default is to believe you. But this also means that if such a charge happens without one, it can be reversed indefinitely. Banks like to tell their customers that there is a six week limit on this, but this is only valid for charge reversals on charges that were done by someone actually having the account holder's permission.
The whole system works surprisingly well.
Re:It's not just numbers, ya know! (Score:3, Informative)
Armed with that, criminals can easily charge those accounts and EVERYONE in Germany MUST now check their accounts at least every 6 weeks and issue reverse-charges if they discovered fraudulent activity.
No. Charges without an "Einzugsermächtigung" (a permission by the account holder to the charging entity to do such charges) can be reversed indefinitely. Some banks like to hide this fact from their customers, but every single case that went to court was won by the customer, and most of the time it is enough to insist on that fact.
Re:Hmmm... (Score:5, Informative)
Uhm... no? No such thing as Good Samaritan laws here.
Good Samaritan laws have nothing to do with reporting crime, they're laws that shield those who try to help injured people from civil liability for anything that goes wrong. They're a response to the problem of people refusing to help because they're afraid they'll get sued.
Re:Exactly (Score:3, Informative)
Re:Exactly (Score:4, Informative)
Three day transfers are not called wires in the US. They are called ACH transfers. They are free - treated the same as checks, using the same clearing house that checks route through. Wires are instantaneous bank-to-bank transfers - you send the money at 9:47 am and it arrives at 9:47 am, usually costing a ridiculous amount of money, $5-$75 depending on your banking relationships.
Re:Exactly (Score:3, Informative)