21 Million German Bank Accounts For Sale

anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.

Hmmm...

[RobertM1968]

You'd think they'd have gotten the police involved instead of trying to scoop a story...

Nah, guess not.

How to use???

[It doesn't come easy]

21 million is a lot of accounts. No one person or group has time to abuse all 21 million accounts in a timely fashion. More likely, one would need to rely on the lackadaisical attitude most people have when it comes to security coupled with a low volume approach to the number of transactions to an external account in order to profit from purchasing all 21 million accounts.

The purchaser would also have to consider just how many accounts would be accessible and for how long. It might not be practical to expect to make significantly more than 12 million euros even with 21 million accounts, since most accounts would probably have low balances or have their passwords, etc., changed rather quickly if the account had a high balance.

So to use this many accounts, one would need to set up a number of new accounts in other banks (a few at a time and more than one so that the number of transactions to a given account would not be too high), then siphon a little bit of money off a few stolen accounts to some of the new accounts, withdraw the money, then close the new accounts almost immediately. The amount withdrawn would need to be random and small enough to escape detection for at least a few days. Anything faster would surely raise suspicion and cause automatic transaction blocking (at least, if the banks have some kind of working fraud prevention), especially since the announcement of the stolen data up for sale. I can also imagine adding a fraud check for a slurry of never-seen-before transactions to new accounts. Wire transfers would be quickest, yet they would also stand out more (since a bunch of new wire transfers from accounts which had never made a wire transfer before would be unusual -- the likely case for most accounts).

The 12 million price tag seems like a number arrived at by the thieves after taking into account the difficulties to be faced in exploiting the 21 million accounts while they are still exploitable. It seems likely that any purchaser would in turn sell them again in smaller blocks (a lot safer that way, relatively speaking).

Wonder if we'll ever find out what eventually happens?

Seriously, but seriously

[Anonymous Coward]

This is the scariest headline I've read in a long, long time. If this information allows remote access to the accounts then a concerted group effort could _completely_ destroy most German depository institutions by conducting mass withdrawals.

If German banks have reserve requirements similar to American banks (10%) then they would only have enough capitol to cover 1/6th of the potential withdrawals. Not only would this lead the banks not to have any working capitol (the life-blood of every bank. See: 02008 financial crisis), but would leave nothing left over for uncompromised account holders. Deposit insurance notwithstanding, I'm sure you know what would happen if the general public found out about this.

Organized criminals smart enough to buy 24M bank accounts are probably also smart enough to know this and take advantage of the corresponding extortionary power. I seriously cannot believe we are reading about this. If I was in German law enforcement there's absolutely no way I'd let this story see press. The fact that it was undercover reporters and not cops in that meeting amazes me.

I really, really hope that the cops and banks react more swiftly to this story than the German public. I'm also praying that the mechanism by which this information was stolen is limited to Germany...

I did it last week

[ZiggyM]

I live in Lima Peru. Last week a teller at my bank made me wait 10 minutes while she waited for the safe to open to give me some cash. In the meantime I went to a computer terminal without a keyboard, and access to only a webpage with the bank rates (windows, no start menu, no access to desktop etc). The machine was supposedly locked so that you couldnt navigate away or do anything except scroll the page and click a few links. Well, they forgot do disable right-click. 7 steps later I was able to access their internal network, and had access to a lot of internal information on individual machines. I went to the branch manager and showed him. He was surprised and embarassed, and took note of the steps I took. It was amazing how easy was to do it. The 7 steps were clever, but not impossible.

Re:21 million is 3/4 of accounts?

[quarrel]

I had the same reaction re the number of accounts. It is small.

However, Germany isn't all that small.

So some back of the envelope calcs:

They claim 21/.75 = 28M bank accounts in Germany

It's got roughly 80M people. Assume something like 2.2 people per househould (dunno what it is in Germany), and you get 36M. You gotta figure each household has at least one. I don't know how things really work in Germany, but I assume they're like the rest of the developed world and you essentially can't function without a bank account.

Then there are businesses. Even very small businesses will run several accounts.

I think the 28M bank accounts is just bullshit. It's gotta be heaps higher.

Surely 100M wouldn't be that big a figure even?

--Q

6 weeks reversal

[krischik]

As trampel pointed out: you have a 6 weeks reveal time frame. What trampel missed is: A real fraudster will have moved the money onwards by then. Which puts the loss to the bank.

Of course: As with riding without a ticket in the end we the honest customers will pay through higher bank/ticket changes.

Re:So what

[ben0207]

I live in Germany. It really is like that here. Some shops (Beate Uhse is one I can name off the top of my head) even give you 14 days to transfer the money.

I just bought a new MacBook from Apple.de using Bank Transfer. Took a day or two longer, but I'm typing it on it now :)

Re:So what

[MPolo]

Yep. That is essentially the system. It is your responsibility to check each month that the charges that were made were in fact authorized. As I understand, they are very good about chargebacks (suprisingly), though I have never had to actually do this. I have used this method of payment primarily with Amazon and with airlines, but it's very often an option. Germans don't particularly like credit cards (partly because German banks don't really "get" them -- most "credit" cards actually automatically suck the full amount of the bill out of your account on the due date... which means you're not worried about exhorbitant interest rates, but you're only barely buying on credit. It's actually more of a delayed debit card.)

Re:So what

[skolima]

Strange, in Poland Paypal withdraws money from your credit card to verify that you are indeed the holder...

Re:21 million is 3/4 of accounts?

[Xelios]

Because as TFA says it's "3 out of 4 households" that might be affected, not 3 out of 4 accounts.

Re:So what

[Anonymous Coward]

Pfft. We recently moved to Norway. The envelope of letter that my gf can now fetch the card from the bank was not closed. Additionally, she did no have to show her ID/passport when fetching the card.
I suppose Germans are way more sensitive and bureaucratic ;)

Re:So what

[the_other_chewey]

Wow, that's so behind. In Norway, there's no way to charge an account without full ID.

Yes there is. I've been quite scared to learn that it is possible to charge my account using my Maestro card
without its PIN code in Norway. I've been asked "Do you have a PIN code for that card?" regularly when
paying with it all over Norway - apparently, it is quite common for norwegians to have cards without them. In
such a case, the store clerk is supposed to check the ID. Guess how good or how reliably this works, especially
with foreign IDs...

Re:Exactly

[Lumpy]

Checks have to be hand processed. Mailed in checks haveto have a Person paid to open it and key it in and then hand carried to a bank.

Yet when I pay electronically on the internet where NO costs in labor are had, I am CHARGED a convience fee for doing so.

Only because of Fradulent tactics by businesses and banks are paper checks still in heavy use. If these companies were not blatently trying to rip me off, I'd pay via online all the time. Instead I send them a paper check that costs them more money to process.

Paying my Gas bill is more expensive online with a bank card payment than me sending them a check or even the bill WITH my bankcard info on it for them to process. I refuse to pay $10.00US convience fee to make their life easier and cheaper.

Re:Exactly

[b0bby]

Checks are such a pain that our bank gave us a check scanner (optical recognition for the amounts, magnetic for account / routing numbers) so we do the processing ourselves. We scan them in through a web connection, then file them away for a month or so before shredding. The bank never touches them, and we never have to go into the branch anymore.