
21 Million German Bank Accounts For Sale

Posted by kdawson
from the black-marks dept.
anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.

  • by LingNoi (1066278) on Monday December 08, 2008 @10:33PM (#26042657)

    Couldn't you just buy one to begin with and then use that German bank account to buy the rest?

  • Hmmm... (Score:5, Interesting)

    by RobertM1968 (951074) on Monday December 08, 2008 @10:33PM (#26042661) Homepage Journal

    You'd think they'd have gotten the police involved instead of trying to scoop a story...

    Nah, guess not.

    • Re:Hmmm... (Score:5, Funny)

      by LingNoi (1066278) on Monday December 08, 2008 @10:36PM (#26042687)

      The police are too busy raiding game developer buildings with shotguns and listening in on Skype calls.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      That's not their job or function in society.

      • That's funny, I always thought it was a citizen's (of the USA at least) duty to report crimes to the police if you witness them.
        • by thegnu (557446)

          Yeah, journalists are sort of exempt, and it allows them to provide the free flow of information without getting a cap in their ass for trying to talk to gangsters.
          yeah.

        • by afabbro (33948)

          That's funny, I always thought it was a citizen's (of the USA at least) duty to report crimes to the police if you witness them.

          That would be funny. Fortunately, it's not true, at least in a legal sense. You are under no obligation to report a crime you witness.

    • Re:Hmmm... (Score:4, Informative)

      by jdrugo (449803) on Tuesday December 09, 2008 @04:03AM (#26044269)

      You'd think they'd have gotten the police involved instead of trying to scoop a story...

      From the article:

      Wie so viele Kontonummern illegal in Umlauf gelangen konnten, muss in den nächsten Wochen die Staatsanwaltschaft Düsseldorf klären. Die WirtschaftsWoche übergab den Ermittlern am vergangenen Donnerstag die CD mit den 1,2 Millionen Datensätzen und Kontonummern.

      which roughly means:

      How that many account numbers reached circulation illegally is to be clarified over the next weeks by the prosecuting authorities of Düsseldorf. Reporters of the WirtschaftsWoche handed the CD with the 1.2 million data sets and account numbers to the investigators last Thursday.

      So, they firstly contacted the responsible branch of jurisdiction and after that published the article.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      ...um, they did? I didn't RTFA since I'm German anyway and have heard more about this case than I care to know already, but they DID go to the police. Getting a good scoop for your magazine or paper and going to the police aren't mutually exclusive, you know.

  • by pin0chet (963774) on Monday December 08, 2008 @10:37PM (#26042701)
    In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run? Because everyone wants to withdraw their money right away to minimize the chance that this ridiculous security leak negatively affects them, right? Such a massive erosion of confidence can completely destroy a banking system.
    • by OrangeTide (124937) on Monday December 08, 2008 @10:49PM (#26042783) Homepage Journal

      bank account and routing numbers were never considered secure. the only thing protecting your bank account (weakly) from fraud is a paper trail.

    • by henni16 (586412)

      In practice, it will be the banks' problem.
      Instead of running to your bank to get your money, you monitor your bank account and dispute/charge back possible fraudulent transactions.

    • by John Hasler (414242) on Monday December 08, 2008 @11:48PM (#26043165) Homepage

      > In theory, if the banking system were known to be compromised in such a huge way, and
      > there were no way of knowing if your own bank account was compromised or not, shouldn't
      > there be a massive bank run?

      This is Germany. There will be no bank run until it is properly planned, organized, and regulated.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      None of that is truly secret information in the first place. Every business prints its address, bank account number and bank routing number on each of its invoices. When you buy something on eBay, the seller will usually give you his name, address and bank account number and bank routing number: It's the information you need to send him the money.

      There is a way of transferring money which is called "Lastschrift" or "Bankeinzug". Basically the recipient tells his bank that the sender has agreed to let the re

    • Re: (Score:3, Informative)

      by hweimer (709734)

      In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run?

      In practice, this isn't much of a problem. Actually, there are two ways to earn money with this. You can commit old-school pen and paper wire transfer fraud, i.e., you fill out forms directing the bank to transfer funds from one account to another. However, there are two problems with that. First, you need to have a valid signature on the form and banks are required to check that (whether they actually do it is the banks' problem). Second, this scales not too well and if you dump 21M forms the bank will sur

  • by sleeponthemic (1253494) on Monday December 08, 2008 @10:40PM (#26042721) Homepage
    Even their criminality is impressively efficient :-)
    • Rule 36 [encycloped...matica.com] states:

      There will always be even more fucked up shit than what you just saw

      Now, I've been saying this all along, but naysayers think the sky will never fall, and that the government is not out to get them. I've got bad news for you: It will, and they are, and if those two problems are not enough there will always be people willing to steal your stuff. period. no exceptions.

      The fact that they have not stolen yours yet is merely an oversight on "their" part. It will happen at some point. Security is myth. Do not trust those that want to protect you. The government wi

      • by Jeff DeMaagd (2015) on Monday December 08, 2008 @11:46PM (#26043153) Homepage Journal

        OK, so you're saying that government isn't going to protect us, so the answer is to demand that financial institutions be held accountable to laws passed by a government that you said won't protect us?

      • by Cl1mh4224rd (265427) on Monday December 08, 2008 @11:47PM (#26043161)

        The government will never shield you, only pretend to do so. This is a harbinger of dangers to come, and reason to demand with some vigor that your financial institution be held accountable by law for the protection of your information.

        Bolding mine, to highlight a serious disconnect in the parent's preaching.

        You're suggesting that people demand that banks be held accountable to laws enforced by the very government you said won't protect them?

      • Rule W15 states:

        There will always be a number less than 1, but greater than the number less than 1 you just saw.

        Rule 36 doesn't imply that fuckedupness is unbounded above. Go make another tinfoil suit; they're about to get through this one!

  • by Bentov (993323) on Monday December 08, 2008 @10:46PM (#26042763)
    This morning the entire banking system in Germany collapsed due to 3 in 4 Germans transferring money out of the country to banks in neighboring countries....
  • ohshiza? (Score:5, Funny)

    by Stormie (708) on Monday December 08, 2008 @10:49PM (#26042787) Homepage
    I think the taggers in this story need to learn how to spell "Scheiße"
  • by txoof (553270) on Monday December 08, 2008 @10:51PM (#26042803) Homepage

    It is possible that not all of the 21 million work, or are valid. If I were in the criminal's position, I would offer a CD where about 70% were valid. And then when the payment was made, provide a data set that had only a few working accounts and a bunch of garbage.

    In any case, it's pretty scary to think that there might be that much personal data out there.

    • Or, release "honey pot" numbers to the criminals. Mix them in with the real ones (they already know that info so you aren't compromising anything). Anyone who accesses those dummy accounts must be a criminal and can be targeted for investigation.
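
The decoy-account idea from the comment above, sketched as detection logic over direct-debit requests. This is an added example, not part of the original thread; the account numbers, creditor names, record layout and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed decoy ("honey pot") account numbers seeded into the customer data.
# No real customer owns them, so any debit against one is illegitimate by design.
DECOY_ACCOUNTS = {"DE-DECOY-0001", "DE-DECOY-0002"}

# Constructed direct-debit requests: (request id, creditor, debited account, EUR).
SAMPLE_DEBITS = [
    ("r1", "utility-gmbh", "DE-1000", 48.10),
    ("r2", "lotto-service", "DE-2000", 19.90),
    ("r3", "lotto-service", "DE-DECOY-0001", 19.90),
    ("r4", "lotto-service", "DE-3000", 24.90),
    ("r5", "bookshop-ag", "DE-2000", 12.00),
    ("r6", "prize-club", "DE-DECOY-0002", 9.99),
    ("r7", "prize-club", "DE-DECOY-0001", 9.99),
]


def flag_creditors(debits, decoys):
    """Return {creditor: sorted list of decoy accounts it tried to debit}."""
    hits = defaultdict(set)
    for _req, creditor, account, _amount in debits:
        if account in decoys:
            hits[creditor].add(account)
    return {creditor: sorted(accounts) for creditor, accounts in hits.items()}


def requests_to_review(debits, decoys):
    """Return the ids of every request from a flagged creditor, decoy or not.

    A decoy hit indicates the creditor is working from the leaked list, so its
    debits against real accounts are candidates for review and reversal too.
    """
    flagged = flag_creditors(debits, decoys)
    return [req for req, creditor, _acct, _amt in debits if creditor in flagged]


if __name__ == "__main__":
    for creditor, accounts in flag_creditors(SAMPLE_DEBITS, DECOY_ACCOUNTS).items():
        print(f"{creditor}: touched decoys {accounts}")
    print("review:", requests_to_review(SAMPLE_DEBITS, DECOY_ACCOUNTS))
```

The second function is the part that matters to account holders: one decoy hit pulls in the same creditor's debits against real accounts, which the decoy alone would never surface.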

  • dann kamen sie fur meine Kreditkartennummer- und Provider-Kennworter.

    Ich zahlte 10 Euro und aller, den ich erhielt, war Orion Blastar' Konto-LOGON und -kennwort s-Slashdot.

    Just kidding, Babelfish doesn't translate it quite right.

  • ...they analyzed the bank accounts and the combined total in them is less than $1 million?
  • How to use??? (Score:5, Interesting)

    by It doesn't come easy (695416) * on Monday December 08, 2008 @11:30PM (#26043059) Journal
    21 million is a lot of accounts. No one person or group has time to abuse all 21 million accounts in a timely fashion. More likely, one would need to rely on the lackadaisical attitude most people have when it comes to security coupled with a low volume approach to the number of transactions to an external account in order to profit from purchasing all 21 million accounts.

    The purchaser would also have to consider just how many accounts would be accessible and for how long. It might not be practical to expect to make significantly more than 12 million euros even with 21 million accounts, since most accounts would probably have low balances or have their passwords, etc., changed rather quickly if the account had a high balance.

    So to use this many accounts, one would need to set up a number of new accounts in other banks (a few at a time and more than one so that the number of transactions to a given account would not be too high), then siphon a little bit of money off a few stolen accounts to some of the new accounts, withdraw the money, then close the new accounts almost immediately. The amount withdrawn would need to be random and small enough to escape detection for at least a few days. Anything faster would surely raise suspicion and cause automatic transaction blocking (at least, if the banks have some kind of working fraud prevention), especially since the announcement of the stolen data up for sale. I can also imagine adding a fraud check for a slurry of never-seen-before transactions to new accounts. Wire transfers would be quickest, yet they would also stand out more (since a bunch of new wire transfers from accounts which had never made a wire transfer before would be unusual -- the likely case for most accounts).

    The 12 million price tag seems like a number arrived at by the thieves after taking into account the difficulties to be faced in exploiting the 21 million accounts while they are still exploitable. It seems likely that any purchaser would in turn sell them again in smaller blocks (a lot safer that way, relatively speaking).

    Wonder if we'll ever find out what eventually happens?
  • by Jerry (6400) on Monday December 08, 2008 @11:34PM (#26043079)

    the Linux desktop market share in Germany is only 25%.

  • I did it last week (Score:5, Interesting)

    by ZiggyM (238243) on Tuesday December 09, 2008 @12:16AM (#26043307)
    I live in Lima Peru. Last week a teller at my bank made me wait 10 minutes while she waited for the safe to open to give me some cash. In the meantime I went to a computer terminal without a keyboard, and access to only a webpage with the bank rates (windows, no start menu, no access to desktop etc). The machine was supposedly locked so that you couldn't navigate away or do anything except scroll the page and click a few links. Well, they forgot to disable right-click. 7 steps later I was able to access their internal network, and had access to a lot of internal information on individual machines. I went to the branch manager and showed him. He was surprised and embarrassed, and took note of the steps I took. It was amazing how easy it was to do it. The 7 steps were clever, but not impossible.
    • by Anpheus (908711)

      It's probably a lot easier with Internet Explorer, because typing C:\ takes you... guess where?

      And if they have some trivial block on using that path mapping, you can always just do \\127.0.0.1\C$

  • Hmm... (Score:5, Funny)

    by sootman (158191) on Tuesday December 09, 2008 @12:43AM (#26043463) Homepage Journal

    21 million is three in four existing German bank accounts.

    I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)

    I will sell them for US $1,000,000 MILLIONS US DOLLARS. Contact me via this website.

    Act now and I'll throw in every Master Card ever issued. (5000 0000 0000 0000 to 5999 9999 9999 9999) (Same disclaimer as above.) And no identity thief would be complete without a REAL SOCIAL SECURITY NUMBER to go with it, eh? Guess what? That's right--I'VE GOT THEM ALL TOO! (001-01-0001 to 999-99-9999)

    • I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)

      Well, do you also have the personal data belonging to those VISA numbers? Like, say, owner, expiration date, etc? Because that's what this 21M bank account list is all about: it contains not just account numbers, but also all associated identifying data (names, addresses, dates of birth, in some cases even a balance).

      Armed with that, criminals can easily charge those accoun

      • Re: (Score:3, Informative)

        Armed with that, criminals can easily charge those accounts and EVERYONE in Germany MUST now check their accounts at least every 6 weeks and issue reverse-charges if they discovered fraudulent activity.

        No. Charges without an "Einzugsermächtigung" (a permission by the account holder to the charging entity to do such charges)
        can be reversed indefinitely. Some banks like to hide this fact from their customers, but every single case that went
        to court was won by the customer, and most of the time it is enough to insist on that fact.

  • In November reporters ... had a face-to-face meeting with criminals

    So, where were the cops? How do you say "Denny's" in German?

    Seriously, most of our local police force is working undercover at the local titty club, buying lap dances.

  • I would find it to be completely unsurprising to find that the source of this information is someone within the German government, an employee, had collected and made available to criminals this information. It would seem an information pool this large could only come from such a source. Other data compromises, in my view, would seem individually unlikely to produce a rate as high as 75% of all.

    If I am right in this guess, it would show a strong reason why any government should not be collecting this kind
