E-trade, Schwab, Google fall victim to "Office Space/Superman 3" attack




A great example of an attack that Web Application Firewalls (WAFs), simple scanning tools, HackerSafe certifications, and PCI (although it might, through some financial controls I'm not aware of) are not going to help you prevent was posted by Kevin Poulsen over at the crime blog at blogs.wired.com. Poulsen's article states:

A California man has been indicted for an inventive scheme that allegedly siphoned $50,000 from online brokerage houses E-trade and Schwab.com in six months -- a few pennies at a time.

Michael Largent, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account to a bank account for the first time. To verify that the account number and routing information is correct, the brokerages automatically send small "micro-deposits" of between two cents and one dollar to the account, and ask the customer to verify that they've received it.

Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts, and accumulating thousands of dollars in micro-deposits.

Wow, sounds like "Office Space," anyone? Right down to this guy jacking the scheme up as well... I wonder if it was a decimal point error, just like in the movie. If you haven't seen "Office Space" and have no idea what I'm talking about, you have your homework assignment for the weekend (you will enjoy it), but basically the story includes a scheme that dumps the remainder of a rounding operation into a bank account through the use of a trojan. Of course, the programmer of the trojan makes a decimal point error and hilarity ensues.

Seriously though, if this guy had been less greedy and done this over a longer period of time, I don't know if anyone would've noticed it. Of course, he was greedy, and they did notice it, as Poulsen mentions:

A May 7 Secret Service search warrant affidavit (.pdf) says Largent tried the same thing with Google's Checkout service, accumulating $8,225.29 in eight different bank accounts at Bancorp Bank.

When the bank asked Largent about the thousands of small transfers, he told them that he'd read Google's terms of service, and that it didn't prohibit multiple e-mail addresses and accounts. "He stated he needed the money to pay off debts and stated that this was one way to earn money, by setting up multiple accounts having Google submit the two small deposits."

The Google caper is not charged in the indictment. (.pdf)

According to the government, Largent was undone by the USA Patriot Act's requirement that financial firms verify the identity of their customers. Schwab.com was notified in January that more than 5,000 online accounts had been opened with bogus information. When the Secret Service investigated, they found some 11,385 Schwab accounts were opened under the name "Speed Apex" from the same five IP addresses, all of them tracing back to Largent's internet service from AT&T.

The Patriot Act, seriously? Wow. I wonder why Google is not included in the indictment. Very interesting stuff, but the kicker to this is to remember that there's nothing that tools could've done to prevent this. It's likely, however, that a good consultant performing a source code review would've found this.
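To make concrete what such a code review would be looking at, here is an added example (constructed for this post; it is not code from E-trade, Schwab, Google, or Poulsen's article) that models the micro-deposit linking procedure quoted above. The naive service pays two micro-deposits on every link request and never takes them back, so an automated script that opens many accounts against a handful of bank accounts from one IP address simply accumulates the deposits. The hardened service applies the three controls a reviewer would ask for: it caps how many brokerage accounts may link to the same external bank account, it flags bursts of sign-ups from a single IP address, and it reverses the micro-deposits once verification completes (the "two identical withdrawals" a commenter below describes from PayPal). The account names, IP address, amounts, and the two threshold constants are assumptions for the simulation, not figures from the case.

```python
"""Simulated micro-deposit account linking: naive vs. hardened service.

Constructed example. The bank, the brokerage classes, the threshold
constants and the sample script traffic are all assumptions made for
illustration; nothing here is the real companies' code or policy.
"""
from collections import Counter, defaultdict
import random

MAX_LINKS_PER_BANK_ACCOUNT = 3   # assumed policy: 3 brokerage accounts per bank account
MAX_SIGNUPS_PER_IP = 20          # assumed policy: flag the 21st sign-up from one IP


class Bank:
    """Toy external bank that only tracks balances (in cents) per account number."""
    def __init__(self):
        self.balances = defaultdict(int)

    def credit(self, acct, cents):
        self.balances[acct] += cents

    def debit(self, acct, cents):
        self.balances[acct] -= cents


class NaiveBrokerage:
    """Sends two micro-deposits per link request and never reverses them."""
    def __init__(self, bank, rng):
        self.bank, self.rng = bank, rng

    def link(self, brokerage_acct, bank_acct, ip):
        for _ in range(2):
            self.bank.credit(bank_acct, self.rng.randint(2, 100))  # 2 cents to $1
        return "pending"


class HardenedBrokerage:
    """Same flow with per-bank-account caps, per-IP flagging and deposit reversal."""
    def __init__(self, bank, rng):
        self.bank, self.rng = bank, rng
        self.links_per_bank_acct = Counter()
        self.signups_per_ip = Counter()
        self.pending = {}      # brokerage_acct -> (bank_acct, [amounts])
        self.flagged = []      # (brokerage_acct, reason) for the fraud team

    def link(self, brokerage_acct, bank_acct, ip):
        self.signups_per_ip[ip] += 1
        if self.signups_per_ip[ip] > MAX_SIGNUPS_PER_IP:
            self.flagged.append((brokerage_acct, "ip_burst"))
            return "rejected"
        if self.links_per_bank_acct[bank_acct] >= MAX_LINKS_PER_BANK_ACCOUNT:
            self.flagged.append((brokerage_acct, "bank_acct_reuse"))
            return "rejected"
        self.links_per_bank_acct[bank_acct] += 1
        amounts = [self.rng.randint(2, 100) for _ in range(2)]
        for cents in amounts:
            self.bank.credit(bank_acct, cents)
        self.pending[brokerage_acct] = (bank_acct, amounts)
        return "pending"

    def verify(self, brokerage_acct, claimed_amounts):
        """Check the customer's claim, then reverse both deposits either way."""
        bank_acct, amounts = self.pending.pop(brokerage_acct)
        for cents in amounts:
            self.bank.debit(bank_acct, cents)
        return sorted(claimed_amounts) == sorted(amounts)


def run_script(brokerage, n_accounts, bank_accts, ip):
    """Model the automated sign-up script: many accounts, few bank accounts, one IP."""
    outcomes = Counter()
    for i in range(n_accounts):
        outcomes[brokerage.link(f"acct-{i}", bank_accts[i % len(bank_accts)], ip)] += 1
    return outcomes


def simulate(n_accounts=1000, seed=1):
    """Run the same script against both services and report what each one paid out."""
    rng = random.Random(seed)
    bank_accts = [f"bank-{k}" for k in range(5)]        # constructed sample accounts
    naive_bank, hard_bank = Bank(), Bank()
    naive = NaiveBrokerage(naive_bank, rng)
    hard = HardenedBrokerage(hard_bank, rng)
    run_script(naive, n_accounts, bank_accts, "198.51.100.7")   # documentation-range IP
    outcome = run_script(hard, n_accounts, bank_accts, "198.51.100.7")
    # Whoever did get a link accepted confirms the amounts; the reversal zeroes the gain.
    for acct, (_, amounts) in list(hard.pending.items()):
        hard.verify(acct, amounts)
    return {
        "naive_gain_cents": sum(naive_bank.balances.values()),
        "hardened_gain_cents": sum(hard_bank.balances.values()),
        "hardened_accepted": outcome["pending"],
        "hardened_rejected": outcome["rejected"],
        "flags": Counter(reason for _, reason in hard.flagged),
    }


if __name__ == "__main__":
    print(simulate())
```

With 1,000 scripted sign-ups spread over five bank accounts, the naive service pays out roughly $1,000 in micro-deposits and keeps no record that anything unusual happened, while the hardened service accepts only the first fifteen links (three per bank account), rejects the rest, logs the reasons, and ends with a net payout of zero once the deposits are reversed. The point for a reviewer is that none of these checks is a WAF or scanner finding; they live in the business logic of the linking procedure itself.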

-Nate

Topics: Google, Banking, Microsoft, Security


Talkback

22 comments
  • So did they break agreements somewhere?

    If the companies agree to send this small deposit for free then what did they do wrong? Or is this just the normal case of an individual being chastised for exploiting a loophole while companies do it all day? We really have some screwed up thinking in this country.
    storm14k
    • Patriot Act

      I mean, that's what it seems like right? Except, I'm not an expert on the Patriot Act, it sounds like this guy is getting chastised for creating "fake" accounts.

      This is where having a legal degree would come in handy. You'd think a good lawyer could get him off of these charges.

      -Nate
      nmcfeters
      • Couple of thoughts

        The whole Patriot Act thing deals with reporting excessive financial transactions. Large quantities of transactions (IIRC) as well as any transaction over $10k will get automagically flagged for review. In case you are working with/for/whatever terrorists.

        A lot of these companies (including PayPal) will dump some quantity between 1 and 99 cents in your account. If you can report back with the exact amount, they consider you to be the rightful owner.

        I think the issue here was the quantity of transactions tied to a single account. Not sure how you do this and make it profitable short under the current rules. Anyway, it was a nice try. He should enjoy pondering his ways from the inside of jail.
        mtgarden
        • Ok good

          I was worried that the law wouldn't be strong enough to get a prosecution.

          -Nate
          nmcfeters
        • 10K limit on bank reporting

          That is the number the bank tells you they report; however, it is actually much lower, more like 2-3K in a day. The Feds say it is to prevent circumventing the 10k limit; it really is more to track anyone with more than small transactions moving money for any reason. I have had several people tell me this, having a good friend working at a bank alerting them to this unpublished limit. Ask your friendly bank employee and see which limit they give you. BTW, the 10K limit used to be posted in every bank, but not anymore; wonder why?
          Pennyman2
    • Actually ....

      It's not screwed up thinking that will put this guy in jail. It is the intent to defraud a company for personal gain.

      The link to the indictment is provided and you can easily see that what they are charging him with is defrauding these companies in order to have monetary gain without the prospect of doing legitimate business.

      On a technical footnote, it is interesting to me that these firms need to have a "micro" deposit to confirm that the account is there. Doesn't this seem a bit excessive? Is there not a better digital or programmatic way of account verification on the back end?
      YZFDude11
    • A "good faith" agreement?

      The transaction is done as an effort to ensure that the money the [i]customer[/i] will earn makes it to [i]their[/i] account once they start trading, not as a means to pocket 50,000 dollars of the company's money.

      Kind of like taking 20 free "sample size" bottles of shampoo to get the equivalent amount of the full size one they're selling.
      AllKnowingAllSeeing
  • Did anyone notice what his last name means?

    Michael Largent steals money. The French word "L'argent" means money. Funny how those are connected.
    OmarHash
  • RE: E-trade, Schwab, Google fall victim to

    Unless you could prove that the Patriot Act's provisions, or the actions of the police, somehow violated the US Constitution's search and seizure provisions, I'm pretty sure you won't have grounds to exclude the evidence.

    For instance, the cops might be investigating a murder, and find evidence of a bank robbery. Even if the person is innocent of the murder, the robbery investigation would be valid UNLESS the defendant would prove that the evidence wasn't found per the rules (fruit of a poison tree).

    Therefore, I'd think that an investigation of possible foreign funding of terrorists (which is what the Patriot Act addresses) that uncovers activity like this would still be able to prosecute this situation under the laws that prohibit these activities, even if there was no activities that fall under the Patriot Act.
    geek49203_z
    • So

      Obviously what he did SHOULD be against the law. I was worried that the Patriot Act wouldn't have enough muscle to cover it. Hopefully common sense prevails.

      -Nate
      nmcfeters
  • Office Space was a terrible movie

    Yeah, it had some funny parts, but it was painful to watch between them. As well, it suffered from the commercials displaying the funny parts before the movie was released. I think a new generation might find it better not having it spoiled.
    voska1
    • Message has been deleted.

      itanalyst2
    • Yeah, I'm just going to have to sort of disagree with you there. [nt]

      [nt]
      olePigeon
      • Yeeeeeeeeeeeaaaaaaaaaahhhhhhhhhhhhhhhhhh n/t

        n/t
        justgold79
  • RE: E-trade, Schwab, Google fall victim to

    I see nothing wrong with an inventive use of these (often predatory) institutions' practices. The guy is going to jail because the companies don't like having been caught out. The government backs them because the government does whatever big money tells it to do.
    cwgregory
    • It is fraud

      He opened up over 50,000 bogus accounts and stole small payments that were intended to verify that "customer" accounts had the correct account number, routing code and could electronically accept and pay money out. He was not a customer. These accounts have to be closed and the links to the bank accounts need to be severed. That alone takes up resources and will cost money to clean everything up.

      When I opened an account with PayPal and other institutions, I got credited with 2 small deposits but also had 2 identical withdrawals so there was no net gain.
      mystic100
  • Largent = TheMoney

    It's funny that his name is Largent. In French "l'argent" means "the money" :)
    zpdixon 42
  • Google Checkout, PayPal, etc. aren't considered banks...

    Google Checkout, PayPal, etc. aren't considered banks, so they're not subject to the PATRIOT act. They're also not FDIC insured despite merchants holding thousands of dollars in their "accounts."
    olePigeon
    • which is exactly...

      ...why he would have gotten off had he used offshore accounts and a single computer offshore to automate the transactions.

      It is fraud, no matter how you cut it, however, committed over the internet it has now prosecutable context without the presumption of security, and moreover, when offshore, there is no jurisdiction for the FBI and SS to investigate (Note: the only two agencies allowed to operate offshore are legally authorized to operate under a single pretext: national security), anything else and it's...

      ..."not guilty."

      Combine that offshore account with an ATM card or good ol' laundering and you're good to go.

      Of course, this case will raise attention and online value account providers will cry foul for legislation to close this loophole and eventually they [meaning the current and/or future incompetents on Capitol Hill] shall.
      kckn4fun
  • RE: E-trade, Schwab, Google fall victim to

    "Um, we have sort of a problem here...."

    For me I think Office Space had to be viewed a few times to appreciate it. I was particularly interested in this when I heard about it because I recalled the cartoon shorts on SNL.

    [EDIT] Oops, I meant to reply to another thread. "Sh*t, I always do that, I always mess up some mundane detail."
    rlarsen1