A work colleague had her bank account emptied over the past weekend, 10-thousand bucks gone in six separate transfers of about €1,600 each into the scammer’s account.
I’ve always touted the advantages of the safety of online banking in Germany, simply because they make it such a pain in the ass to transfer funds.
For my account in Canada, all I have to do is log on to the site, enter my password, and transfer away. I’d often thought the Canadian bank should make their site safer by setting up the system they have in Germany.
In Germany, you not only have to first log onto the site via password, but every time you do a payment or transfer you must first receive a text message on your cellphone with a 6-digit code number. You then key in that code number on the site to OK the transaction.
I’d always thought that extra hoop to jump through meant that my German account was pretty well bomb-proof, but it seems there’s a huge flaw in that system, and no - it’s not phishing.
In my colleague’s case, the criminals set up an account at the same bank as hers, I suppose to speed up the transaction time.
To transfer the funds they used the same forms we used to fill out with a pen all the time when we actually had to get up off our butts and walk in a building to do our banking. They took the forms off a pile at the bank, filled them out in her name and bank details, faked a signature, and dropped them into a slot to be processed later. Just like cheque fraud in days of old, only they didn’t even have to get their hands on any of her cheques.
They must have opened their account in a fake name, which is another thing I find quite unbelievable. How could the bank be so lax?
I also hear that, in contrast with days of old, those forms are nowadays mostly machine-read. That’s another bank failure to ensure proper handling of customer funds.
By the time my colleague noticed the fat hole in her bank balance the money had already been transferred.
She called her bank right away and they immediately stopped payment, so she’ll get her money back, but what if she’d been on holiday or leave of absence for a few weeks or months and never noticed? Would she have had to eat the loss?
And what about all those strangers who have access to our full name and account numbers? You have to give them away if you’ve ever bought or sold anything on eBay without using PayPig. Not to mention the thousands of supposedly honest bank and store employees who have access to your account details.
Oh, and a bonus if you haven’t heard yet: should anyone in Germany receive a transfer of funds in the amount of one cent from an unknown party, contact your bank and the police. Scammers have been known to shoot off computer-generated transfers to thousands of randomly generated account numbers in the amount of one cent. Should they fail to receive notice their transfer did not go through, they know they’ve hit on a real account and can let the plundering begin.






I experienced somewhat the same thing after losing a credit card. In my case the bank notified me about the frequent withdrawals and ended up paying me back all the money promptly. In your case the bank is also paying back the money, which seems to be the case if the money was withdrawn through false signature. If the scammers had got a hold of her password to her credit card and made withdrawals on ATMs, she would not receive her money back. I think that no matter where you live there are scammers, very sophisticated and scary ones. The only difference is how promptly and fairly the bank deals with customers who have been scammed.
Thing is, they always talk about how great their online security is, but forget about the old-fashioned way of transferring funds. It’s a real loophole.
Wow. It’s weird how people *cough* mother in law *cough* always grumble about how unsafe today’s technology is. “How can you trust the computer to do banking?!” People often forget that thieves have always existed and that computers don’t really make a difference. If a person is hell bent on stealing money, they’ll do it. Whether it means faking a signature, or stealing your password. Glad to hear your colleague got their money back. Thanks for the heads up about the penny transfer, hadn’t heard of it.
p.s. Just to add that I hate! those darn extra pin numbers for German banking
I keep losing the darn paper they’re on.
@manny,
I used to get those TAN numbers printed on a great long sheet of 100 of them, but then the bank pretty well forced me to go the text-message route by putting a limit of 1000 euros on any transaction unless it was via text-message TAN. You will probably prefer it that way because there’s no more paper to get shuffled. Err… unless you lose your phone.
@Jul + G — I didn’t think of that, but you’re right – they make it too easy to purchase via bank transfer. Somehow I guess they figure it’s cheaper to try to recover the money or eat the losses than set up a more secure system for everyone.
I bought some airline tickets online the other day and I was surprised that all the info I needed to enter was my bank account number and PLZ. Tons of people have access to this information – it’s practically public domain. It served as a reminder to check over my bank statements more carefully here.
I check my account weekly because I just can’t get over how easy it is to move money around here: that’s what I used to do for a living (with a few more zeroes at the end), but we had a few more levels of security. As Jul said, it’s very easy to buy on-line with just a name and Konto number.
The .01 transfer is the same in the US as well - it’s what banks do when you set up transfer accounts to ensure the routing is correct, although I usually send a bit more. My bank used .37 and .52 last time.
Since I have gone through the motions of opening up a bank account a couple of years ago: While it probably is possible to open one in a fake name, these days you have to somehow show official ID (read Personalausweis or passport). Mind you, that’s not to protect anyone but rather to fight money laundering.
The motions in my case were going to the German embassy in Oslo and having them stamp a form (in Germany proper the banks can use the postal service to check your ID) which, in good German fashion, the embassy plainly and rudely refused to do. Made me feel really good about emigrating …
I suppose I shouldn’t be surprised thieves have adapted the techniques of mass-marketing phone calls. If you get one hit out of ten thousand, you’re still ahead of the game.
I’ve adjusted my life in some ways to cyber crime. For example, I never, ever use a credit card in a restaurant. Our area is still overrun with people who can grab your numbers and then send it by phone to an accomplice, who buys a couple thousand dollars worth of stuff online before you’re out of the restaurant.
But that’s still a crime of opportunity. These other folks have turned it into a cottage industry. Good grief.
On our credit cards we have a three-digit code on the back, but that wouldn’t stop crime like that, I guess. For online purchases, my Mastercard has a password called the SecureCode that I have to key in on the site when it pops up just before completion of the transaction. I suppose that will be hacked sooner or later, too, but for now I feel pretty safe with it.
Scary post Ian