[ISN] Man Allegedly Bilks E-trade, Schwab of $50, 000 by Collecting Lots of Free 'Micro-Deposits'

From: InfoSec News (alerts@private)
Date: Wed May 28 2008 - 00:14:14 PDT


By Kevin Poulsen 
Threat Level
May 27, 2008 

A California man has been indicted for an inventive scheme that 
allegedly siphoned $50,000 from online brokerage houses E-trade and 
Schwab.com in six months -- a few pennies at a time.

Michael Largent, of Plumas Lake, California, allegedly exploited a 
loophole in a common procedure both companies follow when a customer 
links his brokerage account to a bank account for the first time. To 
verify that the account number and routing information is correct, the 
brokerages automatically send small "micro-deposits" of between two 
cents to one dollar to the account, and ask the customer to verify that 
they've received it.

Largent allegedly used an automated script to open 58,000 online 
brokerage accounts, linking each of them to a handful of online bank 
accounts, and accumulating thousands of dollars in micro-deposits.

I know it's only May, but I think the competition for Threat Level's 
Caper of the Year award is over.

Largent's script allegedly used fake names, addresses and Social 
Security numbers for the brokerage accounts. Largent allegedly favored 
cartoon characters for the names, including Johnny Blaze, King of the 
Hill patriarch Hank Hill, and Rusty Shackelford. That last name is 
doubly-fake -- it's the alias commonly used by the paranoid exterminator 
Dale Gribble on King of the Hill.

The banks involved included Capital One, Metabank, Greendot and 
Skylight. Largent allegedly cashed out by channeling the money into 
pre-paid debit cards.

A May 7 Secret Service search warrant affidavit (.pdf) [1] says Largent 
tried the same thing with Google's Checkout service, accumulating 
$8,225.29 in eight different bank accounts at Bancorp Bank.

When the bank asked Largent about the thousands of small transfers, he 
told them that he'd read Google's terms of service, and that it didn't 
prohibit multiple e-mail addresses and accounts. "He stated he needed 
the money to pay off debts and stated that this was one way to earn 
money, by setting up multiple accounts having Google submit the two 
small deposits."

The Google caper is not charged in the indictment. (.pdf) [2]

According to the government, Largent was undone by the USA Patriot Act's 
requirement that financial firms verify the identity of their customers. 
Schwab.com was notified in January that more than 5,000 online accounts 
had been opened with bogus information. When the Secret Service 
investigated, they found some 11,385 Schwab accounts were opened under 
the name "Speed Apex" from the same five IP addresses, all of them 
tracing back to Largent's internet service from AT&T.

Largent is free on bail. He's charged in federal court in Sacramento 
with four counts each of computer fraud, wire fraud and mail fraud. He 
didn't return repeated phone calls Tuesday; Representatives of E-trade, 
Schwab.com and Google also didn't return phone calls.

[1] http://blog.wired.com/27bstroke6/files/largent_affidavit.pdf
[2] http://blog.wired.com/27bstroke6/files/largent_indictment.pdf

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Wed May 28 2008 - 00:22:32 PDT