Clever Micro-Deposit Scam

This is clever:

Michael Largent, 22, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account to a bank account for the first time. To verify that the account number and routing information is correct, the brokerages automatically send small "micro-deposits" of between two cents to one dollar to the account, and ask the customer to verify that they've received it.

Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts, and accumulating thousands of dollars in micro-deposits.

Posted on June 5, 2008 at 1:25 PM • 25 Comments

Comments

BMurrayJune 5, 2008 1:37 PM

Better than clever -- I'm not sure it's even illegal. I knew those Perl books would pay off one day.

IdiotJune 5, 2008 1:40 PM

And another script kiddies bites the dust...

He registered them all from his own internet connection, with AT&T as his ISP no less. We all know how hard the gubmnt has to twist *their arms to get customer data, haha.

Good lord, hasn't he heard of WiFi at <insert_local_bourgeoisie_cafe>

Free GoodiesJune 5, 2008 1:52 PM

There is this particular website in my country that has online shopping. They also have a games section where you can win points, that can be used as money on the shopping portal.

A few lines of perl code later, I have gotten over 10,000 $ worth of free stuff. Its not illegal either, TOC says nothing about playing the games automatically.

We need to start focusing beyond SQL Injections and more towards Logic Flaws. They are the real killers ;)

samJune 5, 2008 1:59 PM

By using financial corporations and hence supplying fake social security numbers it probably was illegal.

bobJune 5, 2008 2:03 PM

Is this a microdeposit (or set of 2 such) to establish the identity of an account? Dont they automatically re-withdaw the money at the same time? They have in all the (admittedly few) ones I have set up.

Right Said FredJune 5, 2008 2:08 PM

With two microdeposits per account, and an average of 51 cents per microdeposit, his 58 thousand accounts only nets him about 58 thousand dollars.

But the crimes committed, if/when he is caught, nets him at least 5 years in jail, maybe 10.

Risk benefit analysis says this crime does not net enough money to be worth the risk.

SethJune 5, 2008 2:50 PM

Most of the places that verified my linkage with micro-deposits took the money back. A few didn't (all the recent ones did).

He was busted because of false ID used to open the accounts.

tonyJune 5, 2008 3:10 PM

"Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts"

Surely the banks should have noticed this when thousands of accounts were connected to each of these accounts. I'm sure that Paypal did this kind of verification (because I opened a Paypal account and then forgot the password ... when I tried to create a new account attached to the same bank account it told me that I couldn't ... that was several years ago).

JilaraJune 5, 2008 3:20 PM

The individual deposits, because of their small size, are only a misdemeanor. It's like writing a thousand bad checks for $10 is still only a misdemeanor.

However, the fraudulent credentials open up the potential for more major charges.

Davi OttenheimerJune 5, 2008 4:11 PM

The illegal part is related to the falsification of data to get paid. He did not use his "real" names, which is said to constitute fraud. Apparently tens of thousands of accounts were setup under a limited number of cartoon character names instead.

Davi OttenheimerJune 5, 2008 4:14 PM

@ Right Said Fred

"Risk benefit analysis says this crime does not net enough money to be worth the risk."

Ah, but he was utterly convinced and even argued with the Bank that he was not doing anything illegal.

CameramanJune 5, 2008 5:17 PM

I think this was the plot of the movie "Office Space". In fact, a plot point of that movie was the fact that the characters got the idea from the movie Superman III.

So, 10 points for audacity, 0 points for originality.

Wired Comments are DumbJune 5, 2008 6:02 PM

@Cameraman

To you, and the other 300+ Wired comments saying the same thing, I'd like to point out that both Office Space and Superman III used a technique commonly known as 'Salami Slicing', which is not falsely registering for 50k+ fake brokerage accounts, it is collecting the extra fractions of a cent in a transaction by flooring the initial transaction amount to the nearest cent, and depositing the remainder fraction somewhere else... millions of times over.

What this guy did could be viewed as a *type of Salami Slicing in that he was taking small, measured steps to achieve a larger, otherwise unattainable goal, but it really has nothing to do with Office Space or Superman III. Those were very specific methods of fraud... not even the transaction amounts are close... they are off by a good order of magnitude.

So bleh.

SteveJJune 5, 2008 6:46 PM

@ Right Said Fred

"Risk benefit analysis says this crime does not net enough money to be worth the risk."

You'd think. But if criminals only committed crimes where you or I thought that the cash benefit justified the potential jail sentence, then all we'd have to do to stop crime would be to jack up the sentences.

Some criminals are rational by my reckoning, or else have little to lose in the first place that my valuations don't come close to applying. Most criminals (at least the ones we read about, who've been caught) have with the benefit of hindsight made some crucial miscalculation. And of course getting caught is the big question - in this case it seems to me exceedingly likely he would be caught eventually, but Davi says he planned to claim innocence.

So never mind his profit and loss analysis, he should have taken better legal advice.

People who think they can get away with crime are, by self selection, over-represented among criminals. Courts see a steady progression of folks who (figuratively speaking) multiplied the potential punishment by too small a number before comparing it to the expected gain. It's no great surprise to hear about yet another bad plan ;-)

AlcuithJune 5, 2008 9:54 PM

He opened 58,000 accounts over 6 months (or 320 per day) to yield $50,000 - equates to 86 cents per account. Pretty tough way to make money...

He'd be better off stealing the coin donations at the bottom of fountains or perhaps even getting a job???

DoTheMathJune 6, 2008 12:52 AM

@Alcuith

It's automated. He didn't have to do anything beyond the initial automation. Coins in fountains are a more difficult scripting or automation prospect.

An income stream of $50k over 6 mos is $100k/yr. For an initial automation outlay and no additional work, that's a worthwhile ROI.

Modulo the legal aspects, of course.

Wicked LadJune 6, 2008 8:06 AM

A year or two ago, the company I work for got hit by someone executing a similar scheme, but apparently using a genuine identity. Our lawyers saw nothing illegal in his actions. We stopped doing business with him, but he walked away with the money, fair and square.

JeffHJune 6, 2008 10:18 AM

@Cameraman
And Superman III may have stolen that part of the plot from "The Adolescence of P-1" (http://en.wikipedia.org/wiki/The_Adolescence_of_P-1) that I remember reading back in high school.

AnonymousJune 6, 2008 2:39 PM

I think he is in court because he use fake information on those account. If he would have used true information it migth have been legal

a personJune 7, 2008 2:53 AM

Though it is certainly not legal, and arguably not profitable, the fact that it got on this site (and others) means at least _someone_ considered it novel and unique. For arguments sake, let's say most people on this site are moral and upright, the fact that it is under discussion, means most people reading this probably wish deep down that they themselves at least thought of it.

It's the creativity, ingenuity, and (at least temporary) success that leads to others interest, if not at least slight envy.

Peter E RetepJune 7, 2008 5:31 PM

At last a motive for politicians to support micro-transactions!

Grad_StudentJune 10, 2008 4:09 PM

I thought of the same scam when I first learnt of this. It's not just online brokerage firms, but any time you link a bank account to any other service (Paypal, online saving account etc). But it was also clear that there is a high likelihood of being detected. All those deposits going into the same account? It's easy to assume someone would notice. Besides, I would assume that most companies making the micro-deposits would restrict deposits to unique accounts only.

TimothyDecember 3, 2009 3:02 PM

Good stuff! He really did need to use a bit more security; proxy servers, other people's internet, the whole 9 yards.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..