
Topic: Dwolla Fraud - How it happened - page 2. (Read 7980 times)

legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
July 29, 2011, 12:46:44 PM
#8
Are $0.00 deposits allowed? The search space may be 11*11=121. So you only need to compromise 60.5 accounts (on average). Edit: Never mind: "$0.12 or less" includes $.12.
member
Activity: 80
Merit: 10
July 29, 2011, 12:43:35 PM
#7
I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.
newbie
Activity: 27
Merit: 0
July 29, 2011, 12:43:17 PM
#6
12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

In the world of fraud and with a big enough list of bank accounts, those odds aren't that bad.....
newbie
Activity: 27
Merit: 0
July 29, 2011, 12:41:41 PM
#5
Even if Dwolla lets you guess only twice, with enough compromised accounts, eventually you are bound to be able to guess correctly.

But it is possible that the perp did have access to the person's online bank account, or dumpster dove for a statement to confirm, or hacked an email account, etc....

sr. member
Activity: 321
Merit: 250
Firstbits: 1gyzhw
July 29, 2011, 12:40:42 PM
#4
12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?
sr. member
Activity: 476
Merit: 250
moOo
July 29, 2011, 12:34:21 PM
#3
Hmmm, I find it highly unlikely that Dwolla would give you too many chances to guess the two under-12-cent numbers (which is how PayPal does it, and they don't seem to have the Dwolla problem).

How about, perp gets POS bank account using fake ID.. perp then knows the deposits...

I just don't see Dwolla letting you guess more than twice.... NOW I AM ASSUMING.. I DON'T KNOW FOR SURE.. I just don't think this is how it went down.
newbie
Activity: 27
Merit: 0
July 29, 2011, 12:32:05 PM
#2
In my opinion, Dwolla has had long enough to address this issue and your post is absolutely necessary at this point.  Thank you.
member
Activity: 80
Merit: 10
July 29, 2011, 12:27:22 PM
#1
I have been on the fence as to whether this should be posted or not.  Normally I think information like this should be kept from public view, but since it looks like the security hole is still open even after the Tradehill incident, Dwolla may need to be pushed to make their service more secure.  In the interim I would suggest that no one use Dwolla.

Tradehill has stated that Dwolla got defrauded by a "known scammer" and posted the person's name on their blog.  It is highly unlikely that the person whose name they posted was involved in the fraud at all.  In fact that person was probably a victim of identity theft where the perpetrator exploited a weakness in the Dwolla bank account verification process that makes it easy to verify a bank account that you don't actually have access to.

Here is how the fraud likely works:

1. Perp has knowledge of the Victim's bank account information off of a paper check
2. Perp creates a Dwolla account in the Victim's name
3. Perp adds the Victim's bank account to the Dwolla account
4. Perp correctly guesses the two $.12 or less deposits that were made to the Victim's bank account
5. The Victim's bank account is now linked to the Dwolla account.  Perp initiates a transfer from the Victim's bank account to Dwolla
6. Perp transfers from Dwolla to the Bitcoin exchange of their choice
7. Perp buys Bitcoins and immediately removes them from the account at the chosen exchange
8. Victim notices money missing from the bank account and has the unauthorized ACH reversed

The ability to execute this fraud is wholly dependent on the ability to randomly guess the verification deposits that Dwolla makes into a person's bank account, with no regard to failed attempts.  The people whose bank accounts are getting linked to a Dwolla account in their name probably have no idea what Dwolla is. Seeing a deposit like "ACH Electronic Credit Jul 01 05:15 Dwolla Dwolla    $ 0.02" is going to go unnoticed by the victim most of the time.  It is not until money starts leaving the account that anything would be reported.

The reason the ACH transactions are being reversed is that Dwolla doesn't do enough to verify the customer and/or the transaction.  The good thing for Tradehill and other companies who are now having credited transactions reversed is that this liability is almost certainly 100% Dwolla's.
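The weakness the thread keeps circling back to is unlimited guesses against a 12*12 search space. The following is an added example, not Dwolla's code or anything posted in this thread: a micro-deposit verifier that locks a pending bank link after a fixed number of wrong guesses and writes each failure to an audit list for monitoring, plus the thread's own expected-accounts-per-success arithmetic expressed as a function. It assumes two deposits of 1 to 12 cents each compared as an ordered pair (giving the 144-pair space the posters use), an attempt limit of two, and an in-memory store; all of those are choices made for the example.

```python
import secrets
from dataclasses import dataclass

MAX_CENTS = 12      # "$0.12 or less": each deposit is 1..12 cents (assumed range)
MAX_ATTEMPTS = 2    # assumed policy: lock the pending link after this many wrong guesses


@dataclass
class PendingLink:
    deposits: tuple     # the two secret cent amounts actually sent over ACH
    failures: int = 0
    locked: bool = False
    verified: bool = False


class MicrodepositVerifier:
    """Bank-link verification that bounds guessing instead of ignoring failures."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, max_cents=MAX_CENTS):
        self.max_attempts = max_attempts
        self.max_cents = max_cents
        self.pending = {}   # account_id -> PendingLink (in-memory for the example)
        self.audit = []     # (event, account_id, failure_count) tuples for monitoring

    def start(self, account_id):
        # Draw the two amounts with a CSPRNG; the caller sends them to the bank,
        # never to the user. Returned here only so the example can be exercised.
        deposits = (secrets.randbelow(self.max_cents) + 1,
                    secrets.randbelow(self.max_cents) + 1)
        self.pending[account_id] = PendingLink(deposits=deposits)
        return deposits

    def verify(self, account_id, guess_a, guess_b):
        link = self.pending.get(account_id)
        if link is None:
            return "unknown"
        if link.verified:
            return "already-verified"
        if link.locked:
            # Locked links stay locked even for a later correct guess; re-linking
            # must go through a fresh out-of-band verification.
            return "locked"
        if (guess_a, guess_b) == link.deposits:
            link.verified = True
            self.audit.append(("verified", account_id, link.failures))
            return "verified"
        link.failures += 1
        self.audit.append(("failed-guess", account_id, link.failures))
        if link.failures >= self.max_attempts:
            link.locked = True
            self.audit.append(("locked", account_id, link.failures))
            return "locked"
        return "retry"


def expected_accounts_per_success(max_attempts, max_cents=MAX_CENTS):
    """Accounts an attacker must try, on average, to verify one they don't own.

    With two ordered deposits of 1..max_cents there are max_cents**2 pairs; each
    account yields max_attempts guesses, so the expected number of accounts per
    success is the search space divided by the attempt limit (the thread's
    "12*12 / two attempts = 72"). An unlimited policy makes every account linkable.
    """
    space = max_cents ** 2
    if max_attempts is None or max_attempts >= space:
        return 1.0
    return space / max_attempts


if __name__ == "__main__":
    v = MicrodepositVerifier()
    real = v.start("acct-constructed-1")
    print(v.verify("acct-constructed-1", 99, 99))   # retry
    print(v.verify("acct-constructed-1", 99, 99))   # locked
    print(v.verify("acct-constructed-1", *real))    # still locked
    print(v.audit)
    print(expected_accounts_per_success(2))          # 72.0
```

The point of the audit list is that a lockout is only half the control: a burst of "failed-guess" and "locked" events across many distinct accounts is the signal a fraud team would alert on, since a legitimate customer typing amounts from their own statement rarely fails twice.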
