Information Security News
mailing list archives
German TV Hackers Crack Bank Server - Lawsuit Possible
From: InfoSec News <isn () c4i org>
Date: Thu, 20 Sep 2001 04:15:24 -0500 (CDT)
By Ned Stafford, Newsbytes
17 Sep 2001, 4:51 PM CST
HypoVereinsbank, one of Germany's largest banks, is considering legal
action against a popular consumer high-tech TV show that hired hackers
to break into the bank's online banking servers, according to a bank

Cornelia Klaila, a spokeswoman for HypoVereinsbank in Munich, told
Newsbytes: "It is illegal what they did. It is very illegal."

The "they" she is referring to is a TV show called Technical Adviser,
which is produced by ARD, one of Germany's two public TV networks.

Technical Adviser hired some young hackers in August to break into
HypoVereinsbank's online banking servers and download information
about customer accounts.

The information included names, account numbers, PIN numbers and
Internet IP addresses, which are important for secure online banking.

The story was broadcast Sunday evening.

Bernd Leptihn, head of the Technical Adviser (Ratgeber Technik) news
team in Hamburg, told Newsbytes he was not worried about a lawsuit

Leptihn, who was anchorman for Technical Adviser for 27 years but now
works behind the camera, quipped: "You know, I have done illegal
stories for 30 years now. I have had lawsuits before and, up to now, I
have never lost a case."

He said ARD's legal department says that such investigative journalism
is allowed under German law if it is "in the interest of the public."

Leptihn, a well-known personality in Germany, said he thinks that
informing the public of the holes in HypoVereinsbank's computers was
very much in the public interest.

"With the (bank account) information we had, we could have been
anyplace in the world with millions and millions of euros," he said.

Leptihn said that research indicated that HypoVereinsbank had some big
security holes. He said the bank used Microsoft's Internet Information
Server (IIS 4.0).

"This is a very, very low quality server," he said.

Technical Adviser hired a team of four hackers. He declined to say how
much they were paid, but said it was "not much." The young hackers
were more interested in gaining publicity for their start-up Internet
security consulting company, he said.

One of those four is Stephan Weide, who at 22 is a managing director
of the company, called Multimedia Network Systems in Leinefelde.

Weide told Newsbytes that it only took two to three days to break into

"It was no problem," he said. "Anybody could have done it."

After Technical Adviser aired Sunday night on TV, Weide said he and
his team participated in a teleconference phone call with
HypoVereinsbank technicians to tell them how they could patch the

When asked if the technicians expressed anger about the hacking, he
said: "They said no angry words. I think they were afraid of losing

Weide and Leptihn said that HypoVereinsbank's online banking Web site
was shut down beginning late Sunday night for about 6 hours.

Klaila, the bank's spokeswoman, emphatically disputed this.

"No," she said. "That is not correct."

She said the Web site was shut down for routine regular maintenance,
and not to patch security holes.

She also said that HypoVereinsbank this summer had put a new banking
Web site online, and that this site is a "state-of-the-art" system
that is secure. During the month of August, she said both the old and
new sites were online, and the hackers had broken into the old Web
site, not the new site. The old site was taken offline at the
beginning of September.

Leptihn, from Technical Adviser, disputes that the new site was secure
before last night.

"Our hackers tried again on the new site and got in," he maintained.

Klaila said both criminal and civil damage proceedings against
Technical Adviser are possible.

"We have yet to decide what we are going to do," she said.
HypoVereinsbank Home Page http://www.hypovereinsbank.de
Multimedia Network Systems Home Page:
Technical Adviser Home Page (German language)
Bernd Leptihn Photo
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.