September 17, 2001

By Ned Stafford, Newsbytes

HypoVereinsbank, one of Germany's largest banks, is considering legal action against a popular consumer high-tech TV show that hired hackers to break into the bank's online banking servers, according to a bank spokeswoman.

Cornelia Klaila, a spokeswoman for HypoVereinsbank in Munich, told Newsbytes: "It is illegal what they did. It is very illegal."

The "they" she is referring to is a TV show called Technical Adviser, which is produced by ARD, one of Germany's two public TV networks. Technical Adviser hired some young hackers in August to break into HypoVereinsbank's online banking servers and download information about customer accounts.

The information included names, account numbers, PIN numbers and Internet IP addresses, which are important for secure online banking. The story was broadcast Sunday evening.

Bernd Leptihn, head of the Technical Adviser (Ratgeber Technik) news team in Hamburg, told Newsbytes he was not worried about a lawsuit from HypoVereinsbank.

Leptihn, who was anchorman for Technical Adviser for 27 years but now works behind the camera, quipped: "You know, I have done illegal stories for 30 years now. I have had lawsuits before and, up to now, I have never lost a case."

He said ARD's legal department says that such investigative journalism is allowed under German law if it is "in the interest of the public." Leptihn, a well-known personality in Germany, said he thinks that informing the public of the holes in HypoVereinsbank's computers was very much in the public interest.

"With the (bank account) information we had, we could have been anyplace in the world with millions and millions of euros," he said.

Leptihn said that research indicated that HypoVereinsbank had some big security holes. He said the bank used Microsoft's Internet Information Server (IIS 4.0).

"This is a very, very low quality server," he said.

Technical Adviser hired a team of four hackers. He declined to say how much they were paid, but said it was "not much." The young hackers were more interested in gaining publicity for their start-up Internet security consulting company, he said.

One of those four is Stephan Weide, who at 22 is a managing director of the company, called Multimedia Network Systems in Leinefelde.

Weide told Newsbytes that it only took two to three days to break into HypoVereinsbank's computers.

"It was no problem," he said. "Anybody could have done it."

After Technical Adviser aired Sunday night on TV, Weide said he and his team participated in a teleconference phone call with HypoVereinsbank technicians to tell them how they could patch the holes.

When asked if the technicians expressed anger about the hacking, he said: "They said no angry words. I think they were afraid of losing their jobs."

Weide and Leptihn said that HypoVereinsbank's online banking Web site was shut down beginning late Sunday night for about 6 hours.

Klaila, the bank's spokeswoman, emphatically disputed this.

"No," she said. "That is not correct."

She said the Web site was shut down for routine regular maintenance, and not to patch security holes.

She also said that HypoVereinsbank this summer had put a new banking Web site online, and that this site is a "state-of-the-art" system that is secure. During the month of August, she said both the old and new sites were online, and the hackers had broken into the old Web site, not the new site. The old site was taken offline at the beginning of September.

Leptihn, from Technical Adviser, disputes that the new site was secure before last night.

"Our hackers tried again on the new site and got in," he maintained.

Klaila said both criminal and civil damage proceedings against Technical Adviser are possible.

"We have yet to decide what we are going to do," she said.

[an error occurred while processing this directive]