Press release April 10, 2001

Summary of the TAN challenge of Nutzwerk GmbH
"We pay DM 10,000 for stealing a TAN"

This challenge, which Nutzwerk GmbH advertised on January 30, was triggered by ARD TV program "Ratgeber Technik" on January 29, 2001. This program claimed that everybody with average computer knowledge could break into any PC in order to steal data for online banking.

No problem at all? – We have tested it – DM 10,000 reward – Theft without punishment and approved by the owner

The challenge was announced on the title pages of Spiegel Online, ZDNet, Süddeutsche Zeitung Online, Yahoo! Germany Headlines, at radio and TV interviews. It resulted in more than 9000 accesses to our public internet server at www.nutzwerk.de by hackers and interested persons.

We have registered a few attacks, a few eMails had to be deleted, but otherwise no harm was done. We did not take any additional safety measures during the TAN challenge and continued to make all our money transactions per online banking.

We were surprised that most hackers expected our online banking software to reside on our virtual WWW server. It would hardly be suitable for doing banking business. Our internal company server can be accessed via the public internet server by password query. But nobody managed to break in there – something we had expected at least of real hackers.

Legally breaking into somebody else's PC and allowed theft sounded exciting at least to numerous freaks and average computer users. Nutzwerk was flooded with eMails day after day, there were many who would have liked to earn DM 10,000 (about 5,000 euros). Some wrote we should create "normal conditions" for the TAN challenge and publish account number and bank connection; somebody even wanted to get a TAN from us for test purposes. Another person considered our challenge an invitation to criminal offense. However, nearly all people were sympathizers and welcomed the challenge because finally somebody took action against public scare tactics about internet use.

In spite of countless attempts, nobody managed to break into our online banking system – not even for DM 10,000 and without punishment. The internet does not seem to be as insecure as the TV report presented it – we already knew that. Of course, a lot is possible and nothing is a hundred percent sure, but the result should always be worth the effort.