2010/07/26

DEHSt at fault, says German phishing victim

 


13 Jul 2010 23:35:01 | edcm

 

German paper maker Drewsen Spezialpapiere, the company that was robbed of 88,000 EU allowances (EUAs) from its carbon registry account, remains confident it has a legal case against the registry for poor security.

Earlier this month the German carbon registry, DEHSt, said it was unfazed by the threat of legal action, as sufficient security measures had been in place at the time of the theft (see EDCM 2 July 2010).

Three supporting arguments

Thomas Katzenmayer, managing director at Drewsen, told ICIS Heren that three key points put the liability for the theft - the result of a phishing attack - on DEHSt, and not with his company.

Katzenmayer said a key argument in the legal case would be the registry's delay in telling account holders that phishing e-mails had been sent out: "DEHSt knew about the phishing e-mails at 08:30 on 28 January, yet [German] account holders were not contacted until 17:00." Drewsen's account was targeted at 16:30.

While other European registries had already closed in the morning, German account holders were some of the last to know of the problem, Katzenmayer added.

Secondly, the paper company believes the security measures put in place by DEHSt were not tight enough.

Compared with a bank account, access to the registry accounts was relatively lax, Katzenmayer said.

The registry earlier said extra security measures were in place - Drewsen had simply chosen not to use them.

But Katzenmayer said that though he was now aware it was possible to hide the company's contact details, this measure was introduced in 2008 and not highly publicised at the time.

Drewsen's third argument is that DEHSt had done nothing to help it, or the other five German companies that fell victim to the phishing scam, to regain their lost EUAs, which for the paper company had a market value of €1.2m.

DEHSt previously told ICIS Heren that it was working with all six companies to retrieve a total of 250,000 EUAs, but was unwilling to comment further when contacted on Tuesday, due to the threat of legal action.

Victim solidarity

Drewsen is to date the only German company that has gone public with its case.

According to Katzenmayer some of the other victims are significantly larger firms, which is why they have so far remained anonymous.

Drewsen is currently trying to persuade the other victims to go public too and strengthen the case against DEHSt.

The larger companies may also support the case financially, Katzenmayer added.

Growing frustration

Almost immediately after Drewsen became aware of the theft of its allowances, it traced the EUAs to the Danish registry.

The EUAs were then transferred to a British company which has only Russian contact details.

The fact that the allowances have been traced, yet little can be done about the situation, is a source of growing frustration for the company, Katzenmayer admitted.

To make matters worse, the German investigation into the phishing theft has now hit a wall, as it has been unable to convince the UK authorities to take up the lead.

"Never before had I thought working with official authorities would be so frustrating," Katzenmayer remarked. TMM