Minnow, I believe what you described is EXACTLY what is happening.
The Neteller API makes it possible on the merchant side for money to be moved from an account. All they need is an account number and a secure id. They do not need your password.
It's a complete guess on my part, but I think most people didn't use Neteller as a place to keep their money. Just an avenue to move it. In my own case money would be in my account only for as long as it took me to either move it to a book or move it to my checking account. If anyone had my secure id they would have had to catch me during the 10 minutes or so when money was actually IN my Neteller account.
The thing is this didn't start happening until there were a lot of Neteller accounts with money sitting in them that customers couldn't move. If a thief has your account number and secure id under those circumstances you are literally a sitting duck.
From the perspective of a book, the book should be able to produce logs that show WHO was logged into the Neteller API at the time of the transaction. If it's a current employee then of course they have him. But, books have been downsizing. No? My guess is it has to be somebody who had compromised a database at one of the books and who was subsequently given his walking papers. Pure conjecture on my part, but given the weakness of the API that is the one scenario that makes the most sense to me.
-jp