since noone here seems to bother to actually find out what was going on:

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

In this particular case the victim had:
- fallen for a phising website / trojan / keylogger, even after all the warnings in the german IT press (how else would the crooks get his account number and superpin)
- entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

anyone got a link to a working mirror of that other page, the http://flag.codeforamerica.org/ one? seems to be /.ed to death.