> My bank had around 20,000 customers using smsTAN and 3 (I was the 4th lol) using HBCI.
He is German, of college age and an early customer at one of 2 or 3 banks that provide HBCI. Consider him nailed.
I also bet he has published security related work under his real name at some point, especially since he has been applying for jobs. Most people in the security industry applying for legit work who don't have qualifications pad out their resumes with online research (or speaking at conferences, etc.).
You have 17 bits left. Use them wisely.
He's probably lying too.