[Dataloss] Hackers Zero In on Online Stock Accounts

[Richard Forno]

Hackers Zero In on Online Stock Accounts
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301
257_pf.html

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, October 24, 2006; A01

Hackers have been breaking into customer accounts at large online brokerages
in the United States and making unauthorized trades worth millions of
dollars as part of a fast-growing new form of online fraud under
investigation by federal authorities.

E-Trade Financial Corp., the nation's fourth-largest online broker, said
last week that "concerted rings" in Eastern Europe and Thailand caused their
customers $18 million in losses in the third quarter alone.

Another company, TD Ameritrade, the third-largest online broker, also has
suffered losses from customer account fraud, but a spokeswoman declined to
quantify the amount yesterday. "It is an industry problem," spokeswoman
Katrina Becker said. "It does continue to grow."

Federal regulators cited recent cases in which hackers gained access to
customer accounts at several large online brokers and used the customers'
funds to buy certain stocks. The hackers appeared to be trying to drive up
share prices so they could sell those stocks at a profit, regulators said.

The Securities and Exchange Commission and the FBI are looking into
E-Trade's cases, chief executive Mitchell H. Caplan said in an earnings
conference call with reporters last week. Spokesmen for the SEC and FBI
declined to discuss details of those cases.

Both E-Trade and TD Ameritrade have guaranteed that they will cover their
clients' losses, even though they are not required to do so by law. But the
problem is growing faster than public awareness of it, federal regulators
said, noting that the fraud is fed by the rising use of the Internet for
personal finance and the easy availability of snooping software that allows
hackers to steal personal account information.

"Although these schemes cleverly combine aspects of securities fraud,
identity theft and hacking, what they really boil down to is outright
thievery," said John Reed Stark, chief of the Office of Internet Enforcement
at the SEC. "In the last couple of months we have seen a marked increase in
online brokerage account intrusions."

More than 10 million people have bought or sold investments online in the
United States in the last few months, according to Avivah Litan, a
securities analyst for the Stamford, Conn.-based Gartner Inc.

The scams typically begin with a hacker obtaining customer passwords and
user names, experts said. One way is by placing keystroke-monitoring
software on any public computer in a library, hotel business center or
airport. With the software, all keystrokes entered on the computer can be
recorded and e-mailed anywhere in the world.

Experts said all hackers have to do is wait until anyone types in the Web
address of E-Trade, Ameritrade or another online broker, and then watch the
next several dozen keystrokes, which are likely to include someone's
password and login name.

These emerging Internet stock schemes appear to be new versions of the
widely used "pump-and-dump" e-mail scams, in which spammers send out mass
e-mails containing bogus news alerts intended to manipulate stock prices.

Stark said perpetrators are breaking into customer accounts and buying
shares of thinly traded, microcap securities, also known as penny stocks.
The hacker gains access using the customer's user name and password, then
liquidates that person's existing stock holdings and uses the proceeds to
buy shares in the microcap. The goal, regulators said, is to boost the price
of a stock the hacker has already bought at a lower price in another
account. The hacker then liquidates the stock and wires the money either to
an offshore account or through a series of straw men, or dummy corporations,
Stark said. The straw man may not know he is participating in fraud; he may
have been told he is helping, say, an offshore business.

The entire operation can take a matter of minutes, or at most, hours.

"The unwitting victim opens the account in the morning and finds he or she
owns thousands of shares in a microcap company that they have never heard
of," Stark said.

Caplan said E-Trade recently made operational changes and added technology
to thwart the criminals. "We've seen that level of fraud in the last three
weeks or so reduced to almost zero . . . ," he said in the conference call.

Glen Mathison, a spokesman for Charles Schwab Corp., the largest online
broker, said losses due to online identity theft and fraud have not reached
"a material level" that would require disclosure to investors. But he added
that Schwab also guarantees to reimburse clients for online losses caused by
fraud.

Unlike banks, brokerage accounts are not protected by Federal Deposit
Insurance Corp. and other federal banking rules that ensure consumers get
their money back, so the consumer must rely on the company to cover any
losses.

Ameritrade's Becker said the company advises clients to make sure they have
good spyware detection software on their computers. Ameritrade's Web site
also offers clients free software that helps detect or eliminate snooping
programs.

In Canada, the Investment Dealers Association, the self-regulatory arm of
Canada's securities industry, is looking into similar scams.

Online financial fraud has grown so serious that the Federal Financial
Institutions Examination Council, a government entity that establishes
standards for banks, has given U.S. financial institutions until Dec. 31 to
tighten security measures for accessing online accounts.

"This thing is so widespread and it has such a significant impact on the
industry at large . . . that I think you're going to end up seeing
structural changes in the industry," Caplan said.

Staff researchers Richard Drezen and Karl Evanzz contributed to this report.