Computerworld - Overseas hackers broke into customer accounts at two popular online stock brokerages, TD Ameritrade Holding Corp. and E-Trade Financial Corp., in a "pump and dump" stock-trading scheme that led to at least $22 million in losses.
The attacks, which took place during the last three months, were launched by identity thieves in Eastern Europe and Asia who primarily used keylogging software delivered via Trojan horses or other malware to steal users' confidential information as they logged onto public computers or their own infected machines, TD Ameritrade CIO Jerry Bartlett said in an interview today.
The hackers then logged into existing customer accounts -- or created dummy accounts -- to buy shares in little-traded stocks, driving prices up so they could sell their own previously purchased shares for a profit.
TD Ameritrade said in its investor conference call today that it had spent $4 million to compensate customers who suffered losses after their accounts were broken into.
E-Trade confirmed in an investor conference call on Oct. 18 that it had spent $18 million to compensate customers. CEO Mitchell Caplan told investors that E-Trade has cut its losses to "almost zero" in the past three weeks after beefing up its security. The FBI, U.S. Securities and Exchange Commission and the National Association of Securities Dealers are working together to uncover the fraud.
"This is an industrywide issue," said TD Ameritrade Chief Operating Officer Randy MacDonald.
Charles Schwab Corp., the largest online broker in terms of assets, told Bloomberg News it did not suffer significant losses, while Fidelity Investments declined to comment.
E-Trade ranked 17th out of 23 financial institutions for its efforts to protect consumers from identity theft, according to a study released earlier this month by Javelin Strategy & Research of Pleasanton, Calif. The study, which mostly ranked banks, did not rank TD Ameritrade.
Identity theft in all of its forms last year caused an estimated $56.6 billion in losses, according to Javelin, with one in 25 people affected by it.
"Fighting identity theft is a cat and mouse game -- there's always room for improvement," said James Van Dyke, president of Javelin.
While the Federal Deposit Insurance Corp. covers bank accounts with up to $100,000 against fraud or bank bankruptcy, brokerages get no such protection. E-Trade and TD Ameritrade both guarantee customers against losses caused by fraud.
E-Trade said it is unsure whether its losses will be covered by insurance. TD Ameritrade's CFO, Bill Gerber, said he is confident the company could "get a nice healthy chunk of the $4 million back if we can prove the fraud was from the same source."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
