ID Thefts Slam Online Brokers

Customer accounts accessed in fraud scheme; losses total $22M at two firms

Two of the top online stock brokerages in the U.S. disclosed that overseas hackers broke into some of their customer accounts during the past three months, resulting in combined losses of at least $22 million and leading both firms to take steps to bolster their security measures.

Jerry Bartlett, CIO at TD Ameritrade Holding Corp., said in an interview last week that the attacks were launched by identity thieves in Eastern Europe and Asia who used keylogging software delivered via Trojan horses or other malware to steal the account information of users logging onto public computers or their own infected PCs.

The hackers then used existing accounts or created dummy ones to buy shares in little-traded stocks, driving the prices up so they could sell previously purchased shares at a profit. Customers of ETrade Financial Corp. were also victimized by the so-called pump-and-dump scheme, according to ETrade officials.

Bartlett said no data was stolen from TD Ameritrade’s own databases, nor were its servers breached during the attacks. But he acknowledged that the company’s antifraud efforts, which include a security team that uses special software to monitor for anomalous activity such as users logging in from unusual IP addresses, failed to detect the stock scams quickly enough.

As a result, TD Ameritrade has installed new technology and reconfigured its existing tools to monitor for pump-and-dump activity, Bartlett said. “We could identify it [before], but certainly not to the sophistication of what we can do now,” he added. He declined to discuss the new capabilities in detail or disclose which security tools his firm uses to guard against online fraud.

ETrade has also beefed up its online security in response to the recent attacks, CEO Mitchell Caplan said during an Oct. 18 conference call on the company’s third-quarter financial results. Caplan said ETrade had cut the amount of fraudulent activity to “almost zero” over the previous three weeks as a result of the security changes.

The inability of ETrade and TD Ameritrade to promptly detect the hackers is hitting them in their pocketbooks. Although the money in brokerage accounts isn’t insured, both firms guarantee customers against losses caused by fraud.

ETrade officials said during the earnings call that the company had spent $18 million to compensate customers for losses from the attacks. Last week, TD Ameritrade disclosed during a conference call on its fourth-quarter results that it had reimbursed a total of $4 million to its customers.

To help it monitor accounts for unusual behavior, ETrade uses antifraud software developed by Cyota Inc., which is now a part of EMC Corp.’s RSA Security Inc. division.

Since February 2005, ETrade has also offered its customers a two-factor authentication option based on RSA’s SecurID token technology. The tokens generate new six-digit codes every 60 seconds. Customers must enter the codes along with their usernames and passwords when logging in, according to an ETrade spokeswoman.

She declined to say how many ETrade customers are using the RSA tokens and whether the hackers accessed any accounts guarded by the SecurID technology.

Persistent Challenges

Ryan Sherstobitoff, chief technology officer at security tools vendor Panda Software International SL, said skillful hackers can trick software such as Cyota’s, which relies in part on checking whether users are logging in from their usual IP addresses. And tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock-trading accounts, he said.

“We can protect against certain scenarios now, but there are certain ones we can’t protect well against at all,” Sherstobitoff said.

In a report released last month, Javelin Strategy & Research in Pleasanton, Calif., ranked ETrade 17th out of 24 financial institutions on efforts to protect consumers from identity theft. Javelin didn’t rank TD Ameritrade as part of its security scorecard, which primarily involved banks.

Identity theft in all its forms resulted in an estimated $56.6 billion in losses in the U.S. last year, according to Javelin, with one in 25 people being affected by it. “Fighting identity theft is a cat-and-mouse game — there’s always room for improvement,” said Javelin President James Van Dyke.

Bartlett said new antifraud tools on the horizon could help bolster corporate defenses. “It’s been a lot of back and forth between vendors and the bad guys,” he said. “But I’ve recently seen a lot of products in beta that should leapfrog [hacking tools] and keep vendors ahead in the arms race.”

Copyright © 2006 IDG Communications, Inc.
