24 October 2006

Online Trading Account Thefts

Hackers Cost TD Ameritrade $4 million in Q4

MarketWatch, Robert Schroeder, 24 October 2006

Leading online financial services firm TD Ameritrade said Tuesday it took a $4 million charge in the fourth quarter because of identity theft-fraud, highlighting the financial cost of a growing problem plaguing online businesses.

While no clients lost assets thanks to the company's reimbursement policy, the loss underscored a thorny issue for online brokers and retailers: how to safeguard the identities of their clients, especially from suspects overseas.

TD Ameritrade is not alone: Last week E-Trade reported that thieves in Eastern Europe and Thailand cost their customers $18 million in losses in the third quarter.

"This seems to be something happening overseas. People are traveling and allowing their log-ins and their user IDs to be obtained. It mostly seems to be through wireless systems," Chief Operating Officer Randy MacDonald said on a conference call Tuesday.

Omaha, Neb.-based TD Ameritrade made the disclosure as part of its fourth quarter earnings report.

The online broker, which is the country's third-largest, said fourth-quarter profit rose 36%, driven by a large acquisition made earlier in the year. Trading results, commissions and net income were a bit weaker than expected.

Ameritrade executives said they and other firms are working as an industry to protect people's passwords and log-ins.

The Toronto Star, Tara Perkins, 24 October 2006

The Investment Dealers Association of Canada plans to meet with brokerages and security experts in the next month as regulators and law enforcement agencies in Canada and the United States try to tackle growing losses caused by identity-theft scams that target individual investors' online trading accounts.

The association also plans to issue a notice to members, asking them to review their insurance coverage. These scams are often not covered under fraud provisions, which generally apply only to fraud committed by employees.

The issue has been gaining attention as incidents have increased. Last week, ETrade Financial Corp. revealed it spent $18 million (U.S.) on fraud losses in the third quarter. The company said that, "like a number of our competitors, (ETrade) experienced a significant increase in losses resulting from fraud relating to identity theft."

John Stark, chief of the United States Securities and Exchange Commission's office of Internet enforcement, said in an interview that "it is a growing concern of ours, and we have seen more complaints about it and more incidents of it in recent months, and we currently have a slew of investigations concerning unauthorized intrusions into online brokerage accounts.

"It's so nascent, it's hard to know exactly how much there is in losses," he added.

Canadian industry sources said the problem doesn't appear to have snowballed as quickly here.

In late August, the Canadian investment dealers association issued a warning to online traders after two accounts were broken into and wiped out. The hijackers reinvested the money in penny stocks. Authorities suspected the aim was to manipulate the price of the penny stocks. It appeared the hijackers had learned the clients' passwords.

Yesterday, Alex Popovic, vice-president of enforcement at the dealers association, said he's now aware of 10 cases.

"We're just in the process of setting up a meeting with the members to discuss this issue," he said.

"We're looking at bringing in some consultants to talk about security and provide some expertise and knowledge on how to beef up security."

JoAnne Hayes, spokeswoman for the Bank of Montreal, said its BMO InvestorLine has had "less than a handful of instances."

"We did reimburse clients," she said.

Lisa Hodgins, spokeswoman for TD Bank Financial Group, which runs TD Waterhouse, said "around August, we were investigating a few reports of unusual activity... but we're not currently investigating any claims."

The brokerage, like many, now has a security guarantee for customers who lose money due to fraud.

TD Waterhouse has not had any proven incidents, Hodgins said.

Popovic said the frauds are happening in numerous ways.

"We've seen all of it. We've seen the viruses, where somebody downloads it onto your home computer.... We have seen situations where people have been asked in an email to go to a website and put in their login.

"We have also tracked some of the false webpages.

"We saw them go as far as Germany, and then we hit a wall," he said.

The investment dealers association refers the incidents to law enforcement agencies.

The perpetrators are becoming more sophisticated, experts said.

"I looked at one of the bank-owned examples, and everything looks exactly the same," Popovic said. "You'd have to be really familiar with the original website to notice that there is a difference."

The international origins of many of the operations make them very difficult to shut down.

The U.S. regulator's Stark said arrangements with various countries allow U.S. authorities to obtain information, "but it involves a lot of co-operation.

"It's not going to move as quickly as it would if the wrongful conduct occurred here in the United States. But, having said that, we're not precluded. We can work with foreign countries to try to do what we can, and we are."

The commission has been warning about fraud directed at online brokerages for more than a year. Originally, the regulator was seeing the criminals liquidate investors' securities and wire the money out to a bank, Stark said.

"Lately, we've been seeing more of these manipulation intrusion kind of schemes — what the IDA is describing — which is when the hacker owns a bunch of some microcap stock, and then goes into an account, liquidates the securities and then buys up enough of that microcap stock to pump up its price," he said.

The hacker then sells, or dumps, previously obtained shares into an artificially inflated market.

TD Ameritrade spokeswoman Katrina Becker said the problem has been increasing, but declined to give figures.

"This is a widespread issue. It's not just online brokerages. It's financial services."

Dean Turner, senior manager for Symantec Security Response, said more than 80 per cent of all "phishing" attacks target financial services.

"The financial-services sector is the Number 2 targeted sector globally in terms of targeted attacks. The only reason they are Number 2 is because the Number 1 target are home users," he said in an interview.

"We certainly don't want to go out saying the sky is falling; that's not the case," Turner said. "I don't think we have accurate numbers on the amounts of dollar losses," he added. "I think it's probably much higher than what's reported."