By Ellen Nakashima
Washington Post Staff Writer
October 24, 2006
Hackers have been breaking into customer accounts at large online
brokerages in the United States and making unauthorized trades worth
millions of dollars as part of a fast-growing new form of online fraud
under investigation by federal authorities.
E-Trade Financial Corp., the nation's fourth-largest online broker, said
last week that "concerted rings" in Eastern Europe and Thailand caused
their customers $18 million in losses in the third quarter alone.
Another company, TD Ameritrade, the third-largest online broker, also
has suffered losses from customer account fraud, but a spokeswoman
declined to quantify the amount yesterday. "It is an industry problem,"
spokeswoman Katrina Becker said. "It does continue to grow."
Federal regulators cited recent cases in which hackers gained access to
customer accounts at several large online brokers and used the
customers' funds to buy certain stocks. The hackers appeared to be
trying to drive up share prices so they could sell those stocks at a
profit, regulators said.
The Securities and Exchange Commission and the FBI are looking into
E-Trade's cases, chief executive Mitchell H. Caplan said in an earnings
conference call with reporters last week. Spokesmen for the SEC and FBI
declined to discuss details of those cases.
Both E-Trade and TD Ameritrade have guaranteed that they will cover
their clients' losses, even though they are not required to do so by
law. But the problem is growing faster than public awareness of it,
federal regulators said, noting that the fraud is fed by the rising use
of the Internet for personal finance and the easy availability of
snooping software that allows hackers to steal personal account
"Although these schemes cleverly combine aspects of securities fraud,
identity theft and hacking, what they really boil down to is outright
thievery," said John Reed Stark, chief of the Office of Internet
Enforcement at the SEC. "In the last couple of months we have seen a
marked increase in online brokerage account intrusions."
More than 10 million people have bought or sold investments online in
the United States in the last few months, according to Avivah Litan, a
securities analyst for the Stamford, Conn.-based Gartner Inc.
The scams typically begin with a hacker obtaining customer passwords and
user names, experts said. One way is by placing keystroke-monitoring
software on any public computer in a library, hotel business center or
airport. With the software, all keystrokes entered on the computer can
be recorded and e-mailed anywhere in the world.
Experts said all hackers have to do is wait until anyone types in the
Web address of E-Trade, Ameritrade or another online broker, and then
watch the next several dozen keystrokes, which are likely to include
someone's password and login name.
These emerging Internet stock schemes appear to be new versions of the
widely used "pump-and-dump" e-mail scams, in which spammers send out
mass e-mails containing bogus news alerts intended to manipulate stock
Stark said perpetrators are breaking into customer accounts and buying
shares of thinly traded, microcap securities, also known as penny
stocks. The hacker gains access using the customer's user name and
password, then liquidates that person's existing stock holdings and uses
the proceeds to buy shares in the microcap. The goal, regulators said,
is to boost the price of a stock the hacker has already bought at a
lower price in another account. The hacker then liquidates the stock and
wires the money either to an offshore account or through a series of
straw men, or dummy corporations, Stark said. The straw man may not know
he is participating in fraud; he may have been told he is helping, say,
an offshore business.
The entire operation can take a matter of minutes, or at most, hours.
"The unwitting victim opens the account in the morning and finds he or
she owns thousands of shares in a microcap company that they have never
heard of," Stark said.
Caplan said E-Trade recently made operational changes and added
technology to thwart the criminals. "We've seen that level of fraud in
the last three weeks or so reduced to almost zero . . . ," he said in
the conference call.
Glen Mathison, a spokesman for Charles Schwab Corp., the largest online
broker, said losses due to online identity theft and fraud have not
reached "a material level" that would require disclosure to investors.
But he added that Schwab also guarantees to reimburse clients for online
losses caused by fraud.
Unlike banks, brokerage accounts are not protected by Federal Deposit
Insurance Corp. and other federal banking rules that ensure consumers
get their money back, so the consumer must rely on the company to cover
Ameritrade's Becker said the company advises clients to make sure they
have good spyware detection software on their computers. Ameritrade's
Web site also offers clients free software that helps detect or
eliminate snooping programs.
In Canada, the Investment Dealers Association, the self-regulatory arm
of Canada's securities industry, is looking into similar scams.
Online financial fraud has grown so serious that the Federal Financial
Institutions Examination Council, a government entity that establishes
standards for banks, has given U.S. financial institutions until Dec. 31
to tighten security measures for accessing online accounts.
"This thing is so widespread and it has such a significant impact on the
industry at large . . . that I think you're going to end up seeing
structural changes in the industry," Caplan said.
Staff researchers Richard Drezen and Karl Evanzz contributed to this
Copyright 2006 The Washington Post Company
Visit the InfoSec News store!