By Rob Carrick
August 14, 2007
It's time to start thinking about security, and not just commission fees
and service, when you decide which online broker to use.
The Investment Dealers Association of Canada says its members are
reporting about two to three instances of hackers gaining access to
client accounts each month, and the results can be costly both in
dollars lost and aggravation. That's the message from a woman who
contacted this column last week about an incident on July 30 in which a
hacker gained access to her account, sold her holdings and began buying
shares of a Nasdaq-listed company.
"I was just shocked when I heard this happened," said the woman, who
asked that her name not be used. "I'm not very computer savvy and I
didn't know that this was a risk that I was taking when I traded with a
discount broker online."
The woman's broker, Montreal-based TradeFreedom Securities, had as of
yesterday promised to restore her account to the state it was in before
the intrusion. But her experience has led her to wonder if she'd be
better off with a broker that offers a security guarantee against losses
Her brush with a hacker began two weeks ago when she was unable to log
into her account online. She said she was told by her broker after
calling in that someone had gained access to her account, sold her
holdings and purchased 11,400 shares of SourceForge Inc., an Internet
company. She recalls being told that her account had been frozen when
TradeFreedom's internal systems noticed some trading anomalies.
Presumably, the fraudster was trying a version of the pump-and-dump
scam, where big purchases are used to bid up the price of a stock. The
fraudster then sells his own personal position in the stock, taking
advantage of the upward price move.
SourceForge's share price didn't tank after the unauthorized purchases
in the woman's account, as sometimes happens. However, she said she
missed out on a rise in a core stock in her portfolio that was sold by
the hacker. "What gets me is that it was my intention not to sell the
stock," she said.
The key question here, of course, is how a hacker got access to the
woman's username and password, which are needed to access an account
online. Experts say your personal data can be stolen if you click on
strange e-mails that introduce spyware or viruses to your computer, but
the woman said she has anti-virus software on her computer, and that she
hasn't opened any suspect e-mails. TradeFreedom is still investigating.
So it goes with security problems such as these. It's difficult to know
exactly how they happened and who's at fault. If you're victimized, all
you want is for the problem to go away.
This brings us to security guarantees, which are now fairly standard in
the credit card world through zero-liability policies that eliminate the
risk of having to pay for fraudulent transactions. In the online
brokerage world, security guarantees are slowly starting to catch on.
Among the firms that offer them are TD Waterhouse, the country's largest
online broker, RBC Direct Investing, E-Trade Canada and Qtrade Investor.
Note: these guarantees are not bulletproof. They may require you to
notify your broker within a few days of an account intrusion and to
co-operate fully in providing information to your broker. Also, they may
not cover you if you failed to take reasonable precautions to keep your
Still, having a security guarantee at least suggests a level of
commitment to protecting clients against fraud. Without one, customers
can't be sure of where they stand if they've been victimized.
Consider the case of the woman whose account was hacked - she said she
was told initially that TradeFreedom would not restore her account to
the way it was before the intrusion. Then, the firm decided to step up.
"Generally, our policy is if a customer has unknowingly or unwittingly
been victimized, we help the customer out," said Bruce Seago,
People in the investment industry say online fraud isn't a major problem
in Canada, but the situation in the United States suggests it could
easily get worse. E-Trade Financial's annual report says the company's
fraud losses tripled to $31.2-million (U.S.) last year.
Your first line of defence as an investor is to take all possible
precautions. Then, on the off chance a hacker nails you, consider using
a broker with a security guarantee.
Take it from a woman who has lived through the experience of being a
victimized investor: "There's enough risk out there without this sort of
Here are some suggestions for protecting the username and password
required to log into your online brokerage account. This personal data
can be captured by hackers who use it for frauds that involve
unauthorized trading in your account.
* Don't share your username or password with anyone.
* Avoid accessing your account using wireless Internet access in a
* Use anti-virus and anti-spyware programs on your computer, and keep it
* Steer clear of "phishing" e-mails, which direct you to phony websites
where you're asked to provide your username and password.
* Be cautious in clicking on attachments in e-mails.
* Clear the cache on your Web browser after logging out.
* Review your account statements to ensure all transactions were
authorized by you.
Source: TradeFreedom Securities
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!