Invasion Of The Stock Hackers

An alarmed SEC says that teams of thieves are lifting passwords from home PCs -- and emptying online brokerage accounts

Arriving home from a five-week trip to Belgium and India on Aug. 14, a jet-lagged Korukonda L. Murty picked up his mail -- and got the shock of his life. Two monthly statements from online brokerage E*Trade Financial Corp. showed that securities worth $174,000 -- the bulk of his and his wife's savings -- had vanished. During July 13-26, stocks and mutual funds had been sold, and the proceeds wired out of his account in six transactions of nearly $30,000 apiece. Murty, a 64-year-old nuclear engineering professor at North Carolina State University, could only think it was a mistake. He hadn't sold any stock in months.

Murty dialed E*Trade the moment its call center opened at 7 a.m. A customer service rep urged him to change his password immediately. Too late. E*Trade says the computer in Murty's Cary (N.C.) home lacked antivirus software and had been infected with code that enabled hackers to grab his user name and password. The cybercriminals, pretending to be Murty, directed E*Trade to liquidate his holdings. Then they had the brokerage wire the proceeds to a phony account in his name at Wells Fargo Bank (WFC). The New York-based online broker says the wire instructions appeared to be legit because they contained the security code the company e-mailed to Murty to execute the transaction. But the cyberthieves had gained control of Murty's e-mail, too.


E*Trade recovered some of the money from the Wells Fargo account and returned it to Murty. In October, the Indian-born professor reached what he calls a satisfactory settlement with the firm, which says it did nothing wrong. Still, Murty suffered many sleepless nights. "I'm shocked. We didn't know people could play these kinds of tricks."

Increasingly, they can -- and do. In the latest, most pernicious twist yet on Internet securities fraud, online brokerage accounts are being looted by hackers who exploit the weaknesses of investors' computers rather than the firms' systems. It's a new scam, but it's mushrooming. Six months ago, Securities & Exchange Commission investigators say, such schemes weren't even on their radar screen; now, the agency is knee-deep in them.

Alarmed, the SEC and FBI are hot on the trail of the cyberperps, with dozens of investigations in progress. To head off more attacks, the SEC is posting a warning on its Web site with tips on safeguarding online trading accounts. "It's a new and growing area that is more intricate and more complicated than other Internet-related securities frauds," warns John Reed Stark, the SEC's chief of Internet enforcement. "And it is still evolving."

So far, the reported losses from online brokerage accounts are modest: no more than $20 million stolen in the past year. But Web investing is a target-rich environment for thieves: Consumers have $1.7 trillion worth of assets with online brokerages, says TowerGroup, a financial research and consulting firm.

As with the Murtys, brokerages often help customers recover their money, or reimburse them for losses. But the hit on the industry could be enormous, especially if hacker attacks drive investors off-line. "The real cost of security lapses is the loss of confidence," says Ravi Ganesan, CEO of TriCipher Inc., a San Mateo (Calif.) developer of authentication systems. That's why brokers are offering customers an array of free or discounted security measures. "If we want our company to continue to be successful, people have got to feel safe and secure when they come here," says E*Trade President R. Jarrett Lilien.


Home PC users are frighteningly vulnerable. The spread of high-speed and wireless connections has made it easier than ever for hackers to barge in. Even so, an October, 2004, survey by America Online and the National Cyber Security Alliance found 84% of computer users keep sensitive personal information, including financial data, on their home PCs.

To hijack brokerage accounts, hackers have raised their game to a new level. These invasions, law enforcers say, involve hacking or phishing to extract customers' information combined with identity theft, and securities fraud in complex scams executed by gangs. "Generally, it's two or three people working together," says an FBI expert. "The usual profile is people with graduate degrees in finance or banking." The FBI, Secret Service, and private security firms believe most online stock thieves are based in Eastern Europe.

Fortunately, some customers spot hacker intrusions before financial disaster strikes. George Rodriguez, 41, was working from his Waxhaw (N.C.) home at 9:31 a.m. on May 5 when a series of e-mail messages from Ameritrade Inc. started flashing across his computer screen. Within minutes his holdings in Home Depot, Ford Motor, Duke Power (DUK), and Pfizer were all sold. Some $60,000 worth of blue-chip stocks were drained from an account that Rodriguez had traded actively in the dot-com days but largely ignored since 2001.

What saved Rodriguez: The crooks somehow failed to change the e-mail address for trade confirmations. "If they had done that, or if I had been on vacation, I could have been wiped out," says Rodriguez, a partner at real estate investors Waterstone Capital Advisors in Charlotte, N.C. Ameritrade "said they would cancel the orders 'as a courtesy,'" he says, so he didn't lose any money. Says a spokeswoman for the Omaha broker: "The unfortunate events that happened to [Rodriguez] are an issue that Ameritrade and the financial industry have to deal with."

Still, brokers say customers must protect themselves. Crooks "are sniffing the information from the customers' computers, not getting it from our networks," says David S. Kalt, chief executive of online broker OptionsXpress Holdings. Federal investigators agree with this. "The integrity of brokerage firm computers seems to be flawless," says an FBI source.

But even if investors are careless, online brokers know that e-trading could dry up if users get spooked. That's why Ameritrade offers customers a program that scans a PC for malicious code when they log on to the Internet. E*Trade in April began offering ID tokens, devices that generate a new six-digit log-in code every 60 seconds, to investors with $50,000 or more in their accounts. More than 10% of daily log-ons to E*Trade use the devices. In January, E*Trade will unveil still newer trading safeguards that President Lilien promises "will make our secure ID program look old-fashioned."

Online brokers could take a page from banks, which next year will be required to use state-of-the-art safeguards. Many cyberexperts believe that, instead of blaming customers, the brokerage and high-tech industries need to take the lead educating customers and supplying them with the gear and software they need to make their trading secure. Says Robert K. West, CEO of Echelon One LLC, cybersecurity consultants in Mason, Ohio: "In a society that can't set the clocks on its VCRs, it's nuts to expect people to keep up with all these patches and firewalls." Hackers, of course, are hoping investors stay in the dark.

By Amy Borrus, with Mike McNamee in Washington, Brian Grow in Atlanta, and Adrienne Carter in Chicago
