Us Expat Defrauded Of Us$30,000 While Trading Online

[goatfarmer]

BIG THREAT TO ONLINE TRADERS USING UNPROTECTED PC'S

A US expat was defrauded of US$30k last week while using his online account with a US broker.

He was trading blue chips such as Yahoo and Broadcom. However, the next day, when opening his account, he discoverd that the account contained numerous transactions pertaining to a stock trading at less than 1 cent.

On checking the value of the stock and the trading report on his account, he discoverd that his account had been used to run up the price of the stock, by purchasing at ever higher amounts. He was left holding the stock at day high. The stock finished the day at half of the price that his account had been used to purchase the stock. (ie, his account showed 0.005 cents purchase price; at the end of the day, the stock was trading at 0.0025 cents.)

Someone had hacked into his account and used his account to run up the price of the stock. By the time the account holder got rid of the stock, he had lost US$30,000.

The trader was using an internet cafe in Bangkok. Most of these cafes use pirate Windows XP. During the last couple of months, Microsoft has made a campaign to sign up users of pirated XP. They have turned off security settings and do not provide security updates to pirated software.

The hacker in question has taken advantage of this recent development. The hacker will most likely strike again. Steps we must take are:

1. Do not operate trading accounts from internet cafes using pirate software;

2. Only operate trading accounts from computers with a fire wall. As mentioned in this forum, Zone Labs offers a free firewall which I have just installed and which seems to be working well. (The free home use version is not mentioned on the http://www.zonelabs.com homepage. But it's on the download option.) There are a few things to get used to. But there is good online support. Might be worth forking the fifty bucks and getting their Pro version.

3. Change trading passwords frequently. Your passwords might already be stored on some hacker's computer, waiting for the ideal time to strike.

[Oleg_Rus]

What a load of ****!

don't use girls if you don't have condoms

don't play with matches if you don't know the basics

don't trade online if you don't have money to buy pc for your own

....

[rcm]

What a load of ****!

don't trade online if you don't have money to buy pc for your own

....

Absolutely agree on that point....at least have a laptop if you're on the move and trade online.

rcm

[percy2]

BIG THREAT TO ONLINE TRADERS USING UNPROTECTED PC'S

A US expat was defrauded of US$30k last week while using his online account with a US broker.

He was trading blue chips such as Yahoo and Broadcom. However, the next day, when opening his account, he discoverd that the account contained numerous transactions pertaining to a stock trading at less than 1 cent.

On checking the value of the stock and the trading report on his account, he discoverd that his account had been used to run up the price of the stock, by purchasing at ever higher amounts. He was left holding the stock at day high. The stock finished the day at half of the price that his account had been used to purchase the stock. (ie, his account showed 0.005 cents purchase price; at the end of the day, the stock was trading at 0.0025 cents.)

Someone had hacked into his account and used his account to run up the price of the stock. By the time the account holder got rid of the stock, he had lost US$30,000.

The trader was using an internet cafe in Bangkok. Most of these cafes use pirate Windows XP. During the last couple of months, Microsoft has made a campaign to sign up users of pirated XP. They have turned off security settings and do not provide security updates to pirated software.

The hacker in question has taken advantage of this recent development. The hacker will most likely strike again. Steps we must take are:

1. Do not operate trading accounts from internet cafes using pirate software;

2. Only operate trading accounts from computers with a fire wall. As mentioned in this forum, Zone Labs offers a free firewall which I have just installed and which seems to be working well. (The free home use version is not mentioned on the http://www.zonelabs.com homepage. But it's on the download option.) There are a few things to get used to. But there is good online support. Might be worth forking the fifty bucks and getting their Pro version.

3. Change trading passwords frequently. Your passwords might already be stored on some hacker's computer, waiting for the ideal time to strike.

Stick to goats mate

[Phil Conners]

And try to make it a problem with piracy software. It has nothing to do with that and everything to do with sloppy management of the PC's in the internet cafe.

[Firefan]

Sloppy management? Or maybe very CLEVER management....

Cheers!

[goatfarmer]

Thanks for the encouragement. What a fine bunch you are. The aim of this posting is to warn and assist the ignorant, not condemn them.

The victim in this case is a retired expat of modest means who has been defrauded of a substantial portion of his retirement savings. Smirking at his loss is despicable.

The civic thing to do is to warn the ignorant, not deride them and suggest that they deserve to be defrauded. Shame on you Oleg, Rcm and subsequent creatures.

As a lawyer, I am offering to help the victim. If anyone can contribute positive suggestions to this discussion, I would be grateful. In particular, if there are any lawyers, with a knowledge of US securities law, who would be willing to assist on this case, please PM me.

Edited July 30, 2006 by goatfarmer

[ronz28]

I would immediately notify the U.S. Broker of the unauthorized trades because they usually take 3 trading days to settle (T+3=trade date plus 3 days to settle). Perhaps they can kill the trades before settlement, report the fraud to the SEC and find out and go after who was on the other side of those trades. Act fast.

[taxout]

Agree that you need to notify the broker of these unauthorised trades immediately, both informally (telephone call or e-mail) -- and formally (registered mail).

Of course get out the agreement that was signed when the account was opened. It will probably tell you where to give notices, say something about liability for unauthorised trades, and cover dispute resolution, which will probably be limited to binding arbitration in the US.

Because most customer complaints against brokers are settled by mutual agreement or resolved by binding private arbitration, there's not much in the public domain disclosing how these disputes are customarily settled.

Your friend will have the burden of demonstrating that he did not in fact authorise the trades and he should start assembling a record -- documentary and narrative -- now while memories are fresh.

[IMA_FARANG]

BIG THREAT TO ONLINE TRADERS USING UNPROTECTED PC'S

A US expat was defrauded of US$30k last week while using his online account with a US broker.

He was trading blue chips such as Yahoo and Broadcom. However, the next day, when opening his account, he discoverd that the account contained numerous transactions pertaining to a stock trading at less than 1 cent.

On checking the value of the stock and the trading report on his account, he discoverd that his account had been used to run up the price of the stock, by purchasing at ever higher amounts. He was left holding the stock at day high. The stock finished the day at half of the price that his account had been used to purchase the stock. (ie, his account showed 0.005 cents purchase price; at the end of the day, the stock was trading at 0.0025 cents.)

Someone had hacked into his account and used his account to run up the price of the stock. By the time the account holder got rid of the stock, he had lost US$30,000.

The trader was using an internet cafe in Bangkok. Most of these cafes use pirate Windows XP. During the last couple of months, Microsoft has made a campaign to sign up users of pirated XP. They have turned off security settings and do not provide security updates to pirated software.

The hacker in question has taken advantage of this recent development. The hacker will most likely strike again. Steps we must take are:

1. Do not operate trading accounts from internet cafes using pirate software;

2. Only operate trading accounts from computers with a fire wall. As mentioned in this forum, Zone Labs offers a free firewall which I have just installed and which seems to be working well. (The free home use version is not mentioned on the http://www.zonelabs.com homepage. But it's on the download option.) There are a few things to get used to. But there is good online support. Might be worth forking the fifty bucks and getting their Pro version.

3. Change trading passwords frequently. Your passwords might already be stored on some hacker's computer, waiting for the ideal time to strike.

The problem has nothing to do with pirate software, or Microsoft XP. What might be happening is that someone has (maybe delibrately) installed a program known as a KEYLOGGER MONITOR on the server that is used in the internet cafe to interface with the local service provider. I have posted a notice about finding a keystroke monitor (last October) on an internet cafe in BKK. I told the Thai woman who was running the cafe that I had found the program, and gave her the specifics (including program name on the server) that was causing the problem. She said it was a problem with Hotmail and Yahoo mail in BKK, However, I came back 2 days later, and somehow the KEYLOGGER had been removed by the administrator. (what a coincidence!) The admin denied any knowledge of what I was talking about.

What this KEYSTROKE LOGGER/MONITOR does is wait and intercept keystrokes coming in from the keyboards. When it detects a request for a password it stores the response (password and user name). It then sends a error message back to the person who entered the password. This makes the user think his password entry failed. He then re-enters the password and the program this time passes the password out to wherever it is supposed to go. The intercepted Password & User name are stored in a buffer in the server. The program has a backdoor access and whoever has installed it can access the password and user name data through connecting to the server by the backdoor.

Upshot: NEVER use an internet cafe to connect to any password access site. If this site is used for anything that involves financial data, your password can be copied and used by others to defraud you.

I know that at least one internet cafe in BKK had one of the well known keyword monitor/logger worms installed in October 2005. According to one of my "tech geek" friends a lot of similar programs are commonly found in BKK on internet cafe sites.

Edited July 30, 2006 by IMA_FARANG

[udon]

Hi goatfarmer,

it begs the question: why didn't your friend buy a small laptop or desktop?

I'm sorry he got screwed.

[Gary A]

My first thought is that he forgot to log out of his account. The second thought is that he was a victim of a keylogger program. Most Internet cafe owners know nothing about key loggers or computers and anyone who uses an Internet cafe to manage his bank or stock trading account is simply asking for problems. Not so long ago a young farang was caught making his rounds collecting information from all the key logger programs he had installed in a number of Internet cafes. One owner was savvy enough to have installed programs to detect spying programs and they caught the thief. I never heard any more about it so I have no idea what happened to the guy.

[andrewryan108]

Risks of using ones own laptop on wifi at an intenet cafe/restaurant/other public place?

If logging into a password protected place, what risks if any would one be taking? ie someone intercepting ones pasword, other confidential information etc.

[Beavis and Butthead]

This is a major drag that this occurred. Certainly it could happen to anyone. I always hate the jackoffs who say things like "he shoulda done this" or "why didnt he do that". Those jerks are an enormous help now aren't they? The guy was likely not tech savvy and thought it was safe to access his acct from a net cafe. If you're a trader you need to check your holdings and make moves at a moments notice all the time. Like the guy is going to have a laptop bolted to his back 12 hours every trading day. I'm sure he wants to lug the thing from bar to bar on a night out. This guy has my sympathy 100%. I take my share of risks in this regard because I am out and need to make trades. In fact I have done some recently and this thread reminded me to change my password. Thank you Goat for this thread and to the A-holes like Percy and the others, dont bother posting here because you offer nothing

[Beavis and Butthead]

Hi goatfarmer,

it begs the question: why didn't your friend buy a small laptop or desktop?

I'm sorry he got screwed.

He's probably got 2 each. You just don't get trading. Trading is impulsive and opportunistic. You can't be sure when you will need to make a trade. He likely went into the cafe and saw yahoo was down 25% and knew he should grab some immediately. By the time he goes home to his puter, yahoo is up 5%.

A suggestion to the guy for next time is to do the trading by phone. Commissions are higher but takes out the risk factor.

Ronz28 has great suggestion. I would get on that

[Beavis and Butthead]

I know a guy who accessed his US bank acct at a BKK net cafe. The next time he couldn't log in. He called his bank and the address had been changed to somewhere in the UK. His $50K was still intact. He was shaken up. He had never heard of keyloggers

[Soju]

I would agree with the others about priated XP not likely being the problem. The problem is almost certainly a keylogger or other logging software that could be installed regardless of whether the XP was a legal version or not.

But you bring up an interesting issue. If in fact the loss of his money could be proved to be due to Microsoft denying proper security updates to pirated versions of XP, but there is no warning to users such as him at internet cafes, then perhaps he would have some legal recourse with Mircosoft. If he has installed a priated version on his own computer and such a thing happened, then he should bare full responsibility. But if it happened at a net cafe and he was unaware of it, then the owner of the net cafe and/or Microsoft could possibly be liable. However, being that he seems to already know that the XP at the net cafe is pirated and lacking proper security updates, I guess he has no real claim....just if he wasn't aware of it before the incident.

[rcm]

The guy was likely not tech savvy and thought it was safe to access his acct from a net cafe. If you're a trader you need to check your holdings and make moves at a moments notice all the time. Like the guy is going to have a laptop bolted to his back 12 hours every trading day. I'm sure he wants to lug the thing from bar to bar on a night out. This guy has my sympathy 100%.

We are All sorry for what happened to him , but honestly if he needs to make a move at a moments notice why not getting a PDA? They can do almost anything as a laptop can (yes even trading )and you can take it with you at ALL times. Nobody needs to be tech savy to use them . When you deal with anything related to Money do not use and internet Cafe . Use the Internet cafe to send emails to noi , nok or tess, or have an online chat , but don't use it for Banking or for anything that leads to personal details ,Credit card nrs..... And i am sure he has heard about this before too.

rcm

[boppia]

Another method could be the cafe owner has a small camera over the computer with which he can record websites and passwords. It would be easy for the cafe owner to direct a tourist or farang to that particular terminal in order to get info from them. Watch out.

[calibanjr.]

OK guys, you've pointed out some problems about working at internet cafes, keyloggers, securities, etc. Does anybody believe you can "run up" any realistic public stock on a 30k account, even leveraged? This is just a piss-take (one of my favorite phrases that I've learned from the cousins).

[Phil Conners]

Not so long ago a young farang was caught making his rounds collecting information from all the key logger programs he had installed in a number of Internet cafes.

VERY unlikely. Most keyloggers immediately mail off the information to a (free, anonymous) mailbox where the hacker read the information.

Another method could be the cafe owner has a small camera over the computer with which he can record websites and passwords. It would be easy for the cafe owner to direct a tourist or farang to that particular terminal in order to get info from them. Watch out.

Why bother making things so complicated? It takes 2 seconds and cost virtually nothing to install a keylogger - and most people would never know it was there.

[LaReina]

The guy was likely not tech savvy and thought it was safe to access his acct from a net cafe. If you're a trader you need to check your holdings and make moves at a moments notice all the time. Like the guy is going to have a laptop bolted to his back 12 hours every trading day. I'm sure he wants to lug the thing from bar to bar on a night out. This guy has my sympathy 100%.

We are All sorry for what happened to him , but honestly if he needs to make a move at a moments notice why not getting a PDA? They can do almost anything as a laptop can (yes even trading )and you can take it with you at ALL times. Nobody needs to be tech savy to use them . When you deal with anything related to Money do not use and internet Cafe . Use the Internet cafe to send emails to noi , nok or tess, or have an online chat , but don't use it for Banking or for anything that leads to personal details ,Credit card nrs..... And i am sure he has heard about this before too.

rcm

Good point RCM.

For about 20,000 baht, you can get a wifi PDA (ben Q, qtek 9000, and others) and can install a wireless firewall (zone alarm) thus eliminating the need to go to an internet cafe as there are several wifi hot spots in bangkok.

Your pda will come with a legitimate IE thus eliminating the fear of bootlegged software.

AND at home you can always turn off the feature in your IE that sends messages to Microsoft checking out your computer.

[Taggart]

The guy was likely not tech savvy and thought it was safe to access his acct from a net cafe. If you're a trader you need to check your holdings and make moves at a moments notice all the time. Like the guy is going to have a laptop bolted to his back 12 hours every trading day. I'm sure he wants to lug the thing from bar to bar on a night out. This guy has my sympathy 100%.

We are All sorry for what happened to him , but honestly if he needs to make a move at a moments notice why not getting a PDA? They can do almost anything as a laptop can (yes even trading )and you can take it with you at ALL times. Nobody needs to be tech savy to use them . When you deal with anything related to Money do not use and internet Cafe . Use the Internet cafe to send emails to noi , nok or tess, or have an online chat , but don't use it for Banking or for anything that leads to personal details ,Credit card nrs..... And i am sure he has heard about this before too.

rcm

Good point RCM.

For about 20,000 baht, you can get a wifi PDA (ben Q, qtek 9000, and others) and can install a wireless firewall (zone alarm) thus eliminating the need to go to an internet cafe as there are several wifi hot spots in bangkok.

Your pda will come with a legitimate IE thus eliminating the fear of bootlegged software.

AND at home you can always turn off the feature in your IE that sends messages to Microsoft checking out your computer.

Some PDA's have MAC O/S. Would they not be more secure for accessing bank/brokerage accounts?

[Charma]

Surely any reputable banking or trading site should never require a user to enter a full password. It should use a random partial selection for final entry authorisation which should reduce the risk from keyloggers/cameras.

[Khun Jean]

What happened is not really a fault of any OS.

It is just a very weak authentication from the broker/bank.

A simple username/password is not sufficient. Switching to another broker with a more advanced authentication is necessary.

There are several methods that work good, one of them is a key generator. Looks like a small calculator. Everytime you login or want to perform a trade you need to use the key generator to confirm that you are the right person. The key generator has a pincode so even if you loose it it will stop working after 3 failed attempts.

Even walking away from an open session wil not be good to anybody. The moment you want to place an order or transfer money you need the generator again. Keyloggers can log all they want, they will never get access.

If one person/company is responsible for the loss it is the broker for having a faulty authentication procedure. They have to protect the 'normal' people who most of the time have no deep technical knowledge about computers and authentication procedures.

[Soju]

Surely any reputable banking or trading site should never require a user to enter a full password. It should use a random partial selection for final entry authorisation which should reduce the risk from keyloggers/cameras.

If I understand correctly the security measure you are proposing, then I would never do business with such a bank or trading site as I would think of them as being anything but reputable for using what I would consider to be a totally unsecure method. Users very often make multiple logins to their account from the same computer. It may be the same computer over multiple sessions, or it could even be in a single session. So let's say in the first login they are asked for the first 4 digits of a 10-digit password. The next time they are asked for the middle 4 digits. The last time they are asked for the last 4 digits. The hacker now has their complete password and and can access the account. Another problem with this method is that for some people it would be very difficult for them to be able to enter a partial password without first writing down the entire password and seeing it visually in order to extract the partial password. Writing down the entire password gives yet another opportunity for the password to fall into someone else's hands.

If the security measure you are proposing is just part of a multi-stage login, then it might be ok, but certainly under some conditions it is no more secure than entering the full password. If you can guarantee the the user will never login more than once from any given internet cafe, and that they will not write down their full password as part of them extracting the partial password, then the method should be secure. But I doubt that is very practical or enforceable upon the users.

On the internet banking systems that I use, the user's password is not the primary security measure. A hardware device, or some other method of asking for a randomly generated number completely independent of the password is the primary security measure.

I'd be very interested to hear more details about this security measure, especially if it's one actually being used and any comments about how it gets around the problems I've outlined.

[KhunPadThai]

I wondered how long it was going to take the criminals to figure out the real money is in the brokerage accounts. If you do not always follow these precautions you are leaving yourself open to a large loss. Unlike the credit card companies, the brokers and banks don't have a policy or a regulation limiting your loss in the event of fraud.

1. Never, ever, under any circumstances, even the most pressing instance of trading inspiration, access a money account from any computer other than your own, at home. Not your friend's or the one you use every day at the office or any other.

2. Make sure that your operating system is always up-to-date with patches.

3. Make sure that your computer always has up-to-date virus protection.

4. Make sure that your computer has a firewall installed and configured for maximum security. Configure the screen saver to lock after ten minutes of inactivity and requre the password to unlock.

5. Never use Internet Explorer. Use the Firefox browser with a java script blocker extension. Do not permit the browser to save passwords to log you in automatically.

6. Stop and restart the browser before going to a financial website.

7. Stop and restart the browser after logging off a financial website.

8. If you have a little computer savvy, download the Knoppix Linux CD and boot from that before accessing your financial website. This method is the gold standard since nothing can be saved and you can be sure that it is not running a keystroke logger. However, rule #1 above still applies.

9. Or use a Macintosh instead of Linux, but all the other rules still apply.

10. Change the passwords to your financial accounts every three months at the longest. Use a unique password for each account. Download a random password generator program to create the passwords which use at least three kinds of characters: lower case, upper case, numerals and punctuation. Don't store them in a file on the computer. Keep them on a piece of paper in your wallet without the url or login id.

12. Reconcile your accounts monthly from a paper statement mailed to your home. Do not download transactions from an online source into your home accounting system since you eliminate even the possibility of doing a reconciliation if you don't maintain your own data. You do have a home accounting system, don't you?

In my opinion, these steps are the minimum to reduce the risk of a thief getting access to your money accounts from you. There still remains the substantial risk that the financial institution will fail to safeguard your money, but there is not much you can do there except choose the company as wisely as you can. If you can find a company that offers two-factor authentication choose that company. Two-factor authentication means you need to have something you know, usually a password, and something you have, usually a one-time password device such as SecuriD, but could also be a biometric device, for instance.

Anyone who does not take these steps is courting ruin, once again in my opinion. Last year, according to the New York Times, two million bank accounts were looted electronically in the US. Those who pay attention and adapt to the ever-changing threats online will have the best chance. Those who suffer losses will be almost entirely from the population of people who can't be bothered trying to keep secure and who couldn't possibly sacrifice the convenience features that pose the threats that he can't see.

[Charma]

Surely any reputable banking or trading site should never require a user to enter a full password. It should use a random partial selection for final entry authorisation which should reduce the risk from keyloggers/cameras.

If I understand correctly the security measure you are proposing, then I would never do business with such a bank or trading site as I would think of them as being anything but reputable for using what I would consider to be a totally unsecure method. Users very often make multiple logins to their account from the same computer. It may be the same computer over multiple sessions, or it could even be in a single session. So let's say in the first login they are asked for the first 4 digits of a 10-digit password. The next time they are asked for the middle 4 digits. The last time they are asked for the last 4 digits. The hacker now has their complete password and and can access the account. Another problem with this method is that for some people it would be very difficult for them to be able to enter a partial password without first writing down the entire password and seeing it visually in order to extract the partial password. Writing down the entire password gives yet another opportunity for the password to fall into someone else's hands.

If the security measure you are proposing is just part of a multi-stage login, then it might be ok, but certainly under some conditions it is no more secure than entering the full password. If you can guarantee the the user will never login more than once from any given internet cafe, and that they will not write down their full password as part of them extracting the partial password, then the method should be secure. But I doubt that is very practical or enforceable upon the users.

On the internet banking systems that I use, the user's password is not the primary security measure. A hardware device, or some other method of asking for a randomly generated number completely independent of the password is the primary security measure.

I'd be very interested to hear more details about this security measure, especially if it's one actually being used and any comments about how it gets around the problems I've outlined.

Of course it is better than entering the full password! That would just be silly. All such systems are also (obviously) part of a multi stage login (they need to know some things before they can test your password). The fact that they are random means that the characters do not come 1-4, 5-8 etc. Of course (obviously) anyone who writes down their password is an idiot and will not be protected.

With a password of 8 characters and a random request for 3 of them, you would have to site under the same camera and complete the login around 350 times to be sure of covering every possible combination. They would also need to be able to read/capture the screen.

I have been with an internet bank for 16 years using this method. I am not aware of any incidences where they have been defrauded without some foolishness on the part of the user.

You mention some sort of hardware device. Not sure that many people use these nowadays or that they are very practical. If you could describe the other way of asking for a randomly generated number independent of the password, I would be interested. But then I would also be interested to know what the purpose of the password would be, seeing that it it not used!

[Soju]

Of course it is better than entering the full password! That would just be silly. All such systems are also (obviously) part of a multi stage login (they need to know some things before they can test your password).

What sort of things need to be known before they test the password? User name? Date of Birth? ID number? Telephone number? Any of these items don't give any real added security as they'll all be recorded by a keylogger. The real security MUST be some randomly generated code that will not be repeated on successive logins.

The fact that they are random means that the characters do not come 1-4, 5-8 etc. Of course (obviously) anyone who writes down their password is an idiot and will not be protected.

For me, it would be no problem to enter some random digts of my password. I could just pull them out mentally as I went mentally go through the digits. But for some people just remembering their password is all they can do and asking them for the 3rd, 5th and 7th digits is just too much for them. They may not be the brightest among us, but they are part of the bank's customer base and these days with the proliferation of computers, they are also computer users.

With a password of 8 characters and a random request for 3 of them, you would have to site under the same camera and complete the login around 350 times to be sure of covering every possible combination. They would also need to be able to read/capture the screen.

That 350 times is totally misleading. It would take at most a few logins before a hacker would have an excellent chance of hacking the account. Let's say in your 8-digit password, you are asked for digts 3,5, and 7 the first time. Then 1 4, 7 the next. Then 2, 5, 6 the next. You then have supplied digits 1,2,3,5,6,7. Chances are that even if the unknown digts, 4 and 8, were asked for when the hacker tried to login, they could just quit and try again and very quickly they'd get a login that didn't request those digits. Such would be a piece of cake for a hacker. Reading/capturing the screen is trivial these days with high-speed CPUs and lots of memory and hard disc space. There's a huge selection of programs that can do this without the user being aware of it.

You mention some sort of hardware device. Not sure that many people use these nowadays or that they are very practical. If you could describe the other way of asking for a randomly generated number independent of the password, I would be interested. But then I would also be interested to know what the purpose of the password would be, seeing that it it not used!

I don't know what the bank's cost is for these hardware devices, but from my involvement in the electronics industry I know that the material cost is likely well below 1USD, so IMHO they are very practical to give out to customers considering the alternative of being faced with perhaps having to reimburse a customer's loss due to fraud. To my knowledge, all HSBC customers are now using these devices. Another bank of mine gives me a security card. It's just a plastic card with about 30 sequential codes printed on it. I believe the codes are unique to me, so another customer will have different codes. After logging in with my username and password, I'm asked for a random code, let's say code number 19. I look on the card at number 19 and enter the code next to it. If I get the code wrong 3 times in a row, I need to make a personal visit to my branch to reset my account before using it again. Being there are only 30 different codes, I don't think this method is very secure. As with your method, if I log in enough times on the same computer, a hacker will have a good chance of getting a login asking for a code I've already used before. The number of logins needed to hack my account will be higher than with your method, but still within the range that many users would be vulnerable. A card with let's say 1,000 codes, none of which are repeated until all 1,000 codes have been used once, would be much more secure, but the problem is the card would be too big to be wallet sized. An alternative solution would be to have multiple cards. Let's say I'm given 20 cards sequentially numbered, with 30 codes on each. When I've used all 30 codes on card number 1, it will prompt me to change to use security card number 2 for my next logins, and so forth. Once I've finished with the 20 cards, I either get a new set of cards from the bank or go back to card number 1. With the hardware device, I'm guessing that it's probably generating unique codes each time, perhaps based on some sort of random sequence unique to my customer number, so that any previously used codes will never be repeated again in the future.

The purpose of the password is just to keep snoopers or novice hackers from accessing your primary security screen and causing your account to be locked until you visit your bank. If the password was not required, a malicious person could write a program to randomly generate login names and then when a successful login name was found, enter some random code 3 times to try to gain access. Chances are that access would be denied, but it would create a major inconvenience for the bank and the customer.

I have been with an internet bank for 16 years using this method. I am not aware of any incidences where they have been defrauded without some foolishness on the part of the user.

Do you mean to say that you are a customer with this internet bank or that you work for them. Banks typically keep extremely quiet about bank fraud for fear of scaring off customers. Bank fraud happens everyday without any public announcement. Unless you are working in the bank and are responsible for bank security, you'd never know to what extent this might be a problem. Extended security measures for internet banking are just now becoming commonplace. The HSBC hardware security devices are new only in the past 1 to 2 years. Prior to that they just had a simple login. There's lots of phising scams these days, with the frequency constantly increasing, with hackers sending emails randomly to customers pretending to be the bank and asking that the user verify some information by logging onto a bogus site with their username and password. Even if your particular bank hasn't had any serious incident, I'm sure many if not most of the major banks have been victims of this fraud and an multi-stage login with some verification independent of the password is absolutely necessary to protect the bank.

[Soju]

I wondered how long it was going to take the criminals to figure out the real money is in the brokerage accounts. If you do not always follow these precautions you are leaving yourself open to a large loss. Unlike the credit card companies, the brokers and banks don't have a policy or a regulation limiting your loss in the event of fraud.

1. Never, ever, under any circumstances, even the most pressing instance of trading inspiration, access a money account from any computer other than your own, at home. Not your friend's or the one you use every day at the office or any other.

2. Make sure that your operating system is always up-to-date with patches.

3. Make sure that your computer always has up-to-date virus protection.

4. Make sure that your computer has a firewall installed and configured for maximum security. Configure the screen saver to lock after ten minutes of inactivity and requre the password to unlock.

5. Never use Internet Explorer. Use the Firefox browser with a java script blocker extension. Do not permit the browser to save passwords to log you in automatically.

6. Stop and restart the browser before going to a financial website.

7. Stop and restart the browser after logging off a financial website.

8. If you have a little computer savvy, download the Knoppix Linux CD and boot from that before accessing your financial website. This method is the gold standard since nothing can be saved and you can be sure that it is not running a keystroke logger. However, rule #1 above still applies.

9. Or use a Macintosh instead of Linux, but all the other rules still apply.

10. Change the passwords to your financial accounts every three months at the longest. Use a unique password for each account. Download a random password generator program to create the passwords which use at least three kinds of characters: lower case, upper case, numerals and punctuation. Don't store them in a file on the computer. Keep them on a piece of paper in your wallet without the url or login id.

12. Reconcile your accounts monthly from a paper statement mailed to your home. Do not download transactions from an online source into your home accounting system since you eliminate even the possibility of doing a reconciliation if you don't maintain your own data. You do have a home accounting system, don't you?

In my opinion, these steps are the minimum to reduce the risk of a thief getting access to your money accounts from you. There still remains the substantial risk that the financial institution will fail to safeguard your money, but there is not much you can do there except choose the company as wisely as you can. If you can find a company that offers two-factor authentication choose that company. Two-factor authentication means you need to have something you know, usually a password, and something you have, usually a one-time password device such as SecuriD, but could also be a biometric device, for instance.

Anyone who does not take these steps is courting ruin, once again in my opinion. Last year, according to the New York Times, two million bank accounts were looted electronically in the US. Those who pay attention and adapt to the ever-changing threats online will have the best chance. Those who suffer losses will be almost entirely from the population of people who can't be bothered trying to keep secure and who couldn't possibly sacrifice the convenience features that pose the threats that he can't see.

KhunPadThai,

Some good advice. But one piece of advice that I haven't seen yet, which I personally use for accounts with large balances, is to have a portable hard drive with a clean install of Windows, plus all the security measures, and which I only use for online financial transactions. If I want to do access one of these financial sites, I turn off my computer and boot from my portable hard drive with my primary hard drive disabled. I do the financial transaction, log off, then immediately turn off the computer and disconnect the portable hard drive. I never ever visit any other websites using the portable hard drive, or run any windows programs, or check any sort of email. So in my mind the system is very secure from any attack. I'm sure my normal system is at times slightly vulnerable due to all the websites I visit and programs I download, but I don't worry about it too much. At most a hacker will get access to my personal email which doesn't have any detailed personal or financial information. It cost me a bit over a hundred dollars for the dedicated portable hard drive, and a bit of my time, but I think for my peace of mind it's worth it.