Posted

I have been with an internet bank for 16 years using this method. I am not aware of any incidences where they have been defrauded without some foolishness on the part of the user.

Do you mean to say that you are a customer with this internet bank or that you work for them? Banks typically keep extremely quiet about bank fraud for fear of scaring off customers. Bank fraud happens every day without any public announcement. Unless you are working in the bank and are responsible for bank security, you'd never know to what extent this might be a problem. Extended security measures for internet banking are just now becoming commonplace. The HSBC hardware security devices are new only in the past 1 to 2 years. Prior to that they just had a simple login. There's lots of phishing scams these days, with the frequency constantly increasing, with hackers sending emails randomly to customers pretending to be the bank and asking that the user verify some information by logging onto a bogus site with their username and password. Even if your particular bank hasn't had any serious incident, I'm sure many if not most of the major banks have been victims of this fraud and a multi-stage login with some verification independent of the password is absolutely necessary to protect the bank.

Funnily enough, my bank is HSBC and they have none of the features you mention. The codes on the card - in your wallet - are hardly secure are they? My initial point was simply that passwords should never be entered in full. Obviously nothing is foolproof but random selection is better.

The point I made was that fraud is usually carried out following some sort of silly action by the user. So things like writing down passwords, using internet cafes (and repeatedly going to the same ones) and replying to email scams is obviously going to increase the risk. If you have followed all your bank's instructions for your account and your money is still taken, they have a duty to reimburse you. And as you pointed out, they will probably do this to keep you quiet.

  • 4 weeks later...
Posted

The following from this morning's Toronto Star, will be of interest to those who have online brokerage accounts in Canada or the U.S.

Thieves drain two online accounts

IDA says tens of thousands taken; warning issued to Internet traders

Aug. 25, 2006. 07:06 AM

TARA PERKINS

BUSINESS REPORTER

The Investment Dealers Association of Canada issued a warning to online traders yesterday after two accounts were broken into and wiped out in recent days, and the hijacker or hijackers reinvested the money in over-the-counter stocks.

Authorities suspect the aim was to manipulate the price of the over-the-counter stocks that had been invested in, at least one of which was issued by a Canadian-based company.

Passwords had been obtained to get into the discount brokerage trading accounts, but the IDA isn't sure how.

One possibility is that invasive software was used to monitor keystrokes on home computers.

Another theory is that an individual or individuals were "phishing" for the passwords and log on information by sending an email that purported to be from the discount brokerage firm and asked the victims to confirm their identity details.

Another possibility is that corporate websites were compromised so that when clients attempted to log in, their information was captured on a pirate site.

The Investment Dealers Association said that at this point there is "no suggestion that the security of member firms' online systems has been compromised."

It said the clients may have inadvertently given up the information to persons who subsequently hijacked the individuals' accounts.

Alex Popovic, vice-president of enforcement at the IDA, said the association recently got a call from a U.S. regulator warning of a similar problem at a U.S. firm.

"A U.S. regulator called us and asked for assistance on something they're working on, and almost simultaneously we had two of our firms call us to say that this happened at their firms," Popovic said.

"It's a cluster. We had the American call, we had two of our own calls, all within a few days of each other and figured that we should try to pre-empt it and try to pre-empt losses by clients," he said.

The individuals had "tens of thousands of dollars" in their accounts, he said.

In the two incidents that were brought to the IDA's attention, the client's portfolios were sold out.

The credit was then used to place buy orders for specific securities listed on the OTC Bulletin Board or Nasdaq pink sheets — two U.S. exchanges that list companies from the United States and abroad.

"It appears the purpose was to manipulate the price of shares in the issuer," the IDA said in a statement.

Popovic said he's aware that one of the companies whose shares were purchased was based in Canada, but he declined to name the firm. The IDA is in constant contact with agencies including the RCMP and FBI, and informs them of security issues, he added.

The IDA said that some of the trades were settled before the clients were even aware that there had been an online breach of their account. Firms are now receiving client complaints concerning these unauthorized activities."

It added that "investors who have online accounts should be aware of this risk. Clients should contact their firm regarding any unusual activities in their account."

"Hopefully the criminal authorities will follow up," Popovic said. "There are only two accounts, but once is too many," he said.

Popovic said victims could examine contract details with the brokerages.

  • 1 month later...
Posted

Bloomberg today says Thailand users have been a target.....

E*Trade, TD Ameritrade Are Targeted in Online Brokerage Fraud

By Bradley Keoun

Oct. 23 (Bloomberg) -- Customer accounts at online brokers including E*Trade Financial Corp. and TD Ameritrade Holding Corp. have been infiltrated by computer hackers in Eastern Europe and Asia in one of the biggest cases of identity theft to strike the U.S. securities industry.

The Federal Bureau of Investigation, the Securities and Exchange Commission and the NASD are trying to unravel the fraud, which has cost New York-based E*Trade at least $18 million and caused losses at Ameritrade of Omaha, Nebraska, company officials said. In one ``pump-and-dump'' scheme the SEC uncovered, thieves used customers' money to drive up the prices of little-traded stocks and then sold shares they bought earlier at a profit.

``The perpetrators were more organized, and it was a bigger issue this quarter than it had ever been before,'' E*Trade Chief Operating Officer Jarrett Lilien said in an interview. ``It wasn't just hitting one company, it was hitting everybody.''

The case shows how criminals who ply the Internet from countries beyond the reach of U.S. law enforcers are turning to financial markets to commit fraud. Online brokers are a growing target for identity theft, a crime that in all its forms will cost Americans $56.6 billion this year, according to Javelin Strategy & Research of Pleasanton, California, which has prepared similar estimates for the Federal Trade Commission.

``Identity thieves appear to be directing increased attention to the securities business, and their attacks are growing in sophistication,'' said John Walsh, chief counsel in the SEC's office of compliance inspections and examinations, at an industry conference in Phoenix on Oct. 5.

Customers Compensated

E*Trade disclosed on a conference call last week that it spent $18 million in the third quarter to compensate customers affected by trading fraud. The company, the fourth-largest discount broker by assets, is cooperating with the federal investigation and the probe by the NASD, E*Trade spokeswoman Pam Erickson said. NASD is the industry's self-regulator for more than 5,100 brokerages.

TD Ameritrade, the third-largest online broker, also suffered losses because of bogus trading by unauthorized users who pried their way into customer accounts, said spokeswoman Katrina Becker. She declined to specify an amount. TD Ameritrade may provide more details tomorrow when it reports fiscal fourth-quarter earnings.

Charles Schwab Corp., the biggest online broker, didn't experience ``anything unusual enough to warrant a financial disclosure,'' said spokesman Glen Mathison. The San Francisco-based company reported earnings on Oct. 16. Adam Banker, a spokesman for closely held Fidelity Investments of Boston, the second-largest discount broker, declined to comment.

`Global Problem'

E*Trade Chief Executive Officer Mitchell Caplan told investors that investigators traced the illicit trading to ``concerted rings'' in Eastern Europe and Thailand. The company hasn't determined whether the reimbursement costs will be covered by insurance, he said. TD Ameritrade also was targeted by cyber-criminals in Eastern Europe and Asia, spokeswoman Becker said.

``Internet crimes that result in the theft of personal and financial data from consumers continue to be a significant and global problem,'' FBI spokesman Paul Bresson said. ``We work closely with our foreign law-enforcement counterparts to pursue these cases with all applicable laws.''

Bresson declined to comment on the FBI investigation. John Heine, a spokesman for the SEC, and NASD's Herb Perone also declined to comment.

Some of the losses were straight theft. In his presentation, Walsh of the SEC explained how criminals use personal information such as Social Security numbers to break into accounts. Once in control, they loot the accounts by selling securities and wiring out the proceeds far from the U.S.

`Pump and Dump'

The online version of the ``pump-and-dump'' fraud sets off few security alerts at brokerage firms because no money is withdrawn from the compromised accounts, Walsh explained.

``This is an increasingly popular variation,'' he said in Phoenix. ``If you are looking for a single `hot topic' in the world of identity theft, this is it.''

In ``alias fraud,'' a thief opens an account in an individual's name, then uses it for illegal trading or money-laundering. Because the victim's name is on the account, he or she appears responsible for the crimes.

Walsh said the SEC recently began a ``sweep examination'' of brokerage firms to determine if they have adequate technology and staff training to prevent and detect online fraud.

``This thing is so widespread and has such a significant impact on the industry at large,'' E*Trade's Caplan said. ``You're going to end up seeing structural changes in the industry.''

Reducing the Fraud

Caplan told investors E*Trade reduced the fraud to ``almost zero'' in the past three weeks after beefing up security for electronic trading. The company declined to say how many accounts were infiltrated or explain the security enhancements.

While the Federal Deposit Insurance Corp. covers bank accounts against fraud or insolvency for as much as $100,000, brokerages get no such protection.

E*Trade promised in January that it would reimburse customers for any losses due to fraud in an effort to allay concerns about trading over the Internet or keeping cash in online bank accounts. TD Ameritrade and Schwab offered similar guarantees in February and Fidelity followed in May.


Last Updated: October 23, 2006 00:04 EDT

Posted

Key loggers are good toys.

Well, they are good tools, but are used for toying, such as getting the Hotmail password of your gf.

People who did that are organised and big. They will not rely on key loggers decimated in several internet cafes in Thailand. They will use a more technical approach.

A MAM attack or a phishing attack seems likely the way used. For example, every time I use my PayPal developer account, the day after I get 3 emails asking me to contact PayPal because my account was used by a third party; one of those emails sends me to a Japanese BDSM site (well, the URI, the address given being URI/paypalverif.html), the other sends me to a Russian website about the Great Patriotic War, the third is always a 404 error.

There are people skilled enough to be able to intercept the IP packets sent on the internet; even with SSL, the sending by and going to are still written and readable, so it's quite easy to start a scam. The weakness is mostly a Cisco weakness, by so uneasy to correct.

What those people are looking for is a pattern: someone who is logged in 24 hours a day (by so not a broker nor a pro), someone who does not systematically use the IP address (using cyber, WAN, PDA ...) because it will help to hide when the scam will start, the real scam. People doing that will not do it for 30 000$; the real scam is to move up a quote (not take money from someone) and then get the big bucks. For doing that, you have to be extra careful, equipped and well organised, far from what the usual cyber owner (anywhere in the world) is. Maybe a Chinese mafia organisation (triads?) pressuring the local cyber is able to put that, compensating the brute force of verifying each and every record by a big workforce (mostly Russian hackers are working in small teams).

Posted
The aim of this posting is to warn and assist the ignorant, not condemn them.
It is pretty amazing that people would trade over an internet cafe connection, heh. The only relevant experience I have with warning people concerned their logging on to random, unsecured WiFi networks to use email and make purchases while traveling. I've been in the business long enough that I guess the rationale behind not doing things like this is obvious to me, but, surprisingly, when I tried to pass along a couple of friendly warnings to travelers I got the rolling eyeballs of condescension. The truth about security - both in the personal and the business online spheres - is that people generally don't take it seriously unless they've got professional knowledge about the reality of what goes on, they're paranoid or they've had a bad experience that has taught them a lesson. I've seen grandmothers who are lunatics about security and worked with organizations that keep Access credit card databases on their desktop computers. There seems to be no rhyme, reason or moderation to it.
Posted
A US expat was defrauded of US$30k last week while using his online account with a US broker.

Someone had hacked into his account and used his account to run up the price of the stock.

Was he in Thailand when his account was hacked into?

Your lengthy report is bit clear on that.

---------------

Maestro

Posted

Toronto Star

Investment dealers to fight Web thefts

Growing concern over account hackers

Oct. 24, 2006. 07:33 AM

TARA PERKINS

BUSINESS REPORTER

The Investment Dealers Association of Canada plans to meet with brokerages and security experts in the next month as regulators and law enforcement agencies in Canada and the United States try to tackle growing losses caused by identity-theft scams that target individual investors' online trading accounts.

The association also plans to issue a notice to members, asking them to review their insurance coverage. These scams are often not covered under fraud provisions, which generally apply only to fraud committed by employees.

The issue has been gaining attention as incidents have increased. Last week, E*Trade Financial Corp. revealed it spent $18 million (U.S.) on fraud losses in the third quarter. The company said that, "like a number of our competitors, (E*Trade) experienced a significant increase in losses resulting from fraud relating to identity theft."

John Stark, chief of the United States Securities and Exchange Committee's office of Internet enforcement, said in an interview that "it is a growing concern of ours, and we have seen more complaints about it and more incidents of it in recent months, and we currently have a slew of investigations concerning unauthorized intrusions into online brokerage accounts.

"It's so nascent, it's hard to know exactly how much there is in losses," he added.

Canadian industry sources said the problem doesn't appear to have snowballed as quickly here.

In late August, the Canadian investment dealers association issued a warning to online traders after two accounts were broken into and wiped out. The hijackers reinvested the money in penny stocks. Authorities suspected the aim was to manipulate the price of the penny stocks. It appeared the hijackers had learned the clients' passwords.

Yesterday, Alex Popovic, vice-president of enforcement at the dealers association, said he's now aware of 10 cases.

"We're just in the process of setting up a meeting with the members to discuss this issue," he said.

"We're looking at bringing in some consultants to talk about security and provide some expertise and knowledge on how to beef up security."

JoAnne Hayes, spokeswoman for the Bank of Montreal, said its BMO InvestorLine has had "less than a handful of instances."

"We did reimburse clients," she said.

Lisa Hodgins, spokeswoman for TD Bank Financial Group, which runs TD Waterhouse, said "around August, we were investigating a few reports of unusual activity... but we're not currently investigating any claims."

The brokerage, like many, now has a security guarantee for customers who lose money due to fraud.

TD Waterhouse has not had any proven incidents, Hodgins said.

Popovic said the frauds are happening in numerous ways.

"We've seen all of it. We've seen the viruses, where somebody downloads it onto your home computer.... We have seen situations where people have been asked in an email to go to a website and put in their login.

"We have also tracked some of the false webpages.

"We saw them go as far as Germany, and then we hit a wall," he said.

The investment dealers association refers the incidents to law enforcement agencies.

The perpetrators are becoming more sophisticated, experts said.

"I looked at one of the bank-owned examples, and everything looks exactly the same," Popovic said. "You'd have to be really familiar with the original website to notice that there is a difference."

The international origins of many of the operations make them very difficult to shut down.

The U.S. regulator's Stark said arrangements with various countries allow U.S. authorities to obtain information, "but it involves a lot of co-operation.

"It's not going to move as quickly as it would if the wrongful conduct occurred here in the United States. But, having said that, we're not precluded. We can work with foreign countries to try to do what we can, and we are."

The commission has been warning about fraud directed at online brokerages for more than a year. Originally, the regulator was seeing the criminals liquidate investors' securities and wire the money out to a bank, Stark said.

"Lately, we've been seeing more of these manipulation intrusion kind of schemes — what the IDA is describing — which is when the hacker owns a bunch of some microcap stock, and then goes into an account, liquidates the securities and then buys up enough of that microcap stock to pump up its price," he said.

The hacker then sells, or dumps, previously obtained shares into an artificially inflated market.

TD Ameritrade spokeswoman Katrina Becker said the problem has been increasing, but declined to give figures.

"This is a widespread issue. It's not just online brokerages. It's financial services."

Dean Turner, senior manager for Symantec Security Response, said more than 80 per cent of all "phishing" attacks target financial services.

"The financial-services sector is the Number 2 targeted sector globally in terms of targeted attacks. The only reason they are Number 2 is because the Number 1 target are home users," he said in an interview.

"We certainly don't want to go out saying the sky is falling; that's not the case," Turner said. "I don't think we have accurate numbers on the amounts of dollar losses," he added. "I think it's probably much higher than what's reported."

Posted

Oh, now I see from the first post that “the trader was using an internet cafe in Bangkok”

I suspect a key logger, something that has been reported here quite often.

More sophisticated login procedures could avoid such problem, but many online banks and brokers – not just in USA – do not yet use modern technology.

---------------

Maestro

Posted

Part of a transcript posted by David Berlind at ZDNet:

April 28, 2006

Authenticators:

"What's really scary about this is that for something as sensitive as online banking, even the best banks in the US are still using little more than single factor security to grant you access to your bank account. Two years ago, a friend from The Netherlands who was visiting asked if he could use one of our PCs to do some online banking. As he began to login to his bank's Web site, he pulled a credit-card sized authenticator out of his wallet. Hardware-based authenticators like RSA's keyfob-esque SecurID 700 generate a random sequence of numbers at regular time intervals (eg: every 60 seconds). The way this works is, at any point in time when you login to your banking system, you have to use your authenticator to randomly generate a key. I watched my friend as he pressed a button on his authenticator and then, from authenticator's LCD display, he read-off and keyed-in (on the keyboard) a long string of randomly generated digits.

If you had something similar and you were using one of RSA's authenticators, then, the bank would have an RSA-built appliance on its internal network that's generating matching keys for your account. The only way someone can log into your account is if they have your UserID, your password, and your authenticator. Randomly generated keys are only good for a minute or so. So, even if someone gets a hold of your UserID, password, and one of the randomly generated keys (eg: if they watched you key it on your keyboard), by the time they got to a computer to pretend to be you, the randomly generated key would have expired.

This to me is secure. I asked my friend how much it costs to have the added level of security. "Nothing" he said. While I'm sure the cost gets absorbed somewhere and is passed along to customers, it comes with the account (much the same way you get a free ATM card in the US). I'm not sure if every European bank does this. But apparently, a bunch do. After observing my friend in action, I started asking knowledgeable people why US banks don't do the same thing. The consensus answer, I'm afraid, is a sad commentary about our culture rather than some technological roadblock. There are, of course, plenty of Americans who would gladly exchange this bit of friction in the system for the security it offers. I'm one of them. But America is a culture of convenience and additional friction — especially friction that requires you to carry more gear with you — apparently doesn't fly with most Americans."

Posted

I have an account with E*Trade and they issued me a keyfob with a number that changes every 60 seconds. I have to add that number to my password to login. Makes it so even if a guy grabs my PW if he does not login during that minute the pw will not work any more. I wish more banks, etc. would go to a system like this.
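
The rotating-code login described in the ZDNet transcript and in the keyfob post above, as an added example that is not part of the original thread. SecurID's algorithm is proprietary, so this sketch uses the open TOTP construction (RFC 6238) as a stand-in; the seed, the timestamp and the `Verifier` class are constructed for illustration. It also shows the server refusing a code it has already accepted, which is what keeps a code captured by a key logger from being replayed inside the same minute.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the posts describe a number that changes every 60 seconds
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side (hypothetical): holds the same seed as the customer's token."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps   # tolerated clock drift, in time steps
        self.last_used_counter = -1      # highest time step already accepted

    def check(self, password_ok: bool, code: str, now: int) -> bool:
        if not password_ok:
            return False  # the code is a second factor, not a replacement
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_used_counter:
                continue  # each time step can be used once: blocks replay
            expected = totp(self.seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_used_counter = counter
                return True
        return False


def demo() -> dict:
    seed = b"constructed-demo-seed"   # constructed; real seeds are random
    t0 = 1_161_561_600                # constructed timestamp on a step boundary
    code = totp(seed, t0)             # what the keyfob display would show

    server = Verifier(seed)
    results = {
        # Right code, wrong password: refused, and the code is not consumed.
        "wrong_password": server.check(False, code, t0 + 5),
        # The account owner types password and code within the minute.
        "owner_login": server.check(True, code, t0 + 10),
        # A key logger captured both and replays them 10 seconds later.
        "replay_same_minute": server.check(True, code, t0 + 20),
    }
    # Same capture tried against a server that never saw the code, but late.
    results["captured_code_5_min_later"] = Verifier(seed).check(
        True, code, t0 + 300)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With `drift_steps=1` a code stays acceptable for up to about two minutes after its own minute ends, so the single-use check matters as much as the expiry.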

Posted


Jackbox:

I'm assuming you're referring to E*Trade in the U.S. Did E*Trade charge you for the keyfob or was it already part of the account package?

Anyone else have an account in North America with a similar login procedure from a financial institution based there? Haven't heard of anything like it in Canada as of yet, and we have E*Trade Canada here.

Posted
I thought I saw it on the E*Trade website some months ago, went to look for it now, and here it is, at least for the USA.

---------------

Maestro

Posted

My account is with E*Trade in the USA. The stupid thing is that they do not issue them to everyone and you have to request it. Power E*Trade members get them for free upon request and the batteries in them are guaranteed to last three years. I inflated how much I trade when I joined so they made me an instant Power E*Trade customer and I got the RSA SecurID keyfob for free. If you are not a Power customer then you have to pay $25.00 for the device. That is shortsighted on E*Trade's part. They should have just given them to all customers for free and made them mandatory to use. They could have avoided this 18 million in losses they paid back to customers. How much can one of these cheap little devices cost them per unit?
