[ISN] Invasion of the Stock Hackers

[InfoSec News]

http://www.businessweek.com/technology/content/nov2005/tc20051103_565150.htm

By Amy Borrus, with Mike McNamee in Washington, 
Brian Glow in Atlanta, and Adrienne Carter in Chicago.
BusinessWeek Online
November 3, 2005

Arriving home from a five-week trip to Belgium and India on Aug. 14, a
jet-lagged Korukonda L. Murty picked up his mail -- and got the shock
of his life. Two monthly statements from online brokerage E*Trade
Financial (ET) showed that securities worth $174,000 -- the bulk of
his and his wife's savings -- had vanished.

During July 13-26, stocks and mutual funds had been sold, and the
proceeds wired out of his account in six transactions of nearly
$30,000 apiece. Murty, a 64-year-old nuclear engineering professor at
North Carolina State University, could only think it was a mistake. He
hadn't sold any stock in months.

"I'M SHOCKED".  Murty dialed E*Trade the moment its call center opened
at 7 a.m. A customer service rep urged him to change his password
immediately. Too late. E*Trade says the computer in Murty's Cary
(N.C.) home lacked antivirus software and had been infected with code
that enabled hackers to grab his user name and password.

The cybercriminals, pretending to be Murty, directed E*Trade to
liquidate his holdings. Then they had the brokerage wire the proceeds
to a phony account in his name at Wells Fargo Bank. The New York-based
online broker says the wire instructions appeared to be legit because
they contained the security code the company e-mailed to Murty to
execute the transaction. But the cyberthieves had gained control of
Murty's e-mail, too.

E*Trade recovered some of the money from the Wells Fargo account and
returned it to Murty. In October, the Indian-born professor reached
what he calls a satisfactory settlement with the firm, which says it
did nothing wrong. Still, Murty suffered many sleepless nights. "I'm
shocked. We didn't know people could play these kinds of tricks."

TARGET-RICH.  Increasingly, they can -- and do. In the latest, most
pernicious twist yet on Internet securities fraud, online brokerage
accounts are being looted by hackers who exploit the weaknesses of
investors' computers rather than the firms' systems. It's a new scam,
but it's mushrooming. Six months ago, Securities & Exchange Commission
investigators say, such schemes weren't even on their radar screen;  
now, the agency is knee-deep in them.

Alarmed, the SEC and FBI are hot on the trail of the cyberperps, with
dozens of investigations in progress. To head off more attacks, the
SEC is posting a warning on its Web site with tips on safeguarding
online trading accounts. "It's a new and growing area that is more
intricate and more complicated than other Internet-related securities
frauds," warns John Reed Stark, the SEC's chief of Internet
enforcement.

So far, the reported losses from online brokerage accounts are modest:  
no more than $20 million stolen in the past year. But Web investing is
a target-rich environment for thieves: Consumers have $1.7 trillion
worth of assets with online brokerages, says TowerGroup, a financial
research and consulting firm. "And it is still evolving."

LOOK TO EASTERN EUROPE.  As with the Murtys, brokerages often help
customers recover their money, or reimburse them for losses. But the
hit on the industry could be enormous, especially if hacker attacks
drive investors off-line. "The real cost of security lapses is the
loss of confidence," says Ravi Ganesan, CEO of TriCipher Inc., a San
Mateo (Calif.) developer of authentication systems.

That's why brokers are offering customers an array of free or
discounted security measures. "If we want our company to continue to
be successful, people have got to feel safe and secure when they come
here," says E*Trade President R. Jarrett Lilien.

Home PC users are frighteningly vulnerable. The spread of high-speed
and wireless connections has made it easier than ever for hackers to
barge in. Even so, an October, 2004, survey by America Online and the
National Cyber Security Alliance found 84% of computer users keep
sensitive personal information, including financial data, on their
home PCs.

To hijack brokerage accounts, hackers have raised their game to a new
level. These invasions, law enforcers say, involve hacking or phishing
to extract customers' information, combined with identity theft and
securities fraud in complex scams executed by gangs. "Generally, it's
two or three people working together," says an FBI expert. "The usual
profile is people with graduate degrees in finance or banking." The
FBI, Secret Service, and private security firms believe most online
stock thieves are based in Eastern Europe.

ONUS ON CUSTOMERS.  Fortunately, some customers spot hacker intrusions
before financial disaster strikes. George Rodriguez, 41, was working
from his Waxhaw (N.C.) home at 9:31 a.m. on May 5 when a series of
e-mail messages from Ameritrade (AMTD ) started flashing across his
computer screen. Within minutes his holdings in Home Depot, Ford
Motor, Duke Power, and Pfizer were all sold. Some $60,000 worth of
blue-chip stocks were drained from an account that Rodriguez had
traded actively in the dot-com days but largely ignored since 2001.

What saved Rodriguez: The crooks somehow failed to change the e-mail
address for trade confirmations. "If they had done that, or if I had
been on vacation, I could have been wiped out," says Rodriguez, a
partner at real estate investors Waterstone Capital Advisors in
Charlotte, N.C. Ameritrade "said they would cancel the orders 'as a
courtesy,'" he says, so he didn't lose any money. Says a spokeswoman
for the Omaha broker: "The unfortunate events that happened to
[Rodriguez] are an issue that Ameritrade and the financial industry
have to deal with."

Still, brokers say customers must protect themselves. Crooks "are
sniffing the information from the customers' computers, not getting it
from our networks," says David S. Kalt, chief executive of online
broker OptionsXpress Holdings. Federal investigators agree with this.  
"The integrity of brokerage firm computers seems to be flawless," says
an FBI source.

TAKE THE LEAD.  But even if investors are careless, online brokers
know that e-trading could dry up if users get spooked. That's why
Ameritrade offers customers a program that scans a PC for malicious
code when they log on to the Internet. E*Trade in April began offering
ID tokens, devices that generate a new six-digit log-in code every 60
seconds, to investors with $50,000 or more in their accounts. More
than 10% of daily log-ons to E*Trade use the devices. In January,
E*Trade will unveil still newer trading safeguards that President
Lilien promises "will make our secure ID program look old-fashioned."

Online brokers could take a page from banks, which next year will be
required to use state-of-the-art safeguards. Many cyberexperts believe
that, instead of blaming customers, the brokerage and high-tech
industries need to take the lead educating customers and supplying
them with the gear and software they need to make their trading
secure.

Says Robert K. West, CEO of Echelon One, cybersecurity consultants in
Mason, Ohio: "In a society that can't set the clocks on its VCRs, it's
nuts to expect people to keep up with all these patches and
firewalls." Hackers, of course, are hoping investors stay in the dark.