Hackers Zero In on Online Stock Accounts

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, October 24, 2006

Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.

E-Trade Financial Corp., the nation's fourth-largest online broker, said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone.

Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. "It is an industry problem," spokeswoman Katrina Becker said. "It does continue to grow."

Federal regulators cited recent cases in which hackers gained access to customer accounts at several large online brokers and used the customers' funds to buy certain stocks. The hackers appeared to be trying to drive up share prices so they could sell those stocks at a profit, regulators said.

The Securities and Exchange Commission and the FBI are looking into E-Trade's cases, chief executive Mitchell H. Caplan said in an earnings conference call with reporters last week. Spokesmen for the SEC and FBI declined to discuss details of those cases.

Both E-Trade and TD Ameritrade have guaranteed that they will cover their clients' losses, even though they are not required to do so by law. But the problem is growing faster than public awareness of it, federal regulators said, noting that the fraud is fed by the rising use of the Internet for personal finance and the easy availability of snooping software that allows hackers to steal personal account information.

"Although these schemes cleverly combine aspects of securities fraud, identity theft and hacking, what they really boil down to is outright thievery," said John Reed Stark, chief of the Office of Internet Enforcement at the SEC. "In the last couple of months we have seen a marked increase in online brokerage account intrusions."

More than 10 million people have bought or sold investments online in the United States in the last few months, according to Avivah Litan, a securities analyst for the Stamford, Conn.-based Gartner Inc.

The scams typically begin with a hacker obtaining customer passwords and user names, experts said. One way is by placing keystroke-monitoring software on any public computer in a library, hotel business center or airport. With the software, all keystrokes entered on the computer can be recorded and e-mailed anywhere in the world.

Experts said all hackers have to do is wait until anyone types in the Web address of E-Trade, Ameritrade or another online broker, and then watch the next several dozen keystrokes, which are likely to include someone's password and login name.

These emerging Internet stock schemes appear to be new versions of the widely used "pump-and-dump" e-mail scams, in which spammers send out mass e-mails containing bogus news alerts intended to manipulate stock prices.

Stark said perpetrators are breaking into customer accounts and buying shares of thinly traded, microcap securities, also known as penny stocks. The hacker gains access using the customer's user name and password, then liquidates that person's existing stock holdings and uses the proceeds to buy shares in the microcap. The goal, regulators said, is to boost the price of a stock the hacker has already bought at a lower price in another account. The hacker then liquidates the stock and wires the money either to an offshore account or through a series of straw men, or dummy corporations, Stark said. The straw man may not know he is participating in fraud; he may have been told he is helping, say, an offshore business.

The entire operation can take a matter of minutes, or at most, hours.

"The unwitting victim opens the account in the morning and finds he or she owns thousands of shares in a microcap company that they have never heard of," Stark said.

Caplan said E-Trade recently made operational changes and added technology to thwart the criminals. "We've seen that level of fraud in the last three weeks or so reduced to almost zero . . . ," he said in the conference call.

Glen Mathison, a spokesman for Charles Schwab Corp., the largest online broker, said losses due to online identity theft and fraud have not reached "a material level" that would require disclosure to investors. But he added that Schwab also guarantees to reimburse clients for online losses caused by fraud.

Unlike banks, brokerage accounts are not protected by Federal Deposit Insurance Corp. and other federal banking rules that ensure consumers get their money back, so the consumer must rely on the company to cover any losses.

Ameritrade's Becker said the company advises clients to make sure they have good spyware detection software on their computers. Ameritrade's Web site also offers clients free software that helps detect or eliminate snooping programs.

In Canada, the Investment Dealers Association, the self-regulatory arm of Canada's securities industry, is looking into similar scams.

Online financial fraud has grown so serious that the Federal Financial Institutions Examination Council, a government entity that establishes standards for banks, has given U.S. financial institutions until Dec. 31 to tighten security measures for accessing online accounts.

"This thing is so widespread and it has such a significant impact on the industry at large . . . that I think you're going to end up seeing structural changes in the industry," Caplan said.

Staff researchers Richard Drezen and Karl Evanzz contributed to this report.

© 2006 The Washington Post Company