Overseas hackers broke into customer accounts at two popular online stock brokerages, TD Ameritrade Holding and E-Trade Financial, in a "pump and dump" stock-trading scheme that led to at least US$22 million in losses.
The attacks, which took place during the last three months, were launched by identity thieves in Eastern Europe and Asia who primarily used keylogging software delivered via Trojan horses or other malware to steal users' confidential information as they logged onto public computers or their own infected machines, TD Ameritrade CIO Jerry Bartlett said in an interview Tuesday.
The hackers then logged into existing customer accounts -- or created dummy accounts -- to buy shares in little-traded stocks, driving prices up so they could sell their own previously purchased shares for a profit.
TD Ameritrade said in its investor conference call Tuesday that it had spent US$4 million to compensate customers who suffered losses after their accounts were broken into.
E-Trade confirmed in an investor conference call on Oct. 18 that it had spent $18 million to compensate customers. CEO Mitchell Caplan told investors that E-Trade has cut its losses to "almost zero" in the past three weeks after beefing up its security. The FBI, U.S. Securities and Exchange Commission and the National Association of Securities Dealers are working together to uncover the fraud.
"This is an industrywide issue," said TD Ameritrade Chief Operating Officer Randy MacDonald.
Charles Schwab Corp., the largest online broker in terms of assets, told Bloomberg News it did not suffer significant losses, while Fidelity Investments declined to comment.
E-Trade ranked 17th out of 23 financial institutions for its efforts to protect consumers from identity theft, according to a study released earlier this month by Javelin Strategy & Research of Pleasanton, Calif. The study, which mostly ranked banks, did not rank TD Ameritrade.
Identity theft last year caused an estimated US$56.6 billion in losses, according to Javelin, and the number of people affected by online identity crime has risen from fewer than one in 125 to an estimated one in 65.
"Fighting identity theft is a cat and mouse game -- there's always room for improvement," said James Van Dyke, president of Javelin.
While the Federal Deposit Insurance Corp. covers bank accounts with up to US$100,000 against fraud or bank bankruptcy, brokerages get no such protection. E-Trade and TD Ameritrade both guarantee customers against losses caused by fraud.
E-Trade said it is unsure whether its losses will be covered by insurance. TD Ameritrade's CFO, Bill Gerber, said he is confident the company could "get a nice healthy chunk of the $4 million back if we can prove the fraud was from the same source."
Bartlett said that while account fraud using customers' personal details is an "ongoing" problem, he emphasized that no data had been stolen from TD Ameritrade's own databases, nor had its servers been breached, during this incident.
But he acknowledged that the company's antifraud efforts, which include a dedicated security team using special software to monitor for anomalous activity such as users logging in from unusual IP addresses and large withdrawals of money, had failed to detect the stock scams quickly enough. "We could identify it, but certainly not to the sophistication of what we can do now," he said.
Bartlett declined to say what technology TD Ameritrade uses to protect against identity fraud. E-Trade uses antifraud software from Cyota, now a part of RSA Security Inc., that helps it monitor accounts for unusual behavior. Since February 2005, E-Trade has also offered optional RSA tokens that generate six-digit codes that change every 60 seconds and that users must enter with their usernames and passwords when logging in, according to Tina Martineau, an E-Trade spokeswoman.
But Ryan Sherstobitoff, CTO at security vendor Panda Software, said that software such as Cyota, which relies in part on checking whether purported users are logging in from their usual IP address, can be tricked by skillful hackers. Meanwhile, tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock trading accounts, he said.
"I think it's half-and-half. We can protect against certain scenarios now, but there are certain ones we can't protect well against at all," Sherstobitoff said. Even so, Bartlett said a new generation of anti-fraud tools on the horizon could help bolster companies' defenses. "It's been a lot of back and forth between vendors and the bad guys," he said. "But I've recently seen a lot of products in beta that should leapfrog and keep vendors ahead in the arms race."