A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.
The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.
In addition to being highly profitable for the perpetrators, the scheme also simultaneously used the stock market as a vehicle for laundering the proceeds. The perpetrators apparently stole the end users’ passwords by getting them to sign on to their accounts on computers that had keystroke-logging software installed on them. The computers could have been those often found in Internet cafés or other public computer clusters. Another possibility is that the victims were duped into installing keystroke-logging software on their machines. Such keystroke-logging software typically monitors a user’s keystrokes and waits for him or her to type some juicy piece of information, such as a credit card number or password. This information is then sent to the perpetrator over the Internet.
It’s important to keep in mind that keystroke loggers are only one type of basic application that can steal sensitive information. Another technique we’ve seen is the use of “screen-scraping” software. Such software can literally capture whatever is on your screen and send that to an attacker. So, even if your online brokerage account uses a graphical password – that is, a password that does not rely on you typing something through your keyboard – you’re still not out of the woods. It’s amazing how many otherwise technically savvy people fail to realize this important point.
Fortunately, the victims whose money disappeared during this attack were reimbursed by their brokerage firms. I would commend both E-trade and TD Waterhouse for being up-front about what happened. Very few fraud victims divulge such information. This generous act makes it seem like the brokerage houses are the only ones to blame. Quite frankly, I don’t think the blame here is so one-sided. Undoubtedly, it would have helped if the brokerage houses detected the anomalous transactions involving these small-cap stocks.
There are a number of different ways to detect that a transaction is suspicious. For example:
• The transaction could be originating from a geographic location that differs from where the legitimate customer normally does business. There are several ways to check this.
• The transaction might occur at some strange time of the day when the legitimate customer normally does not do business.
• The transaction might involve a much larger dollar amount or volume than the consumer normally engages in.
And, the list goes on. Many of the more reputable brokerage firms do have back-end fraud monitoring systems in place and I think it is highly likely that both of the ones involved in this attack did as well. However, such systems are only meant as an additional line of defense. They are by no means perfect. In this case, it turned out they could be circumvented. Perhaps it was due to the fact that the attack did not involve actually withdrawing money from an account.
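To make the three signals above concrete, here is a small rule-based checker. It is example code added for this page, not anything the brokerages involved are known to run; the customer profile, the country codes (including the placeholder code "ZZ"), the trading hours and the order sizes are all constructed, and the timestamps are assumed to already be in the customer's local time. It goes slightly beyond the list by also routing customers who have no baseline at all into the review queue rather than silently letting their orders through.

```python
"""Rule-based transaction anomaly checks: unusual location, unusual time of
day, unusual size. Added example; all profiles and transactions are constructed."""

from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Transaction:
    customer: str
    timestamp: datetime      # assumed to already be in the customer's local time
    country: str             # country code of the session origin (assumed field)
    action: str              # "BUY" or "SELL"
    symbol: str
    amount_usd: float


@dataclass
class CustomerProfile:
    usual_countries: set     # countries the customer normally trades from
    active_hours: tuple      # (start, end): hours during which the customer normally trades
    past_amounts: list       # recent order sizes in USD, used as the size baseline


def flag_transaction(tx, profile, size_multiplier=3.0):
    """Return the list of reasons this transaction looks suspicious (empty if none)."""
    reasons = []

    # 1. Geography: did the order come from somewhere the customer never trades from?
    if tx.country not in profile.usual_countries:
        reasons.append(f"geo: origin {tx.country} not in {sorted(profile.usual_countries)}")

    # 2. Time of day: is this outside the hours the customer normally does business?
    start, end = profile.active_hours
    if not (start <= tx.timestamp.hour < end):
        reasons.append(f"time: {tx.timestamp:%H:%M} outside usual {start:02d}:00-{end:02d}:00")

    # 3. Size: is the dollar amount far above the customer's typical order?
    # Median rather than mean so one large past order does not lift the baseline.
    baseline = median(profile.past_amounts)
    if tx.amount_usd > size_multiplier * baseline:
        reasons.append(f"size: ${tx.amount_usd:,.0f} exceeds {size_multiplier}x baseline ${baseline:,.0f}")

    return reasons


def review_queue(transactions, profiles, size_multiplier=3.0):
    """Run every transaction against its customer's profile; return (tx, reasons) for flagged ones."""
    queue = []
    for tx in transactions:
        profile = profiles.get(tx.customer)
        if profile is None:
            # No baseline means no way to judge normal; send to a human rather than allow.
            queue.append((tx, ["no profile on record for customer"]))
            continue
        reasons = flag_transaction(tx, profile, size_multiplier)
        if reasons:
            queue.append((tx, reasons))
    return queue


# Constructed sample data (not real customers, orders or tickers).
PROFILES = {
    "cust-1001": CustomerProfile(
        usual_countries={"US"},
        active_hours=(8, 18),
        past_amounts=[500.0, 1200.0, 800.0, 950.0, 1100.0],
    ),
}

SAMPLE_TRANSACTIONS = [
    # Ordinary order: domestic, mid-morning, usual size -> no reasons.
    Transaction("cust-1001", datetime(2006, 10, 2, 10, 30), "US", "BUY", "ACME", 900.0),
    # Large but otherwise normal order: only the size rule fires.
    Transaction("cust-1001", datetime(2006, 10, 2, 14, 0), "US", "BUY", "ACME", 4000.0),
    # Whole-account sell from an unfamiliar country at 3 a.m.: all three rules fire.
    Transaction("cust-1001", datetime(2006, 10, 3, 3, 15), "ZZ", "SELL", "ACME", 48000.0),
    # Customer with no baseline at all: queued for review.
    Transaction("cust-2002", datetime(2006, 10, 3, 11, 0), "US", "BUY", "ACME", 700.0),
]

if __name__ == "__main__":
    for tx, reasons in review_queue(SAMPLE_TRANSACTIONS, PROFILES):
        print(f"{tx.customer} {tx.action} {tx.symbol} ${tx.amount_usd:,.0f}")
        for r in reasons:
            print("   -", r)
```

Each rule only adds a reason string, so the caller decides what to do with a single hit versus several; a real back-end would weight the rules and tune the size multiplier per customer, but the point the post makes still holds: a liquidation from an unfamiliar location at an odd hour is visible to checks like these even though no money leaves the account.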
At the same time, the victims here should have been more careful and not logged into their accounts from spyware-infested machines. It’s like handing your house keys to a burglar and then blaming your home alarm system after you get robbed.
I would give the following advice to people who regularly engage in online financial activity, whether it is banking or stock trading:
• Make sure you have antivirus and antispyware software installed on your machine and ensure that these software packages are updated. Also, make sure your machine is updated with the latest security patches.
• Avoid logging into your accounts from unknown computers, like those in Internet cafés. You may not know the last time such a computer was checked for viruses or spyware, and the last thing you want is to find out the hard way. If you do use an Internet café, always do so with the realization that every keystroke, mouse click, and image on the screen might be recorded and sent to someone who has malicious plans.
• Try to use different passwords for different online activities. While it can be challenging to have a completely different password for each activity, at the very least have a different password for each desired security level. For example, the password you use to check email should be different than the one you use for online financial transactions. (This way, if one password is compromised, the rest of your accounts are safe.)
• Be careful when visiting less reputable Web sites. Many sites include malicious code that can get installed onto your machine without your consent. Such code might exploit a vulnerability in your Web browser, for example. Also, be careful when opening attachments or any file that is sent to you. Never open an attachment that contains some form of executable file. If you do open an attachment, make sure that it’s at least a document you were expecting and that it came from a reliable source.
In this case, the end users were lucky in that they were reimbursed. However, there may be other times when they will not be as lucky. There is no reason to leave these things up to chance. For further reading, have a look at this Computer World article that covers this online fraud story.