July 06, 2005

George's story - watching my Ameritrade account get phished out in 3 minutes

On the morning of May 5 2005, I decided to work from home [writes George Rodriguez in a great exposé of how phishing is spreading through American retail finance].

As I'm checking emails I start receiving email notifications from my on-line broker Ameritrade. The email notifications kept coming one after the other: you just sold out of Duke, you just sold out of Home Depot, you just sold out of Ford. I watched as the flurry of emails kept coming across my screen; pretty much my entire portfolio of stocks was being sold out right before my eyes. I took notice of the time when I received the first email confirmation: it was 9:31AM, and as you know the equity market opens at 9:30AM. My heart was racing, I was stunned, and I said to myself, this can't be happening to me; I'm business and technology savvy, as I've worked for major investment banks and brokers as a consultant in the areas of technology trading for equity and fixed income markets.


I looked at my watch and it was now 9:34AM; it seemed like hours had gone by. I picked up the phone, called Ameritrade, spoke to a client rep and walked him through all the activity on my account. While I was on the phone with the client rep, I continued to get more email notifications of more stocks in my portfolio being sold out. I also noticed an email that had been sent to me by Ameritrade: you requested and have changed your primary email address to some hotmail address I did not recognize. The interesting piece of information in the email was the time it was sent: 4:45AM. I quickly related this information to the client rep and asked him what bank information he had on file. He went on to say: you requested to have your bank account changed from Wachovia Bank to Bank of America in Dallas, Texas. I said, well, let's get on the phone with Bank of America and see who's behind the account. Well, Ameritrade said, we can't do that. I said, wait a minute, someone is committing bank fraud and internet fraud as we speak and you can't represent me, your client? No sir, the client rep responded, you need to call your local authorities. You mean the Sheriff, as I live out in Union County? I responded, fine, well please give me the account number and routing number for Bank of America and I will call them myself; oh, and by the way, cancel all these fraudulent trades and freeze the account, I do not want any funds to move. Luckily, in the equity markets it takes three days for the trades to settle before the cash is moved out; so much for straight-through processing and trying to settle and move cash on the same day, a goal the industry is trying to move towards.

My first call was to Bank of America, and it took a while to get through to their fraud department and then to explain that it was not the Bank of America brokerage arm but my on-line broker Ameritrade where the fraudulent trades were placed. I gave the BoA fraud department the BoA account number now on file with my Ameritrade broker, and they confirmed it was their account, but no information would be provided as it was not my account. Due to the Privacy Act they needed to protect their customers; who's getting protected here, I said, the thieves or the innocent victims? I quickly hung up the phone and called the Union County Sheriff, and within 20 minutes a patrol car was in my driveway, a bit weird for white-collar crime, but nevertheless a police report was in order. I greeted the officer, we sat in my office and I gave him copies of all the emails and the Ameritrade and bank information for him to follow up with all parties. He said, I'd love to help you, but after I finish typing this up I will turn it over to the detective and someone will be in touch with you. I did receive a police report number right away from him. As soon as the police officer left I filed a complaint with the Federal Trade Commission and an electronic identity theft report with the FBI. I got a call back from the detective on Monday, May 9, and we discussed the details of the fraudulent activities.

I can't imagine what would have happened if I had been away on vacation and had no access to email for several days: over $50,000 would have left my Ameritrade brokerage account and moved out to the fraudulent Bank of America account, which I'm sure would have been cleaned out right away. I'm sure I can't be the only one who has had this problem, as these on-line brokers have millions of accounts. I'm not sure how my userid and password were stolen; perhaps it is an inside job. My account is a passive account, as I only logged in every six to eight weeks to check it; I don't day trade anymore since the dot-com crash. But another scenario is that I was hacked on my home computer, as I have Time Warner Road Runner and a wireless network. I run Norton Anti-Virus on my machines, but unfortunately I don't have a secured firewall running; again, I'm not sure how well these products can safeguard your computer. I'm now waiting for the local authorities, the FBI, Ameritrade and Bank of America to provide me with information on how and who is behind this attack.

George Rodriguez
Waterstone Capital Advisors
Partner
Email: george.rodriguez at waterstonecap.com

Posted by iang at July 6, 2005 03:38 PM
Comments

I realise that this remark is beside the point of George's report, but this isn't phishing, is it? Thanks to the e-mail alerts he was able to intervene, rather than being enticed to give up id-related info.

gr

Posted by: Twan at July 6, 2005 06:28 PM

Good point. I think the answer is "yes and no". Strictly speaking, the phish occurred earlier, if it had indeed occurred. And, it could very well have been a hack of Ameritrade, an insider sale, or a trojan into George's machine, so it technically might not have been phishing at all.

But why let facts hold back a salacious title? I think it's such a good example of how far reaching the attacks go that I decided to post it even though I couldn't quite pick the title of the story.

;-)

Posted by: Iang at July 6, 2005 06:31 PM

I guess these things are inevitable - they'll hit the place that's got your money. But it's still very disturbing! You would think that the balance between risk and convenience is going to be different for high value accounts. Who would legitimately want to sell out their entire portfolio inside of an hour?

Posted by: Thomas Barker at July 6, 2005 09:35 PM

Who cares who would want to sell their entire portfolio.

Ameritrade cares if they get the fees. Ameritrade could have IMMEDIATELY stopped the fraud, but since it is not required to by law they dump it on the customer and police.

Reality check. _THAT_ is the way the market works. Risks are transferred when transfer is cheaper than mitigation. Your suggestion that they refuse trades when they take no loss assumes an irrational concern for the customer.

thanks,
Jean

Posted by: L Jean Camp at July 7, 2005 03:07 PM

Not really. They're not really in the business of dealing shares. They are in the business of providing a facility for share ownership and accumulation. If people can't do this because Ameritrade don't provide a safe environment, they will take their business elsewhere.

It depends on the environment. In the UK banks are pretty uncompetitive, so our online security sucks. Many banks legally place all their security risks back onto the customer. In Switzerland, banks have a stronger duty of care, so they use challenge-response access tokens.

In the long term, on-line brokerage accounts will never be used as a serious savings mechanism if this sort of thing isn't fixed. It will just scare too many people off. The numbers on your web browser mean nothing if the operator cannot make a credible commitment to let you spend them on real things in the future.

(Interestingly, Ameritrade's Amerivest facility doesn't make money from dealing fees. It charges a flat 35 basis points per year for managing an ETF portfolio.)

Posted by: Thomas Barker at July 7, 2005 06:04 PM

What is the outcome? Was the OP protected? Did he find out how the account data was stolen?

Why aren't there "opt in/out" verifications for actions such as changing your bank number or selling/buying stocks?

Posted by: RMM at July 8, 2005 08:34 AM
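Two of the asks in this thread, challenge-response access tokens (Thomas Barker, above) and an opt-in verification step before a bank-number change or a sell-off (RMM, above), amount to the same control: a one-time code delivered on a channel the attacker does not hold, tied to the specific operation being confirmed. The following is an added example, not code from the original post or from Ameritrade or any other broker. `hotp` implements RFC 4226 as published; `bound_code` and `StepUpVerifier` are an assumed, non-standard variant that folds a digest of the operation text into the MAC, so the code cannot be reused for a different operation. The secret and the operation string in the demo are constructed.

```python
"""Out-of-band step-up confirmation for high-risk account operations.

Added example, not part of the original post or of any broker's system.
`hotp` is RFC 4226 as written; `bound_code` is an assumed, non-standard
variant that also binds the code to the operation being confirmed.
"""
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: the low nibble of the last MAC byte
    selects a 4-byte window, the sign bit is masked, and the result is
    reduced modulo 10^digits and zero-padded."""
    offset = mac[-1] & 0x0F
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{window % (10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def bound_code(secret: bytes, counter: int, operation: str, digits: int = DIGITS) -> str:
    """Assumed transaction-bound variant (not an RFC): the counter and the
    SHA-256 digest of the operation text are both under the HMAC, so a
    code issued for one operation fails to verify for any other."""
    op_digest = hashlib.sha256(operation.encode("utf-8")).digest()
    mac = hmac.new(secret, struct.pack(">Q", counter) + op_digest, hashlib.sha1).digest()
    return _truncate(mac, digits)


class StepUpVerifier:
    """Server side of the check for one customer.  Each high-risk request
    (payout bank change, new contact address, full liquidation) gets a
    fresh counter, and the counter is consumed on first successful use,
    so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret            # per-customer shared secret
        self.next_counter = 0
        self.pending: set[int] = set()  # challenges issued but not yet used

    def issue_challenge(self, operation: str) -> tuple[int, str]:
        """Return (counter, code).  The code is delivered out of band, on a
        channel established before this request (phone number or e-mail
        on file), alongside the operation text the customer is confirming."""
        counter = self.next_counter
        self.next_counter += 1
        self.pending.add(counter)
        return counter, bound_code(self.secret, counter, operation)

    def verify(self, counter: int, operation: str, code: str) -> bool:
        """`operation` is what the server is about to execute, recomputed
        at verification time, so a request whose details were swapped after
        the challenge went out does not match the code."""
        if counter not in self.pending:
            return False                                   # unknown or replayed
        expected = bound_code(self.secret, counter, operation)
        if not hmac.compare_digest(expected, code):
            return False
        self.pending.discard(counter)                      # consume the challenge
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"                       # RFC 4226 test secret
    print("HOTP counter 0:", hotp(secret, 0))              # 755224 per RFC 4226
    v = StepUpVerifier(secret)
    op = "change payout bank: Wachovia -> Bank of America acct ****0001 (constructed)"
    ctr, code = v.issue_challenge(op)
    print("confirm swapped", v.verify(ctr, op + " tampered", code))  # False
    print("confirm legit  ", v.verify(ctr, op, code))      # True
    print("replay         ", v.verify(ctr, op, code))      # False, already consumed
```

The binding matters for exactly the case in George's story: a code sent to the phone number or e-mail address on file before the 4:45AM change confirms "change payout bank to X" and nothing else, and because the verifier recomputes the code from the operation it is about to execute, altering the destination after the challenge has gone out fails. Delivering the code to the freshly changed e-mail address would defeat the whole control, which is why the channel has to predate the request.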

If we truly wish to stop these frauds, we must firmly place the risk, by law, on the actors who can prevent the harm. No one can successfully claim that the individuals whose accounts are being robbed actually have the ability to prevent the fraud. Therefore, the trading companies and the banks must be held responsible. Similarly, for "identity theft", the credit granting agencies must be made, by law, to shoulder the burden. Nothing less can work.

Dick

Posted by: Dick Karpinski at July 8, 2005 09:51 AM

If this guy’s technical ability is anything like his writing skills, he should be advised to sell his computer and never touch one again. Some people surf with a big bull’s-eye. I love to hear these people start throwing out terms like “firewall” and “anti-virus” when the instrument of exploitation was merely social engineering and the victim quite obviously clueless.

Posted by: Joseph Broke at July 8, 2005 10:54 AM

George, in his article, tells a tale that should have us all worried, what with all the identity and other digital data theft that is of such a major and growing concern.

I think it would be productive if someone can offer specifics here regarding several areas:

----------(1) Precisely what mechanisms and steps might have been at the root of writer George's Ameritrade account being illegally accessed?

I.e., where along the line did the error -- or errors -- occur? Was it a single event or a combination of events that enabled the theft? Was the root and sole cause George's error in that he may have failed to properly protect his computer or digital transmissions from intrusion? What specific actions could he have taken, if any, to make such a digital theft impossible?

Did his cable provider, via which he connected to his online broker, play a role in allowing his data to be hacked (if indeed his data was hacked somewhere en route between his computer and the online broker)? If so, how did this occur?

Did the cause lie with the broker, and if so, where and how did the broker's system fail to maintain 100% security on George's account? For example, was the security-failure at the portal-level, or was it deeper within the system -- and if so, what might have happened there that enabled this theft to occur?

Did the two banks involved in George's story play any role in enabling this theft to occur, or were they merely outside the periphery of the crime? If their security or identity-verification systems were at all involved, how and where did they fall down on the job?

Was the theft enabled not by one single action but by a coordination of several necessary actions? What might those have been?

----------(2) For each of these possible causes, what specific measures could George -- or the broker -- or the banks -- or the cable provider -- have taken to block such a theft from occurring? Similarly -- and perhaps this will bring the same answer -- what steps should all of them (and the rest of us, in our own situations) take to ensure that this kind of thing cannot happen in the future?

----------(3) What, specifically, is actually REQUIRED, by law or regulations, of brokers (whether online or not) and banks -- and perhaps other such business entities involved -- as follows:

(a) to ensure 100% protection (digital and otherwise) of their client's accounts,

(b) to assume full responsibility & liability for thefts (digital etcetera) that occur somewhere in THEIR -- not their CLIENTS' -- systems,

(c) to take immediate and thorough actions -- at THEIR and not at their CLIENTS' cost --

[i] to block and stop the theft,
[ii] to retrieve and replace what was stolen,
[iii] to fully indemnify and remunerate their clients for whatever damage was caused,
[iv] to do everything possible to ensure that such a theft (if it was enabled by that institution) cannot happen again,
[v] to take all necessary measures to also ensure that the victim's CREDIT DATA, at credit bureaus and perhaps elsewhere, has not been altered or damaged as a consequence of this theft.

----------(4) Also, if indeed there ARE legal or regulatory mechanisms in place that DO provide for even SOME measure of consumer protection in the above instances, then --

(a) What are those measures? Can someone perhaps provide URL links to them, or synopsize any that might help us?
(b) IF any such protective laws or regulations DO exist, was George's broker, and any others along the line in his tale who seemed to be bureaucratically passing-the-buck (and passing it back to him), actually knowingly or unknowingly violating those laws or regulations by their somewhat dismissive attitudes or actions?
(c) IF such consumer-protective measures DO exist, and George or any of us find ourselves in a similar digital-theft situation and OUR broker or bank (etc.) says "Sorry, Customer, we won't help you", what can WE then do to require that they DO help us and that they DO fulfill their obligation to fully and without delay resolve the problem?

----------(5) Lastly: If the existing legislation and regulations, whether national or otherwise, are currently insufficient to protect our accounts and digital data, and are lacking in sufficient requirements that the institutions and agencies that may have enabled the theft to occur assume the full burden of proactively protecting our data and repairing the damage, then what can we, as citizens -- and as potential clients (and potential victims) -- do to ensure that the regulations and laws are changed so that WE are PROTECTED and that the ENABLER(S) of the theft is (are) the one (or ones) RESPONSIBLE FOR REPAIRING the damage that was caused by their having enabled that theft?

Any suggestions?

-- SJS
NYC, NY
07-08-05.

Posted by: SJS at July 8, 2005 01:38 PM

George
Get a firewall. There are several out there that are free for personal use.
Without one you can get bit by any Malware, Spyware, and/or hacker, trojans, virus, etc.
A friend of mine trying to update XP from a fresh machine got bit by 1 virus and 1 trojan. And that was just using a dialup connection.
Personal opinion: you got malware on your computer. MS offers a free Beta version for spyware. Get it checked.

Posted by: Scott Mills at July 8, 2005 07:48 PM

Hey Joseph, I love it when tech experts like you can give us penetrating analysis like "quite obviously clueless" and can identify "the instrument of exploitation was merely social engineering".

Because it suggests one of two possibilities:
1. you were the identity thief
2. you're not too good at discerning meaning from the written word. Because the "instrument of exploitation" was clearly stated as unknown.

Clueless? Hmmm.

David

Posted by: David Glover at July 9, 2005 06:05 AM

George, contrary to what he says, does not know if he was phished (or maybe he does and isn't saying). As someone else commented, George may have been phished, or his account access information simply stolen, or he got careless and either told someone or left the information where others could see it. A "war driver" could have broken into his laptop when he was using a wireless connection. A number of other things could have happened, but in any event, his identity was stolen.

The real problem is that while George may be tech savvy to some degree, based on the information given, he is far from savvy in matters of PC/laptop security. Going without a firewall is an open invitation to break into a computer. (The most recent info is that it only takes 12 minutes to crack an unprotected computer. The cracker then only needs to install a keylogger and have the keystrokes sent "home", where the data can be analyzed and access information (logins, passwords, etc.) can be extracted.) Not only didn't George even have a firewall, but he didn't even mention if he had any up-to-date anti-spyware programs on his laptop, leading me to believe that he did not have any. He did not mention whether or not his Norton anti-virus was up to date. He should also have been using an Intrusion Prevention/Detection program, like Prevx or Abtrusion, that would have alerted him if something he did not ask for was trying to install on his laptop. Yes, he could have been phished, or it could very well have been a friend or acquaintance who stole his confidential information. Much identity theft is done by "friends", acquaintances or co-workers, i.e., an inside job. George doesn't say whether he ever told anyone his access information or placed it where it was available to the eyes of others. In short he was very, very lucky....this time.
A virus will ruin your entire day....identity theft can ruin your entire life.

Posted by: Al Johnson at July 9, 2005 11:38 AM

Isn't there any transaction monitoring of this kind of strange activity?
Shouldn't the brokerages and banks be looking after their customers?

Posted by: Hank Schader at July 10, 2005 08:35 AM
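Hank's question has a concrete answer, and George's timeline supplies the signals: a contact-address change at 4:45AM on an account that had not been logged into for weeks, a payout bank change, the whole portfolio sold within minutes of the open, and three days of settlement before the cash would leave. The following is an added example, not part of the original post and not any broker's actual rules. The thresholds, the event timestamps other than 4:45 and 9:31, the per-ticker values and the portfolio total are constructed assumptions a risk team would tune against real data.

```python
"""Sequence-based transaction monitoring for a brokerage account.

Added example, not part of the original post and not any broker's actual
rules.  The event log is constructed to mirror the story (overnight
contact change, payout bank change, full liquidation at the open); the
thresholds are assumptions a risk team would tune against real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str               # login | email_change | bank_change | sell | withdraw
    detail: str = ""
    value: float = 0.0      # market value of a sell or withdrawal


QUIET_HOURS = (0, 6)                       # local hours when profile changes are unusual
DORMANT_DAYS = 30                          # no login or trade for this long: dormant
LIQUIDATION_WINDOW = timedelta(hours=1)
LIQUIDATION_SHARE = 0.80                   # sells covering this share of holdings
SETTLEMENT_WINDOW = timedelta(days=3)      # T+3: cash leaves this long after a sell


def assess(events: list[Event], portfolio_value: float) -> dict:
    """Return {"flags": [...], "action": "allow" | "review" | "hold_settlement"}."""
    events = sorted(events, key=lambda e: e.at)
    flags: list[str] = []

    changes = [e for e in events if e.kind in ("email_change", "bank_change")]
    for e in changes:
        if QUIET_HOURS[0] <= e.at.hour < QUIET_HOURS[1]:
            flags.append(f"{e.kind} at {e.at:%H:%M}, outside normal hours")

    # Dormancy: no customer-initiated activity for DORMANT_DAYS before the first change
    if changes:
        first = changes[0].at
        prior = [e.at for e in events if e.at < first and e.kind in ("login", "sell", "withdraw")]
        last = max(prior, default=None)
        if last is None or first - last > timedelta(days=DORMANT_DAYS):
            flags.append("profile change on a dormant account")

    # Liquidation: any LIQUIDATION_WINDOW-long run of sells covering most of the holdings
    sells = [e for e in events if e.kind == "sell"]
    liquidated = False
    for i, start in enumerate(sells):
        total = sum(s.value for s in sells[i:] if s.at - start.at <= LIQUIDATION_WINDOW)
        if portfolio_value > 0 and total / portfolio_value >= LIQUIDATION_SHARE:
            flags.append(f"{total / portfolio_value:.0%} of holdings sold within {LIQUIDATION_WINDOW}")
            liquidated = True
            break

    # Payout destination changed shortly before cash would move to it
    bank_changes = [e for e in events if e.kind == "bank_change"]
    outflows = [e for e in events if e.kind in ("sell", "withdraw")]
    payout_redirected = any(
        timedelta(0) <= o.at - b.at <= SETTLEMENT_WINDOW for b in bank_changes for o in outflows
    )
    if payout_redirected:
        flags.append("payout bank changed within the settlement window of an outflow")

    # Any flag gets a human look; the redirect-then-liquidate combination is the
    # pattern that empties an account, so hold the cash until the customer confirms
    # through a channel that predates the change.
    if liquidated and payout_redirected:
        action = "hold_settlement"
    elif flags:
        action = "review"
    else:
        action = "allow"
    return {"flags": flags, "action": action}


PORTFOLIO_VALUE = 52_000.0   # constructed; the story says "over $50,000"


def sample_events() -> list[Event]:
    """Constructed log.  04:45 and 09:31 come from the story; the other
    times, the per-ticker values and the 45-day-old login are assumptions."""
    d = datetime(2005, 5, 5)
    return [
        Event(d - timedelta(days=45), "login"),
        Event(d.replace(hour=4, minute=45), "email_change", "-> unrecognised hotmail address"),
        Event(d.replace(hour=4, minute=47), "bank_change", "Wachovia -> Bank of America"),
        Event(d.replace(hour=9, minute=31), "sell", "DUK", 14_000.0),
        Event(d.replace(hour=9, minute=31), "sell", "HD", 13_000.0),
        Event(d.replace(hour=9, minute=32), "sell", "F", 12_000.0),
        Event(d.replace(hour=9, minute=34), "sell", "remaining positions", 13_000.0),
    ]


if __name__ == "__main__":
    result = assess(sample_events(), PORTFOLIO_VALUE)
    for f in result["flags"]:
        print("flag:", f)
    print("action:", result["action"])   # hold_settlement
```

The decision the rules produce is the one George had to ask for by phone: do not move the settlement cash to the new destination until the customer confirms through a channel that predates the change. Each check is cheap enough to run inline on the order path rather than in a nightly batch, which is what makes it useful when the attacker's next step, changing the notification address so the victim stops seeing confirmations, can follow within minutes.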

Last week I noticed a charge to my Wachovia Bank account of $24.95 by Cybernet Ventures. Since I had not authorized the charge, I checked out Cybernet Ventures which is an adult sex site and found a series of complaints about similar charges and the fact that the monthly charges could not be stopped.

I have notified the Wachovia fraud division and canceled the related Visa card, but I have no idea how they got my account number.

Posted by: Ken Noakes at July 11, 2005 10:51 PM

Lucky the fraudster wasn't very smart - after all, he didn't change the email address the trade notifications were coming to, or George wouldn't have known anything until (in 6-8 weeks) he couldn't log in to his account.

Posted by: F Hirsch at July 12, 2005 03:49 PM

The tipoff may be that he is not running a firewall.

Going on line without a firewall is like having high-risk sex without a condom, only the effects are swifter. It is estimated by The Register that the half life of an unprotected computer on the internet is now less than 15 minutes or so. After that, you should assume that spyware, adware, or other malware has infected it.

Also I note that he uses Norton AntiVirus. Norton is widely thought to be deficient when compared with something like Trend Micro's PC-cillin software. In addition, PC-cillin includes a dandy little firewall. I have used both and prefer PC-cillin; it found malware that Norton missed (I have no financial interest in Trend Micro.).

If his computer was hacked, the right software could have saved him. On the other hand, if it was Ameritrade that got hacked, that's a different story and much more chilling.

Posted by: James Brinton at July 12, 2005 04:03 PM

David Glover,

Joseph had a good point. The guy's written English is terribly poor and this is usually a pretty good indicator of social intelligence. Poor social intelligence plus money has always equalled a con-man's dream ticket.

Ara

Posted by: Cor. Ara at July 12, 2005 06:01 PM

There's no particular reason a brokerage would question orders placed over a supposedly secure Web interface. There may not even be any mechanism by which they could do so. These orders normally get executed within seconds of being placed. And people do, on occasion, decide to sell off their holdings and go to cash, for any of a number of reasons, like buying a house or a boat or just because they don't like the way they're positioned in the market. Ameritrade really can't be faulted for executing the orders they were given.

Of course, if the thieves got access to the account by hacking Ameritrade's servers, that's Ameritrade's responsibility, but it's far more likely, as several have said, that Rodriguez' computer was hacked.

It's scary. Anyone accessing an online brokerage account from a PC is at risk unless they know how to protect themselves, which hardly anyone does. Rodriguez won't be the last victim.

Posted by: Scott Burson at July 12, 2005 07:38 PM

Use Interactive Brokers. They give traders a special physical security device without which no one can withdraw money from an account.

Posted by: IlyaD at July 12, 2005 09:54 PM

F Hirsch: The hacker actually did change the email address, but because of a lucky glitch in the system it didn't get changed.

Posted by: ichigo at July 14, 2005 11:40 AM

There have been many interesting remarks above.

The sneering ones are uncalled for. The guy goes through this experience and he gets grammar criticism? The personal insults are not only rude but wrong. He is obviously intelligent, and he gave practical details of how he followed up with the bank, which would be more useful in a situation like this than would a deep knowledge of cryptography.

He may not know technically why this happened, and it may or may not be a case of phishing per se, but his story is worth hearing about.

Thanks George for sharing the pain ;|

Posted by: Lori Petty at July 15, 2005 08:09 PM

My heart goes out to those who have suffered because of Bank of America and their CRIMINAL EMPLOYEES.
It's unspeakable what this Bank has done to me.

Press Conference will be held very soon
Please look forward for the date and time.

Please read this Website very IMPORTANT.


www.bankofamericaextortioninsidejob.com

Send your comments to lailasltn@yahoo.com

Posted by: lailasultan at November 20, 2005 09:58 PM


Either someone took over my yahoo accounts or my password got scrambled! I have three accounts floating out there. Been sending yahoo 5 emails an hr for over 24 hrs now, all I get is auto replies!
I don't know what else to do!
I have pictures of my kids on those accounts, personal emails!
Someone please help.
Thanks,
Sasy

Posted by: Sasy at January 21, 2006 07:38 PM