Comments: George's story - watching my Ameritrade account get phished out in 3 minutes

I realise that this remark is beside the point of George's report, but this isn't phishing, is it? Thanks to the e-mail alerts he was able to intervene, rather than being enticed to give up ID-related info.

gr

Posted by Twan at July 6, 2005 06:28 PM

Good point. I think the answer is "yes and no". Strictly speaking, the phish occurred earlier, if it had indeed occurred. And, it could very well have been a hack of Ameritrade, an insider sale, or a trojan into George's machine, so it technically might not have been phishing at all.

But why let facts hold back a salacious title? I think it's such a good example of how far reaching the attacks go that I decided to post it even though I couldn't quite pick the title of the story.

;-)

Posted by Iang at July 6, 2005 06:31 PM

I guess these things are inevitable - they'll hit the place that's got your money. But it's still very disturbing! You would think that the balance between risk and convenience is going to be different for high value accounts. Who would legitimately want to sell out their entire portfolio inside of an hour?

Posted by Thomas Barker at July 6, 2005 09:35 PM

Who cares who would want to sell their entire portfolio.

Ameritrade cares if they get the fees. Ameritrade could have IMMEDIATELY stopped the fraud, but since it is not required to by law, they dump it on the customer and police.

Reality check. _THAT_ is the way the market works. Risks are transferred when transfer is cheaper than mitigation. Your suggestion that they refuse trades when they take no loss assumes an irrational concern for the customer.

thanks,
Jean

Posted by L Jean Camp at July 7, 2005 03:07 PM

Not really. They're not really in the business of dealing shares. They are in the business of providing a facility for share ownership and accumulation. If people can't do this because Ameritrade don't provide a safe environment, they will take their business elsewhere.

It depends on the environment. In the UK banks are pretty uncompetitive, so our online security sucks. Many banks legally place all their security risks back onto the customer. In Switzerland, banks have a stronger duty of care, so they use challenge-response access tokens.

In the long term, on-line brokerage accounts will never be used as a serious savings mechanism if this sort of thing isn't fixed. It will just scare too many people off. The numbers on your web browser mean nothing if the operator cannot make a credible commitment to let you spend them on real things in the future.

(Interestingly, Ameritrade's Amerivest facility doesn't make money from dealing fees. It charges a flat 35 basis points per year for managing an ETF portfolio.)

Posted by Thomas Barker at July 7, 2005 06:04 PM

What is the outcome? Was the OP protected? Did he find out how the account data was stolen?

Why aren't there "opt in/out" verifications for actions such as changing your bank number or selling/buying stocks?

Posted by RMM at July 8, 2005 08:34 AM

If we truly wish to stop these frauds, we must firmly place the risk, by law, on the actors who can prevent the harm. No one can successfully claim that the individuals whose accounts are being robbed actually have the ability to prevent the fraud. Therefore, the trading companies and the banks must be held responsible. Similarly, for "identity theft", the credit granting agencies must be made, by law, to shoulder the burden. Nothing less can work.

Dick

Posted by Dick Karpinski at July 8, 2005 09:51 AM

If this guy’s technical ability is anything like his writing skills, he should be advised to sell his computer and never touch one again. Some people surf with a big bull’s-eye. I love to hear these people start throwing out terms like “firewall” and “anti-virus” when the instrument of exploitation was merely social engineering and the victim quite obviously clueless.

Posted by Joseph Broke at July 8, 2005 10:54 AM

George, in his article, tells a tale that should have us all worried, what with all the identity and other digital data theft that is of such a major and growing concern.

I think it would be productive if someone can offer specifics here regarding several areas:

----------(1) Precisely what mechanisms and steps might have been at the root of writer George's Ameritrade account being illegally accessed?

I.e., where along the line did the error -- or errors -- occur? Was it a single event or a combination of events that enabled the theft? Was the root and sole cause George's error in that he may have failed to properly protect his computer or digital transmissions from intrusion? What specific actions could he have taken, if any, to make such a digital theft impossible?

Did his cable provider, via which he connected to his online broker, play a role in allowing his data to be hacked (if indeed his data was hacked somewhere en route between his computer and the online broker)? If so, how did this occur?

Did the cause lie with the broker, and if so, where and how did the broker's system fail to maintain 100% security on George's account? For example, was the security-failure at the portal-level, or was it deeper within the system -- and if so, what might have happened there that enabled this theft to occur?

Did the two banks involved in George's story play any role in enabling this theft to occur, or were they merely outside the periphery of the crime? If their security or identity-verification systems were at all involved, how and where did they fall down on the job?

Was the theft enabled not by one single action but by a coordination of several necessary actions? What might those have been?

----------(2) For each of these possible causes, what specific measures could George -- or the broker -- or the banks -- or the cable provider -- have taken to block such a theft from occurring? Similarly -- and perhaps this will bring the same answer -- what steps should all of them (and the rest of us, in our own situations) take to ensure that this kind of thing cannot happen in the future?

----------(3) What, specifically, is actually REQUIRED, by law or regulations, of brokers (whether online or not) and banks -- and perhaps other such business entities involved -- as follows:

What is actually REQUIRED, by law or regulations, of brokers, banks, and perhaps other such business entities involved --

(a) to ensure 100% protection (digital and otherwise) of their clients' accounts,

(b) to assume full responsibility & liability for thefts (digital etcetera) that occur somewhere in THEIR -- not their CLIENTS' -- systems,

(c) to take immediate and thorough actions -- at THEIR and not at their CLIENTS' cost --

[i] to block and stop the theft,
[ii] to retrieve and replace what was stolen,
[iii] to fully indemnify and remunerate their clients for whatever damage was caused,
[iv] to do everything possible to ensure that such a theft (if it was enabled by that institution) cannot happen again,
[v] to take all necessary measures to also ensure that the victim's CREDIT DATA, at credit bureaus and perhaps elsewhere, has not been altered or damaged as a consequence of this theft.

----------(4) Also, if indeed there ARE legal or regulatory mechanisms in place that DO provide for even SOME measure of consumer protection in the above instances, then --

(a) What are those measures? Can someone perhaps provide URL links to them, or synopsize any that might help us?
(b) IF any such protective laws or regulations DO exist, was George's broker, and any others along the line in his tale who seemed to be bureaucratically passing-the-buck (and passing it back to him), actually knowingly or unknowingly violating those laws or regulations by their somewhat dismissive attitudes or actions?
(c) IF such consumer-protective measures DO exist, and George or any of us find ourselves in a similar digital-theft situation and OUR broker or bank (etc.) says "Sorry, Customer, we won't help you", what can WE then do to require that they DO help us and that they DO fulfill their obligation to fully and without delay resolve the problem?

----------(5) Lastly: If the existing legislation and regulations, whether national or otherwise, are currently insufficient to protect our accounts and digital data, and are lacking in sufficient requirements that the institutions and agencies that may have enabled the theft to occur assume the full burden of proactively protecting our data and repairing the damage, then what can we, as citizens -- and as potential clients (and potential victims) -- do to ensure that the regulations and laws are changed so that WE are PROTECTED and that the ENABLER(S) of the theft is (are) the one (or ones) RESPONSIBLE FOR REPAIRING the damage that was caused by their having enabled that theft?

Any suggestions?

-- SJS
NYC, NY
07-08-05.

Posted by SJS at July 8, 2005 01:38 PM

George
Get a firewall. There are several out there that are free for personal use.
Without one you can get bit by any malware, spyware, and/or hacker, trojans, virus, etc.
A friend of mine trying to update XP from a fresh machine got bit by 1 virus and 1 trojan. And that was just using a dialup connection.
Personal opinion: you got malware on your computer. MS offers a free beta version for spyware. Get it checked.

Posted by Scott Mills at July 8, 2005 07:48 PM

Hey Joseph, I love it when tech experts like you can give us penetrating analysis like "quite obviously clueless" and can identify "the instrument of exploitation was merely social engineering".

Because it suggests one of two possibilities:
1. you were the identity thief
2. you're not too good at discerning meaning from the written word. Because the "instrument of exploitation" was clearly stated as unknown.

Clueless? Hmmm.

David

Posted by David Glover at July 9, 2005 06:05 AM

George, contrary to what he says, does not know if he was phished (or maybe he does and isn't saying). As someone else commented, George may have been phished, or his account access information simply stolen, or he got careless and either told someone, or left the information where others could see it. A "war driver" could have broken into his laptop when he was using a wireless connection. A number of other things could have happened, but in any event, his identity was stolen.

The real problem is that while George may be tech savvy to some degree, based on the information given, he is far from savvy in matters of PC/laptop security. Going without a firewall is an open invitation to break into a computer. (The most recent info is that it only takes 12 minutes to crack an unprotected computer. The cracker then only needs to install a keylogger and have the keystrokes sent "home", where the data can be analyzed and access information (logins, passwords, etc.) can be extracted.) Not only didn't George even have a firewall, but he didn't even mention if he had any up-to-date anti-spyware programs on his laptop, leading me to believe that he did not have any. He did not mention whether or not his Norton anti-virus was up to date. He should have also been using an Intrusion Prevention/Detection program, like Prevx or Abtrusion, that would have alerted him if something he did not ask for was trying to install on his laptop. Yes, he could have been phished, or it could very well have been a friend or acquaintance who stole his confidential information. Much identity theft is done by "friends", acquaintances or co-workers, i.e., an inside job. George doesn't say whether he ever told anyone his access information or placed it where it was available to the eyes of others. In short he was very, very lucky....this time.
A virus will ruin your entire day....identity theft can ruin your entire life.

Posted by Al Johnson at July 9, 2005 11:38 AM

Isn't there any transaction monitoring of this kind of strange activity?
Shouldn't the brokerages and banks be looking after their customers?

Posted by Hank Schader at July 10, 2005 08:35 AM

Last week I noticed a charge to my Wachovia Bank account of $24.95 by Cybernet Ventures. Since I had not authorized the charge, I checked out Cybernet Ventures which is an adult sex site and found a series of complaints about similar charges and the fact that the monthly charges could not be stopped.

I have notified the Wachovia fraud division and canceled the related Visa card, but I have no idea how they got my account number.

Posted by Ken Noakes at July 11, 2005 10:51 PM

Lucky the fraudster wasn't very smart - after all, he didn't change the email address the trade notifications were coming to, or George wouldn't have known anything until (in 6-8 weeks) he couldn't log in to his account.

Posted by F Hirsch at July 12, 2005 03:49 PM

The tipoff may be that he is not running a firewall.

Going on line without a firewall is like having high-risk sex without a condom, only the effects are swifter. It is estimated by The Register that the half life of an unprotected computer on the internet is now less than 15 minutes or so. After that, you should assume that spyware, adware, or other malware has infected it.

Also I note that he uses Norton AntiVirus. Norton is widely thought to be deficient when compared with something like Trend Micro's PC-cillin software. In addition, PC-cillin includes a dandy little firewall. I have used both and prefer PC-cillin; it found malware that Norton missed (I have no financial interest in Trend Micro).

If his computer was hacked, the right software could have saved him. On the other hand, if it was Ameritrade that got hacked, that's a different story and much more chilling.

Posted by James Brinton at July 12, 2005 04:03 PM

David Glover,

Joseph had a good point. The guy's written English is terribly poor and this is usually a pretty good indicator of social intelligence. Poor social intelligence plus money has always equalled a con-man's dream ticket.

Ara

Posted by Cor. Ara at July 12, 2005 06:01 PM

There's no particular reason a brokerage would question orders placed over a supposedly secure Web interface. There may not even be any mechanism by which they could do so. These orders normally get executed within seconds of being placed. And people do, on occasion, decide to sell off their holdings and go to cash, for any of a number of reasons, like buying a house or a boat or just because they don't like the way they're positioned in the market. Ameritrade really can't be faulted for executing the orders they were given.

Of course, if the thieves got access to the account by hacking Ameritrade's servers, that's Ameritrade's responsibility, but it's far more likely, as several have said, that Rodriguez' computer was hacked.

It's scary. Anyone accessing an online brokerage account from a PC is at risk unless they know how to protect themselves, which hardly anyone does. Rodriguez won't be the last victim.

Posted by Scott Burson at July 12, 2005 07:38 PM

Use Interactive Brokers. They give traders a special physical security device without which no one can withdraw money from an account.

Posted by IlyaD at July 12, 2005 09:54 PM
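Thomas Barker's remark about Swiss banks using challenge-response tokens and IlyaD's note about Interactive Brokers' withdrawal device both describe the same control: a device the customer holds that answers a one-time challenge, so a password captured by a keylogger is not enough to move money. The code below is an added illustration of how such a token can be bound to the transaction itself, not code from the original post, from Ameritrade or from Interactive Brokers. The `BrokerServer` API, the 8-character response format and the "alice" / "mule-bank-9999" accounts are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def tx_string(tx):
    """Canonical text of the transaction: exactly what the customer reads off
    the web page and keys into the device, so a changed destination or amount
    changes the response."""
    return f"{tx['amount']:.2f}|{tx['dest_account']}"


def token_response(secret, challenge, tx):
    """What the hypothetical device computes. The secret never leaves the
    device, so a keylogger on the PC learns only this one-time 8-character
    response, which is useless for any other challenge or transaction."""
    msg = f"{challenge}|{tx_string(tx)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class BrokerServer:
    """Server side (assumed API). In production the secrets live in an HSM."""

    def __init__(self):
        self.secrets = {}    # customer -> token secret
        self.pending = {}    # challenge -> (customer, tx) awaiting a response

    def enrol(self, customer):
        s = secrets.token_bytes(32)
        self.secrets[customer] = s
        return s              # provisioned into the device at enrolment only

    def start_withdrawal(self, customer, tx):
        challenge = secrets.token_hex(4)   # 8 hex characters to type in
        self.pending[challenge] = (customer, tx)
        return challenge

    def finish_withdrawal(self, challenge, response):
        entry = self.pending.pop(challenge, None)   # one-shot: kills replay
        if entry is None:
            return False
        customer, tx = entry
        expected = token_response(self.secrets[customer], challenge, tx)
        return hmac.compare_digest(expected, response)


# Constructed scenarios. "alice" is the customer; the attacker has a keylogger
# (or full control of the browser) on her PC but does not hold her device.
LEGIT_TX = {"amount": 5000.00, "dest_account": "alice-bank-1234"}
THEFT_TX = {"amount": 5000.00, "dest_account": "mule-bank-9999"}


def honest_flow():
    server = BrokerServer()
    device_secret = server.enrol("alice")
    challenge = server.start_withdrawal("alice", LEGIT_TX)
    response = token_response(device_secret, challenge, LEGIT_TX)
    return server.finish_withdrawal(challenge, response)


def keylogged_response_reused():
    """Attacker captured a valid (challenge, response) pair plus the password,
    then tries to replay it and to reuse it for his own withdrawal."""
    server = BrokerServer()
    device_secret = server.enrol("alice")
    ch1 = server.start_withdrawal("alice", LEGIT_TX)
    captured = token_response(device_secret, ch1, LEGIT_TX)
    assert server.finish_withdrawal(ch1, captured)      # Alice's own transfer
    replay = server.finish_withdrawal(ch1, captured)    # same pair again
    ch2 = server.start_withdrawal("alice", THEFT_TX)    # new tx, new challenge
    reuse = server.finish_withdrawal(ch2, captured)
    return replay or reuse


def browser_swaps_destination():
    """Malware rewrites the destination in the request, but Alice keys the
    destination she sees into the device, so the two responses disagree."""
    server = BrokerServer()
    device_secret = server.enrol("alice")
    challenge = server.start_withdrawal("alice", THEFT_TX)          # what the server got
    response = token_response(device_secret, challenge, LEGIT_TX)  # what Alice signed
    return server.finish_withdrawal(challenge, response)
```

The third scenario is the reason the amount and destination go into the device rather than only a random challenge: a token that answers the challenge alone defeats the stolen password, but a compromised browser can still change the destination behind the customer's back, and only a response computed over what the customer actually saw catches that.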

F Hirsch: The hacker actually did change the email address, but because of a lucky glitch in the system it didn't get changed.

Posted by ichigo at July 14, 2005 11:40 AM
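RMM asks for opt-in verification of sensitive actions, Hank Schader asks for transaction monitoring, and F Hirsch and ichigo point out that the only reason George noticed anything was that the attacker's change of notification address failed. The following is an added example of what a brokerage-side monitor covering all three could look like; it is not code from the original post or from Ameritrade's systems. The event shape, the thresholds (90% of the portfolio sold within an hour, a three-day hold on withdrawals to a newly added bank account) and the e-mail addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str      # "sell", "change_email", "change_bank", "withdraw"
    data: dict


# Assumed thresholds; a real fraud desk would tune these per customer profile.
LIQUIDATION_WINDOW = timedelta(hours=1)
LIQUIDATION_RATIO = 0.9
NEW_BANK_HOLD = timedelta(days=3)


def monitor(portfolio_value, contact_email, events):
    """Evaluate one account's activity in timestamp order and return
    (rule, action, detail) triples. Each action is a control the brokerage
    applies before the order or profile change takes effect, not afterwards."""
    findings = []
    sells = []
    liquidation_flagged = False
    bank_changed_at = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sell":
            sells.append(ev)
            recent = sum(s.data["value"] for s in sells
                         if ev.ts - s.ts <= LIQUIDATION_WINDOW)
            share = recent / portfolio_value if portfolio_value else 0
            if share >= LIQUIDATION_RATIO and not liquidation_flagged:
                liquidation_flagged = True
                findings.append(("liquidation", "hold_and_call",
                                 f"{share:.0%} of portfolio sold within {LIQUIDATION_WINDOW}"))
        elif ev.kind == "change_email":
            # Step-up authentication before the change applies, and a notice to
            # the OLD address: the attacker must not get to choose whether the
            # customer's existing contact point hears about the change.
            findings.append(("contact_change", "step_up_auth",
                             f"{contact_email} -> {ev.data['new']}"))
            findings.append(("contact_change", "notify_old_address", contact_email))
        elif ev.kind == "change_bank":
            bank_changed_at = ev.ts
            findings.append(("bank_change", "step_up_auth", ev.data["new"]))
        elif ev.kind == "withdraw":
            if bank_changed_at is not None and ev.ts - bank_changed_at < NEW_BANK_HOLD:
                findings.append(("withdraw_to_new_bank", "hold",
                                 f"destination added {ev.ts - bank_changed_at} ago"))
    return findings


def fraud_day():
    """Constructed activity shaped like the story: the whole portfolio dumped
    in minutes, then contact and bank details changed and the cash pulled out."""
    t = datetime(2005, 7, 1, 9, 30)
    events = [
        Event(t, "sell", {"symbol": "AAA", "value": 40_000}),
        Event(t + timedelta(minutes=1), "sell", {"symbol": "BBB", "value": 30_000}),
        Event(t + timedelta(minutes=2), "sell", {"symbol": "CCC", "value": 25_000}),
        Event(t + timedelta(minutes=3), "change_email", {"new": "x@example.invalid"}),
        Event(t + timedelta(minutes=4), "change_bank", {"new": "mule-bank-9999"}),
        Event(t + timedelta(minutes=5), "withdraw", {"value": 95_000}),
    ]
    return monitor(100_000, "george@example.invalid", events)


def benign_day():
    """Constructed ordinary activity: one partial sale, no profile changes."""
    t = datetime(2005, 7, 1, 10, 0)
    events = [Event(t, "sell", {"symbol": "AAA", "value": 20_000})]
    return monitor(100_000, "george@example.invalid", events)
```

Because, as Scott Burson notes further down, orders normally execute within seconds, a monitor like this only helps if it runs in the order path and its "hold" actually stops the order pending a phone call or a step-up check; an alert e-mailed after the fact is what George already had, and it left the recovery to him.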

There have been many interesting remarks above.

The sneering ones are uncalled for. The guy goes through this experience and he gets grammar criticism? The personal insults are not only rude but wrong. He is obviously intelligent, and he gave practical details of how he followed up with the bank, which would be more useful in a situation like this than would a deep knowledge of cryptography.

He may not know technically why this happened, and it may or may not be a case of phishing per se, but his story is worth hearing about.

Thanks George for sharing the pain ;|

Posted by Lori Petty at July 15, 2005 08:09 PM

My heart goes out to those who have suffered because of Bank of America and their CRIMINAL EMPLOYEES.
It's unspeakable what this Bank has done to me.

Press Conference will be held very soon
Please look forward for the date and time.

Please read this Website very IMPORTANT.


www.bankofamericaextortioninsidejob.com

Send your comments to lailasltn@yahoo.com

Posted by lailasultan at November 20, 2005 09:58 PM

Either someone took over my Yahoo accounts or my password got scrambled! I have three accounts floating out there. Been sending Yahoo 5 emails an hr for over 24 hrs now, all I get is auto replies!
I don't know what else to do!
I have pictures of my kids on those accounts, personal emails!
Someone please help.
Thanks,
Sasy

Posted by Sasy at January 21, 2006 07:38 PM