401(k) Account Hacked & Vaporized In An Instant - $180,0000

Discussion in 'Wall St. News' started by ByLoSellHi, Jan 6, 2007.

  1. http://redtape.msnbc.com/2007/01/one_moment_dave.html#posts


    Posted: Friday, January 5 at 04:00 am CT by Bob Sullivan

    One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. In an instant, 25 years of savings had disappeared.

    With a few clicks, someone raided DeSmidt’s retirement account with J.P. Morgan & Co and ordered a full disbursement to a private checking account.

    Then came the really bad news. While credit card and online banking accounts are legally protected in the event of fraud, DeSmidt’s brokerage account came with no such insurance. Two months after the theft, his balance still read $0.

    With hacking of brokerage accounts increasing, the legal gap facing DeSmidt and other victims has regulators and critics debating the need for new consumer protections.

    ‘I don’t have a clue’
    The theft was the shock of a lifetime for DeSmidt, who plans to retire in a few years with his wife in their Mukwonango, Wis., home.

    "That was a pretty good chunk of what we were going to retire on," DeSmidt said. "I don't have a clue how it happened."

    The theft occurred on Oct. 23, while DeSmidt was on assignment for his company in China, near Shanghai. Just before lunch, someone else logged onto J.P. Morgan's Web site from a computer connected to the Internet through Comcast Cable Communications in Cherry Hill, N.J., and entered DeSmidt's user ID and personal access code.

    While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.

    A report by J.P. Morgan suggests the criminal was a bit anxious, perhaps disbelieving the good fortune of hacking such a valuable account. The imposter logged in again from the same computer 41 minutes later, at 1:06 p.m., and again at 11:30 p.m. to review the pending transaction.

    The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.

    DeSmidt didn't know it yet, but a quarter century worth of savings and investment gains had just disappeared.

    The theft wasn’t tax-efficient. Since DeSmidt isn't yet of retirement age -- he’s 57 -- there were severe penalties for the early 401(k) withdrawal, and J.P. Morgan held back about $35,800.09 to pay these taxes. Still, it was a good day's work for the hacker. The company sent the remaining balance -- $143,200.34 -- to an account under his or her control.

    SEC: Brokerage attacks ‘on the rise’
    Computer criminals have made the logical progression from credit card fraud to online bank attacks and now to big-ticket brokerage accounts, analysts say.

    Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.

    John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, acknowledged that online brokerage hacking is “on the rise” and warned of possible consequences for consumers.

    With simple credit card fraud, customers need only call their bank and refuse to pay for an item, he said, but brokerage account hacking is much more dramatic.

    “People need to understand this kind of fraud,” Stark said. “This is very serious stuff. … People wake up in the morning, look in their account, and their money is all gone.”

    Stark said any consumers who have encountered brokerage account fraud should contact his office for assistance at enforcement@sec.gov.

    Covering tracks
    Criminals who target brokerage accounts clearly know their craft. A day after successfully transferring DeSmidt’s money out of the 401(k) account, the hacker started trying to cover his or her tracks.

    On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account. Four hours later, using a Cox Communications connection out of Atlanta, the hacker re-entered DeSmidt's original checking account information. Other than the zero balance, there were no obvious signs remaining of the hacker’s visits.

    A few days later, DeSmidt checked his retirement balance online, as he does regularly, and spotted the theft. Then the paperwork nightmare began.

    "This has been very stressful,” he said. “My wife is going crazy."

    A flurry of e-mail, faxes and registered letters followed. JP Morgan ordered an investigation, and sent the results to DeSmidt on Dec. 1.

    "J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment," the report said. "Access and authentication controls established within J.P. Morgan worked appropriately."

    The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt's user name and password.

    The report's conclusion: "Investigation Status: Closed."

    It wasn't clear to DeSmidt what that meant; the firm never said it wouldn't issue a refund. But he was stuck in limbo, awaiting further instructions.

    Promised a refund
    Two more weeks passed, and DeSmidt started to fear his retirement money was indeed gone for good. By the time he contacted MSNBC.com, he said he had written to every government agency he could think of to no avail and hadn’t been able to find a lawyer willing to take his case.

    "I can find lots of attorneys that will defend me if I am the one accused of the crime," he wrote.

    DeSmidt's story, however, had a happy ending.

    When MSNBC.com contacted J.P. Morgan, the firm said its continuing investigation had borne fruit. Spokeswoman Mary Sedara said the stolen funds had been recovered and would be refunded in time for Christmas. The firm would even make good on any market gains DeSmidt missed out on while the money was missing, she said.

    The story didn't have to end this way, though.

    Few consumers appreciate the fact that, unlike credit card and checking account transactions, there are no federal consumer regulations specifically protecting consumers in the event of brokerage account hacking, said Gartner fraud analyst Avivah Litan. And with hackers targeting investment accounts more frequently, the legal loophole could leave investors with some ugly surprises.

    'They need to protect the assets'
    "This should be a call to action for the regulators," she said. "They are never going to protect against all the (criminal) methods. They need to protect the assets."

    Both credit card transactions and electronic account transfers, such as online banking payments, are governed by Federal Reserve regulations that strictly limit consumers’ losses from theft. Consumers who report credit card fraud are only liable for $50; liability for fraudulent checking account transfers is capped at $500 if the consumer reports the theft within 60 days. Refunds for checking account thefts must generally be issued within 10 days.

    The regulations are designed to boost confidence in the systems. But the Federal Reserve doesn't regulate investment firms, and the Securities and Exchange Commission doesn't mandate any similar protections for brokerage accounts.

    And Desmidt's tale is hardly an anomaly. Last year, several trading firms revealed they were hit by hackers. E-trade, for example, reported in October that it had lost $18 million to crime rings based in Eastern Europe and Thailand.

    Despite the lack of legal compulsion, some investment firms have taken to offering broad consumer protections anyway. Both e-trade and Charles Schwab offer credit-card style guarantees. Money stolen from Charles Schwab's Web site will be returned to consumers as long as the theft is reported in a timely way, said Schwab's Greg Gable.

    'We want people to feel secure'
    "There is a fundamental business need to do it," Gable said. "We don't want clients concerned about the safety of their assets. … We want people to feel secure."

    Gable wouldn't say how many Schwab customers had asked for theft refunds, saying only such cases were "very rare."

    Stark said that in every recent case of brokerage hacking he’s familiar with, consumers who complained have received full refunds. But the largesse is voluntary – unless the brokerage makes a clear promise like Schwab or e-Trade -- and it may not last forever.

    “Firms are reimbursing everyone (who) has that kind of loss,” he said. “But they didn’t always do that (and) I don’t know how long they can continue doing it.”

    Brokerage account hijacking has the attention of regulators, but at the same time criminals are getting cleverer. In late December, the SEC moved to stop a pump-and-dump scheme involving an Estonian firm.

    The SEC said the firm's Russian owner earned $350,000 by purchasing penny stocks, then hacking into other investors' accounts and purchasing large blocks of the stock before selling his own shares at inflated prices.

    Web-based investing scams have DeSmidt's attention, too. He is grateful JP Morgan promised to return his funds, but he's not about to let lightning strike twice. He told the company to shut down Web access to his accounts.

    "I prefer to keep the account access only over the telephone for now," he said.
  2. bylow---i think you got proxied---you have fallen into the trap of someone else`s agenda---come on--when you wire transfer money out of accounts--their is a paper trail a mile long--with 9/11 terrorist changes--it would be easy to catch any idiot trying that scam--this seems like one of those pr based stories pushed to promote one of many possible parties agendas. You notice how it was written with a bunch of "setup/manipulation" like oh...no this guy lost his life savings----all that drama up front---nothing happened---these cases are very bizarre and very rare---it seems their promotion is more of a tool for certain agendas--than an actual legitimate worry right now for account holders.
  3. rwk


    I tend to agree with BlueStreek. Unauthorized withdrawal is the most obvious -- and least likely -- threat to one's money. The worst threats are much more subtle, like entering unauthorized trades to pump a stock, or the holder of the funds skips town.
  4. The real crime is he's 57 and obly had $180,000 in a 401k after working and saving for 25 years. How do you retire on $400,000-$500,000 in another seven or eight years?
  5. While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.

    The guys brokerage was also criminally negligent.

    The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.

    The brokerage needs to reimburse him. Even IB requires one to confirm a bank account change via your registered email account. And what happened to finding out whose Bank Of America account the money went to? with the current super stringent anti-terrorist banking systems, the feds should have been able to find out in a couple of minutes. One has to question what these new laws are really being used for.

    This is what happens when you access your personal data from a public terminal.
  6. You'd be surprised how many baby boomers are facing retirement with not so much as a penny in savings. Not everyone is a successful futures trader who makes $50,000 per trading day. People are generally poor.

  7. Artie21


    Maybe the guy is perpetrating the fraud himself. Nice alibi. "I was in China"
  8. clacy


    This guys is WAY ahead of the majority of his peers. Which is exactly why social security needs to go private, yesterday.
  9. I would venture to guess that 90% of gainfully employed Americans are two paychecks away from bankruptcy (to those Americans that are unemployed, they worry not about retirement).

    Debt can build an economy, and it can destroy an economy.

    We are a nation of debtors, with a negative savings rate, while Chinese, Japanese and Germans save 50%, 25% and 20% of their incomes, respectively.
  10. Actually...
    You missed the point of the article... which was repeated about 10 times.

    The point of the article is that you have NO legal protection...
    Other than the goodwill of your broker.

    If you broker simply ignores you...
    You're only recourse is a costly, multi-year legal battle.

    What has happened primarily with "internet brokers"...
    Is that automation has created major security holes that did not exist 10 years ago.

    That wire transfer in the story could NEVER have happened 10 years ago...
    Because a Margin Clerk would have taken 2 minutes of time...
    And called you on the phone to confirm such an unusual transaction.
    #10     Jan 6, 2007