TechWeb

Compromised PC Leads To Big Fraud Losses For E-Trade

Oct 25, 2006 (04:10 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=193402349


A compromised PC opened the door for cyberattackers to wreak havoc on online broker E-Trade. The Securities and Exchange Commission, the FBI, and other government enforcement agencies are investigating the crime, in which thieves conducted fraudulent transactions that cost the brokerage millions of dollars to cover customer losses.

E-Trade CEO Mitchell Caplan this week acknowledged during a conference call with financial analysts that his company "experienced a significant increase in losses resulting from fraud relating to identity theft." The fraudulent activity contributed to the $18 million in fraud losses the company reported during its third financial quarter. The company acknowledged in a statement that "the vast majority of online fraud is identity-theft related and is a result of a compromised personal computer."

Other online brokers are likewise falling victim to a variety of schemes aimed at stealing client information in order to conduct fraudulent transactions. TD Ameritrade acknowledged that it had to cover $4 million in fraudulent transactions for its most recent quarter, ended Sept. 30. A spokeswoman for TD Ameritrade, which says it has 6 million clients, says that while an unspecified number of its clients have been victims of identity fraud, the company has "never had a breach or intrusion" in its history.

The online brokerages are just the latest victims in the new economy that has sprung up around the demand for stolen personal information, which can be used to bleed bank accounts, run up victims' credit, and now apparently to pull off so-called pump-and-dump scams where a thief inflates the price of a stock for personal gain. In this case, authorities are investigating the possibility that cybercriminals used funds from customers of E-Trade and other brokerages to drive up the prices of stocks so that the criminals could sell off their shares for a large profit, leaving brokerage customers with a bunch of relatively worthless shares. While E-Trade has traced the source of the fraud to a ring of criminals operating out of Eastern Europe and Thailand, TD Ameritrade's spokeswoman said it was unclear whether the company was hit by the same group.

Cyberthieves are deploying increasingly sophisticated phishing and spyware campaigns to defeat defensive measures. One relatively new phishing technique involves faking the browser "chrome" around a Web page. The chrome includes a Web page's window frames, menus, toolbars, scroll bars, SSL indicator, and any other elements that make up the page's borders--details that not many Web surfers scrutinize, but which make a fake page look more authentic. Such phishing attacks have been on the security community's radar screen for less than a month, says Sioux Fleming, CA's director of product management.

Businesses will have to adapt, regardless of how quickly new phishing techniques emerge. Only a handful of states, including Arkansas, California, New York, Utah, and Virginia, have anti-phishing laws to act as a deterrent. And a federal law is unlikely to be passed because lawmakers "can't agree on whether to make businesses liable for losses, in addition to the phishers," says Jeffrey Neuburger, a partner with the law firm Brown Raysman Millstein Felder & Steiner.

In the meantime, law enforcement is encouraging businesses hit by cybercrime to come forward, much the way E-Trade has done. "There's a huge issue with the underreporting of cyberattacks in the corporate world," Mark Mershon, assistant director in charge of the FBI's New York office, said this week at the InfoSecurity conference.

The authorities are getting some tools on their side to compel businesses to report stolen data and breaches, in particular the state breach-notification laws that have been passed in more than 30 states. Until law enforcement gets full cooperation from the victims of cybercrime, it will remain in reactive mode toward cyberthreats, and those threats are not going away. "Greed and the thirst for money always outpaces the ability to stop it," says FBI Special Agent Milan Patel.