
Author Topic: Protect Passwords  (Read 820 times)


RJ749

Protect Passwords
« on: January 25, 2007, 03:11:53 PM »



IN AN INSTANT, RETIREMENT SAVINGS VANISH
Posted: Friday, January 5 at 04:00 am CT by Bob Sullivan

One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. In an instant, 25 years of savings had disappeared.

With a few clicks, someone raided DeSmidt’s retirement account with J.P. Morgan & Co and ordered a full disbursement to a private checking account.

Then came the really bad news. While credit card and online banking accounts are legally protected in the event of fraud, DeSmidt’s brokerage account came with no such insurance. Two months after the theft, his balance still read $0.

With hacking of brokerage accounts increasing, the legal gap facing DeSmidt and other victims has regulators and critics debating the need for new consumer protections.

‘I don’t have a clue’
The theft was the shock of a lifetime for DeSmidt, who plans to retire in a few years with his wife in their Mukwonango, Wis., home.

"That was a pretty good chunk of what we were going to retire on," DeSmidt said. "I don't have a clue how it happened."

The theft occurred on Oct. 23, while DeSmidt was on assignment for his company in China, near Shanghai. Just before lunch, someone else logged onto J.P. Morgan's Web site from a computer connected to the Internet through Comcast Cable Communications in Cherry Hill, N.J., and entered DeSmidt's user ID and personal access code.

While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.

A report by J.P. Morgan suggests the criminal was a bit anxious, perhaps disbelieving the good fortune of hacking such a valuable account. The imposter logged in again from the same computer 41 minutes later, at 1:06 p.m., and again at 11:30 p.m. to review the pending transaction.

The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.

DeSmidt didn't know it yet, but a quarter century worth of savings and investment gains had just disappeared.

The theft wasn’t tax-efficient. Since DeSmidt isn't yet of retirement age -- he’s 57 -- there were severe penalties for the early 401(k) withdrawal, and J.P. Morgan held back about $35,800.09 to pay these taxes. Still, it was a good day's work for the hacker. The company sent the remaining balance -- $143,200.34 -- to an account under his or her control.

SEC: Brokerage attacks ‘on the rise’
Computer criminals have made the logical progression from credit card fraud to online bank attacks and now to big-ticket brokerage accounts, analysts say.

Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.

John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, acknowledged that online brokerage hacking is “on the rise” and warned of possible consequences for consumers.

With simple credit card fraud, customers need only call their bank and refuse to pay for an item, he said, but brokerage account hacking is much more dramatic.

“People need to understand this kind of fraud,” Stark said. “This is very serious stuff. … People wake up in the morning, look in their account, and their money is all gone.”

Stark said any consumers who have encountered brokerage account fraud should contact his office for assistance at enforcement@sec.gov.

Covering tracks
Criminals who target brokerage accounts clearly know their craft. A day after successfully transferring DeSmidt’s money out of the 401(k) account, the hacker started trying to cover his or her tracks.

On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account. Four hours later, using a Cox Communications connection out of Atlanta, the hacker re-entered DeSmidt's original checking account information. Other than the zero balance, there were no obvious signs remaining of the hacker’s visits.

A few days later, DeSmidt checked his retirement balance online, as he does regularly, and spotted the theft. Then the paperwork nightmare began.

"This has been very stressful,” he said. “My wife is going crazy."

A flurry of e-mail, faxes and registered letters followed. JP Morgan ordered an investigation, and sent the results to DeSmidt on Dec. 1.

"J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment," the report said. "Access and authentication controls established within J.P. Morgan worked appropriately."

The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt's user name and password.

The report's conclusion: "Investigation Status: Closed."

It wasn't clear to DeSmidt what that meant; the firm never said it wouldn't issue a refund. But he was stuck in limbo, awaiting further instructions.

Promised a refund
Two more weeks passed, and DeSmidt started to fear his retirement money was indeed gone for good. By the time he contacted MSNBC.com, he said he had written to every government agency he could think of to no avail and hadn’t been able to find a lawyer willing to take his case.

"I can find lots of attorneys that will defend me if I am the one accused of the crime," he wrote.



http://redtape.msnbc.com/2007/01/one_moment_dave.html#posts