Hackers break into online broker accounts in USA

High-tech crooks using spyware are costing U.S. discount brokerages millions of dollars to repay clients who have been victimized by fraud
The U.S. Securities and Exchange Commission warned earlier this month that scammers were hijacking online brokerage accounts using spyware and operating from remote locations.
TD Ameritrade Holding Corp. on Tuesday became the latest brokerage to confirm the problem. It said it cost $4 million in the third quarter to make whole customers whose accounts had been hacked.
Harder hit was rival E*Trade Financial Corp., which said its fraud losses ballooned by $18 million in the third quarter from swindlers who stole clients' identities and manipulated their accounts.
Both brokerages guarantee to repay clients who lose money through such frauds. A spokesman for a third discount brokerage, Charles Schwab Corp., said the company hasn't seen "anything unusual enough to merit a disclosure."
"During the quarter E*Trade, like a number of our competitors, experienced a significant increase in losses resulting from fraud relating to identity theft," said Jarrett Lilien, president and chief operating officer, on last week's conference call.
TD Ameritrade Chief Executive Joseph Moglia told Reuters that all those who stole clients' identities did so by using public computers rather than hacking into the Omaha, Nebraska-based company's internal systems.
He called the $4 million hit "not material at all." "This gets a lot of attention but it's not affecting the share price," he said.
TD Ameritrade shares fell 79 cents, or 4.8 percent, to close at $15.84, making them the top decliner on the Amex Securities Broker Dealer index. Moglia blamed the share price fall on a cut on its projections for 2007 earnings. Both firms said they were strengthening their defenses.
"We've seen that level of fraud in the last three weeks or so reduced to almost zero as a result of the changes we're making," E*Trade CEO Mitchell Caplan said in last week's conference call.
But Gwenn Bezard, an analyst with Boston-based consultant Aite Group, said E*Trade had previously made big efforts to bolster security and the $18 million increase was a sign of hackers' resiliency in flouting fraud prevention efforts.
"It's a reminder that though you may have stronger authentication it may not protect you from other types of scams," he said.
Both E*Trade and TD Ameritrade said they are working with investigators at the SEC, U.S. Federal Bureau of Investigation and other agencies to crack down on the scammers.
About 25 percent of U.S. retail stock trades are made by online investors through roughly 10 million online accounts, according to brokerages regulator NASD.
In many of the schemes outlined recently by SEC officials, crooks will load a victim's computer or a public PC with a spy program to monitor a user's activities and capture vital information, such as account numbers and passwords. The program then e-mails the stolen information back to the thief, who can use it to open victim accounts.
Once inside, the thief may sell off an account's portfolio and take the proceeds. Or electronically hijacked accounts may be used for "pump-and-dump" schemes to manipulate stock prices for profit, SEC officials have said.

By- Jonathan Keehner and Kevin Drawbaugh (Reuters)

Collaborate for Security

Closely working with Telecom Service Providers will help security agencies contain terrorists misuse of networks.

As responsible citizens of the world, we are all equal stakeholders in the society. It is our duty, therefore, to do our bit towards building a healthier and fearless society.
Terrorism and organized crime are the nemesis of today’s world. Terrorists exchange information to organize, plan, coordinate and execute their activities. Security agencies need to tap this information to take pre-emptive action and prevent terrorists from causing damage and loss to property and lives of the innocent people.
Lawful interception plays a crucial role in helping law enforcement agencies to combat against criminal activity by monitoring and intercepting communication between terrorist groups. While this has become a top priority globally after the incident of September 11, certain countries like Israel, India, and the US, that are prime targets of the militants, need to take more steps and be even more alert.
Although there are different standards for lawful interception, like CALEA (in the US) and ETSI (in Europe), security agencies in every country have different expectations and telecommunication service providers in each country have to build systems to meet the country’s legislations. However, there are certain genuine issues that service providers face while helping the security agencies in their mission to track terrorist activities.
A lot of information exchange happens through e-mails, Net telephony and VoIP over dedicated leased lines that bypass PSTN switches
The first and foremost issue is of lack of clarity in the exact requirements of lawful interception. This, coupled with unavailability of right solutions, has already delayed service rollouts of several NLD/ILD service providers. Unless and until the requirements are frozen, the right solution cannot even be thought of, let alone being developed.
The whole thing was much simpler earlier before Internet became prevalent, when only voice calls were intercepted. This process was as follows:
Security agencies provided the telecom service provider details of the phone number or group of numbers that had to be intercepted
The service provider programmed the switch to monitor those number(s)
Whenever a call was made from or to that number, the service provider would connect to the security agencies who could hear it live or/and record it as well
In the modern Internet world, this becomes very complex, where lot of information exchange happens through e-mails , Internet telephony and VoIP over dedicated leased lines that directly connect to the Internet cloud, bypassing the PSTN switches.
In India, the current scenario of lawful interception is quite fluid due to the following reasons:
Security requirements and solutions for TDM voice services are reasonably in place. However, for newer services like VoIP over IPLCs, there are no standard specifications defined for lawful interception
Liberation of telecom market in India is seeing large number of new private SPs entering the scenario. Security agencies that earlier dealt with only BSNL/VSNL are now trying to play it safe and make the security specifications as exhaustive as possible
Security agencies are still finalizing their expectations from SPs
In developed countries, where similar solutions have been deployed, usually the onus is on the security agencies to define the specifications and requirements for lawful interception. In fact, there the security agencies are the owners of the required monitoring systems and equipment and the respective governments provide subsidies for this project, as it is a matter of the nation’s security. The service provider is responsible only for providing access to the network traffic by tapping information at the entry/exit point of the network. This approach is followed in other countries based on two perspectives.

Confidentiality: Process and capability of monitoring remains fully confidential with security agencies.

Customized Solutions: The monitoring equipment are not available off the shelf. They are highly customized solutions, which require extra development efforts to meet the requirements and hence are very expensive.
Additional costs prevent SPs from lowering the tariffs and pass on the cost benefit to end consumers. Perhaps a phase-wise approach can give service providers sufficient time for implementation. But the key to successful implementation lies in a collective approach—involving service providers and security agencies.
By - Jagbir Singh