
Industry Reacts to New Generation of Hackers

November 21, 2006
By Joseph Radigan

Online security breaches remain a persistent problem, and two online brokers are feeling the pain from hackers who used keystroke-logging and phishing programs to steal customer IDs and passwords. E-Trade Financial Corp. disclosed in October that its fraud losses totaled $18 million in the third quarter. Competitor TD Ameritrade Holding Corp. said it spent $4 million to reimburse customers for losses they suffered from online fraud during the quarter.

There has been no letup in measures to counteract cybercrimes. Industrywide spending on online authentication and fraud detection will rise to $88 million in 2010 from $58 million in 2007 and $22 million in 2006, according to Boston-based research firm Aite Group.

The increased spending couldn't come at a better time, given the modes of attack on E-Trade and TD Ameritrade. John Reed Stark, director of Internet enforcement for the Securities and Exchange Commission, said that once the hackers broke in to the accounts, they either liquidated the proceeds or used their access to purchase shares of a microcap stock to pump up its value. This enabled the hackers to book a profit on their holdings in these thinly traded shares.

The nature of these attacks underscores how the hacking threat has changed. "Five or ten years ago, a hacker did this to become notorious," said Aite analyst Gwenn Bezard. "Today's hackers are doing this to make money." Organized techno-crime rings are getting into the act. All of this "highlights the need of all firms to redouble their efforts to protect customer information," Lori Richards, director of the SEC's office of compliance inspections and examinations, told Securities Industry News.

Stark took it as a good sign that the hacking hasn't breached the infrastructure of the online brokers. "They're just stealing user names and passwords," he said, adding, "The securities industry is working closely with us on this. I believe they are taking this very seriously, because they want to protect their customers." Since the agency implemented Regulation S-P in 2001, which codified security rules for Internet transactions, brokers and investment companies must have written policies that safeguard client information.

Travis Larson, a spokesperson for the Securities Industry Association (SIA), said members of the group's privacy and technology and regulation committees and its electronic authentication working group have been meeting with the SEC to discuss solutions. In addition to adhering to Reg S-P, Larson said some SIA members are also using guidelines published in the "Information Technology Examination Handbook" from the joint regulator for the banking industry, the Federal Financial Institutions Examination Council, as a model for their own best practices.

He also noted that many brokers already take basic steps such as monitoring customers' account activity and the Internet protocol addresses they use. The SIA advises retail customers to apply caution and common sense and avoid risky practices, such as logging on to their accounts via Wi-Fi connections in public places such as airports, or using shared PCs in libraries.

To put a stop to further hacks, banks and brokers are making their biggest investments in systems for fraud detection and user identification. Of 50 large banks and ten brokerages that Aite surveyed for its October report, "Online Banking and Brokerage Security," 92 percent said they either have installed such systems or selected vendors to provide them.