One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. In an instant, 25 years of savings had disappeared.
With a few clicks, someone raided DeSmidt’s retirement account with J.P. Morgan & Co and ordered a full disbursement to a private checking account.
Then came the really bad news. While credit card and online banking accounts are legally protected in the event of fraud, DeSmidt’s brokerage account came with no such insurance. Two months after the theft, his balance still read $0.
With hacking of brokerage accounts increasing, the legal gap facing DeSmidt and other victims has regulators and critics debating the need for new consumer protections.
‘I don’t have a clue’
The theft was the shock of a lifetime for DeSmidt, who plans to retire in a few years with his wife in their Mukwonango, Wis., home.
"That was a pretty good chunk of what we were going to retire on," DeSmidt said. "I don't have a clue how it happened."
The theft occurred on Oct. 23, while DeSmidt was on assignment for his company in China, near Shanghai. Just before lunch, someone else logged onto J.P. Morgan's Web site from a computer connected to the Internet through Comcast Cable Communications in Cherry Hill, N.J., and entered DeSmidt's user ID and personal access code.
While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.
A report by J.P. Morgan suggests the criminal was a bit anxious, perhaps disbelieving the good fortune of hacking such a valuable account. The imposter logged in again from the same computer 41 minutes later, at 1:06 p.m., and again at 11:30 p.m. to review the pending transaction.
The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.
DeSmidt didn't know it yet, but a quarter century worth of savings and investment gains had just disappeared.
The theft wasn’t tax-efficient. Since DeSmidt isn't yet of retirement age -- he’s 57 -- there were severe penalties for the early 401(k) withdrawal, and J.P. Morgan held back about $35,800.09 to pay these taxes. Still, it was a good day's work for the hacker. The company sent the remaining balance -- $143,200.34 -- to an account under his or her control.
SEC: Brokerage attacks ‘on the rise’
Computer criminals have made the logical progression from credit card fraud to online bank attacks and now to big-ticket brokerage accounts, analysts say.
Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.
John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, acknowledged that online brokerage hacking is “on the rise” and warned of possible consequences for consumers.
With simple credit card fraud, customers need only call their bank and refuse to pay for an item, he said, but brokerage account hacking is much more dramatic.
“People need to understand this kind of fraud,” Stark said. “This is very serious stuff. … People wake up in the morning, look in their account, and their money is all gone.”
Stark said any consumers who have encountered brokerage account fraud should contact his office for assistance at email@example.com.
Criminals who target brokerage accounts clearly know their craft. A day after successfully transferring DeSmidt’s money out of the 401(k) account, the hacker started trying to cover his or her tracks.
On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account. Four hours later, using a Cox Communications connection out of Atlanta, the hacker re-entered DeSmidt's original checking account information. Other than the zero balance, there were no obvious signs remaining of the hacker’s visits.
A few days later, DeSmidt checked his retirement balance online, as he does regularly, and spotted the theft. Then the paperwork nightmare began.
"This has been very stressful,” he said. “My wife is going crazy."
A flurry of e-mail, faxes and registered letters followed. JP Morgan ordered an investigation, and sent the results to DeSmidt on Dec. 1.
"J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment," the report said. "Access and authentication controls established within J.P. Morgan worked appropriately."
The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt's user name and password.
The report's conclusion: "Investigation Status: Closed."
It wasn't clear to DeSmidt what that meant; the firm never said it wouldn't issue a refund. But he was stuck in limbo, awaiting further instructions.
Promised a refund
Two more weeks passed, and DeSmidt started to fear his retirement money was indeed gone for good. By the time he contacted MSNBC.com, he said he had written to every government agency he could think of to no avail and hadn’t been able to find a lawyer willing to take his case.
"I can find lots of attorneys that will defend me if I am the one accused of the crime," he wrote.
DeSmidt's story, however, had a happy ending.
When MSNBC.com contacted J.P. Morgan, the firm said its continuing investigation had borne fruit. Spokeswoman Mary Sedara said the stolen funds had been recovered and would be refunded in time for Christmas. The firm would even make good on any market gains DeSmidt missed out on while the money was missing, she said.
The story didn't have to end this way, though.
Few consumers appreciate the fact that, unlike credit card and checking account transactions, there are no federal consumer regulations specifically protecting consumers in the event of brokerage account hacking, said Gartner fraud analyst Avivah Litan. And with hackers targeting investment accounts more frequently, the legal loophole could leave investors with some ugly surprises.
'They need to protect the assets'
"This should be a call to action for the regulators," she said. "They are never going to protect against all the (criminal) methods. They need to protect the assets."
Both credit card transactions and electronic account transfers, such as online banking payments, are governed by Federal Reserve regulations that strictly limit consumers’ losses from theft. Consumers who report credit card fraud are only liable for $50; liability for fraudulent checking account transfers is capped at $500 if the consumer reports the theft within 60 days. Refunds for checking account thefts must generally be issued within 10 days.
The regulations are designed to boost confidence in the systems. But the Federal Reserve doesn't regulate investment firms, and the Securities and Exchange Commission doesn't mandate any similar protections for brokerage accounts.
And Desmidt's tale is hardly an anomaly. Last year, several trading firms revealed they were hit by hackers. E-trade, for example, reported in October that it had lost $18 million to crime rings based in Eastern Europe and Thailand.
Despite the lack of legal compulsion, some investment firms have taken to offering broad consumer protections anyway. Both e-trade and Charles Schwab offer credit-card style guarantees. Money stolen from Charles Schwab's Web site will be returned to consumers as long as the theft is reported in a timely way, said Schwab's Greg Gable.
'We want people to feel secure'
"There is a fundamental business need to do it," Gable said. "We don't want clients concerned about the safety of their assets. … We want people to feel secure."
Gable wouldn't say how many Schwab customers had asked for theft refunds, saying only such cases were "very rare."
Stark said that in every recent case of brokerage hacking he’s familiar with, consumers who complained have received full refunds. But the largesse is voluntary – unless the brokerage makes a clear promise like Schwab or e-Trade -- and it may not last forever.
“Firms are reimbursing everyone (who) has that kind of loss,” he said. “But they didn’t always do that (and) I don’t know how long they can continue doing it.”
Brokerage account hijacking has the attention of regulators, but at the same time criminals are getting cleverer. In late December, the SEC moved to stop a pump-and-dump scheme involving an Estonian firm.
The SEC said the firm's Russian owner earned $350,000 by purchasing penny stocks, then hacking into other investors' accounts and purchasing large blocks of the stock before selling his own shares at inflated prices.
Web-based investing scams have DeSmidt's attention, too. He is grateful JP Morgan promised to return his funds, but he's not about to let lightning strike twice. He told the company to shut down Web access to his accounts.
"I prefer to keep the account access only over the telephone for now," he said.