Previous
Hostage Trade: Taliban Officials Released in Exchange for Italian Journalist
Next
Cockfighting: Centuries-Old Blood Sport on Its Way Out
Mar 20, 2007 5:00am

Russian Criminals Targeting U.S. 401ks and Online Traders

Cybercriminal rings in Russia and Eastern Europe have stolen tens of millions of dollars by breaking into and looting U.S. 401k and online stock trading accounts, FBI and SEC officials tell ABC News. "You could wake up one morning and find all your money in your retirement account or in your trading account is gone," said John Reed Stark, Chief of Internet Enforcement at the Securities and Exchange Commission. Read the E-mail Exchange Between a Russian Hacker and an ABC News Intern. In addition to the Russian rings, authorities have also seen hackers in India, Hong Kong and Malaysia going after similar online accounts. THE BLOTTER RECOMMENDS Blotter SEC Crackdown on ‘Pump and Dump’ Scams Blotter Feds Move Against Online Trading Criminals Click Here to Check Out the Latest Brian Ross Slideshows The criminals either cash out the stocks and wire the money to their own account or sell off the stock holdings to buy shares in worthless stock they control, an Internet version of the classic "pump and dump" scheme. In many cases, American victims have had their user IDs and passwords stolen when they use computers at hotel business centers and other Internet connection points. Click Here for Full Blotter Coverage. The FBI says the criminals secretly bug the computers with programs to record every key typed. "So that when you access your financial account, you are in fact giving the bad guy your account name, your password, your account number and essentially the keys to the kingdom," explained Shawn Henry, Deputy Director of the FBI’s Cybercrimes Division. Victims have included customers of E-trade, Scott Trade, Ameritrade, Fidelity, Merrill Lynch, Charles Schwab and Vanguard. As part of an ABCNews.com investigation, a Russian speaking ABC News intern logged on to a Moscow-based hackers forum and was offered the user IDs and passwords of six U.S. trading accounts for a cost of $350. The six accounts had almost $100,000 in value. The online criminal even offered ABC News a free sample, the user ID and password of an Ameritrade account owned by a man in Fremont, Calif.  When contacted, the California man confirmed it was his account and agreed to quickly change his password. The FBI’s Henry offered the following advice to avoid becoming a victim of such Internet theft: l. Always use a trusted computer when conducting financial transactions. 2. Going into a hotel or an airport or an Internet cafe, assume you may be at risk. 3. Closely scrutinize reports from your online trading firm to make sure the reported trades are ones you authorized. 4. Frequently change your password and when traveling, consider using a special program that will change your password every 10 seconds.    5. Make sure your own computer has anti-virus protection.

Previous
Hostage Trade: Taliban Officials Released in Exchange for Italian Journalist
Next
Cockfighting: Centuries-Old Blood Sport on Its Way Out

User Comments

I just watched this on ABC,so if you travel away from home ,computers in Hotels etc can get to you also The fbi says don t leave your computer on when your not using it. Doris H.

Posted by: Doris Haught | March 20, 2007, 7:56 am 7:56 am

Im glad to hear the News Networks and FBI is making the public more aware of computer fraud. But the real truth, is that computer user’s have been fooled into beliveing that the residence Antivirus program on there computer will keep them safe… SO WRONG, The big Antivirus Companys have Lied and they know it… A computer use today Needs Mutiple Protection tools. To keep there computer safe. Im a member of a International computer help group, and we test and use mutiple tools. The public needs to know this if they wish to keep there computers truly SAFE.

Posted by: L.Palmer | March 20, 2007, 8:07 am 8:07 am

The response from he Federal Retirement Thrift Investment Board (maintains Gov’t retirement accounts) about not being liable for losses really upset me. They claim no responsibility but provide minimal security in the format in which they require users to login to their accounts with SSN and a four digit numeric PIN. THIS IS UNACCEPTABLE!! While this goes on in the government, other agencies (FFIEC)that regulate the banking and credit union industry have been enforcing additional authentication requirements to prevent the exact events that this report was about. How ironic is that?

Posted by: W. Trout | March 20, 2007, 8:56 am 8:56 am

Something to remember when you use a computer on the road

Posted by: alan woodall | March 20, 2007, 9:27 am 9:27 am

Can you post online the video on Brian Ross’ 401K story from GMA this morning?

Posted by: Terry | March 20, 2007, 10:09 am 10:09 am

There’s such an easy way to combat this in the U.S.: Stop off-shore software development. And, refuse to do business with any company that endeavors in off-shore software development.

Posted by: Fred | March 20, 2007, 10:23 am 10:23 am

I’m a Network Admin for a small boutique hotel chain.
IF the hotels have the luxory of having an IT department, they would have properly set up the business center computers to avoid anyone installing rogue software on them.
Using a simple tool by microsoft, I’ve secured my hotel guests privacy when they access our public computers.
After every user is finished, either they can log off the machine or after 5 minutes of inactivity, the computer logs them off and reboots, effectivly restoring itself back to the way it was on the day i set it up.
Any shortcuts, virus’s and spyware, installed software, personal documents are erased.
I’ve implemented this free download at all of our hotels and so far I have not seen any trouble.
(The only complaint from some guests is that the normal windows experience is very restricted)
Granted, I know not every hotel (even large chains) have an IT staff available for the guests and hotel staff itself, so you should definitly be cautious of where you do your finances.

Posted by: Bill | March 20, 2007, 11:26 am 11:26 am

What knucklehead would trust a publicly available computer such as found at hotels and Internet cafes for such work?

Posted by: Clark | March 20, 2007, 11:49 am 11:49 am

Hackers stealing retirement funds?
This has been going on forever.
Of course we used to call them the IRS and congress.
But the damage is the pretty much the same.

Posted by: Zach | March 20, 2007, 12:05 pm 12:05 pm

I was almost a victim of this type of hack. Only thing that saved me was that I had set up email notification on my accounts for all transactions. It appears that someone hacked the telephone access, used that access to change my online password, then went online and transferred funds from a mutual fund into a money market. When I received the email on the changes to my account, I contacted the broker, advised I had not initiated these changes, and they immediately suspended access. However, it took me another 3 months, registered letters etc to get the brokerage to reverse the transfers and restore my account.
Apparently, there is a new scam where folks who make bad trades that lose money attempt to call brokerages and claim identity theft in order to reverse the trades… Hard to keep up.
Lesson learned, set up email notification on ALL access to you online accounts, change your ACCOUNT where possible to a alphanumeric account name (rather than SSN), and if your bank or brokerage offers it, go to two factor authentication (not just online password but some other personally set question)

Posted by: Matt | March 20, 2007, 12:55 pm 12:55 pm

I think we should just go back to the golden days, where there was more privacy on our lives and less to worry about someone else stealing your nested eggs.

Posted by: Erma | March 20, 2007, 12:59 pm 12:59 pm

Forgive my lack of knowledge, but do the same problems apply if your accessing through your own computer at a hotel using wifi or dial-up?

Posted by: Lisa | March 20, 2007, 2:19 pm 2:19 pm

It seems investigative journalists are able to track down the very people that are committing the scams, committing fraud, etc….and I feel our government or a mercenary should be able to do the same. Once you find the culprit……the next course of action is simple. After that, you catch a flight home.

Posted by: Dave | March 20, 2007, 2:50 pm 2:50 pm

Banks in the UK have changed to a system where you not only enter a User Name and Password but also have to enter several letters in a drop down list from a pre-designated word.
Assume the word is: clinton,
you might be asked for the 2nd and 5th letter.
Yu select these using a mouse on a drop down list.
This makes a keystroke logging program fail.
Also, the next time you log on, the server asks for different letters.
On a similar issue, all UK and most European credit card trasactions now require the entry of a PIN number into a terminal, and NOT a signature, which is not required.
Wake up America and start providing decent financial security.

Posted by: Norman | March 20, 2007, 3:02 pm 3:02 pm

This is all dependant upon who provides internet services to the hotels. Yes even your own computer could be vulnerable on certain networks.
Some hotels will only contract services from companies that offer more than adequate protection for your own computer as well as business center computers. The issue here is that ALL hotels need to be made aware of these issues and ensure that their service providers are doing all that they can to protect their guests.

Posted by: Sean | March 20, 2007, 3:44 pm 3:44 pm

You have to be careful in todays world. With more and more services being done through the internet, criminals are finding out it is much easier to get someones data and money through a key logger program or a phishing trick. On top of my Norton antivirus, I also use WebRoot anti spam and logger program to block and scan for any type of trojan progams

Posted by: Buck Johnson | March 20, 2007, 6:59 pm 6:59 pm

Will ABC blame Bush for this too lol

Posted by: sl | March 20, 2007, 10:12 pm 10:12 pm

Our Company sells, manages and monitors guest use computers for top hotels around the country. The foundation of our offering is security, privacy and reliability. Through our proprietary client management software, our systems are locked down to prevent hackers from loading any key stroke software and we electronically shred all guest user data upon ending their session. We proactively monitor and update our systems 24x7x365. My advice is that hotels provide their valuable guests with a high quality service such as ours and that hotel guests needing secure public access computers stay at a hotel offering our secure guest use computers.
Victor Alikin

Posted by: Victor | March 21, 2007, 1:10 am 1:10 am

I am a director of MIS for a large upscale hotel chain, who we wont mention. The point being most of these business centers are run by 3rd party companies. While most have software remedies like mentioned above, hardware is never locked down or secured. Very easily someone could slip in put a hardware device that records credit card information as well as echo key strokes. NO hotel is 100% safe from this. Best advise is use your head or bring your own laptop to use on travel.

Posted by: KK | March 21, 2007, 1:00 pm 1:00 pm

If I take my computer to a hotel, log on to read my newspaper or check the email but do not log on to scottrade or my financials…. can they still track my password and wipe me out?
Or is it only if I log on to financial website with password.
I’m scared. Please tell me.

Posted by: Brigie | March 21, 2007, 1:25 pm 1:25 pm

my mac just laughs at all of this stuff. someone remind me why microsoft is so popular?

Posted by: weefs | March 21, 2007, 3:37 pm 3:37 pm

One thing we don’t understand – how do the theives cash out the stolen stocks and get the money into their own account? We have an Ameritrade account and the only place money can be directed is into our bank account. Do the thieves have the ability to withdraw funds from our bank account too?

Posted by: Van | March 22, 2007, 12:31 am 12:31 am

This is an outrage! We’re forced to put money into 401K’s and other investment vehicles in part to sustain us in retirement because corporations continue to minimize/eliminate pensions and now with this garbage taking place we are robbed blind. Shame on the investment firms and our government. Just another case of Americal relinquishing its standard of living either by “outsourcing” or just plain neglect. People better wake up!

Posted by: Jim | March 22, 2007, 10:18 pm 10:18 pm

Lets get George Bush impeached and these cronies of his thrown out of office. The Republican Party is against the American way of life. Wake up America! A & B in Alabama.

Posted by: angela | March 23, 2007, 10:46 am 10:46 am

My guess is that the crooks are only transferring money from regular accounts directly, not from IRAs/401Ks. So if they break in, they can certainly wire money from your regular account.
Do not use public computers to access your accounts. Even though the security lock may show, if the public computer has a spyware program called a keylogger, it will capture your password info as you type it into the machine (before it ever goes out on the internet). Then the keylogger will transmit it to the crooks on the web behind the scenes.
If you use your own laptop on the road on a wireless network, you still face some risk, but it is far lower. If you use your own laptop in your room via an ethernet (wired) network, your risk is reduced almost to the same level you have at home.
By the way, if you use your laptop on the road and NEVER access your online accounts, your risk is almost zero that the crooks could get any info off your laptop (after all you never transmitted your password).

Posted by: Craig | March 23, 2007, 5:31 pm 5:31 pm

Good articles and news. Now a days we are afraid of using these facilty as hacking is getting common and eat our hard earn money which we use it very judicially and after careful thought.
ASs sugeested to change your password every ten second how it is possible and secondly very difficult to remember when you will use which pass word to acesses. If we forget password than especiaaly while in travelling you are stuck. Secondly you are engage in non productive activities and it will be very difficult to focus onbusiess for which you are travelling.
Look forward to see more ways of protections. information and method of safe guarding our hard earned money. Prime responsibilty of hotel ptroviding safety to their valuable customers,

Posted by: Mahmood Hussain | March 24, 2007, 11:47 am 11:47 am

Does it help to have the password written in an innocuous file, then using the mouse to cut and paste it?
That would bypass any keystroke reading programs, wouldn’t it?

Posted by: Kevin Rooney | March 25, 2007, 11:34 pm 11:34 pm

I have an Ameritrade acct. I am usually outside of the US, on business. I sometimes need to use wire transfers to move funds from Amerit. into or out of a US or foreign bank acct. Each time I put in a request for this type of transfer, I am required by Amerit. to submit a signed letter of authorization, and the funds can only be wired to one of my preauthorized accts, and only to accts. in my own name.
Ask your financial services providers to request of you extra authorization levels for transactions. It may add time and minor inconvenience, but I believe it’s worth it.

Posted by: commissar | March 26, 2007, 4:33 pm 4:33 pm

“crush after using” is my motto..
Seriously – Do not set up your account for wire transfers!!!

Posted by: wayne | March 28, 2007, 4:28 pm 4:28 pm

To all of you who use “internet” in financial dealing, remember the “enigma machine”………….

Posted by: Boris | March 28, 2007, 8:43 pm 8:43 pm

I tend to think that this is more the hubris and anarchy of the American government that is doing this and blaming it on Russians

Posted by: Vox Populae | March 28, 2007, 10:34 pm 10:34 pm

how about voice recognition matching customer data bank via phone for confirmation of trade plus password plus personal question, then callback from trader/bank for verification before processing,+++ then confirmation callback that message rec’d. etc…+++? would that work for a while?

Posted by: wmitch | March 29, 2007, 11:07 pm 11:07 pm

If you are done accessing anything that has to do by using passwords could the thieves get ahold of your password?
P.S.-If you put your computer on stand-by after your done using computer,and when you come back to use computer again,at the Welcome Screen,could thieves still get any information without your logon password?

Posted by: Matthew Way | April 4, 2007, 9:27 pm 9:27 pm

If this is happening on your own computer changing your user id
and password frequently is not going to help. Is there a scenario which describes how such a “key stroke” program could somehow get onto your home computer. Does any of the anti virus software or operating system software defend against this intrusion?..probably not.

Posted by: Alex | April 4, 2007, 10:54 pm 10:54 pm

Russian hackers are dangerous! They will crack all! BUT! We usual people. Simply we for the accessible information! We do not plunder! We do not offend! We for the truth! For availability! We not monsters!

Posted by: Masta_man | April 13, 2008, 5:14 am 5:14 am

Top

Leave a Reply

Do you have more information about this topic? If so, please click here to contact the editors of ABC News.