Saturday, April 07, 2007

Phighting Phishes and Pharmers

NEW YEAR’S VOWS TO GIVE UP STEALING apparently didn’t last long in 2007. More brokerage and international banks were subjected to popular forms of electronic pilfering in January than in any previous month monitored by the Anti-Phishing Working Group, an association devoted to eliminating identity theft and fraud.

APWG (http://www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of attempts to steal passwords or other important personal information from corporate customers, up more than 25% from December and 5% above the previous record, set in June of last year. In all, 89% of the 135 corporate brands attacked were financial. One new wrinkle: Brazilian hackers are now using a kit—which was first employed in Russia—to break into Websites.

In researching our annual review of the best online brokers (“Tools of the Trade,” March 5), we queried firms about their security precautions. Since publishing that ranking, we’ve received several queries in search of more security information. We’re happy to provide it.

What are these scams? One of the most common is “phishing,” a scheme that uses a seemingly legitimate e-mail to deceive a recipient into thinking she’s communicating with a trusted company or government agency. The idea is to spoof the victim into disclosing sensitive financial information, like a Social Security or bank account number, that can be used to access her money.

In the case of some online brokerage or mutual-fund scams, an investor may be subject to “pharming,” a similar deception in which she’s lured into making transactions on a phony Website that looks like the home of a legitimate investment company. These sites typically ask for a lot more log-in information, including Social Security number and credit-card info, than a legitimate site would, supposedly to “verify” your identity.

If an e-mail or a Website looks fishy (or phishy), call your broker or bank to verify its legitimacy, or to report an attack.

Is online trading safe “from loss due to computer hacking,” as a reader asks?

Not totally. An advantage of any software-based broker is that clients don’t have to log into a Website, thus avoiding the possibility of stolen passwords. Even so, software-based brokers are as susceptible as browser-based systems when it comes to hacking, or “packet sniffing.”

PACKET SNIFFING SOUNDS LIKE SOMETHING A POSTAL inspector might do, but it’s actually a task for software or hardware that can log data going over a digital network. The intent is usually benign: to locate trouble spots or highlight attempted break-ins early on. But packet sniffers can also be used to analyze—and steal—the data, including passwords.

One way to thwart these scammers is to use a digital security ID card, which is the size of a credit card with a small numerical display. The number changes every minute or so, in sync with the broker’s system. A user logs in with her ID and password, and then types in the current number. This is known as “two-factor authentication.”

This system thwarts sniffers, because the second factor changes every minute—even if they sniff out the log-in number, it will be useless in 60 seconds. Several brokers make these cards available to clients, including E*Trade, Interactive Brokers and optionsXpress.
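As an added example (not code from the column or from any of the brokers named), here is the idea behind such a card in Python: a secret placed on the card at enrolment, a code derived from the current minute, and a broker-side verifier that tolerates a minute of clock drift and refuses to accept the same minute’s code twice. The HMAC-based construction, the secret and the timestamp are assumptions; the vendors’ cards use their own algorithms.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the card's display changes about once a minute


def time_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code the card shows during the minute containing unix_time (assumed HMAC construction)."""
    counter = unix_time // step                      # same counter for the whole minute
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation to a short number
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Broker-side check: tolerate one minute of clock drift, never accept a code twice."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret, self.step, self.skew = secret, step, skew_steps
        self.used_counters = set()  # minutes already redeemed by this user

    def verify(self, submitted: str, now: int) -> bool:
        for k in range(-self.skew, self.skew + 1):
            t = now + k * self.step
            expected = time_code(self.secret, t, self.step)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                counter = t // self.step
                if counter in self.used_counters:
                    return False  # a sniffed code replayed inside the same minute
                self.used_counters.add(counter)
                return True
        return False  # wrong code, or a code from a minute outside the drift window


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed; written to the card at enrolment
    SNIFFED_AT = 1175940000                # constructed timestamp (April 2007)
    code = time_code(SECRET, SNIFFED_AT)
    v = TokenVerifier(SECRET)
    print("legitimate login :", v.verify(code, SNIFFED_AT))
    print("replay, same min :", v.verify(code, SNIFFED_AT + 10))
    print("replay, 3 min on :", TokenVerifier(SECRET).verify(code, SNIFFED_AT + 180))
```

A real deployment also rate-limits guesses, since a six-digit code is small, and keeps the per-user redeemed set bounded to the drift window.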

Most online brokerages offer repayment of any investor losses due to such thefts. For instance, E*Trade last year instituted a guarantee that covers any loss resulting from unauthorized use of its brokerage, banking, or lending services. Other firms reimbursing customers include Fidelity, TD Ameritrade, and WellsTrade. Firstrade this quarter will launch an Online Security Center, which will provide a written guarantee against losses sustained through online fraud.

Newer brokerages such as OptionsHouse, and older outfits like Scottrade and SiebertNET, which have recently revamped their systems, have implemented multilevel security protocols to prevent hackers from getting into their systems.

TradeKing will roll out new security shortly that includes a digital imprint stamped on every computer designated by the customer. Should an investor try to access an account from an unknown computer, he will be challenged with dynamically generated questions that must be answered before he’s permitted to enter a password.

The Securities and Exchange Commission has helpful information for online brokerage customers who think they may have had their identities compromised, at http://www.sec.gov/investor/pubs/onlinebrokerage.htm.

Published in Barron’s, April 2, 2007.

Posted by twcarey on 04/07 at 09:00 AM