Schneier on Security
A blog covering security and security technology.
November 10, 2005
Fraudulent Stock Transactions
From a Business Week story:
During July 13-26, stocks and mutual funds had been sold, and the proceeds wired out of his account in six transactions of nearly $30,000 apiece. Murty, a 64-year-old nuclear engineering professor at North Carolina State University, could only think it was a mistake. He hadn't sold any stock in months.
Murty dialed E*Trade the moment its call center opened at 7 a.m. A customer service rep urged him to change his password immediately. Too late. E*Trade says the computer in Murty's Cary (N.C.) home lacked antivirus software and had been infected with code that enabled hackers to grab his user name and password.
The cybercriminals, pretending to be Murty, directed E*Trade to liquidate his holdings. Then they had the brokerage wire the proceeds to a phony account in his name at Wells Fargo Bank. The New York-based online broker says the wire instructions appeared to be legit because they contained the security code the company e-mailed to Murty to execute the transaction. But the cyberthieves had gained control of Murty's e-mail, too.
E*Trade recovered some of the money from the Wells Fargo account and returned it to Murty. In October, the Indian-born professor reached what he calls a satisfactory settlement with the firm, which says it did nothing wrong.
That last clause is critical. E*trade insists it did nothing wrong. It executed $174,000 in fraudulent transactions, but it did nothing wrong. It sold stocks without the knowledge or consent of the owner of those stocks, but it did nothing wrong.
Now quite possibly, E*trade did nothing wrong legally. There may very well be a paragraph buried in whatever agreement this guy signed that says something like: "You agree that any trade request that comes to us with the right password, whether it came from you or not, will be processed." But there's the market failure. Until we fix that, these losses are an externality to E*Trade. They'll only fix the problem up to the point where customers aren't leaving them in droves, not to the point where the customers' stocks are secure.
Posted on November 10, 2005 at 2:40 PM
Wow - something I've always feared for myself. If the financial institution takes responsibility, how can this problem be solved?
If there is 2FA, say with a secure ID token, compromise of just the password won't work (although as you've pointed out earlier, it is still susceptible to phishing with a man-in-the-middle; arguably this still is good because to trade, a crook would have to phish successfully). For trade transactions, the most secure way will be to call the customer up, but that takes time and the instantaneous advantages of online trading are somewhat compromised. Perhaps some sort of automated touch tone confirmation or an SMS to a cellphone will make it more palatable without frittering away the instant benefit too much?
If I've understood what you have recommended in past threads, Bruce, is to proactively identify fraudulent transactions. So in this case, a 'quiescent' account being liquidated in its entirety could raise suspicion and trigger a phone call to verify. But how long will it take for the crooks to understand simple cases of how fraud tx identification occurs and work around it? If they are less greedy and liquidate half of the account, will it trigger a fraud check? Or should consumers be given the ability to set notification-verification limits?
While working on fraud tx detection is absolutely needed, there is going to be a tradeoff between user convenience and security -- as long as the inconvenience is 'configurable' and inversely proportional to risk endured, it may be acceptable to a majority of the customers.
Anyways, no disagreement that the FIs should take more responsibility - sigh.
I appreciate the sentiment in the abstract, but in this case, it seems that it was the customer's security failure that allowed the fraud to occur.
Murty stored sensitive data in an unsecured system, and he got hurt because of it.
At some point, the individual needs to be responsible for protecting their own interests. I think this particular case crossed that line when Murty's personal box got owned.
We saw this coming and even worried about a criminal using other peoples money in brokerage accounts to manipulate small cap stocks. The criminal takes a position in their own account and uses other peoples money to move the stock up or down to their benefit.
In 98/99 we had a designed and implemented solution that used smart cards to digitally sign every transaction and verify the brokerage signatures. Fell flat, never made it to a significant beta because of the additional cost per customer. Then day trading died and ...
I think it's more or less stupidity to put that much money behind such an online system. Getting codes for authorizing transactions by email should already ring some alarms.
"I appreciate the sentiment in the abstract, but in this case, it seems that it was the customer's security failure that allowed the fraud to occur."
I know, but this really has to be besides the point. Customers will always have security failures. A good commerce system has to be resilient against that.
Look at credit cards. Customers have security failures all the time, and they're not liable for losses. That's what needs to happen here.
"If I've understood what you have recommended in past threads, Bruce, is to proactively identify fraudulent transactions. So in this case, a 'quiescent' account being liquidated in its entirety could raise suspicion and trigger a phone call to verify. But how long will it take for the crooks to understand simple cases of how fraud tx identification occurs and work around it? If they are less greedy and liquidate half of the account, will it trigger a fraud check? Or should consumers be given the ability to set notification-verification limits?"
Don't know. Certainly the security lessons learned from the credit card industry would be applicable here. My guess is that an aggressive expert system would detect suspicious transaction patterns, and then a person would follow up. When I get a call from my credit card company asking if I really made this or that transaction, I'm not annoyed. I'm pleased.
"Murty stored sensitive data in an unsecured system, and he got hurt because of it.
At some point, the individual needs to be responsible for protecting their own interests. I think this particular case crossed that line when Murty's personal box got owned."
Er, how was the customer to keep the sensitive data in a secured place, when E*Trade emailed him the authorization code for the transaction in CLEAR TEXT?
The corporation needs to be responsible for protecting the customer data in some sort of secure fashion. Emailing confirmation codes for $30,000 transactions is just irresponsible.
Yes, it's rather like leaving your car keys on a table in the hotel lounge and then asking the hotel to compensate you for your stolen car.
I agree with you too. In the example above, it would be good of the hotel to have cameras and attentive bellhops.
But this can be a really tough problem to solve. Real security is a real inconvenience, which is entirely contrary to what E-Trade is supposed to provide - convenience.
The reason credit card holders are pretty defended these days is perhaps because most credit card holders become victims of fraudulent transactions when the item is physically stolen from them, which usually means it's not very long before they contact the card company.
Besides, with credit limits, the damages any party (be it the credit card company, an insurer or a vendor where the card was used) must sustain are a lot lower than this poor man suffered via E-Trade.
Hell, aren't bank accounts only insured to $25,000 anyway? Can the private industry really be expected to do better?
I guess what no one here knows is how much money E-Trade reimbursed. That could have an effect on a lot of our feelings, I suppose.
"Look at credit cards. Customers have security failures all the time, and they're not liable for losses. That's what needs to happen here."
That would be great. Banks and FI's are starting to follow the CC model with debit cards tied to regular bank accounts. I suspect that this may eventually happen with other, higher value accounts.
CC would never have gotten the installed base they have today if the FIs would not have indemnified the card holders, limiting the card holder's risk to $50 (or whatever). However, this CC "insurance" is paid for by enforcing CC spending limits, high usage costs (for some CC holders), merchant fees, and high penalties (late fees, etc.).
As a CC holder that pays the CC balance in full each month, has a grace period, and no annual CC fees, the CC system works great for me (and others like me). I get convenience, no extra cost, and limited liability.
However, someone has to pay for this CC "insurance", or the CC system would not work. Those that end up paying late fees, high % fees for maintaining a CC balance, and the CC merchants, are the ones paying the "insurance premium" by subsidizing the cost for the FIs to maintain the CC system and to cover the $billions in CC fraud each year.
"Until we fix that, these losses are an externality to E*Trade. They'll only fix the problem up to the point where customers aren't leaving them in droves, not to the point where the customers' stocks are secure."
Agreed. Sad thing is, in this case, there is probably not enough fraud taking place! Until the level of fraud "crosses the line", where customers are truly leaving them in droves due to uncovered financial loss from fraud, companies like e-trade will not take any real action, since what they are doing now is "good enough", and fits within their risk model.
@liability: "someone has to pay for this CC insurance, or the CC system would not work. Those that end up paying late fees, high % fees for maintaining a CC balance, and the CC merchants, are the ones paying the insurance premium by subsidizing the cost for the FIs to maintain the CC system and to cover the $billions in CC fraud each year".
The costs have to come from the profits these FIs make. Also, it may not be a bad idea to have the customer endure a small share of the liability like CCs do. At some point, a far sighted FI would use this CC model to protect its consumers as a business advantage and hope that increased incidents of fraud will lead to migration to their better protected system and make the increased costs a worthwhile business investment.
The government is supposed to be sensitive to consumer interests vis-a-vis the large corps. Now that the online brokerage industry has pretty much shaken out with good consolidation and healthy profits, it is time to put pressure back on the FIs and make it more secure for us, the small guys.
Bruce or anyone: I've asked for this on other threads and given up on online searches. Is there any decent reading material on software systems a la Falcon, that discusses the field of fraud tx identification?
Calling someone to verify a stock transaction seems silly to me. Do they guarantee my strike price at the moment I pressed the "sell" button, or after they verify it? There's a lot more going on in a stock transaction than a simple bank wire transfer.
byte_jump, if they verified the request for the wire transfer (which doesn't have the strike price issue you mention), there wouldn't be nearly as much incentive for the bad guys to make a fraudulent stock sale. In other words, it's the wire transfer they should verify, not the sale.
Security costs money. But I would pay for it if i know I'm getting it. At this point I don't touch internet banking, because there is little to give me a good indication of security. I still do all stock trading via phone or face to face with my broker.
Now if a company could prove that they are secure I would be happy with higher fees etc. But I can't, and the fact remains that more expensive services may be just as insecure as cheap ones, *because* there is little cost to the company.
Either cert standards backed by liability laws, or just liability laws are needed.
(OT but the EULA in software is just stupid, this kinda thing needs to stop)
Terms and conditions for Australian internet bank have almost exactly this clause (you indemnify the bank that anyone using your account is you - whether or not this is true).
The reason I don't do internet banking has nothing to do with security and everything to do with personal liability.
Banks here have simply used internet banking to move liability away from themselves and onto their customers.
This won't change due to increased bank morality because banks are amoral.
It won't change due to customer request, because all banks do it and banking is a regulated industry - so customers can't go elsewhere.
It can only change through regulation.
What if the customer had spray-painted his passwords on the outside of his house?
I think you're convolving two different problems that should be treated separately:
(1) Customer access from a non-secure system, e.g, any system in the customer's home. It's impossible to secure such systems, period. Who should be liable?
(2) There's the second problem of ID theft. In those cases, as I've argued before, the criminal and the institution that grants credit based on the false or stolen credentials are the ones who should be held liable. In many cases, the institution grants credit based on faulty, sloppy, or "inexpensive" procedures -- and then tells the victim that it's the victim's responsibility to clean up the mess. (There's a talmudic dictum of "he who claims must bear the proof," but a mere assertion of claim from a credit card company is now cause for endless worry and expense, which is very odd indeed.)
I don't see how you can put the burden of case (1) on the financial institution -- not unless you are willing to shut down Internet banking entirely.
>>> Yes, it's rather like leaving your car keys on a table in the hotel lounge and then asking the hotel to compensate you for your stolen car.<<<
No, it's not like that. In that case the hotel doesn't even know that the keys are yours (maybe they're mine, and I am not a guest), nor do they make a guarantee to keep your property safe at the lobby.
E-trade, as a financial institution, knows about your stocks and keeps them for you. In order to serve you, they need to identify your requests. Their method is not perfect and they know it. So, they set up the terms of agreement such that they don't have to prove that the request came from you under their scheme. You can't prove that it was not coming from you, either.
Imagine a world where hackers were incredibly competent and defeated every electronic authentication mechanism on the internet. E-trade would not exist as a business since no customer would sign up with such terms & conditions. It would be up to e-trade to secure the transactions. They would perhaps manufacture their own computers, build their own network and write their own software if necessary.
It is just too easy to sidestep the security problems of the existing (and insecure) home computing environments with carefully crafted terms & conditions.
I don't agree that this type of security failure is just the responsibility of the customer. E*Trade (along with most trading & banking websites at present) is relying on an authentication method that has major weaknesses, and doesn't provide an easy way for their customer to understand the risks or how to address them. [E*Trade has started to rollout RSA SecurID tokens to their customers, so of course I'm talking about their poor password-only bunnies.]
With the car key analogy, it's actually more like leaving them in your house - but your car having funky new keys that use Wifi with cleartext ...
I'd guess that credit card companies are good at detecting fraudulent transaction patterns because they've had to deal with a lot of fraud (and have the clear financial consequences).
In electronic banking and trading the amount of fraud is clearly on the increase, but still more than an order-of-magnitude less than credit card fraud. Practically most of these organisations will be directly taking the fraud costs for internet banking/trading (so as to avoid the publicity of law suits etc.)
"I don't see how you can put the burden of case (1) on the financial institution -- not unless you are willing to shut down Internet banking entirely."
How come I can take my credit card and throw it in the middle of a crowded room and not be liable for any charges I didn't make, and at the same time not shut down the credit-card industry?
Come on, Internet banking won't shut down. The Internet banks will figure out security models that don't depend on any particular customer behavior. They will, because it will be in their economic best interest to do so. Don't have so little faith in the power of capitalism.
Although some of the Australian banks have T&Cs that imply customer responsibility when using Internet Banking, in practice this is unenforceable. The banks are all signatories to the EFT Code of Conduct which means that the customer has very limited liability (something around $50). Banks also avoid bad publicity as much as possible, so customers naturally get paid out in full.
Of course this isn't saying it's all nice & easy for customers when this sort of fraud issue happens - the banks check out that the customer wasn't involved in perpetrating the fraud, and it can take some time for the money to be returned and any bounced transactions/fees etc. sorted. All round lots of pain for the unfortunate customer, even though they get the money.
I like your optimism. My thought is that if the bank was happy with the liability then internet banking would have the same liability as credit cards. Which it doesn't. Come to think of it banks moved liability away from themselves when we moved from cheques (bank is liable) to credit cards (merchant is liable).
Since banks only listen to money I have only one vote to use in trying to register my unhappiness at their attempt to paint me as the villain in a fraud perpetrated against me through deficiencies in a system designed and run by the bank. That vote is my wallet.
Also, I have yet to read a T&C's for any bank in Oz that doesn't have that. Do you know one?
Lastly, it isn't implied - it's a specific provision.
Here's what i'd do if i were in charge:
By default, ETrade would get to know your profile. If all you do is dump money into a mutual fund and occasionally buy and sell some AAPL and GM stock, they'll let you do that all you want.
But if you should try to buy $50,000 of some penny stock, or liquidate the mutual fund, at that point you have to authenticate via a second, slightly less convenient method. A four-digit number sent via SMS to your cell phone. Or a computer calls your land line and recites a few digits. Or you call the computer and it uses Caller ID. Or you use an RSA token.
Power traders, who need to be able to buy and sell all day at a moment's notice and have no time for a second authentication factor, could explicitly disable these protections at their own risk. Maybe they could get a USB dongle, which mitigates a lot of that risk for a moderate price.
How about a Bluetooth device with a fingerprint reader? Turn it on, touch your fingerprint to it, and it allows you to daytrade to your heart's content, with your trades going out as soon as you click Submit. A tiny expense for any power user, and it provides excellent security with little inconvenience.
So there you go -- fast access for the power users, cheap and simple access for my Mom, and everyone's secure.
If you toss your card into the middle of a crowded room, in theory you are liable for the charges. In practice, the credit card companies have tremendous experience and some very, very clever fraud-detection schemes; and they tend to write off small amounts of fraud, the same way stores write off small amounts of shoplifting and employee theft. In fact, that's a great analogy; sometimes the credit card companies even have "sales" on money, as in, "interest free for six months."
Banks operate under a different mindset; they're quite serious about guarding the flow of money. The fraud can reach serious levels, and they aren't operating on the same 1.5% (minimum) per transaction that credit card companies have.
In summary: because of the different underlying business models, Internet banking won't support the fraud levels that credit card companies accept. (And note that ATMs, subject to fraud, charge per-transaction fees whenever they can, to bring that banking activity up to credit-card levels of income.)
And I don't think "security models that don't depend on any particular customer behavior" can be hand-waved into existence. If the entire burden of a particular realm of transaction is on the banks -- any wild and irresponsible behavior on the customer's part ignored -- then no bank will operate in that realm.
Callback on a mobile for any passed order?
Maybe should there be a system to automatically callback to a known mobile phone for order confirmation? You may have to type a pin there (pin that you receive from the mail, or by SMS).
I've seen that work for Domain Name registration, while I was to pay $10 to a company in another continent. So the model works financially. Practically most people will accept to lose a minute for a transaction registration.
In terms of security, there may be new issues, but having a physical link. Someone would have to take control of the PC and steal the mobile/take control of the mobile network. I maybe forgot something?
My bank and stock broker require one time password for any operation except those defined as safe (e.g. transfers between my accounts). The passwords are sent by post, not email, or given to the account holder in the bank branch. As far as I know, all banks in Poland use either OTP or cryptographic tokens (challenge-response system, token has its own keyboard and display, you never connect it to a computer). While this system is not completely tamper-proof (no system is), it greatly reduces the possibility of fraudulent transactions, while being cheap to implement and relatively unobtrusive. I'm surprised it's not that popular in other countries.
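The comment above describes a challenge-response token with its own keypad and display: the token signs the transaction the customer reads on the token itself, not what the PC shows. The following is an added example (not code from the original post, nor from any bank or from E*Trade) of why that design resists a compromised home computer. It assumes a shared secret provisioned to the token out of band, a server-side random challenge, and a short truncated HMAC code that the customer types back; all values are constructed for the demo.

```python
"""Transaction-bound challenge-response, modelled on bank tokens that have
their own keypad and display. The token computes a code over the exact
transaction fields it displayed, so a PC that alters the transaction after
the customer approved it produces a request the broker will reject.
Added illustration; the secret and accounts below are constructed."""
import hashlib
import hmac
import secrets

# Constructed demo secret. A real token's secret is loaded at the branch and
# never touches the customer's PC.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CODE_DIGITS = 8  # hex digits the customer reads off the token and types back


def canonical(txn):
    """Canonical bytes of the fields the token displays and signs."""
    return f"{txn['from']}|{txn['to']}|{txn['amount_cents']}".encode()


def server_challenge():
    """Fresh random challenge per request, so a captured code cannot be replayed."""
    return secrets.token_hex(8)


def token_sign(secret, challenge, txn_shown):
    """Runs on the token: after the customer reads txn_shown on the token's
    display and presses OK, it returns a code bound to challenge and txn."""
    msg = challenge.encode() + b"\n" + canonical(txn_shown)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:CODE_DIGITS]


def server_verify(secret, challenge, txn_submitted, response):
    """Runs at the broker: recompute the code over the transaction it is about
    to execute. Any altered field yields a different code."""
    expected = token_sign(secret, challenge, txn_submitted)
    return hmac.compare_digest(expected, response)


def demo_honest():
    """Customer approves on the token exactly what the broker receives."""
    txn = {"from": "ACCT-0001", "to": "ACCT-0002", "amount_cents": 100_000}
    ch = server_challenge()
    return server_verify(TOKEN_SECRET, ch, txn, token_sign(TOKEN_SECRET, ch, txn))


def demo_altered_in_transit():
    """The token displayed and signed one destination; the request that
    reaches the broker carries another. The code no longer matches."""
    shown = {"from": "ACCT-0001", "to": "ACCT-0002", "amount_cents": 100_000}
    submitted = dict(shown, to="ACCT-UNKNOWN")
    ch = server_challenge()
    return server_verify(TOKEN_SECRET, ch, submitted, token_sign(TOKEN_SECRET, ch, shown))


def demo_replay():
    """A code captured from an earlier request fails under a new challenge."""
    txn = {"from": "ACCT-0001", "to": "ACCT-0002", "amount_cents": 100_000}
    old_code = token_sign(TOKEN_SECRET, server_challenge(), txn)
    return server_verify(TOKEN_SECRET, server_challenge(), txn, old_code)


if __name__ == "__main__":
    print("honest:", demo_honest())
    print("altered in transit:", demo_altered_in_transit())
    print("replay:", demo_replay())
```

The point the comment makes is the trusted display: the only copy of the transaction that matters is the one on the token, which the PC cannot rewrite. A code e-mailed to the customer, as in the story, is bound to nothing and is readable by whoever reads the mailbox.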
@mph: "In other words, it's the wire transfer they should verify, not the sale.".
You could also do some well timed stock transactions where the victim buys or sells very slow trading stocks at 'bad' rates. The attacker then gets the favourable end of those transactions. After a couple of such transactions, the bulk of the original portfolio value can be transferred to another party.
I think there are a number of issues that should have been caught by the broker. The key one being the transfer of funds to an organization outside of its control, that should have had additional steps to ensure the transaction was legit.
Multiple paths back to the account holder need to be taken to ensure that everything leads back to the same place.
I don't see how the SMS verification would have worked in this scenario - surely the mobile phone number would be configurable through the same web interface, so they would have changed that to a Pay-as-you-Go mobile number and still have verified the transaction.
I don't think there is a one size fits all solution. Security is something that's more important for larger customers. The small customers don't want their money taken either, but the institution has less exposure in the case of small customers. In order to improve security, there has to be a cost savings to the financial institution. As one of the other posters mentioned, free SecurID tokens to people with over $50k in their account, $25 to everyone else.
Some people want the convenience of doing everything online. As in this case, a compromised machine is all it takes to be indistinguishable from the real user. In this case, the additional risk is customer caused. Holding the customer liable seems unreasonable, but giving preferential terms to customers who help increase the security of their accounts might help.
I'd like to see more multi channel communication. For example, a one time password being sent to a cell phone is fairly convenient and not readily available to someone with no physical contact. The closer someone is willing to get to the target, the more successful they will be. Our problem now is that people across the ocean have little barrier to entry in the fraud market. Also, current attacks are like marketing campaigns - you can afford to target a large group because you only need a return on investment from a small percentage of the targets to be profitable. It's harder to find targets that are vulnerable if multiple channels must be compromised.
I would like to be able to set preferences with each financial institution I deal with. For example, two of the ones with multiple accounts have branches within 2 miles of my house. I'd like to be able to specify that any loans must be signed in person at the branches where I am a known customer. I wouldn't mind getting a call from any financial institution to verify any transaction over $2k. They are infrequent enough that the inconvenience would be minimal. I also have multiple accounts with my employer. I'd like them to call me at my desk or send internal email to verify any account changes.
Any authentication scheme whose only display of transaction details is a single unsecure system will always be at risk. If your system is compromised, the transaction can be modified. I think a trusted display of the transaction is essential for security.
Using something like a call back helps as long as they don't allow you to change the call back number over the same channel they are attacking!
I think cell phones could become a great way to help reduce fraud but it will require more than just forcing a pin number to be typed in.
The scary part is that the fact that the cell phone could tell where you are when the transaction was going on could be a good thing.
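Several comments above sketch the same control from different angles: profile the customer and only demand a second, out-of-band factor for unusual requests (the "if I were in charge" comment), always verify the outbound wire rather than the sale, and never let the callback number be changed over the channel under attack. The following is an added example (not code from the original thread or from any brokerage) that puts those rules into one policy function. Thresholds, the profile fields and the sample account are assumptions constructed for the demo; the $174,000 figure is the one the post quotes.

```python
"""Risk-based step-up verification for brokerage requests. Routine activity
passes; anomalous requests are held for confirmation over a channel the
requester cannot reach through the same compromised PC. Added illustration;
all thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

QUIET_DAYS = 90             # no trades for this long: a dormant account
LIQUIDATION_FRACTION = 0.5  # selling or wiring this share of the account is unusual
SIZE_MULTIPLIER = 5         # order far above the customer's own historical maximum
PENNY_PRICE = 1.0           # thinly traded securities are easy to manipulate
PENNY_ORDER_LIMIT = 50_000
PHONE_COOLING_DAYS = 14     # a number changed this recently is not yet trusted


@dataclass
class Profile:
    portfolio_value: float
    usual_max_trade: float             # largest single trade in the past year
    last_trade: Optional[date]
    phone: str
    phone_changed: date
    previous_phone: Optional[str] = None
    known_wire_accounts: set = field(default_factory=set)
    trade_stepup_opt_out: bool = False  # "power trader" setting; never covers wires


@dataclass
class Request:
    kind: str                          # "sell", "buy", "wire" or "change_phone"
    amount: float = 0.0
    price: Optional[float] = None      # per-share price for buy orders
    destination: Optional[str] = None  # external account for wires


@dataclass
class Decision:
    step_up: bool
    channel: Optional[str]
    reasons: list


def verification_channel(profile: Profile, today: date) -> str:
    """Pick an out-of-band channel. A number changed inside the cooling period
    may itself have been set through the compromised web session, so fall back
    to the previous number or to an in-person check."""
    if (today - profile.phone_changed).days < PHONE_COOLING_DAYS:
        return f"callback:{profile.previous_phone}" if profile.previous_phone else "branch"
    return f"callback:{profile.phone}"


def assess(profile: Profile, req: Request, today: date) -> Decision:
    reasons = []
    if req.kind == "wire":
        # Wires are where the money leaves; the opt-out never applies here.
        if req.destination not in profile.known_wire_accounts:
            reasons.append("wire to a destination never used before")
        if req.amount >= LIQUIDATION_FRACTION * profile.portfolio_value:
            reasons.append("wire moves most of the account")
    elif req.kind == "sell" and not profile.trade_stepup_opt_out:
        dormant = profile.last_trade is None or (today - profile.last_trade).days > QUIET_DAYS
        if dormant and req.amount >= LIQUIDATION_FRACTION * profile.portfolio_value:
            reasons.append("dormant account being liquidated")
        if req.amount > SIZE_MULTIPLIER * profile.usual_max_trade:
            reasons.append("order far above historical trade size")
    elif req.kind == "buy" and not profile.trade_stepup_opt_out:
        if req.price is not None and req.price < PENNY_PRICE and req.amount >= PENNY_ORDER_LIMIT:
            reasons.append("large order in a penny stock")
    elif req.kind == "change_phone":
        # Contact changes are confirmed over the channel that exists today.
        reasons.append("contact change must be confirmed over the existing channel")
    if not reasons:
        return Decision(False, None, [])
    return Decision(True, verification_channel(profile, today), reasons)


def demo():
    """Constructed account resembling the one in the story: months without a
    trade, then a full liquidation followed by a wire to a new destination."""
    today = date(2005, 7, 13)
    acct = Profile(portfolio_value=174_000, usual_max_trade=5_000,
                   last_trade=today - timedelta(days=120),
                   phone="+1-555-0100", phone_changed=date(2003, 1, 1))
    return (assess(acct, Request("sell", 174_000), today),
            assess(acct, Request("wire", 30_000, destination="EXT-NEW"), today))


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Both requests in the demo are held: the sale because a dormant account is being emptied, the wire because the destination has never been used. A routine trade on an active account passes without friction, and a customer who opts out of trade step-up still gets the wire check, which is the one that matters.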
@Bruce "Come on, Internet banking won't shut down. The Internet banks will figure out security models that don't depend on any particular customer behavior. They will, because it will be in their economic best interest to do so. Don't have so little faith in the power of capitalism."
Any time someone accepts risk, they expect to be compensated for it. This is the basis of all speculative investing, insurance, and most modern economic systems.
You're asking financial institutions to accept the risk of fraud. They could do that, but they would need to be compensated for it. That would cost everyone money, in the form of maintenance fees and such.
It would also have the undesirable effect of making individuals complacent. "I don't have to worry about fraud; that's the bank's problem." Which would increase the likelihood of those individuals being defrauded.
Burdensome security measures could be used to reduce the risk, and thus the shared costs, but not eliminate them.
Alternatively, individuals could retain responsibility for the consequences of their actions. I keep a tight hold on my financial data and credentials, so I don't get defrauded. B1FF doesn't, and pays the price.
I'd rather live in a world where individual vigilance is rewarded than one in which I am forced to pay for the mistakes of others.
A possible half-way point would be fraud insurance. You pay a fee to InsuranceInc., and they agree to cover the damages should you be defrauded. InsuranceInc. could even offer discounts for participation in strong authentication schemes, the use of appropriate security software on your home PC, and passing some sort of "Safe Surfing" training.
@Bruce "Come on, Internet banking won't shut down. The Internet banks will figure out security models that don't depend on any particular customer behavior. They will, because it will be in their economic best interest to do so. Don't have so little faith in the power of capitalism."
Who is it that has so little faith in the power of capitalism that they call for government to force a business to take on liability for a consumer's lack of responsibility?
How is Wells Fargo not responsible for allowing an account to be opened in his name?
I am an Etrade account fraud victim, just as Mr Murty. I am wondering how many people have been affected by this Etrade account fraud. What wonderful times for the mafia!
Would it be possible for much of the risk of using an unsecured system in the home to be mitigated by using a virtual machine solution supplied by the FI? If you want to trade: use this CD image that is assigned to you with some unique hash. A summary of the transaction could still be sent to the unsecured machine.
Well said. It is more logical to say that Internet Banks will be incented into a security model that doesn't depend on any particular customer behavior, hopefully by wise regulation prior to widespread consumer revulsion.
Fundamentally, most existing web sites are only as secure as your email account. Virtually all web sites have options to email your password (or a new one) to you if you forget it. If you can intercept someone's email, then you can first monitor it to see what secure web sites they use, then trigger the change, intercept the email, and take over the account.
Even if I send a wire-out instruction as done by the hackers in Murty's case, e-Trade should not have wired out without first checking with the customer if the account was not registered in the customer's name. Looks like some kind of fraud took place in that case.
I'm also a victim of a hacker. My loss is about $6000, for which I'm waiting for ETRADE to reimburse me. The theft happened earlier this month (Dec. 2005). Has anyone out there been completely reimbursed by ETRADE after an unauthorized ACH withdrawal was made from your account? If so, what were the circumstances. Thanks for your help.
This article is about real fraud by an external source.
However, my experience is that Etrade is just grossly an irresponsible organization and falsely advertises about customer satisfaction. I had CDs totalling $103,000/-. When the CDs matured, Etrade (or any bank) is supposed to send some notification (email or phone or address). None was sent & the CDs were auto renewed. Multiple. Just around that period we relocated. All our mails were properly forwarded by USPS. Address change was requested at least a dozen times by multiple means (call to Etrade, internet & also a fax as per their request), however when a request was made to withdraw the CDs ($103k) Etrade had the following to provide
1. Refusal to withdraw without a hefty
2. After finally accepting fault, decides to "send a check" which is never received after 3 weeks.
3. Repeated polite calls yield no accurate response. And on a little using harsher tone, my calls are
4. After several calls, I am told they are not responsible for "LOST" mail (when in fact I receive all JUNK also from
5. After a nightmarish experience, they claim they have sent the check by "overnight" delivery which will take 4 business days! And their "Address change notification gets mailed in 2 business days!
6. At the time of comments, I have still not received my money.
PS: Unfortunately I don't wish that my name be found in Google searches hence not using real identity.
But if some good soul can email me at firstname.lastname@example.org & let me know how I can recover my life's savings from such morons I would be very grateful.
Beware ETRADE is FRAUD, its NOT the External source, but the insiders who are fraud.
OK, I am biased, this is my dad. BUT, I too have an E*Trade account with an RSA card. Hackers also got into my account (I know I should have moved mine out of ETrade, as well but due to a move this was difficult) and since this incident, I asked for additional security. I have had my account frozen for a year...better than it getting stolen. BUT at the end of the day, I need an account where internal issues like this (had nothing to do with hackers it turns out, but rather was internal white collar crime at ETrade), consumers need a place that will take care of their customers. Clearly a need for f2f brokerage...what a dying breed - I have been looking.
I have had numerous conversations with E-Trade and have often thought of hiring an accountant and a lawyer as I feel that a lot of money has gone missing from the portfolios that I have. They always tell me their system is accurate; but it seems like I am always asking for a balance update. I also think the charge of 8% interest on a margin account is quite high especially with the economy the way it is.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.