On the morning of October 23, 2006, Dave DeSmidt had $179,000.23 in his 401(k). He was on a business trip to China when the unthinkable happened: someone logged onto his brokerage account, registered a new checking account, and then requested a distribution into that account. By the time Dave checked his brokerage account a few days later, it was empty. Read the full story; it’s quite disheartening.
Even more worrisome is how J.P. Morgan handled the situation:
“J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment,” the report said. “Access and authentication controls established within J.P. Morgan worked appropriately.”
The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt’s user name and password.
The report’s conclusion: “Investigation Status: Closed.”
A username and password alone are not a substitute for stronger, multi-layered authentication. J.P. Morgan's response may arguably be appropriate for protecting itself from fraud, but it shows no interest in truly protecting the customer; it protects only J.P. Morgan.
As online hacking becomes more prevalent, brokerages need to become more careful in their protections. Here is a three-step protocol that J.P. Morgan should have followed and that would have protected Dave DeSmidt from this nightmare.
First, the distribution should not happen unless the name on the receiving account matched the name on the brokerage account. Whenever someone performs a withdrawal from a brokerage account, it needs to be verified that the names on both accounts match. If they do not, then no transfer should happen without a number of layers of additional confirmation.
Second, before any distribution occurs, the owner of the account should be notified. This notification should occur both in writing and over the phone for the initial distribution, and any changes to the distribution plan should involve similar confirmations.
Third, brokerages should maintain an intranet database of client contact information that is not web-accessible and is updated only directly by employees, and they should carefully confirm any contact information changes. The online profile information should never be the sole basis for approving a transfer or a change of contact details; whenever a change to the intranet record is requested, employees should require extensive verification from the client.
These protections would not completely eliminate the potential for fraud, but they would set the bar very high for any type of fraud to succeed. Dave DeSmidt would still have his money, and many responsible people could rest easier knowing that their brokerages were protecting them.
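To make the three controls concrete, here is an added example (not code from the post or from any brokerage) of a policy check a distribution system could run before releasing funds: it normalises names so the receiving-account name is compared sensibly, requires both written and phone confirmation for an initial distribution, and always notifies the employee-maintained intranet contact rather than the web profile. All account and contact data below is constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Contact:
    phone: str
    mailing_address: str

@dataclass
class DistributionRequest:
    owner_name: str          # name on the brokerage account
    receiving_name: str      # name on the external account registered online
    written_confirmed: bool  # owner confirmed the distribution by letter
    phone_confirmed: bool    # owner confirmed the distribution by phone

# Constructed sample: the employee-maintained intranet record (not web-editable)
# and the web-profile record that anyone holding the password could have changed.
INTRANET_CONTACT = Contact("+1-555-0100", "1 Main St, Springfield")
WEB_PROFILE_CONTACT = Contact("+1-555-0199", "PO Box 9, Elsewhere")

def normalize_name(name: str) -> str:
    """Canonicalise so 'DeSmidt, Dave' and ' dave  desmidt ' compare equal."""
    name = name.strip().lower()
    if "," in name:                       # "Last, First" -> "first last"
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(re.sub(r"[^a-z\s]", "", name).split())

def evaluate(req: DistributionRequest, intranet: Contact, web_profile: Contact):
    """Return (decision, reasons, notify_to) for a distribution request.

    Control 1: receiving-account name must match the brokerage account name.
    Control 2: an initial distribution needs written and phone confirmation.
    Control 3: notification goes to the intranet record; a web profile that
    diverges from it is treated as a sign of tampered online contact details.
    """
    reasons = []
    if normalize_name(req.receiving_name) != normalize_name(req.owner_name):
        reasons.append("receiving account name does not match account owner")
    if not (req.written_confirmed and req.phone_confirmed):
        reasons.append("owner has not confirmed in writing and by phone")
    if web_profile != intranet:
        reasons.append("web profile contact details differ from intranet record")
    decision = "approved" if not reasons else "held"
    return decision, reasons, intranet    # never notify via the web profile
```

A request that fails any control is held (not rejected) so that an employee can follow up with the client through the intranet contact details.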
Here’s what you can do to help your brokerage get better fraud protection: call their customer service number and ask them what their protections are. If they don’t describe a protection like the one described above and they won’t guarantee your account in the event of such a fraud, then write to the company’s management and inform them that their security policy is inadequate.