Updated on 07.31.14

How Dave DeSmidt Lost $179,000 Out Of His Retirement Account In One Day – And Why A Few Reforms Are Needed At Brokerages

Trent Hamm

On the morning of October 23, 2006, Dave DeSmidt had $179,000.23 in his 401(k). He was on a business trip to China when the unthinkable happened: someone logged onto his brokerage account, registered a new checking account, and then requested a distribution into that account. By the time Dave checked his brokerage account a few days later, it was empty.

Even more worrisome is how J.P. Morgan handled the situation:

“J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment,” the report said. “Access and authentication controls established within J.P. Morgan worked appropriately.”

The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt’s user name and password.

The report’s conclusion: “Investigation Status: Closed.”

An online username and password are not a substitute for stronger, layered authentication. J.P. Morgan’s response may arguably be appropriate for protecting itself from fraud, but its behavior shows no interest in truly protecting the customer – just in protecting J.P. Morgan.

As online hacking becomes more prevalent, brokerages need to become more careful in their protections. Here is a three-step protocol that J.P. Morgan should have followed and that would have protected Dave DeSmidt from this nightmare.

First, the distribution should not happen unless the name on the receiving account matched the name on the brokerage account. Whenever someone performs a withdrawal from a brokerage account, it needs to be verified that the names on both accounts match. If they do not, then no transfer should happen without a number of layers of additional confirmation.

Second, before any distribution occurs, the owner of the account should be notified. This notification should occur both in writing and over the phone for the initial distribution, and any changes to the distribution plan should involve similar confirmations.

Third, brokerages should maintain an intranet contact database and carefully confirm any change to contact information. The information in the online profile should never be the sole basis for approving a distribution; instead, the brokerage should keep a database of client contact information that is not web-accessible and is updated only directly by employees. Whenever a change to that database is requested, employees should require extensive verification from the client before making it.
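The three controls above can be expressed as a single gatekeeper that every distribution request must pass. The following is an added example, not code from J.P. Morgan or any brokerage; the account, phone number, address and the receiving-account name in the fraudulent scenario are constructed placeholders, and the 30-day cooling-off window for recently changed contact details is an assumption the post does not specify.

```python
"""Gatekeeper for retirement-account distribution requests implementing the
three controls from the post: (1) the receiving account must be in the same
name, (2) the owner must confirm in writing and by phone, and (3) confirmations
go to an employee-maintained internal contact record, never to whatever the
web-facing profile currently says.

Added example, not any brokerage's own system; all contact data, names and
amounts below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    owner_name: str
    # Contact data from the internal (non-web) database. Only employees may
    # change it, and only after verifying the client.
    internal_phone: str
    internal_address: str
    contact_last_changed: datetime


@dataclass
class DistributionRequest:
    receiving_account_name: str
    amount: float
    # channel -> destination staff actually used to reach the owner
    confirmations: dict = field(default_factory=dict)


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for account names."""
    return " ".join(name.lower().split())


def evaluate_distribution(acct: Account, req: DistributionRequest, now: datetime,
                          cooling_off: timedelta = timedelta(days=30)):
    """Return (approved, reasons); reasons lists every control that failed."""
    reasons = []

    # Control 1: receiving account must carry the same name as the owner.
    if normalise(req.receiving_account_name) != normalise(acct.owner_name):
        reasons.append("receiving account name does not match account owner")

    # Control 2: written and phone confirmation, each sent to the contact
    # data held internally rather than the web profile.
    if req.confirmations.get("mail") != acct.internal_address:
        reasons.append("no written confirmation at address on file")
    if req.confirmations.get("phone") != acct.internal_phone:
        reasons.append("no phone confirmation at number on file")

    # Control 3: a recent change to the contact record is itself a warning
    # sign, so inside the cooling-off window an employee must have verified
    # the client's identity directly (assumed window: 30 days).
    if (now - acct.contact_last_changed < cooling_off
            and not req.confirmations.get("identity_verified_by_employee")):
        reasons.append("contact details changed recently; employee verification required")

    return (not reasons, reasons)


# --- constructed scenarios -------------------------------------------------

OWNER = Account(
    owner_name="Dave DeSmidt",
    internal_phone="+1-555-0100",          # placeholder
    internal_address="1 Example Street",   # placeholder
    contact_last_changed=datetime(2006, 1, 15),
)


def fraudulent_request():
    """Mirrors the incident: a newly registered account in another name,
    no confirmations of any kind, requested the same day."""
    req = DistributionRequest("A. N. Other", 179000.23)  # constructed name
    return evaluate_distribution(OWNER, req, now=datetime(2006, 10, 23))


def spoofed_contact_request():
    """Attacker first changed the phone number on the web profile, so the
    phone confirmation reached the attacker's number, not the number held
    internally; no written confirmation was ever made."""
    req = DistributionRequest("Dave DeSmidt", 50000.0,
                              confirmations={"phone": "+1-555-0199"})  # placeholder
    return evaluate_distribution(OWNER, req, now=datetime(2006, 10, 23))


def legitimate_request():
    """Owner moved recently, an employee verified identity, and both
    confirmations went to the internally held contact data."""
    recent = Account("Dave DeSmidt", "+1-555-0100", "2 New Street",
                     contact_last_changed=datetime(2006, 10, 10))
    req = DistributionRequest("dave  desmidt", 5000.0, confirmations={
        "mail": "2 New Street",
        "phone": "+1-555-0100",
        "identity_verified_by_employee": True,
    })
    return evaluate_distribution(recent, req, now=datetime(2006, 10, 23))


if __name__ == "__main__":
    for label, fn in [("fraudulent", fraudulent_request),
                      ("spoofed contact", spoofed_contact_request),
                      ("legitimate", legitimate_request)]:
        approved, reasons = fn()
        print(f"{label}: {'APPROVED' if approved else 'DENIED'} {reasons}")
```

The design point is in control 2: a confirmation only counts if it went to the destination in the employee-maintained record, so an attacker who has rewritten the web profile's phone number gains nothing by answering the call. Every failed control is reported rather than stopping at the first, which gives the fraud team a complete picture of what was wrong with a request.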

These protections would not completely eliminate the potential for fraud, but they would set the bar very high for any type of fraud to succeed. Dave DeSmidt would still have his money, and lots of responsible people could rest easier knowing that their brokerages were protecting them.

Here’s what you can do to help your brokerage get better fraud protection: call their customer service number and ask them what their protections are. If they don’t describe protections like the ones described above and they won’t guarantee your account in the event of such a fraud, then write to the company’s management and inform them that their security policy is inadequate.

  1. Jeff says:

    I totally agree with the overall point you’re making, Trent, but I do think you ought to state, as the original post does, that in the end J.P. Morgan did refund the guy’s money. Especially since they are not legally required to do so.

  2. Doug Alder says:

    Most people who are victims like this are so because their home computers have become compromised and they don’t know it. By necessity in my work I have become an expert in online fraud. I deal with victims of fraud like Dave DeSmidt on a daily basis.

    Your 3 steps are good but they can be outwitted by a good thief, especially if the victim is careless. Part of that non-internet accessible database must be safety phrases that only the account holder will know. This is necessary as there must be some mechanism in place that allows the account holder to update their information, specifically phone numbers and mailing addresses. At no time should email be used as an authentication mechanism (I’ve seen, numerous times, situations where a computer has been compromised and the thieves are monitoring the client’s email in real time and responding to verification emails, then removing any trace of them from the system). If the victim is silly enough to keep that pass phrase on their computer then there is no level of security at the financial institution that will prevent their account from being ripped.

    I know with my bank (TD Canada Trust) I can not make any inquiries about my account or any changes to my personal information without going through a live support person and answering several questions only I know the answer to. I am comforted by that.

    I urge everyone with a computer to take the most basic precautions.

    1. Use a good AV program and keep it updated (AVG is free and good)
    2. Use a personal software firewall that looks at outgoing connections as well as incoming (Zone Alarm makes an excellent free one)
    3. Get a router (not a hub, not a plain switch) and put it between your computer and your ADSL or Cable modem (average lifespan of a Windows computer on the net without protection is 20 minutes before it is thoroughly compromised). You can get a decent one for about $80.
    4. If you get a wireless router make certain you use the 128-bit encryption and set a very difficult password. Better and safer would be to go wireline not wireless.

    Don’t think you’ll simply “know” when your computer is compromised. You won’t unless the hacker is careless. Take the above precautions at a minimum.

  3. Doug Alder says:

    I should also mention that financial institutions need to spend more time educating their customer facing staff in the tactics of social engineers. No amount of electronic security on their part can compete against a good social engineer and a naive employee. I highly recommend people read Kevin Mitnick’s book “The Art of Deception”. He is a master social engineer and did the time to prove it.

  4. Trent Hamm says:

    Jeff: they only did this because of the PR.

    Doug: I agree completely with this. Most people double-click on every attachment they get and also don’t turn on Windows Firewall (even at a minimum). It’s just amazing more people aren’t caught. My point is that brokerages are transacting things in this unsecure environment and they can take steps to make things more secure.

  5. jake says:

    Well some places are great with helping you get your money back. My cousin had his check book stolen along with his check card. They withdrew about $3000 total from his account.

    Bank of America immediately returned the amount, then did an investigation. But I must say that he was lucky in the sense that the people who used his check didn’t even sign in his name. It was a completely different name. I am sure the bank saw that and couldn’t argue.

  6. Rob in Madrid says:

    There is a simple easy solution. In Europe it is quite common to have banks issue unique transaction numbers to prevent hacking, before you can do any online banking. In Germany it’s a 5 digit code which is required each time you use the bank. The bank issues you a paper with 100 codes on them and they can only be used once. Deutsche Bank in Spain give you a credit card sized grid that you need for each transaction (for example H-02 = 21). While this isn’t 100% secure (nothing is) it prevents anyone who has your password and account number from accessing your funds.

    Interestingly enough I got caught off guard by the new Canada Trust security measures. You have to answer 5 questions and I couldn’t remember the answers so I got locked out. As Doug said I had to get to a live person to reset my password. Of course in the interest of security I wrote down all the questions and answers :) so I don’t get locked out next time.

    The other problem will always be that America is the largest country in the world and English the language of business and as such will always be prime territory for hackers and thieves. It also doesn’t help that banking in America is run on security lite.
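The single-use transaction numbers and the coordinate grid card that Rob describes are a second factor layered on top of the password. The following is an added example of how an issuer might verify them, not any bank’s implementation; the grid cell H-02 = 21 is taken from the comment, the other list and grid values are constructed, and the constant-time comparison via `hmac.compare_digest` is a design choice of this example.

```python
"""Server-side verification of one-time transaction codes (a printed TAN list
where each code works exactly once) and of a coordinate grid card (the bank
challenges with a cell such as H-02 and expects the printed value).

Added example, not any bank's code. Codes used in the demo are constructed;
freshly issued lists and grids are drawn from the secrets module.
"""
import hmac
import secrets


class TanList:
    """Printed list of single-use codes; a code is burned on first valid use."""

    def __init__(self, codes):
        self._unused = set(codes)

    @classmethod
    def issue(cls, count=100, digits=5):
        """Generate `count` distinct zero-padded codes of `digits` digits."""
        codes = set()
        while len(codes) < count:
            codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
        return cls(codes)

    def remaining(self):
        return len(self._unused)

    def redeem(self, code):
        """Return True iff `code` is unused and valid; burn it on success.

        Every unused code is compared in constant time, without an early
        break, so timing does not reveal how close a guess was.
        """
        matched = None
        for candidate in self._unused:
            if hmac.compare_digest(candidate, code):
                matched = candidate
        if matched is None:
            return False
        self._unused.discard(matched)
        return True


class GridCard:
    """Credit-card sized grid: rows A..J, columns 01..10, two-digit cells."""

    def __init__(self, cells):
        self._cells = dict(cells)          # {"H-02": "21", ...}

    @classmethod
    def issue(cls, rows="ABCDEFGHIJ", columns=10):
        return cls({f"{r}-{c:02d}": f"{secrets.randbelow(100):02d}"
                    for r in rows for c in range(1, columns + 1)})

    def challenge(self):
        """Pick a random coordinate to ask the customer for."""
        return secrets.choice(sorted(self._cells))

    def verify(self, coordinate, answer):
        expected = self._cells.get(coordinate)
        return expected is not None and hmac.compare_digest(expected, answer)


def authorize_transfer(password_ok, tan_list, code):
    """A transfer needs both a correct password and an unused TAN.
    Returns (authorized, reason)."""
    if not password_ok:
        return False, "bad password"
    if not tan_list.redeem(code):
        return False, "TAN invalid or already used"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo list and grid (the H-02 cell comes from the comment).
    tans = TanList(["12345", "00042"])
    card = GridCard({"H-02": "21", "A-01": "07"})
    print(authorize_transfer(True, tans, "12345"))   # first use: ok
    print(authorize_transfer(True, tans, "12345"))   # replay: rejected
    print(card.verify("H-02", "21"), card.verify("H-02", "12"))
```

A stolen password alone no longer moves money: the attacker also needs the physical paper, and even then each captured code is worthless once the legitimate customer has used it, which is the property Rob is pointing at.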
