Possible Etrade Fraud

[prt_systems]

Quote from Choad:

Everybody, please, get and use one of the new electronic (physical) security token devices.

IB has these. They are free if your account is over $100K.

..[/i]

They probably should be required for everybody ....

Banks and major corporations have used these for years. We use our own custom version - written by me - on all our servers. It is not hard to write one of these and get it to work both on $soft and Linux systems. Unless a criminal has unlimited access to a supercomputer they have little hope of breaking the security codes used in these techniques: essentially this approach requires the criminal to resort to social engineering and not mere hacking.....

 

[Choad]

Quote from prt_systems:

essentially this approach requires the criminal to resort to social engineering and not mere hacking.....

I've been following this thread and I have yet to hear how these Etrade thefts happened?

The posters here who have thefts still seem to indicate that they have no idea how it happened. They have said they did not respond to those bogus Etrade phishing emails and revealed their account number and passwords.

I suspect they DID and just forgot about it, or they still think the emails were legitimate. What could be better for crooks? - The victims get an email from "Etrade" that says "We have suspected fraud. Login HERE to check your account..."

So a few days later they get a REAL email from Etrade that says "You have been the victim of fraud ..." They then panic and forget about the first one, then they blame Etrade.

I'm definitely sympathetic to people that lost money, but the truth is that, nowadays, your money doesn't sit in the back of a dusty old bank vault. It is just a few bytes of data somewhere. That data can dissapear in a couple milliseconds.

I check all my money every single day. Who else will take care of you? Nobody is your substitute Mom...

 

[ElectricSavant]

Choad,

I never thought about it, cause my spreadsheets keep track of my brokerage accounts.

I have so many automatic things I do, I have forgot what can happen. I don't know if that is good though..

Those hackers get pretty creative with their emails...don't they?

I would love to be in a sting operation to catch them. You know ...set up dummy #'s and try to raid their location or trace their transfers and wait for them to access their money!

 

[Choad]

Yeah ES, It would be great to nail those guys.

I also don't see how they can keep getting away with it. Everybody who uses the 'Net can be traced to a physical location, can't they?

I guess you can use fake ID to set up ISP accounts and servers, but isn't everybody's NIC (network interface card) coded with a unique "MAC" address number? Maybe people are "spoofing" these numbers?

And can't you look at bank records of account creation dates and acutally see the purp on the bank's security video?

Maybe it's too much trouble to run these crooks down, or I'm just naive at how it could be done...

 

[ElectricSavant]

Choad..

The paper trail is endless.....

but it ends somewhere...they blow it...

i knew of an 90 year old grandmother once who had no idea...oh never mind...

 

[palawan]

Quote from limitdown:

Airports, coffee shops, universities, outside or nearby other hotspots....that's how....

ID Theft is rampant and those not reported or noticed are worse....

Sniffers are so easy to attain (Www.downloads.com) as well as unsuspecting internet users who check their bank balances at these hotspots....

Encryption is one thing, tokens and https layers within the sockets are another, however once the handshake has occurred, generally no further verification occurs and certainly not on every packet level, nor are the packets sent over government security standard encryption (multi-layer, multi-dimensional verification) standards.....

Sorry, but this is the real world with real foreign based thieves working their way through as many layers of the socket protocols as possible.

Simple has always been better...

The internet has really changed everything....

i'm not saying it's impossible, but i just haven't heard of incidents involving compromised accounts because they used a public wifi hotspot...

i'm one of those people who use wifi hotspots to access my online accounts.

i've used it at the airport, in the philippines (coffee shops), and neighborhood open AP's.

someone with a sniffer could be at any of those places, but, that's one very patient guy. you see, to listen in on a "conversation" you need to capture every packet coming and going from a computer. most of these packets are garbage. on a wifi environment, you probably only have enough bandwidth to listen-in on one connection (laptop). as you already said, the logon process (username and password) go through a secured connection (encrypted packets), so you will not be able to "sniff" those.

well, what about after the connection has been made? i suppose once you find out i'm connected to my washington mutual account, you can try to intercept the communication by pretending to be me. how? by duplicating my mac and IP address. let's say you were able to do this without any hiccups from the access point (i don't see how, but let's say you're friends with the people running the location). then what? your internet browser is not gonna be able to load the webpage where i was at, as you don't have the cookies i have on my hard drive. my hard drive is not shared and xp has a built-in FW. by the way, at this point i'm gonna be disconnected or if i try to get on again, i'll be conflicting with you and you will get disconnected and it becomes a cycle.

sniffers were good in the past for intercepting simple communication/connections such as telnet.

and remember, many of these wifi hotspots are paid-connections (secured by WEP). if the guy wants to sniff the people on that hotspot, he has to be a paying customer...

one thing i do caution when using wifi in public places, make sure your keyboard is well hidden when accessing sensitive accounts. i try to go where my back is against a wall, look up and try to see if there's any cameras pointed in my direction, then close the lid of the laptop with just enough space to type stuff.

Good luck.

 

[paradox]

It seems the pattern here is that funds are wired out to an account with a different name, while people are on vacation. IMO, Etrade could have avoided most of these problems by doing a simple name check.

BTW, if google etrade fraud, this thread comes up.

 

[limitdown]

Quote from palawan:


one thing i do caution when using wifi in public places, make sure your keyboard is well hidden when accessing sensitive accounts. i try to go where my back is against a wall, look up and try to see if there's any cameras pointed in my direction, then close the lid of the laptop with just enough space to type stuff.

Good luck.

very well said.

firstly your advice is both accurrate and flawed. but how can both sides of the coin be right and wrong...?

simply put, there are degrees...one never knows when one has arrived at one of those intense degrees verses the phillipeans coffee shop degree or the starbucks outside of Redmond, WA (home turf of the surf capital, Microsoft) or some other high tech environ....

usage of these public access points with WEP conveys a good sense of customer trust and that too needs to be reconfirmed so that the services will work....

trust or trust not,
do or do not...

Yoda!

 

[etradevictim]

During our absence from this country in July, some hackers were able to wire out funds many times to a total more than $150,000. to a Wells Fargo account that was not registered in our name. All these funds were wired out on margin and finally they also sold some of our holdings that we had for a long time. Still there is a negative cash (margin) balance that is accumulating interest everyday although e-Trade said they froze the account after they realized the fraud following many transactions each one strangely slightly below $30K. Strangely, we have never wiredout a penny from this account during its life - this did not flag them or alert them to check !!!
e-Trade is not taking any responsibility at all and blaming us for not securing our computer properly. After all these transactions, they finally realized the fraud and tried to contact us but we were not here and they apparently froze the account then - too late !
Whe we ask how they could wire funds to a 3rd party account, they say that the hackers included our name as the account holder - without checking whether it was indeed in our name - it turns out that it is not and we never gave them written permission to transfer funds to a Wells Fargo Bank account.
We did contact an attorney but apparently we cannot sue them ! We can only arbitrate and that too in CA where e-Trade security folks are.
Dont they have any insurance against such fraud?
So far, e-Trade did not send us any document confirming the fraud that happened although they did mention it in our conversations. In addition to all these, we have to worry about tax issue.
They did not care to answer any of our letters written to many including CEO and President/COO.
We are trying to contact various TV folks to see if anyone can help us. Any help with this will be highly appreciated.

 

[nkhoi]

Quote from etradevictim:

During our absence from this country in July, some hackers were able to wire out funds many times to a total more than $150,000. ...

finally the 150k thread reappear, for my part I now use pass code with RSA key and I deleted all outside account link, Etrade create this feature for customer convenient but it backs fire, they should take it down.