Prof. Jayanth R. Varma's Financial Markets Blog

About me       Latest Posts       Posts by Year       Posts by Categories

Hacking online trading accounts

The SEC complaint against three Indians who hacked into online stock trading accounts in the United States illustrates an interesting strategy for using apparently legitimate stock exchange trades to take money out of hacked online trading accounts. Many people seem to have a belief that when shares are held in dematerialized form, the clear audit trail of securities transfers makes theft difficult. Some people connected with depositories in India appear to think that fraud can be reduced by applying stricter checks and controls to non market transfers as opposed to those made pursuant to settlement obligations on an exchange.

The procedure used by Jaisankar Marimuthu, Chockalingam Ramanathan and Thirugnanam Ramanathan illustrates the fallacy of this reasoning. Their method is described in the SEC complaint:

The Defendants first purchased thinly traded securities, at market prices, using their own online brokerage accounts. Shortly thereafter, the Defendants, using stolen usernames and passwords, intruded into the online brokerage accounts of unsuspecting individuals. The Defendants then used these intruded accounts to place a series of unauthorized buy orders, typically at prices well above the then-current market prices for those thinly traded securities. Immediately or shortly thereafter, the Defendants capitalized on the artificially inflated share price of the targeted securities by selling shares in their own accounts. In one instance, Defendant Marimuthu realized a 92% return on his investment in less than one hour.

It is easy to see how this process can be used in reverse to sell shares from the stolen online account and buy them in the fraudster’s account at artificially low prices only to sell them into the market at normal prices. This would be useful if the stolen account had a lot of shares but not much cash. The nice thing about this procedure is that it converts stolen shares into cash using what appears to be a very legitimate exchange transaction. This illustrates the fallacy of designing control systems based on subjective notions of what is suspicious and what is not. The fraudster gets to choose the method of defrauding the victim and the chosen method is likely to be one that is least likely to arouse suspicion.

Marimuthu and Ramanathan were arrested in Hong Kong but by then they had inflicted losses of $875,000 on their victims over a five month period.

Posted at 3:22 pm IST on Tue, 13 Mar 2007         permanent link


Comments

Comments