Prof. Jayanth R. Varma’s Financial Markets Blog

A blog on financial markets and their regulation

Hacking online trading accounts

The SEC
complaint
against three Indians who hacked into online stock
trading accounts in the United States illustrates an interesting
strategy for using apparently legitimate stock exchange trades to take
money out of hacked online trading accounts. Many people seem to have a
belief that when shares are held in dematerialized form, the clear
audit trail of securities transfers makes theft difficult. Some people
connected with depositories in India appear to think that fraud can be
reduced by applying stricter checks and controls to non market
transfers as opposed to those made pursuant to settlement obligations
on an exchange.

The procedure used by Jaisankar Marimuthu, Chockalingam Ramanathan
and Thirugnanam Ramanathan illustrates the fallacy of this
reasoning. Their method is described in the SEC complaint:

The Defendants first purchased thinly traded securities, at market
prices, using their own online brokerage accounts. Shortly thereafter,
the Defendants, using stolen usernames and passwords, intruded into
the online brokerage accounts of unsuspecting individuals. The
Defendants then used these intruded accounts to place a series of
unauthorized buy orders, typically at prices well above the
then-current market prices for those thinly traded
securities. Immediately or shortly thereafter, the Defendants
capitalized on the artificially inflated share price of the targeted
securities by selling shares in their own accounts. In one instance,
Defendant Marimuthu realized a 92% return on his investment in less
than one hour.

It is easy to see how this process can be used in reverse to sell
shares from the stolen online account and buy them in the
fraudster’s account at artificially low prices only to
sell them into the market at normal prices. This would be useful if
the stolen account had a lot of shares but not much cash. The nice
thing about this procedure is that it converts stolen shares into cash
using what appears to be a very legitimate exchange transaction. This
illustrates the fallacy of designing control systems based on
subjective notions of what is suspicious and what is not. The
fraudster gets to choose the method of defrauding the victim and the
chosen method is likely to be one that is least likely to arouse
suspicion.

Marimuthu and Ramanathan were arrested in
Hong Kong but by then they had inflicted losses of $875,000 on their
victims over a five month period.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: