Mumbai: Online brokerages here say they are baffled by the extensive fraud allegations coming out of the U.S. against three Indian traders, but assert that security precautions taken in the domestic market are more than adequate to protect investors.
“We are far, far ahead of other markets in terms of stringency of cyber-security measures,” said Anil Kaul, chief executive of India’s largest online brokerage, ICICI Direct.
Early last week, the US Securities and Exchange Commission (SEC) alleged that three Indians, two of them residents of Chennai, were involved in manipulation of prices in 14 US securities, and computer fraud.
The SEC said much of the fraud was executed from Chennai and Thailand and two of the accused—32-year-old Jaisankar Marimuthu from Chennai and 34-year-old Thirugnanam Ramanathan from Malaysia—were arrested. A third accused, 33-year-old Chennai resident, Chockalingam Ramanathan, was still missing.
In disclosing the charges, the SEC said starting July 2006, the three accused manipulated prices of 13 shares and one option by executing trades from online trading account of others who didn’t know their accounts had been hijacked.
The modus operandi was for the three to take positions in thinly traded stocks in their own trading account at low prices. Then they pushed up the share prices by purchasing these stocks at higher prices from those hijacked accounts, creating a spike in volume and price.
Once that happened, they off-loaded their real shares for hefty profits. In one instance, Marimuthu made 92% return on investments in one hour, according to SEC.
The US investigations traced the trading to computers and Internet Service Providers based in India and Thailand. Internet service providers can typically track the location of a computer from where such traffic emanates.
John Reed Stark, chief, SEC office of Internet enforcement, who is leading the prosecution, declined to discuss the specific Indian agencies that he is working with in the investigation but said that in general, “we have experienced much success, especially during the Internet era, in working with foreign governmental regulators and prosecutors.”
In some instances, the three opened new trading accounts in the name of the victims using stolen personal information.
One of the victims, for example, had gone on a five-day-long Alaskan fishing trip and on return, found that his brokerage account, which had a credit of $180,000 (Rs79.20 lakh), now had a negative balance of $200,00. The total loss suffered by people whose accounts were hijacked is estimated above $875000.
The fraud was allegedly perpetrated at leading US online brokerages such Charles Schwab and TD Ameritrade, as well as Merrill Lynch. The first such pump-and-dump operation out of India was in September by Marimuthu. The majority of these fraudulent deals were executed from Chennai.
In one instance, the accused opened a new account with TD Ameritrade using stolen personal information and transferred $150,000 from the victim’s Well Fargo Bank account to conduct the trade.
Technology officials at Indian online brokerages said they were unable to figure out the modus operandi but said human error, especially in terms of stolen or misplaced passwords, could be one way that the three traders could have gained access. “We don’t know the details of how this happened. We don’t know what loophole they have used,” said S Sriram, chief technology officer at online brokerage, India Infoline.
At India Infoline, Sriram pointed out, the trading system does not accept simple passwords, even if they are alphanumeric combinations, and all passwords needed to be changed every 14 days. If a customer fails in three attempts to log in, then his account is disenabled. They encrypt the password during transit from clients’ computers to the server and is always stored in encrypted formats.
“Even that may not be enough,” says Sriram. “The fraudsters are becoming more innovative.”
India Infoline has also introduced a token which will generate random numbers that needs to be entered along with password to log into the system, within seconds of it being generated so it could be matched at the server end. But this technology costs about Rs3,000 per year so only a very few high net worth customers are using it. Says Sriram: “It is a combination of user awareness, company’s willingness to offer the security platform and customers willingness to spend for that extra security that can prevent such frauds.”