Keep your online accounts secure

By Linda Stern
Thu Nov 10,12:14 PM ET

The U.S. Securities and Exchange Commission has taken the unusual step of warning online investors that they face growing fraud risks.

The agency said it had recently become aware of many situations in which individual brokerage accounts were hacked into and money stolen.

"We are concerned that many investors aren't taking appropriate precautions when accessing their online brokerage accounts," said SEC Investor Education Director Susan F. Wyderko.

The newest threat comes in the form of malicious software programs that can find their way onto your hard drive and report your keystrokes to an outside source.

With the name and password that you type in, a thief can sign on as you at your broker's web site and have your money sent elsewhere.

The SEC's warning comes several months after the brokerage industry's own organization, the National Association of Securities Dealers, issued a similar warning.

Several brokerage firms have been beefing up their security by requiring added levels of authentication before customers can move money around.

Etrade and Schwab, for example, both require several levels of personal proof before customers can wire money from an account to another financial institution. They both say they contact customers when they detect unusual account activity.

Nevertheless, it doesn't hurt to exercise a little bit of extra caution, especially when government and industry both tell you to. Don't close those accounts -- they're too easy and convenient. But do take these other steps, recommended by the SEC and others:

-- Don't assume that bank account safeguards will carry over to the brokerages.

The bankers say they'll take responsibility for consumer accounts drained by fraud, even if the fraud is committed on your personal computer and not on the bank's own system, says Laura Fisher of the American Bankers Association.

Brokers say they have made aggrieved investors whole in the past, but they don't promise to always do so. And it's also worth noting that the banks do not consider business accounts deserving of the same protective promises they make to consumers.

-- Protect your computer. You've heard it before, but take it to heart: Invest in firewalls, anti-spam, anti-virus and spyware detection software, even if you have to hire a consultant to set it all up for you.

Mac users can be a little bit more laid-back. Either their systems are more tamper-proof, or hackers just don't see the percentage in bothering with them as much.

-- Use a security token if you can. This is a relatively new number-generating device supplied by your brokerage that is housed in a piece of hardware separate from your computer. (It can be a small, key-sized device, for example, or even programmed into some Palm or Blackberry-type devices.

The numbers that it generates change constantly, and only the person with the device and the brokerage have the number, explained Christopher Young of RSA Security, the company that makes the devices for Etrade.

When you sign into a token-protected site, you type your user name and password, and then are asked for this second passcode. That's called dual authentication, because you're proving your identity two ways.

-- If your broker offers another method of dual authentication, use it. For example, some sites won't let you move money from one place to another, even after you are signed in, until you respond to a separate notice sent to the e-mail address associated with your account.

-- Use your own computer whenever possible, and don't click those "remember this password" boxes. Similarly, don't use your browser's password utility to keep track of your bank and brokerage passwords.

-- If you think you're in a secure site, click the padlock on your screen. The security certificate you see should reflect the name of the brokerage firm you think you're doing business with.

-- Don't just close the browser, but log out of your site when you are done with your transactions. Don't respond to e-mails that look like they are from your broker. Go directly to the brokerage site you know or call your broker on the phone. And don't rely on the phone number in the e-mail.

-- Check your statements carefully every month.

-- Be careful about the paper you're still accumulating. Despite all the worry and hype about online theft, most fraud still starts in person, with someone stealing a receipt or a statement or the like.

Copyright © 2005 Reuters Limited.