Thursday, January 18, 2007

The risks of digital 401(k) looting

Here's a very worrying new wrinkle in identity theft and financial fraud: Are 401(k) accounts underprotected?

Most financial accounts held by banks are well shielded. Yes, they can be hacked into -- as I keep discovering over and over -- but consumers are shielded from the crime's effects. If your credit card is used fraudulently, your liability is capped by federal law at $50. For debit and ATM cards the cap is also $50, but only if you report the loss promptly (within two business days); wait longer and the cap rises to $500, and transactions you fail to report within 60 days of your statement are not covered at all. (If you still physically have the card, and the thief obtained only the numbers, your liability is nothing. The bank/credit provider can't pass on any of the costs.) Meanwhile, if your whole bank goes wobbly, the FDIC (Federal Deposit Insurance Corporation) protects CDs and checking, savings and money-market accounts at up to $100,000 per depositor. With all the various regulations in place, if something nasty happens to your traditional bank account, you're in for a lot of hassle but don't have much risk of serious financial losses.

But 401(k) accounts are investment accounts. They're not subject to the liability caps attached to credit and debit cards. MSNBC had a recent article about a 401(k) theft: A hacker got access to the victim's $179,000 J.P. Morgan account and drained it.

This isn't the first time such a case has hit the headlines. Business Week wrote in late 2005 about a looted E*Trade account. This is the bit that really jumped out at me, from the Nov. 2005 article: "In the latest, most pernicious twist yet on Internet securities fraud, online brokerage accounts are being looted by hackers who exploit the weaknesses of investors' computers rather than the firms' systems. ... Six months ago, Securities & Exchange Commission investigators say, such schemes weren't even on their radar screen; now, the agency is knee-deep in them."

The frustrating part is that what happens next seems to vary by firm. The companies don't have a legal obligation to cover the stolen funds. Obviously, "Hack Attack Financially Ruins Customer" is a headline every PR person has nightmares about; the financial-services companies are going to do everything in their power to resolve the situation in a customer-pleasing way. But if they're on the hook for hundreds of thousands -- or millions -- of dollars? At what point do the hard financial costs outweigh the customer-service benefits of sheltering the theft victim?

J.P. Morgan is my 401(k) provider. After I first saw that MSNBC piece, I made a mental note to ask our HR person about fraud protections on our accounts. As often happens with my mental notes, this one disappeared into the clutter. But yesterday, my company sent out an email from J.P. Morgan, prompted by "an online article [highlighting] one particular case." (The actual article isn't linked or specifically cited. Very oblique.) The email talked about J.P. Morgan's efforts, in conjunction with law-enforcement agencies and investigators, to recover the money (apparently, they were successful), and about its "extensive precautions and controls" to protect accounts.

However, the email was noticeably lacking any assurances about what guarantees J.P. Morgan provides. It also shifted a big chunk of responsibility for protecting account information onto its customers' shoulders: "We recommend all clients, including individual participants, avoid making financial transactions on public computers or via wireless networks [emphasis mine] and that they keep their personal computers up to date with firewall and anti-virus software."

I'm down with education campaigns to help people avoid phishing scams and protect their electronic information, but telling people not to do anything sensitive over wireless networks seems impractical and extreme. I also question how much responsibility consumers should bear, when the information-stealing scams are becoming ever more sophisticated.

This seems like a technical arms race between digital thieves and financial institutions, with increasingly higher stakes. Electronic credit-card and ATM card theft can net thieves hundreds or thousands of dollars per victim. Hacking investment or retirement accounts could yield hundreds of thousands of dollars -- or even millions. Unless there's a security breakthrough, digital theft could snowball into an economic disaster.