As identity theft continues to wreak havoc on the American public, including those in the financial services industry, firms are rushing to patch up holes in their online defenses with the newest software and processes.
Last year, there were 8.1 million reported victims of identity theft in the United States and their losses totaled about $45 billion, according to Javelin Strategy & Research Inc. of Pleasanton, Calif.
In its latest effort to foil hackers, Schwab Institutional offered new security cards April 4 to financial advisers in two of its 12 regions. The credit-card-like passkeys issued by the San Francisco-based asset custodian constantly update access numbers when advisers touch a finger to them. The advisers then match those numbers to their set pass codes in order to gain access to accounts.
Schwab's move comes as TD Ameritrade Holding Corp. of Omaha, Neb. — still smarting from a rash of bad publicity last year over a massive cyber attack on its client database and, separately, access to client accounts — is starting to launch its own security program.
TD Ameritrade Institutional's new security measures are not reactive, according to Brian Stimpfl, managing director of the Jersey City, N.J.-based firm.
"The spam issue last year has no impact on what we're doing now," said Mr. Stimpfl, who oversees technology for the firm.
Under the new program, a custody client answers four personal questions to augment their conventional pass code. The program is not available to financial advisers until TD revamps its Veo trading platform this summer.
TD is already preparing to send all custody clients free security software from TrendMicro Inc. of Cupertino, Calif., and Sana Security Inc. of San Mateo, Calif., in coming weeks.
Meanwhile,
Fidelity Investments of Boston and Pershing LLC of Jersey City are also stepping up efforts to stop hackers and prevent ID theft. Officials at both firms declined to give details.
It's no mystery why these online-dependent companies with hundreds of billions in client assets are hastening to seal their defenses, said Matt Sarrel executive director of Sarrel Group, a New York consultant that specializes in network security.
"More and more studies show consumers are losing faith in doing transactions over the Internet, and these [programs] are being [implemented] in response to that," he said.
One such study, the Internet and American Life Project Survey, was published in February by The Pew Research Center in Washington, Mr. Sarrel said.
The study revealed that 75% of Internet users either agreed (39%) or strongly agreed (36%) that they did not like giving out their credit card or personal data online.
It is understandable that investors would share these fears, said Boston-based Bill Dwyer, president of the independent-adviser-services group of Boston- and San Diego-based
LPL Financial.
"It's the modern-day pirates," he said. "It's a huge risk in the industry."
Though Mr. Dwyer declined to give specific details, he asserted that web security is on the front burner at LPL.
"We've been very active in stepping it up," Mr. Dwyer said. "Whether you have problems or not, it's one of the guaranteed risks going forward — keeping data safe."
But not all cyber defenses are created equal, Mr. Sarrel said.
"[Schwab's code cards] add a second layer of authentication," he said. "The [TD] Ameritrade thing is a little more contrived."
Mr. Sarrel added that he personally uses a TD account and that he had difficulty picking four questions out of the choices offered by TD.
"My problem was that a lot of the questions were unanswerable," he said. "Is my favorite book 'War and Peace' or 'Kafka on the Shore,' [which] I read last week?"
But the issuance of cards or tokens also has drawbacks, TD's Mr. Stimpfl said.
"Typically, it's had low adoption rates," he said.
TD's strategy of combining new software with personal questions will also be a solid defense, Mr. Stimpfl said.
"This is layering," he said. "It's more than the sum of its parts."
But TD's e-mail asking for answers to personal questions had an ironic effect on Mr. Sarrel as a customer.
"[Getting the questions by e-mail] was a big warning sign," he said. "My reaction was, 'Now, this is fake.'"
Meanwhile, Schwab says its custody clients have been receptive to the new credit card security measure, according to Schwab spokeswoman Lindsay Tiles.
Schwab sent 800 e-mails to all its advisers in the states of Oregon and Washington, and in Northern California, April 4. During the first four business days, Schwab received requests for 500 cards.
Adopting the security cards companywide was a "no-brainer," said Chris Braudis, vice president of operations for The Mutual Fund Store LLC of Overland Park, Kan., which has a combined $4 billion in assets under management.
His firm rolled out the cards to its 100 financial advisers — both franchisees and staff advisers — during Schwab's pilot program, and there was no resistance, he said.
"You're always looking for objections, and we haven't heard anything," Mr. Braudis said. "It went very well."
While firms continue to find ways to foil web attacks, they are not bulletproof, Mr. Sarrel said.
"This will perhaps prevent casual attacks, but it won't stop a determined, targeted attack."
E-mail Brooke Southall at [email protected].
