I sent out a trade alert for my Concierge members to buy LEAPS in the ProShares Ultra Technology Fund (ROM) a year ago to catch the year-end rally. Everyone got a great execution except those with a Tastyworks account, which unfortunately got hit with a hack attack that day.
I am passing on their detailed response which could have hit anyone. Unfortunately, the crooks are getting smarter.
“We have had to set a number of symbols to closing trades only due to fraudulent activity that has been taking place in those symbols. The simple answer on why we had to take about 1,500 symbols down only is that the criminals have dialed up their game to a new level.
Let me explain. Back in the day, a criminal would try to gain access to an account by brute force attack, key stroke logging, or buying credentials from other bad actors. They would then go into the account (never accessed by violating our security), liquidate the holdings, and then make losing trades in the compromised account with the winning side being their account at another firm.
It only happened a few times and if I remember correctly, the compromised account contacted us to ask why their account was being liquidated and we were able to stop the action.
Fast forward to today.
They have moved to a new level and that is identity theft. I have talked to friends at other firms, and they have all confirmed that they have seen the same action. They own someone as they have access to their SSN as well as most of the other information needed to open an account (they pass our security checks).
They also have bank information for the person whose identity they have stolen so they ACH money into tastyworks, wait for the funds to settle, and then gut the account within minutes. Look at how wide these markets are in (THO) for example:
The fraudsters would enter an order in their real account to pay $0.10 for the $110 puts and then put a sell order in the bogus account. Then within seconds, they put a sell order at $3.60 in their account, and in the bogus account they buy back at $3.60.
You can see that they have just cleaned $3,500 per 10 lot in seconds. If they do 100 contracts, that is $35,000, and so on. The problem does not end there.
The exchanges hide behind some horrible rules that say we have 30 min to file an obvious error objection and 60 min for catastrophic error. Clearly, it is basically impossible for us to hit either one of those targets. So, they throw their hands up and say not our issue and when the person who is the subject of the identity theft realizes that they have been attacked, they go to the bank and sign paperwork that allows the bank to pull the fund back with no questions asked.
We are left holding the bag and I could not allow that to continue. So, while we are doing a lot of things on the backend to limit someone’s ability to open a fraudulent account, we have to leave these symbols as closing only and ask you to call our desk 888-247-1963 to place a trade.
Please let us know if you have any further questions or concerns. We can be reached at 1-888-247-1963 or online via chat from 7am-5pm CT Monday-Thursday and 7am-4pm CT on Friday. We appreciate your business and happy trading!”
Regards,
Tastyworks
I am noticing an increasing pattern across many accounts. Thanks to the rise of Bitcoin, there has been a huge increase in identity theft through phishing attacks. By simply getting access to your email account, they can obtain all the information they need to open a brokerage account in your name and commit the kind of fraud described above.
I’ll show you an example. I get hit with phishing attacks every day now. Today’s looked like this.
Looks pretty convincing, doesn’t it? Your natural instinct is to log in and see what’s going on, isn’t it? If you do, you just gave hackers your PayPal login ID and password. They can now go into your “my account” section and get all of your personal financial information.
One quick way to see if this request is legit is to hover your cursor over the sender’s address. This is what I found with this email:
Notice that the PayPal name shows up nowhere in this address. In fact, I had the FBI trace this address to a server in Russia where most of these attacks originate (it helps if you know the head of the FBI).
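The sender-address check above can be automated: parse the From header, pull out the real sending domain, and flag any message that invokes a brand name but was not sent from that brand's domain. This is an added example, not code from the newsletter or from any broker; the brand-to-domain table and the sample headers are constructed placeholders.

```python
"""Flag From headers whose display name claims a brand the address does not match.

Added example (not from the original post). The BRAND_DOMAINS table and the
sample headers are constructed for illustration only.
"""
from email.utils import parseaddr
from typing import List, Optional

# Assumed table: brand keyword -> domains that brand really sends from.
# Extend it from your own mail logs; "paypal.com" is used because the post
# discusses a PayPal-themed lure.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual sender address (what 'hover' reveals)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def claimed_brand(from_header: str) -> Optional[str]:
    """Return the brand named anywhere in the display name or address, if any."""
    display_name, addr = parseaddr(from_header)
    haystack = (display_name + " " + addr).lower()
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return brand
    return None


def is_brand_mismatch(from_header: str) -> bool:
    """True when the header invokes a brand but the sender domain is not the brand's.

    A legitimate subdomain (mail.paypal.com) passes; a look-alike such as
    paypal.com.evil.example fails because it does not END with '.paypal.com'.
    """
    brand = claimed_brand(from_header)
    if brand is None:
        return False  # no brand claimed, so nothing to contradict
    domain = sender_domain(from_header)
    return not any(domain == d or domain.endswith("." + d)
                   for d in BRAND_DOMAINS[brand])


def triage(from_headers: List[str]) -> List[str]:
    """Return the headers that should be treated as suspicious."""
    return [h for h in from_headers if is_brand_mismatch(h)]
```

Feeding `triage` the From lines of a mailbox export yields the messages worth a second look; a header with no brand claim at all is not flagged, which is exactly why the post's blanket rule of never acting on financial emails still applies.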
Here’s a better solution. Never respond to any email from a financial institution. If your bank is trying to contact you about an important issue, they will do so through their own internal email system. You can only see this message by first logging into your own personal account.
Here’s another tip.
Never access financial accounts through a free hotel Wi-Fi. They don’t offer security anymore because they kept getting sued by guests who were hacked. If it is an emergency, then access your account only through your cell phone, but only through the cell phone network and not through the hotel Wi-Fi. This provides an extra layer of security... for now.
I hope this helps.
John Thomas
CEO & Publisher
The Diary of a Mad Hedge Fund Trader