reddit
One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. (redtape.msnbc.com)
499 points posted 3 days ago by mjk1093


john_b 14 points 3 days ago

$179K in 25 years. That sucks.

permalink
danweber 7 points 3 days ago

As a ballpark figure, that could give him $34,000 a year.

They don't give DeSmidt's career, but that could be around what he's earning now, so his standard of living wouldn't be significantly different.

(Median US household income is around $65,000. If his wife has a similar career (which we don't know at all), he's going to be above the median.)

permalink parent
citydweller 20 points 3 days ago

Not to nitpick, but where are you getting median US household income is $65,000? The U.S. Census Bureau says median household income was $46,326 in 2005.

http://www.census.gov/hhes/www/income/incxrace.html

permalink parent
jamesaguilar 5 points 3 days ago

He's probably talking about the median two-job household income.

permalink parent
danweber 5 points 3 days ago

I took the first answer from a google for "median US income." The chart I was quoting was for a 4-person household:

http://www.census.gov/hhes/income/4person.html

Fortunately, this error reduces the magnitude of my other error. :)

permalink parent
john_b 6 points 3 days ago

Where's this $34K figure coming from? That would be enough for only five years (179/34). And then, in five years $34K will be nothing due to inflation and dollar value.

permalink parent
danweber 5 points 3 days ago

Nuts, my math was backwards. (I meant to take 5%, took 20% instead.) Thanks for asking so that I was reminded to look it up.

A 65-year-old man in Wisconsin can get an annuity generating $15,000 a year with $179,000.

permalink parent
Notclevr 2 points 3 days ago

Yeah, people who aren't in the top 1% of earners are crappy people.

Wait, no, people who judge others based solely on wealth suck. My mistake.

permalink parent
sbrown123 30 points 3 days ago

I don't think he was judging him, just saying it sucks that after working 25 years he only had $179K. Now if he said he sucks for only having $179K, then that would be him judging the guy.

permalink parent
john_b 8 points 3 days ago

I never said he sucked, I meant something like - his job (or employer) sucks.

permalink parent
degustibus -1 points 3 days ago

If he moved to many parts of the world with 179,000 he'd be a wealthy man. It's all relative but absolute poverty is painfully real. When most of the world lives on less than a few dollars a day this man's retirement account sounds pretty good (plus he has other assets presumably and a job and social security coming).

permalink parent
obvioustroll 12 points 3 days ago

Ummm... That's about 150k more than I've saved over a similar time frame.

Different people have different financial circumstances.

permalink parent
ajax 7 points 3 days ago

The article says "That was a pretty good chunk of what we were going to retire on." So, that was not his entire retirement savings.

permalink parent
pascha 8 points 3 days ago

It's probably just one of his accounts. Every time you change jobs you get a new account and he may not have consolidated them. I have 4 retirement accounts right now and could have 7 and I'm only 32. I need to consolidate 3 of them, but haven't gotten around to it.

permalink parent
ibsulon 2 points 3 days ago

Probably 179k + pension from somewhere else. 401(k)s weren't very common until later.

permalink parent
lahuman8 6 points 3 days ago

"On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account."

uh, aren't logs kept about things of this nature? The article doesn't mention if the hacker was savvy enough to delete logs of this event as well. Well apparently he didn't, since they had a log of where he was appearing to come from during each transaction.

permalink
mynameishere 32 points 3 days ago

Yes, they are. And that is proof positive that the guy was no "hacker" but just some idiot who had the victim's password. I have a strong suspicion about how this happens: For low security accounts (example: reddit), the passwords are frequently unencrypted in the database. So, some clerical worker, tech support guy, programmer, DBA, flunky, etc, looks at the password, and then glances at the guy's email, often in the same database table. The "hacker" guesses that the email's password is the same as that of the first account.

Then, looking through the victim's email, he sees that he has an account with a brokerage firm, and uses the same password. He transfers the money, deletes his information (and NO information in real databases is ever deleted--but is only flagged as deleted), and then spends twenty years in Leavenworth.

permalink parent
frbiwaftt 1 point 3 days ago

I would guess keylogging software was on the victims computer, installed through a virus, trojan or other malware. The victim checked his account every few days, so the account+password would have been easy to get hold of then.

That will teach you to use Windows.

permalink parent
timg 0 points 3 days ago

Phishing is far more likely. Why go for victims one-by-one? Unless, that is, this was just some very trivial attack.

permalink parent
john_b 17 points 3 days ago

In fact, it's nearly impossible to delete all logs and backups in a bank system. They store them in separate physical locations.

But guess what, it's very convenient for a bank to blame it on hackers.

permalink parent
sbrown123 12 points 3 days ago*

uh, aren't logs kept about things of this nature?

Businesses are rarely held liable for gross negligence anymore. For example, you can bet that your personal information is stored in multiple locations across the globe and that it is completely unencrypted. You can also bet that, in the matter of only a few years, some if not all of that data will be stolen or "lost" (if it hasn't been already).

What can you do to protect yourself? Nothing really. Our government has done its best to ensure that this continues for, if they fixed the problem, others would appear:

  1. Illegal immigrants. And our government avoids that issue like the plague.
  2. Our government is currently pro-big-business, and holding companies liable for anything is against their mutual interests (money).
permalink parent
lahuman8 0 points 2 days ago

I always thought there should be a law that would force a company to delete any personal information they have of someone they once, but no longer, do business with if a request was made in writing. There would need to be some exceptions, like perhaps colleges.

permalink parent
ethics 9 points 3 days ago

I can't believe that in the tech age a very important part of everyone's investment (esp that of Middle Class) is unprotected!??!

permalink
rafuzo2 16 points 3 days ago

As the article said, at E-Trade and Charles Schwab, FDIC-style guarantees are in place. So I guess the answer is open your accounts with them, until the rest of the market falls in line.

permalink parent
lowdown 3 points 3 days ago

You don't need FDIC guarantees to prevent this sort of circumstance. The types of protection Schwab and E-Trade offer are not FDIC-style. They are protecting their customers which in turn leads to more diligence. The brokerage firm shouldn't be transferring anything over a certain amount without proof positive written instructions from the verified account holder. I'd have to imagine that firms offering this sort of protection are less likely to release any significant amount of cash without safeguards.

permalink parent
twoodfin 11 points 3 days ago

I don't disagree, but FDIC-style insurance is not as trivial to implement as it sounds.

You can't just hand out money to everyone who says they've lost it, so you need the ability to distinguish between legitimate claims and fraudulent ones. That means either hiring a bunch of very expensive investigators, or more likely, since you're the government, restricting the kinds of transactions that can be performed via regulation.

That's one reason why, for example, you're restricted in how often you can transfer funds between checking and savings accounts.

And that assumes you only want to insure against outside theft. But what if you're trying to insure against shady investment firms? They have a hundred ways to make your money disappear, from simply going out of business to using your money to artificially inflate stocks of friends of theirs. It's hard to imagine a regulatory scheme that could catch all of this accurately enough to get you back exactly what you lost. If such a thing existed, it would probably remove many of the efficiencies you get from the free movement of capital, which is how the investment is making money, anyways.

Investing is risky, and not just because the market goes up and down. A 401(k) is less risky than buying Nigerian bonds or something, but you're still susceptible to fraud. Putting your money in a bank is almost risk-free, even so, you might lose if so many banks go out of business that the FDIC defaults. In the meantime, you typically make more money in the riskier investments over the long term.

permalink parent
anteyekon4myst 6 points 3 days ago

That's because it's a service that would cost the investment firm/bank more money. If this was JP Morgan etc.'s money they would be all over this and you wouldn't have even heard about it in the media. Banks are quick to act when it's their own money and seldom ever let the media find out.

permalink parent
oditogre -6 points 3 days ago* [comment score below threshold]
bhagany 13 points 3 days ago

But it wasn't JP Morgan's money. That's what he's saying.

permalink parent
oditogre 4 points 3 days ago

Ah, my bad, mis-read. :-/

permalink parent
mikaelhg -1 points 3 days ago

This is why we use one-time passwords in Europe.

permalink
boa13 14 points 3 days ago

Your statement is too broad. I don't use one-time passwords (except to log in at work). I don't know any major bank in France that uses such a system. (Not that I'm against it, it's just the current facts.)

However, I need to call my bank and provide several identification tokens (not always the same ones) when I need to add a new account in my list of accounts I can send money to.

Note that one-time passwords can be badly implemented too; there was a story on Reddit (or was it The Daily WTF?) about an almost non-random OTP. You could practically guess them...

permalink parent
erikw 5 points 3 days ago

In northern Europe we have different systems, but they are all based on new (semi-)random tokens for each login. The most popular system in Norway seems to be the "code calculator" (token generator), where you enter a four-digit PIN and get an eight-digit hash based on the time and the PIN. If you enter the wrong PIN more than four times, the "calculator" locks up. Another account I'm using uses a pass-phrase and a four-digit number from a sheet of different codes.

permalink parent
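An added example (not from this thread or any bank's software) of the code calculator erikw describes: the device returns an eight-digit code derived from a shared secret, the current time step and the PIN, locks after more than four wrong PINs, and the bank recomputes the code with a one-step clock-drift window and refuses reuse of a code it already accepted. The device key, the 60-second step and the HMAC-SHA1 construction are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed per-device key shared by the token and the bank (hypothetical value).
DEVICE_SECRET = b"constructed-device-key-0001"
TIME_STEP_SECONDS = 60   # assumed validity window of one code
MAX_WRONG_PINS = 4       # "more than four" wrong PINs locks the device


def compute_code(secret: bytes, pin: str, t: float) -> str:
    """Eight-digit code from the shared secret, the current time step and the PIN."""
    counter = int(t // TIME_STEP_SECONDS)
    digest = hmac.new(secret, struct.pack(">Q", counter) + pin.encode(), hashlib.sha1).digest()
    # HOTP-style dynamic truncation: 4 bytes at an offset given by the last nibble.
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10**8:08d}"


class CodeCalculator:
    """The user's token: returns a code for the right PIN, locks after too many wrong ones."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self.wrong_pins, self.locked = 0, False

    def enter_pin(self, pin: str, now: float = None):
        if self.locked:
            return None
        if pin != self._pin:
            self.wrong_pins += 1
            self.locked = self.wrong_pins > MAX_WRONG_PINS
            return None
        self.wrong_pins = 0
        return compute_code(self._secret, pin, time.time() if now is None else now)


class BankVerifier:
    """Bank side: recomputes the code, tolerates one step of clock drift,
    compares in constant time and refuses a code from an already-used time step."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self._secret, self._pin, self._window = secret, pin, window
        self.last_counter = -1

    def verify(self, submitted: str, now: float) -> bool:
        for drift in range(-self._window, self._window + 1):
            t = now + drift * TIME_STEP_SECONDS
            if hmac.compare_digest(compute_code(self._secret, self._pin, t), submitted):
                counter = int(t // TIME_STEP_SECONDS)
                if counter <= self.last_counter:
                    return False        # replay of a code already accepted
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    calc, bank = CodeCalculator(DEVICE_SECRET, "4321"), BankVerifier(DEVICE_SECRET, "4321")
    code = calc.enter_pin("4321")
    print(code, bank.verify(code, time.time()))
```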
md5 3 points 3 days ago

My bank uses a system where you enter your username and password (which needs to be changed every 90 days), and then they send a session password to your mobile phone via text message. You use this session password to actually log in and authorise transactions. This has the added benefit of immediately alerting you if someone tries to use your first-level username-password pair.

permalink parent
boa13 1 point 1 day ago

And the fun part is, my bank actually recently switched to that. A session password is sent by SMS when a sensitive operation is first performed (confirmation of money transfers, request of new cheques, etc.)

So, I know of banks that implement OTPs, now. Mine does. Times are changing, and this time the change is good. :)

permalink parent
mikaelhg 2 points 3 days ago

Most of the multinational banks in Europe use the one-time password sheet method. I haven't seen token generators in use anywhere.

permalink parent
DougBTX 2 points 3 days ago

Rabobank and ABN Amro both do them in Holland, I assume other Dutch banks do too.

permalink parent
jramon 11 points 3 days ago

I'm sure no one in the history of Europe has ever had their online bank account compromised.

permalink parent
harrier0 2 points 3 days ago

You don't even need one-time passwords. All online brokerage firms I know only allow transfers to a reference checking account which was specified when the account was opened and which certainly can't be changed easily. Any other transfer has to go through multiple security/authorization steps.

permalink parent
bsmcat 1 point 3 days ago

Both Schwab and E-trade will give you a one-time password security token if you ask them to. Definitely recommended if you are worried about keylogging attacks. Also, most stock brokers and banks can set up a verbal password to use on the phone instead of the usual security questions.

permalink parent
ghost11 9 points 3 days ago

Why aren't the banks 100% liable (as per Schneier) for this kind of fraud?

permalink
citydweller 5 points 3 days ago*

Agreed. There are some common sense things consumers should do to help protect themselves (use strong passwords, use unique passwords for financial sites, etc.), but the onus shouldn't be on the consumer to protect himself. The onus should be on companies to protect the consumer or else pay the price.

permalink parent
chu 3 points 3 days ago

The onus should be on companies to protect the consumer

Presumably that's the main business of a bank - it shouldn't be safer to stash money in a mattress.

permalink parent
trutru 3 points 3 days ago

because real security costs money to implement, and because the banks can get away mostly unharmed by letting these rip-offs happen.

permalink parent
dextroz 2 points 2 days ago

Comerica bank in the US uses a 4-digit PIN for online account access! That's why I moved all my money to Chase Manhattan. Comerica is one of the biggest banks in the Michigan-Ohio-Great Lakes region.

permalink parent
mynameishere 21 points 3 days ago

The FBI investigation must have been rough.

"Hello Bank of America, this is Special Agent Bill Smith--what is the name and address of account holder # 1432452456565? I can get a warrant in 30 minutes if need be."

"Please hold." [15 seconds later.] "Joe Johnson, 234 Elm, Atlanta, Georgia."

permalink
kelmr2003 6 points 3 days ago

So it was Joe Johnson that did this. Let's get him!

permalink parent
p-f 4 points 3 days ago*

"There is a fundamental business need to do it," Gable said. "We don't want clients concerned about the safety of their assets. … We want people to feel secure."

Summary of the quote: Let's make people feel secure without providing any real security!

Scary.

permalink
mleonhard 1 point 3 days ago

real security is expensive

permalink parent
fishandchips 15 points 3 days ago

That's very scary. I thought this was an article on the depreciation of the dollar at first.

permalink
goldenbb 2 points 3 days ago

The news media's specialty is "scary" news.

permalink parent
mnruxter 0 points 2 days ago

thanks for the humor

permalink parent
flyinglunatic 2 points 3 days ago

The thief must have left a paper trail a mile long. I mean, he transferred the money to his BofA account.

permalink
jramon 4 points 3 days ago

It was probably a phished BofA account, then just start withdrawing from ATMs in out of the way locations in Eastern Europe or whatever... Duh?

permalink parent
haywood_jablowme 3 points 3 days ago

Hmm, I have 2 brokerage accounts and this seems a bit unrealistic (assuming you check your email once every few days).

In order to add a bank account (at least for Ameritrade and Interactive Brokers) you have to wait for them to deposit/withdraw two amounts and go through the confirmation process, all of which requires at least 1 e-mail notification, and a few days for the transactions to post (longer if you don't use online/phone banking and wait for a paper bank statement).

Afterwards, each withdrawal results in an e-mail notification. Ameritrade withdrawals are quick (request during business hours and ACHed by next business day), Interactive Brokers takes a few days and has a few restrictions; so you have at least a day to notify them.

In short: the process does not happen in "One moment".

permalink
citydweller 2 points 3 days ago*

Agreed, but if the hacker could change the checking account number, I'm sure he could change the email address in the brokerage account to his own address.

permalink parent
haywood_jablowme 1 point 3 days ago

Changing email for Ameritrade and Interactive Brokers is a multi-step process which sends out at least one email to both old and new accounts... (recently changed my email address, Interactive Brokers was a real pain in the ass [prefer it this way])

permalink parent
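As an added example (not the thread's or any brokerage's code) of the linked-account control haywood_jablowme and citydweller describe: a new destination account stays unconfirmed until two random micro-deposit amounts are confirmed back, every step is announced to the address on file, the amounts get only a few attempts, and transfers to an unconfirmed or freshly confirmed account are refused. The three-day hold period and the three-attempt limit are assumed values.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

HOLD_SECONDS = 3 * 24 * 3600    # assumed waiting period after confirmation before any transfer
MAX_CONFIRM_ATTEMPTS = 3        # assumed limit on guessing the micro-deposit amounts


@dataclass
class LinkedAccount:
    number: str
    deposits: tuple                 # the two micro-deposit amounts, in cents
    requested_at: int
    confirmed_at: Optional[int] = None
    attempts: int = 0
    disabled: bool = False


@dataclass
class BrokerageAccount:
    email: str
    linked: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # (recipient, message) log

    def notify(self, message: str) -> None:
        # Every step goes to the address on file, so the owner sees the attempt.
        self.notifications.append((self.email, message))

    def request_link(self, number: str, now: int) -> LinkedAccount:
        """Register a destination account as unconfirmed and send two random test deposits."""
        amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
        self.linked[number] = LinkedAccount(number, amounts, now)
        self.notify(f"link requested for account ending {number[-4:]}; two test deposits sent")
        return self.linked[number]

    def confirm_link(self, number: str, first: int, second: int, now: int) -> bool:
        """Activate the link only when both amounts match, within a small attempt budget."""
        la = self.linked[number]
        if la.disabled or la.confirmed_at is not None:
            return False
        la.attempts += 1
        if (first, second) != la.deposits:
            if la.attempts >= MAX_CONFIRM_ATTEMPTS:
                la.disabled = True
                self.notify(f"link for account ending {number[-4:]} disabled after failed confirmations")
            return False
        la.confirmed_at = now
        self.notify(f"account ending {number[-4:]} confirmed; transfers allowed after hold period")
        return True

    def transfer_out(self, number: str, cents: int, now: int) -> str:
        """Refuse transfers to unconfirmed, disabled or freshly confirmed destinations."""
        la = self.linked.get(number)
        if la is None or la.disabled or la.confirmed_at is None:
            return "refused: destination not confirmed"
        if now - la.confirmed_at < HOLD_SECONDS:
            return "refused: destination still in hold period"
        self.notify(f"withdrawal of {cents} cents to account ending {number[-4:]}")
        return "ok"
```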
ajax 6 points 3 days ago

Sensationalistic article. You have to read half-way through to find out that JPM returned all of the guy's money, and two-thirds of the way through to find out that it is standard industry procedure to return any money lost due to cybercrime ("Stark said that in every recent case of brokerage hacking he's familiar with, consumers who complained have received full refunds.")

Perhaps poster should have used the title "One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. Two months later, he had it all back."

permalink
citydweller 6 points 3 days ago*

It seems odd that it was so easy to change the linked checking account in his retirement account. That should require a written and mailed correspondence (with some kind of proof of identity) in my opinion. Maybe even an immediate follow-up phone call to the account holder that a request to change checking accounts had been made. Heck, even an automated phone call would be better than nothing.

permalink
maldrax 4 points 3 days ago

Obviously the hacker was able to set up a new account for withdrawal over the web.

Shouldn't this require at least a phone call and confirmation of a person's identity?

permalink
citydweller 3 points 3 days ago

Maybe we should write to our Congressmen to introduce legislation that would give brokerage & retirement accounts the same kind of fraud protection that credit cards (liable for no more than $50 loss) and checking accounts (liable for no more than $500 loss if reported within 60 days) have.

permalink
dannod 1 point 3 days ago

Anything with an ACH transfer is ridiculously easy. They never check names and all you need is the routing number and account number to start drawing on someone's account. We had that happen twice on our business checking account. Ridiculous that you need a PIN to take 20 bucks out at the ATM but nothing to transfer as much as you want!

permalink
demoneyes -7 points 3 days ago [comment score below threshold]
mkc 24 points 3 days ago

Not everyone goes through money like a drunken Republican legislator...

permalink parent
demoneyes 8 points 3 days ago*

Hey, I feel bad for the guy, but there is a reality check here for everyone reading this article.

His 401k is pre-tax dollars, meaning he will have to pay income tax on his distributions. The money he put in along with the money earned is taxable. That makes $179,000 appear much smaller. Even assuming he lives modestly in a 25% federal tax bracket (+5-9% state tax), his expenses will quickly add up in retirement...mostly for health care.

For his sake I just hope he has a working wife (with retirement), or a military pension. For any of you who take saving for retirement seriously, you will understand what I'm saying.

permalink parent
SteveAM1 9 points 3 days ago

The guy didn't say he was retiring on $179K. He said, "That was a pretty good chunk of what we were going to retire on."

It's more doable than most people here seem to think, especially if his wife has some retirement money. But even if she doesn't, he also gets social security, which will help.

He might own his home (probably does actually) and have very limited expenses. If he does, he could easily live on $1000 income a month (adjusted for inflation each year), which is easily done with a 4% portfolio withdrawal rate from a $179K nest egg and social security income.

permalink parent
muyuu 0 points 2 days ago

It all comes down to what you interpret as a "good chunk." If it's something like 30% or more, then he was heading for a retirement in poverty.

These days people live 15+ years after retirement, easily.

permalink parent
TheSavageNation -3 points 3 days ago

yarc: Yet another republican comparison

permalink parent
mjk1093 -14 points 3 days ago [comment score below threshold]
technothrasher 2 points 3 days ago

...Spokeswoman Mary Sedara said the stolen funds had been recovered and would be refunded in time for Christmas. The firm would even make good on any market gains DeSmidt missed out on while the money was missing, she said.

permalink parent
jotaroh -9 points 3 days ago [comment score below threshold]
oditogre -5 points 3 days ago [comment score below threshold]