In an instant, retirement savings vanish
Posted: Friday, January 5 at 04:00 am CT by Bob Sullivan
One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. In an instant, 25 years of savings had disappeared.
With a few clicks, someone raided DeSmidt’s retirement account with J.P. Morgan & Co and ordered a full disbursement to a private checking account.
Then came the really bad news. While credit card and online banking accounts are legally protected in the event of fraud, DeSmidt’s brokerage account came with no such insurance. Two months after the theft, his balance still read $0.
With hacking of brokerage accounts increasing, the legal gap facing DeSmidt and other victims has regulators and critics debating the need for new consumer protections.
‘I don’t have a clue’
The theft was the shock of a lifetime for DeSmidt, who plans to retire in a few years with his wife in their Mukwonago, Wis., home.
"That was a pretty good chunk of what we were going to retire on," DeSmidt said. "I don't have a clue how it happened."
The theft occurred on Oct. 23, while DeSmidt was on assignment for his company in China, near Shanghai. Just before lunch, someone else logged onto J.P. Morgan's Web site from a computer connected to the Internet through Comcast Cable Communications in Cherry Hill, N.J., and entered DeSmidt's user ID and personal access code.
While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.
A report by J.P. Morgan suggests the criminal was a bit anxious, perhaps disbelieving the good fortune of hacking such a valuable account. The imposter logged in again from the same computer 41 minutes later, at 1:06 p.m., and again at 11:30 p.m. to review the pending transaction.
The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.
DeSmidt didn't know it yet, but a quarter century worth of savings and investment gains had just disappeared.
The theft wasn’t tax-efficient. Since DeSmidt isn't yet of retirement age -- he’s 57 -- there were severe penalties for the early 401(k) withdrawal, and J.P. Morgan held back about $35,800.09 to pay these taxes. Still, it was a good day's work for the hacker. The company sent the remaining balance -- $143,200.34 -- to an account under his or her control.
SEC: Brokerage attacks ‘on the rise’
Computer criminals have made the logical progression from credit card fraud to online bank attacks and now to big-ticket brokerage accounts, analysts say.
Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.
John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, acknowledged that online brokerage hacking is “on the rise” and warned of possible consequences for consumers.
With simple credit card fraud, customers need only call their bank and refuse to pay for an item, he said, but brokerage account hacking is much more dramatic.
“People need to understand this kind of fraud,” Stark said. “This is very serious stuff. … People wake up in the morning, look in their account, and their money is all gone.”
Stark said any consumers who have encountered brokerage account fraud should contact his office for assistance at enforcement@sec.gov.
Covering tracks
Criminals who target brokerage accounts clearly know their craft. A day after successfully transferring DeSmidt’s money out of the 401(k) account, the hacker started trying to cover his or her tracks.
On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account. Four hours later, using a Cox Communications connection out of Atlanta, the hacker re-entered DeSmidt's original checking account information. Other than the zero balance, there were no obvious signs remaining of the hacker’s visits.
A few days later, DeSmidt checked his retirement balance online, as he does regularly, and spotted the theft. Then the paperwork nightmare began.
"This has been very stressful,” he said. “My wife is going crazy."
A flurry of e-mail, faxes and registered letters followed. J.P. Morgan ordered an investigation and sent the results to DeSmidt on Dec. 1.
"J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment," the report said. "Access and authentication controls established within J.P. Morgan worked appropriately."
The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt's user name and password.
The report's conclusion: "Investigation Status: Closed."
It wasn't clear to DeSmidt what that meant; the firm never said it wouldn't issue a refund. But he was stuck in limbo, awaiting further instructions.
Promised a refund
Two more weeks passed, and DeSmidt started to fear his retirement money was indeed gone for good. By the time he contacted MSNBC.com, he said he had written to every government agency he could think of to no avail and hadn’t been able to find a lawyer willing to take his case.
"I can find lots of attorneys that will defend me if I am the one accused of the crime," he wrote.
DeSmidt's story, however, had a happy ending.
When MSNBC.com contacted J.P. Morgan, the firm said its continuing investigation had borne fruit. Spokeswoman Mary Sedara said the stolen funds had been recovered and would be refunded in time for Christmas. The firm would even make good on any market gains DeSmidt missed out on while the money was missing, she said.
The story didn't have to end this way, though.
Few consumers appreciate the fact that, unlike credit card and checking account transactions, there are no federal consumer regulations specifically protecting consumers in the event of brokerage account hacking, said Gartner fraud analyst Avivah Litan. And with hackers targeting investment accounts more frequently, the legal loophole could leave investors with some ugly surprises.
'They need to protect the assets'
"This should be a call to action for the regulators," she said. "They are never going to protect against all the (criminal) methods. They need to protect the assets."
Both credit card transactions and electronic account transfers, such as online banking payments, are governed by Federal Reserve regulations that strictly limit consumers’ losses from theft. Consumers who report credit card fraud are only liable for $50; liability for fraudulent checking account transfers is capped at $500 if the consumer reports the theft within 60 days. Refunds for checking account thefts must generally be issued within 10 days.
The regulations are designed to boost confidence in the systems. But the Federal Reserve doesn't regulate investment firms, and the Securities and Exchange Commission doesn't mandate any similar protections for brokerage accounts.
And DeSmidt's tale is hardly an anomaly. Last year, several trading firms revealed they were hit by hackers. E-Trade, for example, reported in October that it had lost $18 million to crime rings based in Eastern Europe and Thailand.
Despite the lack of legal compulsion, some investment firms have taken to offering broad consumer protections anyway. Both E-Trade and Charles Schwab offer credit-card-style guarantees. Money stolen from Charles Schwab's Web site will be returned to consumers as long as the theft is reported in a timely way, said Schwab's Greg Gable.
'We want people to feel secure'
"There is a fundamental business need to do it," Gable said. "We don't want clients concerned about the safety of their assets. … We want people to feel secure."
Gable wouldn't say how many Schwab customers had asked for theft refunds, saying only such cases were "very rare."
Stark said that in every recent case of brokerage hacking he’s familiar with, consumers who complained have received full refunds. But the largesse is voluntary -- unless the brokerage makes a clear promise like Schwab or E-Trade -- and it may not last forever.
“Firms are reimbursing everyone (who) has that kind of loss,” he said. “But they didn’t always do that (and) I don’t know how long they can continue doing it.”
Brokerage account hijacking has the attention of regulators, but at the same time criminals are getting cleverer. In late December, the SEC moved to stop a pump-and-dump scheme involving an Estonian firm.
The SEC said the firm's Russian owner earned $350,000 by purchasing penny stocks, then hacking into other investors' accounts and purchasing large blocks of the stock before selling his own shares at inflated prices.
Web-based investing scams have DeSmidt's attention, too. He is grateful J.P. Morgan promised to return his funds, but he's not about to let lightning strike twice. He told the company to shut down Web access to his accounts.
"I prefer to keep the account access only over the telephone for now," he said.
This is scary as a lot of Retirees have accounts that they access over the Internet. In fact, a lot of people "insist" that you access the account over the net, so that it makes less paperwork for them... If they are the "insistent type", ask them if they will be liable for any hacking thefts, if not, then insist yourself, that they deal with the paperwork.
I wish you well..
Jesse
Jesse Merino Steubenville, Ohio (Sent Jan 5, 2007 6:29:44 AM)
Thanks for the info. Sounds like both e-trade and Charles Schwab are good companies to do business with. And, I'll make sure that none of my accounts will ever have web access.
Jack Hand; Fairfax Station, VA (Sent Jan 5, 2007 6:47:57 AM)
This is a very important issue. I hope all the programs on CNBC TV will set aside time to discuss this subject.
L.Sanford, New York,NY (Sent Jan 5, 2007 7:04:16 AM)
It was never explained how the hackers obtained his login and password.
Ed Lewis (Sent Jan 5, 2007 7:49:11 AM)
This happened to my Mom, too, with a Merrill Lynch account. In that case, however, no one in the family knew about it for a year. The amount stolen was only about $37,000. I am the one taking care of her, and we are just about out of money.
Please warn people that someone else should know about your finances. My Mom's Alzheimer's onset was insidious, and it took awhile for us to be realistic enough to face it. With all of her assets, I had a feeling that her possessions were hers and she should still control them. In truth, her possessions were meaningless to her.
Susan Neely Keystone Heights Florida (Sent Jan 5, 2007 8:02:03 AM)
Could it be that Mr. DeSmidt gave the user ID and personal access code to the thief, by his regular checking of the account balance? He may have originally been a victim of spy-ware by someone who was computer savvy enough to manipulate the bank accounts. I do not put any personal information on my computer. I do not purchase things on line. I usually have to pay a little more to mail a check (service fees). If the company won't take a check then we do not do business. I recently had a conversation with a group of people where every one who had used a credit card on line had some type of problem with credit theft. I have a friend, who has written computer software, who told me that there is never enough protection to put personal information on your computer. His exact words were "don't put it on if you don't want to share it". He runs a separate, off line, computer for his financial and business records.
(Sent Jan 5, 2007 8:19:05 AM)
It is unconscionable that brokerage firms do not have the most elementary protections already in place. It should not be possible to withdraw any funds from a brokerage account via the internet. Typically this will be a once-in-a-lifetime transaction and should only be possible in person. Big brokerage houses have offices virtually everywhere.
RND, New York (Sent Jan 5, 2007 8:35:54 AM)
I, and many other retired investors, would like to see a published list of investment firms that take the same approach as Charles Schwab. This news has made me very nervous and I think the public needs to become very aware of this problem. I think Schwab might even get a commercial on the TV to expedite this information that at least they protect their customers if no one else does. Then Uncle Sam should make this a priority in this year's Congress to instill the same protection that credit cards have. Schwab first though because they can react faster than those "slower than molasses in January" politicians in Washington can... if they even care. I'm sure their guaranteed ridiculously high retirement pay is well protected already. I would publish my e-mail address, but I don't feel safe anymore even doing that. I'm sure you understand.
Terry, Fort Wayne, IN (Sent Jan 5, 2007 8:40:18 AM)
These types of financial accounts should be set up by default so that the only way to receive funds out of the account is by physical check made payable to the owner's name at the address of record on the account. Financial firms should warn customers that setting up the capability for electronic transfers out of the account can add to their risk.
Gary, Du Page County, IL (Sent Jan 5, 2007 8:40:35 AM)
It was very negligent of J.P. Morgan & Co. to transfer DeSmidt's retirement account to a checking account with a different name.
I would never open a brokerage account at that brokerage firm.
Dennis Byrne, Harrisburg, PA (Sent Jan 5, 2007 8:45:13 AM)
JP Morgan promised (?) to refund the funds? Can we get a follow up? I'd be interested to see if they keep their promise.
Steve Y, Baltimore, Md. (Sent Jan 5, 2007 8:46:19 AM)
This just proves that doing everything the easy way leaves you vulnerable to criminal activities. I have to fill out paperwork if I want to transfer anything from my IRA account to another account and NONE of those accounts are set up for web transfers. NONE. PERIOD. I have to make a phone call to request that anything be done. It's just too easy to lose everything.
Sara, Chicago, IL (Sent Jan 5, 2007 8:48:34 AM)
I hope Dave "accepts full responsibility" for his loss !
Having an uninsured account with his entire 401k savings is a "bad-bad mistake" and he is the one that said "yes".
The theft was either an "inside job" or Dave did not take precautions to safeguard BOTH his ID and password. This too, is Dave's responsibility. If his computer was "hijacked", that again, is Dave's responsibility for not protecting his computer or behaving in such a manner that he allowed himself to be hijacked.
Fortunately for Dave he may have some relief in the matter. He may be able to claim some or all of his "theft loss" on his Federal income tax.
Joe, Oxford Michigan (Sent Jan 5, 2007 9:08:11 AM)
If I was a personal or commercial customer of that bank, I would work to quickly close all my accounts there. This shows that their internal controls are not up to the standards needed to safeguard assets under their control.
William, Washington DC (Sent Jan 5, 2007 9:15:09 AM)
"The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer."
So, the transfer was to an account that had a mismatched name and that doesn't raise a red flag??? HELLO? At the very least, this should require a voice verification by the bank!
(Sent Jan 5, 2007 9:23:24 AM)
Another case of technology outpacing social institutions. But I am curious HOW the hackers retrieved two pieces of this man's "identity". Does his home computer have updated software and protections? Did he log into his account from a "public" computer at any time, say in China? Mr. DeSmidt is 57 years old. Is he computer literate, or does his 14 year old nephew do all "that computer stuff" for him? I do not discount The DeSmidt family loss, but I wish the author could give us more detail instead of Chicken Little's view of the sky falling.
Matthew, Sacramento, CA (Sent Jan 5, 2007 9:25:55 AM)
Prudential only sends money to your home address, period. And only once the account administrator approves the transaction. There is a lot of communication. I know this because I have transferred funds before with them. It is a pain, but a pain worth going through.
PMC, Long Beach, Ca (Sent Jan 5, 2007 9:57:42 AM)
I had to take a full disbursement from my 401(k) account a few years ago and my 401(k) company required a signed and notarized document before sending me the check.
Warning flags should have gone off when the hacker changed the checking account associated with DeSmidt's account AND requested a full disbursement. At the very least, brokerages should give an option for customers to demand personal contact on every disbursement, or a signed and notarized document before funds are released.
John B (Sent Jan 5, 2007 9:58:22 AM)
I do not understand. By Federal law no one can distribute money from a 401K account unless certain conditions are met, i.e., hardship, death, change of employment, 59 1/2 yrs old....
So how can someone move 401K money to a checking account without meeting these conditions? I know I can not get to my $ unless I request a LOAN.
(Sent Jan 5, 2007 10:01:29 AM)
All you folks here who assume the victim allowed the thief to acquire the victim's user name and password don't understand how easily this can happen, and how easily you yourselves can be victimized by something similar. You may think you're protected by security software on your PC or by being careful not to give out your passwords. Spyware and phishing-type attacks are growing increasingly sophisticated and difficult to detect or prevent. Some experts suspect we may only be seeing early and small-scale dry-runs of a future and much larger coordinated attack on a large block of investors in an effort to bring down the US financial system. And I wouldn't be confident that you're invulnerable to similar kinds of account-raiding just because you don't allow Internet transfers. Your permissions can be changed without your authorization as well, or errors can be made by the brokerage firm to make a transfer that you have not allowed. However you allow transfers to take place (telephone, writing, in-person), you can be impersonated. Monitor your accounts and online security actively and do not be complacent. Assuming the victim was at fault here is a form of complacency and over-confidence in a financial system that is vulnerable.
David, Chicago, IL (Sent Jan 5, 2007 10:04:12 AM)
Bravo to MSNBC! The only reason he got his money back is because you got involved. JP Morgan and other institutions probably got to talking to each other and figured that they had better take care of them rather than have the word get out about uninsured funds and then having a mass public withdrawal such as in the 1920's causing a banking collapse. These guys need to have better security in place. Can you do a follow up as to who got access to his user id and password?
Rick Jekelis, Centennial, CO (Sent Jan 5, 2007 10:04:41 AM)
Converting everything to paper and phone transactions doesn't really stop this problem entirely either. If the post office mis-delivers your mail to someone else, or if your mail is willfully stolen, someone could attempt to use your account id.
PM, Franklin, MA (Sent Jan 5, 2007 10:05:09 AM)
Maybe there needs to be a change to how SIPC brokerage account coverage works. I know it is only if a brokerage company fails you are guaranteed up to $500,000 in securities and $100,000 in cash, but now with online capabilities to view your accounts I think this needs to be considered to cover this type of theft. It is in turn on the brokerages to protect our assets. Even as popular as online banking and bill pay has become I won't use that either. I figure the less that I have exposed online, hopefully the more protected I will be. I'll stick to getting my statements in the mail and sending my bills out.
David (Sent Jan 5, 2007 10:05:36 AM)
Most likely, he at one point logged onto JP's website to check his 401, from a computer that has key logging spyware, that was planted from poor surfing habits. Possibly his home computer had spyware/key loggers that was installed, due to poor surfing habits, and thus started surfing. This is very widespread around the earth. People have no clue about home computer security.
All users should visit http://update.microsoft.com/microsoftupdate about once a week.
I also recommend spywareblaster from javacoolsoftware.com, and to update its definitions about once a week - I am not an employee of this computer.
Also use Ad-Aware Personal Edition. Also update the definitions for this application through the GUI as well once a week.
For home users, purchase a Linksys BEFSX41 - a good router without wireless capability, and a pretty strong firewall. Wireless is a whole other discussion point in terms of the general public not knowing how to lock down a wireless router out of the box from bestbuy or circuit city, etc.
Point being, my thoughts are probably that a home computer in his house was infected due to clicking on a link from spam (social engineering - oh hey, click this site it's your bank site the graphics look the same, but the actual link is a rogue website in china).
People need to be very conscious about the security threats in the world. I am a network administrator, and try to make our employees conscious about these type of threats all of the time.
People can learn a lot by going to: www.websense.com
I am not trying to promote these products, while these are good home products, and enterprise products (websense), you can learn a lot by visiting the forums, and discussion areas on these websites, as their main scope of business is protecting customers identities from being stolen, or other criminal activity.
Ryan West , Huntsville, AL (Sent Jan 5, 2007 10:06:09 AM)
I'm going to take a wild guess and say that at his age, Mr. DeSmidt isn't all that tech-savvy. He probably has heard of the term spyware but has no idea what it is or how it works.
Because of this, I would venture to say there was some sort of spyware on his machine that captured his login information and sent it to the 'hacker' that drained his account.
There should probably be a massive campaign by financial institutions to tell their customers that if they don't feel they are 100% tech-savvy, DO NOT use the online banking feature. However, this won't happen because by using the online banking feature, the customer is not having to contact a bank employee for transactions thus saving the bank money. Nonetheless, something has to be done.
As for the person above who says all his friends who have purchased things online and such through the years and have all been a victim of identity theft, well, as I'm here to say I've been online for 11+ years now and I've made probably hundreds of purchases online through various ways and not once have I been a victim of identity fraud (*knock on wood). Not a single time.
I really feel it goes back to common sense. Only make purchases on reputable sites that are SECURE and don't send money orders overseas and such. If your mind tells you that the transaction might not be safe, then it probably isn't.
But there's no sense in becoming paranoid and saying that people shouldn't purchase products/services online. One should just exercise caution just as one does in other avenues of life. Even though you can die in your automobile, that doesn't mean you take less trips in it, does it? Of course not.
Benjamin Martin, Fayetteville, AR (Sent Jan 5, 2007 10:06:22 AM)
I agree Matthew.
Sounds like life would be better if we just shut off our computers forever, based on these comments. When will people stop being afraid of "doing business" online, and take time to learn good security practices so this does not happen to you?
#1. Never check a banking account on a public computer
#2. Have a good personal firewall, Anti-Virus software, and spy-ware software on your computer
#3. You can purchase things online, just do it with a debit card, linked to a small account that you designate for online purchases.
#4. Never share your banking information or store it in a file on your computer
That's all you have to do.
I still believe it is easier to steal from those that do business over the phone, or via mail.
I wish this article was not a "technology is bad" article, all this does is force more people back to the stone age with their habits.
Kevin Kaczmarek, Allen Park, Mi (Sent Jan 5, 2007 10:06:33 AM)
I am in favor of increasing consumer ease and reducing paperwork through electronic transfers but there must be in place consumer protections in order to incent the financial institutions to stay on top of electronic security developments. The same consumer liability limits that apply to other financial institutions should apply to brokerages.
Ed (Sent Jan 5, 2007 10:08:48 AM)
The obvious answer is to stop the ability to change the accounts money can be transferred to. Once established, only a phone call to a verified number or personal visit could change the checking account information to which money could be transferred. In this manner, you could still have access to your account and a hacker could not change where the money could be moved to...simple enough.
(Sent Jan 5, 2007 10:09:53 AM)
I think an effective way to stop this would be before any transaction would take place the Company would automatically send an email to the email address the client had initially set up and it would ask a security question that only the client would know. Then if this email was not answered promptly then it would lock up the account and notify the client by phone immediately of the problem. Now, how hard would that be to implement? That's what they need to do.
(Sent Jan 5, 2007 10:11:51 AM)
The guy worked for Chase. But who was the holding company for the 401K funds? And why weren't they quoted or contacted in this article?
(Sent Jan 5, 2007 10:11:58 AM)
This is inexcusable on their end. I'm a broker at CBOT, and even we have simple safeguard rules: internet request always follow up with a telephone call to verify the transfer request, plus....even Amazon.com won't let you transfer funds from your pro-merchant account for 14 days, if you change your checking account #. Don't blame the poor guy for being careless; don't blame computers and internet......Blame J.P. Morgan & Co. It is all common sense, jeez, even when you buy something big with your credit card, your bank sometimes calls you to verify, and here we 401K account, 175K or so, there is 30k Tax Penalty, new checking account with NON matching name on it! How many other red flags do you need to warrant a simple courtesy phone call from your broker to see what is going on? Unless, the guys in the BIG FIVE, don't give a rat's ass about you as a client....
Val Baur, Chicago, IL (Sent Jan 5, 2007 10:12:26 AM)
Joe from Oxford doesn't seem to understand whose responsibility security is. It's not the end-user's. If the company providing these services cannot be bothered to secure their account from silly fraud like this they should bear the entire brunt of the loss.
It isn't that hard, people. The accounts to which money can be disbursed should be signature-verified via snail-mail by the account holder. Any account not bearing the account-holder's name should be automatically out of the question for disbursement unless there is a set of triplicate paperwork filled out in person. Any complete disbursement from the account should be delayed by at least 10 business days, and verified by a signature. This isn't a day-to-day checking account, people. It's someone's entire life's savings. I know I'll think twice before letting JP Morgan handle my money, if this is how carelessly they do it.
slippy the toad (Sent Jan 5, 2007 10:13:16 AM)
This makes no sense. If anyone has ever tried to get money from their 401k plan, they know about the amount of paperwork that needs to be filled out first. Most employers need to sign off saying the employee was terminated. Something is fishy with this story.
(Sent Jan 5, 2007 10:16:45 AM)
This story of Dave DeSmidt is a warning to us all. Especially to computer-literate legislators who must enact new laws protecting us. If they don't act, consumers could lose trust in all large financial institutions like banks and brokerage firms.
Fred Charatan, Boynton Beach, Fla. (Sent Jan 5, 2007 10:17:00 AM)
I've been working with computers for nearly 30 years. If the majority of the general public knew HALF of what I know, they would NEVER EVER EVER use their real name or make reference to any personal or private information on the internet, let alone use it for any financial transaction management or on-line purchases. It is simply too easy for a group of savvy individuals to hack their way into these systems.
Joe - a commoner - Massachusetts (Sent Jan 5, 2007 10:20:05 AM)
Having worked in the Financial Service industry for years, a majority of which in 401k plan sponsorship I feel confident in saying that this author has omitted a discernible amount of information from this story. What computers had this gentleman used other than his home computer? How long was it before he reported the loss to Schwab? Also, the part about the checking acct is bollocks, there is a mandatory pre-note freeze to check acct information before a transaction is to be conducted...there is more to this story this in short. Pure scare-journalism.
401k's are a completely legit investment vehicle for anyone looking for high contribution limit, tax deferred savings. Anyone thinking otherwise would find it beneficial to speak with an accountant or registered financial advisor. No one should be scared of this investment vehicle as a result of reading this article.
The true theme of this article should have been "learn to protect yourself from online predators, regardless of the asset in question." Singling out 401k's and other brokerage accts as more vulnerable than others is wrong. The sad truth of the matter is that the victim in the story was responsible for their loss.
Charles Schwab is a direct competitor of the firm I work for, but I'll come to their defense in saying they provide as much security as possible to protect their customers online access. The true fact of the matter is that if you are going to conduct online business, be prepared to take on the responsibility of protecting your home computer, and be intelligent enough to not use public computers.
As far as the author making a call to arms towards insured investment accts, it's just simply not feasible. SIPC insurance covers the acct owner in case of Firm Failure, basically the only time a firm should be responsible for the loss of customers money--barring firm error.
In summation, the author is making an attack on an industry and a firm that is not broken. The customer was a victim of a crime for which they were most likely wholly responsible and it is journalism like this that will cause many people to turn away from a very reliable and very efficient way of providing service, granted the customer perform due diligence as well.
Jay, Cincinnati, Ohio (Sent Jan 5, 2007 10:21:15 AM)
My brokerage accounts do not allow online transfers or withdrawals... such requests must be made in writing. Problem mostly solved. As for safeguarding id numbers and passwords, NEVER access your brokerage or banking account online from another computer other than your own (because spyware can trace keystrokes) and be sure to run multiple spyware systems on any computer.
Steve, Denville NJ (Sent Jan 5, 2007 10:21:29 AM)
Agreed. A few months ago the same thing happened to a couple in Miami where all their cash was WIRED to a foreign account. To avoid this, you MUST request the institution to only accept WRITTEN requests from YOU to wire anything to anywhere. That's how I have all my accounts set up.
(Sent Jan 5, 2007 10:22:41 AM)
I consider myself to be highly self-aware of internet crime scams, but I can honestly say I never even considered the possibility my 401(k) account could be hijacked and drained. Thank you for making me aware of this. I'm glad DeSmidt's retirement money was returned, but is anyone else concerned about DeSmidt's retirement future? He's quoted as saying, "That was a pretty good chunk of what we were going to retire on." Either he has an excellent financial planner who can guarantee phenomenal returns, or he's in for a pretty big shock. I'd recommend seeing a CFP ASAP.
(Sent Jan 5, 2007 10:22:50 AM)
I have American Funds 401K. They have changed the way you access your accounts. Now it's so difficult I have not been able to get in since. I guess this must be the reason for the change. Maybe they could just have you put up a no access by net on your 401K.
Robert Zelinski, Charlotte, North Carolina (Sent Jan 5, 2007 10:23:19 AM)
As a network security professional I too question the integrity of the man's home PC and would love to know which pieces of spy/Ad/mal ware or 0 day threats are currently running on it. This day and age if you have that much money in the bank you are absolutely asking for it if you are accessing your accounts online and are not fully educated on how to protect your workstation.
Remember here people, this day and age as bad as this may sound it only takes one visit to that porn site or simply reading one suspicious email (yes READING IT) to infect yourself with something that can steal sensitive data from your PC. When in doubt and security is of the utmost concern, DO NOT PUT IT ON A NETWORK!! If you must network / internet the workstation then please spend the money and buy the absolute best protection that you possibly can afford. This is priceless!!!!
Please see the following for more information:
http://www.symantec.com
http://www.trendmicro.com
http://www.avast.com
http://safernetworking.org
(Sent Jan 5, 2007 10:23:51 AM)
It just happened to me, last month somebody took $1000 from my checking and savings accounts from Citibank via wire transfer. Citibank is a global bank so more risk. Citibank deposited $1000 back to my account with interest within ten days. I asked Citibank to stop the wire transfer, they said we can not do that, it's toooooo bad. Do not work with big banks....
(Sent Jan 5, 2007 10:24:52 AM)
Very unfortunate! To add another comment on brokers, Scottrade does not permit "account linking" - perhaps this is part of the problem. While it takes longer, Scottrade will only issue a check payable to the account holder at the account holder's address, additionally, the withdrawal must be made in writing, signed.
(Sent Jan 5, 2007 10:26:04 AM)
A number of things clearly went wrong here. Some require legislation to correct, such as requiring brokerage firms to adopt an insurance system similar to that which protects people from credit card fraud. Some require common sense and a strong awareness of electronic security - if an individual is not competent to maintain electronic security, he/she ought not to utilize electronic tools. (This includes any situation in which you would expose your username and password - deliberately or negligently, to anyone from anyplace. Even my husband does not know how to access this information - in the event of my death or disability, my attorney will deliver a sealed envelope to him containing this information.) And some require people to be paying attention - Bank of America should never have accepted that transfer. As a former BOA vice president, I know that more than one "red flag" was raised and some living, breathing human person ought to have stopped the transfer until it could be verified.
(Sent Jan 5, 2007 10:28:55 AM)
This is a scary article. I find myself logging on periodically to check my retirement. To lose my life savings would be devastating. Something must be done.
Bob Jones, Indianapolis, IN (Sent Jan 5, 2007 10:29:10 AM)
Internet and online stuff is dangerous. Just by mere userid/password people can do malicious wonders. Especially with outsourcing of call centers, you never know who in the world is accessing your personal information.
robbie gould, Fishers, IN (Sent Jan 5, 2007 10:29:59 AM)
Bad guys will always try to do things like this. We need to have laws in place to protect people from something like this. Maybe someone should refer this matter to the new Democratic Congress.
I. Ayub, Staten Island, NY (Sent Jan 5, 2007 10:32:00 AM)
Made me shiver when I read it. Went to my 401k and realized it was protected by a flimsy 4 digit PIN. Changed it to a much more secure longer password. E-mailing my company to suggest it be considered for all employees.
Matt W., Tri-Cities, WA (Sent Jan 5, 2007 10:33:23 AM)
I believe my brokerage, TD Ameritrade, also has a fraud reimbursement guarantee.
(Sent Jan 5, 2007 10:34:59 AM)
Speaking as an IT professional with 25 years of experience, we now have to question the security impact of outsourcing IT work. As a developer, I can tell you that test data is often never masked - it is sent to developers raw, or the developers are given access to production files, so everyone's info is out there to see. It only takes one renegade developer to deliver id's and passwords to a buyer for cash, and there you have it. In my experience brokerage firms are the ones that run from the seat of their pants most often when it comes to Quality Assurance, although all of them would swear by their procedures. Oh well, best of luck to all.
Paul, New Jersey (Sent Jan 5, 2007 10:35:39 AM)
All brokerage firms need to start offering two factor authentication. At e*trade, you can get a free RSA security FOB. It generates a random password that is synchronized with e*trade's computers. In this way, a user can only log in with something they know (their password) and something they have (their RSA fob). Once an RSA password is used, it cannot be used again. This prevents against phishing attacks and spyware.
RENG, Falls Church VA (Sent Jan 5, 2007 10:35:44 AM)
I guess the only good thing about having really bad credit is that no one wants to steal my identity.
John, Nebraska (Sent Jan 5, 2007 10:36:00 AM)
I can't believe the writer of this story did not tell the readers why JPM decided to refund the money. Not even a simple "they did not comment" statement. Bad job of writing in my opinion!
(Sent Jan 5, 2007 10:37:45 AM)
I recently took a cash out from my 401 k at Hewitt to a Prudential IRA with a few keystrokes. Now I wonder how easy it would have been for a thief to move the funds to his account off shore? I'm concerned about the other funds I have with Hewitt!
(Sent Jan 5, 2007 10:40:37 AM)
I think the spyware theory is probably the most logical. Don't like spyware or viruses? Buy a Mac and stop complaining!
Tim, Seattle, WA (Sent Jan 5, 2007 10:41:05 AM)
My concern is how the party obtained the user ID and password. As someone who set up a transactional web site for a bank, I am concerned about that. It is strongly recommended that you never let your computer remember your passwords to these sites. That to me is a key in safeguarding your assets. Even though it is the sponsoring company's responsibility to protect their clients, it is also your responsibility as the user to do as much as possible to protect yourself as well.
Marty DeKalb IL (Sent Jan 5, 2007 10:42:38 AM)
I am confused by what seems to be quite incomplete reporting. Where is BoA in all this? Whose account did the transfer go to? Was there cooperation b/w and among all of the involved institutions?
David, Cambridge, Mass. (Sent Jan 5, 2007 10:42:50 AM)
The one thing I see wrong with all of this identity theft is that the banks aren't held responsible. When the banks are the ones held responsible for this I assure you that the identity theft issue will be reduced drastically. Maybe it's time to go back to the way my grandparents saved their money. In Mason jars and a hiding spot.
(Sent Jan 5, 2007 10:46:49 AM)
My heart goes out to all the people that have been robbed like this. I have lots of hope that DeSmidt will get back all his monies plus the money that he would have gained while it was missing.
I used Prudential before taking it all out. They really made sure that I was who I said I was. It took a number of days before I had the money in my hands (sent only to my home address).
When the day comes that I put money back into a 401K, I will definitely keep it off line. And, of course go back to Prudential.
Thank you for this watchdog site MSNBC.com.
Becky (Sent Jan 5, 2007 10:48:34 AM)
Use Mozilla and turn on your firewall. If you have cable or DSL download the free protection from your provider.
Lewis, Woodbridge, VA (Sent Jan 5, 2007 10:50:19 AM)
This is insane on the part of JP Morgan.
I've had brokerage accounts at a number of places over the years, including one of the ones mentioned here that has a fraud guarantee (eTRADE).
Here's reality guys - any REASONABLY DILIGENT bank will not allow a fed wire (or any sort of ACH transfer) to an account THAT IS NOT TITLED IN THE SAME NAME AS THE BROKERAGE ACCOUNT!
This is a BASIC fraud prevention check and JP Morgan should be FORCED to implement it.
Five years ago I bought an expensive yacht. I wired the funds from my brokerage to close the deal. To do that, I have to provide WRITTEN authorization to the brokerage BECAUSE THE DESTINATION ACCOUNT'S TITLE DID NOT MATCH MY BROKERAGE ACCOUNT! They simply WOULD NOT take my word for it without a WRITTEN document clearing the transaction.
BRAVO FOR THEM!
eTrade goes one better. They will issue to you, at no charge, a "dongle" (that goes on your keychain) that displays a 6-digit PIN that continually (once a minute) changes. When you go to sign in, you need your account name, password AND THE CURRENT SIX DIGIT NUMBER. No code number, no access. Period!
If you steal my account ID and password, it's worth NOTHING. You must also steal my access device, or you can't log in.
Problem solved, and this technology is neither expensive nor difficult. TEN YEARS AGO I implemented a similar system for administrative access to my ISP so I could sign in with administrative capability when not physically present in the office - the device was a bit bigger (the size of a credit card) but worked the same way. No access device, no access. Period.
Vote with your feet guys and gals. JP Morgan should lose their ENTIRE customer base over this incident, since they obviously didn't put REASONABLE protective measures in place.
Karl Denninger, Niceville FL (Sent Jan 5, 2007 10:51:45 AM)
Bank with Chase, period! I have money in an I.R.A. from 20 yrs ago that I'm trying to add to an existing 401k plan. They will not release the funds at all without written consent from the president of the U.S. Your money is safe there (maybe too safe).
(Sent Jan 5, 2007 10:51:55 AM)
A follow up verifying that JPM replaced the funds would be in order. In my experience, institutional employees may make promises but if counsel says it's a bad idea, the buck stops there. Also, it would be interesting to see if JPM is prosecuting someone for this theft or if it was an inside job or.... if they didn't actually recover the funds but decided to pay to make MSNBC go away.
Tyler Iguana; Galveston, Texas (Sent Jan 5, 2007 10:51:57 AM)
A lot of brokerage houses now issue RSA's for people to avoid this, so even if the individual has spyware or whatever the id/password won't do much good.
(Sent Jan 5, 2007 10:56:27 AM)
Two-factor authentication should be used by uninsured online brokerages. Username and password would have only been half of the equation. The online brokerages can afford the implementation costs.
Problem solved...
Mark, Incline Village, NV (Sent Jan 5, 2007 10:56:42 AM)
I don't see how transacting only over the phone is going to alleviate this problem. If the hackers have account information, they can steal over the phone as well. The problems in this particular case were two -
(1) Ability to withdraw funds to a new checking account immediately. Just as no withdrawals can be made within 15 days of a change of address, they should ensure that no withdrawals can be made to a "new" linked checking account for up to 30 days or so.
(2) Funds were withdrawn from a 401(k) account to an account that had a different name. If this is NOT a RED FLAG, what is? This implies J.P. Morgan has serious flaws in its procedures.
LS, Dallas, TX (Sent Jan 5, 2007 10:58:27 AM)
We know his 401k wasn't insured, but is there a way to insure it now that he knows there could be problems like this? I would definitely like to insure my investment into my future!
(Sent Jan 5, 2007 11:01:18 AM)
Sorry about the loss, but who in their right mind would log in on a public computer to see their financial information!!! Everyone knows that in public computers there are secret keylogger programs installed that the user does not know. Even worse, in the country that is number one in identity and piracy no one with their right mind would use such a service.
(Sent Jan 5, 2007 11:03:25 AM)
I am not surprised that these things could happen. But I am VERY surprised that it is that hard to trace back to the criminals. Please forgive my ignorance. But isn't every transaction recorded? The wire transfers must have a receiving account. Don't the security companies save this information somewhere in a safe place? If the account is from another country, it may be more difficult as you have to deal with the government to trace the account. But I doubt how easy it will be to transfer money to a foreign account through the security company. In this case, the account is in BofA. Doesn't J. P. Morgan record any changes in such important information such as the checking account number in a 401k account even though the criminal changed it back? Doesn't it also record the account that the money is going to?
MK CA (Sent Jan 5, 2007 11:03:34 AM)
I find it odd that banks are not making use of smart cards with encrypted identity information and a smart-card reader connected to the computer in order to access accounts. Passwords are simply not good enough... At least, banks should give the option of doing this. Personally, I'd pay them the costs of the hardware so I could do it. Smart card access technology is now common, and secure.
Until then, here is more precautionary advice:
--Make sure your important electronic accounts make use of secondary measures, like a 'security' question.
--Fidelity doesn't let you set up a bank account for transfer in 1 day, they require 2 weeks and send a postal mail to inform you.
--Make all family members use a 'limited' user account. Only use an 'admin' account when there is a need to install updates.
--Create a special 'limited' account for accessing financial information, and do nothing else from this account.
--Make sure your financial institution's web connection is an SSL connection indicated with httpS , and if you ever get the warning that talks about displaying non-secure elements while in an https connection, answer 'No' to not display the non-secure elements.
--Always 'logout' of a financial transaction, ending the electronic session key sooner than the forced timeout occurs.
--You probably do not really need wireless in your house, go non-wired with a wired solution like NetGear's Powerline solution, and set up the encryption key *before* you connect to the net.
--Phishing can also occur over the phone, with clever people that try to social engineer the info out of you by pretending to be someone they are not. Do not give any info over the phone, or via any other means, about yourself.
jonmat, Seattle (Sent Jan 5, 2007 11:06:54 AM)
I just got done cleaning off a friend's pc that was infected with 8 or 9 spyware programs and more viruses than I could count. She's a dentist. Fortunately for her she does nothing online besides email and light web surfing. As more and more people use the Internet this will become a bigger problem. Even the most up-to-date PC is vulnerable to trojans and spyware. Most casual users don’t have a clue about keeping their system updated with the latest anti-spyware programs and definition files. The banking site can be as secure as Fort Knox but if you have the user ID and Password you’re in. Clearly more safeguards are needed when you’re dealing with someone’s life savings.
(Sent Jan 5, 2007 11:07:09 AM)
I'm still mystified why JP Morgan didn't confirm via phone call or registered mail that Mr. DeSmidt wanted to withdraw all of his money.
I can see where a large transfer of funds wouldn't necessarily raise a red flag - but taking out ALL of your money? No. There's something wrong and some HUMAN BEING should have stopped this and confirmed the transaction.
(Sent Jan 5, 2007 11:08:04 AM)
Question was asked -- how did hackers get the password. I just attended a security conference and it was revealed that the key-loggers (programs that record keystrokes) are poorly detected by anti-viral programs. The best tested had only an 80% success rate (and that was from a non-US firm) with some well known ones being only 20%.
Alternatively, the person may have checked his account on a public terminal or internet cafe where there was a key logger running.
Ken Lassesen, Seattle (Sent Jan 5, 2007 11:10:00 AM)
If the police get involved, can't they go to Bank of America and demand the name and address on the account and then go question that person?
Dave, Clayton, NJ (Sent Jan 5, 2007 11:10:09 AM)
Listen to everyone "I do not put personal stuff on my computer". Duhh, it's my computer of course I'm putting MY stuff on it. The problem isn't that I use my computer as though it really is my computer, the problem is people can do this and worst case they get a year or two in jail. No, the problem isn't that I use my computer as though it's mine (it is after all really mine to do with as I please), the problem is our government doesn't actively pursue these individuals and the tragedy this can cause to someone's life is very near immeasurable yet the punishment is minimal at the very least. I group this with the likes of the Enron debacle. We as Americans need to send a loud, clear message that under no circumstance will this be tolerated. If you ask me, death isn't too harsh but I could compromise with the libs and be happy with life in prison for these kind of people.
The sad thing is, all these "do and don't do" computer tips do help. Not because we can't trust our computers with our information, but because we have heinous individuals and an inept government that can't seem to address more than one issue at a time. And even as a Republican I am well aware our government seems to be consumed by the war on terror. I'm just one guy and I can multi-task, why can't our government?
Joe B - Tampa, Florida (Sent Jan 5, 2007 11:11:22 AM)
As someone just said because of his age he probably isn't that computer knowledgeable, that's me, you would hope that the younger account executives would take this under consideration when explaining the ins and outs of retirement planning BUT it seems it takes too long to deal with older people and their questions.
mike west htfd ct (Sent Jan 5, 2007 11:12:02 AM)
Homeland Security should be involved since the billions of assets lost are not only within the US, but also outside the US!
(Sent Jan 5, 2007 11:12:23 AM)
I received word from Vanguard that someone tried to access certain areas of my 401K account a couple of weeks ago. The "areas" weren't specified, but it's clear to me now that someone tried to raid my account too.
rick, Austin, TX (Sent Jan 5, 2007 11:13:25 AM)
There should be a massive campaign to allow consumers to investigate identity theft violations in more detail. I once made the mistake of paying a bill over the phone by credit card, and I subsequently came across a number of fraudulent charges on that phone. When I called the company whom I gave the credit card number to inform them of possible credit card number abuse, they claimed they had nothing to do with it. The credit card company was able to drop the fraudulent charges, but when I wanted to find the person(s) responsible for the charges so that the criminal(s), not Joe Consumer, would not foot the bill, that credit card company would not give me a whole lot of information (e.g. names but no addresses). Finally, when I got a receipt from one of the fraudulent charges, I faxed it to a nearby police department asking them to investigate it (because if you can't get justice on your own, you're supposed to call the police, right?). Nothing happened, and it was very frustrating.
(Sent Jan 5, 2007 11:14:16 AM)
Wow..to all those of you that want to blame the victim..just because he's 57, he's not tech savvy? I know folks in their mid 60's that know how to use their computer-so that is pretty insulting-Then you say he probably doesn't have proper spyware and all the other stuff to make his computer lockdown safe-SO? If these banks and brokerages take your money and either offer or at times, force you to access their internet access and sites-then I would think they should at the very least be forced to provide you basic protections, like verifying the account where 150k is going when the name doesn't match..GOOD GRIEF..That is just crappy work on the part of the bank. The other thing is that if we as Americans would get angry enough to stop using these brokerage accounts and lobby Congress hard to stop the outsourcing of our banking and tax information-it would cut down on a lot of this because access would be far more difficult. I'm sick to death of hearing about how large banks and credit card companies are making huge profits by charging us fees out to wazoo then using cheap labor from countries that are on the Federal terrorist watch list.
(Sent Jan 5, 2007 11:15:52 AM)
That's why I use Fidelity Investments because their security is so intense that it sometimes becomes very frustrating to the customer.
(Sent Jan 5, 2007 11:16:18 AM)
As a computer technician, I see this everyday. The fact is people think they can get on the computer and do whatever they want without knowing how to operate the thing effectively. When a computer user gets hacked into, the hoops one has to jump through are incredible, especially if the theft took place in another state or overseas. The bank has affidavits to fill out, law enforcement is out of jurisdiction, multiple accounts can be affected as well as passwords and everyone wants everyone else to be responsible. If you're going to do any type of account/financing online establish safeguards for yourself and stick to them. Run antivirus, spyware and adaware scans, clean out your temp files and never store account info and passwords on the computer. Ever.
I hear all day, everyday, "But I have an antivirus program on my computer." I ask, "Have you been running it, do you keep it up to date, because I see 50 viruses?" The standard response is, "How do you do that?"
The more ignorant you remain, the easier it is to steal your money. If you don't know how to do this, find out. If you don't have time, have someone do it for you once a week.
Kim H, Indiana (Sent Jan 5, 2007 11:16:47 AM)
I think the responsibility is at the feet of the criminal. Look at the last 25 years and how far technology has come. The common person can't keep up with the computer savvy criminal. Public floggings would go a great way to end the cowardly conduct of these computer criminals.
Me, myself and I Anytown, USA (Sent Jan 5, 2007 11:21:36 AM)
I use HSBC online banking and they seem to have a very secure way of logging into my accounts. You not only have to go through user ID and password but have to enter a security key whereas a keyboard is displayed on your monitor and you have to enter the security key with your mouse, thus eliminating key-logger spyware. All of the IDs, passwords and security keys are case sensitive and have to contain alpha and numeric symbols, upper and lower case. This helps but we also need to change these at least monthly.
(Sent Jan 5, 2007 11:21:56 AM)
This has nothing to do with Internet security, linking the brokerage accounts for Internet access or even having an uninsured retirement account. The blame simply falls on the shoulders of the bank, JP Morgan for their lax security procedures. It is quite clear and that is why JP Morgan refunded the money.
Jim, Monroe, CT (Sent Jan 5, 2007 11:22:33 AM)
Shutting down the user's web access to the account does not decrease his vulnerability. As long as someone has his account information, a thief can still withdraw funds via the web or phone.
(Sent Jan 5, 2007 11:23:00 AM)
Some companies, such as e-Trade, will give you a free RSA "SecurID" token .. a keychain like device that contains a numeric code which changes every 60 seconds. To log on to your account, you need both your "regular" password, and the code from the token.
Even if a keylogger or snoop catches your password as entered, it's invalid no more than 59 seconds later. This significantly raises the bar for these companies.
Mike, Cleveland Ohio (Sent Jan 5, 2007 11:24:34 AM)
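RENG's and Mike's comments above describe a token code that changes every minute and cannot be used twice. As an added example (not code from any commenter or brokerage, and not RSA's proprietary SecurID algorithm), the sketch below uses the public HOTP/TOTP construction from RFC 4226/6238 as a stand-in to show why the server has to enforce single use as well; the 60-second step, the one-step clock-drift allowance and the shared secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the comments describe a code that changes once a minute
DIGITS = 6          # and a six-digit display
# Constructed shared secret (the RFC 4226 test key), never a real token seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def code_at(secret: bytes, unix_time: int) -> str:
    """Code shown on the token at a given time (counter = time // step)."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TokenVerifier:
    """Server-side check: password first, then the token code."""

    def __init__(self, secret: bytes, drift_steps: int = 1, single_use: bool = True):
        self.secret = secret
        self.drift_steps = drift_steps      # tolerated clock drift, in steps
        self.single_use = single_use
        self.last_used_counter = -1         # highest counter already accepted

    def verify(self, password_ok: bool, submitted: str, now: int) -> bool:
        if not password_ok:
            return False
        current = now // STEP_SECONDS
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            # A code at or before the last accepted step is spent.
            if self.single_use and counter <= self.last_used_counter:
                continue
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode("utf-8")):
                self.last_used_counter = max(self.last_used_counter, counter)
                return True
        return False


def replay_demo(single_use: bool):
    """The owner logs in at t=65; the same password and code are then
    presented again at t=70, t=125 and t=200 (constructed timeline)."""
    verifier = TokenVerifier(SECRET, single_use=single_use)
    captured = code_at(SECRET, 65)
    return [(t, verifier.verify(True, captured, t)) for t in (65, 70, 125, 200)]


if __name__ == "__main__":
    print("single use enforced:", replay_demo(True))
    print("single use not enforced:", replay_demo(False))
```

With the drift allowance and no single-use rule, the captured code is still accepted at t=125, about a minute after the token has moved on; rejecting any code at or before the last accepted step closes that window.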
Joe, from Michigan writes: I hope Dave "accepts full responsibility" for his loss !
Aww, c'mon Joe! Do you really expect us to believe that if you had a large portion of your retirement taken from you through illegal means that you would just say, "oh,well...serves me right for not being vigilant"? Give us a break. The fact that Dave has a retirement account AND checks the balances regularly proves the guy is obviously more responsible than most individuals. J.P. Morgan is selling a service and making money off of his account activity, AND they were irresponsible enough to allow a six-figure transfer to an un-matched named account?? With billions in profits, you would think these guys could afford an IT guy to write a simple piece of fraud-pattern detection software like the banking industry uses! Geez...log in, change bank accounts, transfer money out to a different named account, then multiple log-ins to check the progress...all in ONE DAY with no red flags?? Pathetic in my opinion.
ScubaSteve, Lawrence, Ks (Sent Jan 5, 2007 11:24:56 AM)
I wish the article would have explained how the funds were recovered...apparently without an arrest being made. Since the money was transferred to an account here in the U.S., finding the culprit shouldn't have been that hard. There would have been a paper trail from the account being set up including copies of ID and possibly even security tapes with the crook's picture.
Joe, Colorado (Sent Jan 5, 2007 11:25:53 AM)
I am curious how the investments were structured at the time of the disbursement. If they were in securities (stocks, bonds, mutual funds, etc.) they can only be transferred out immediately if they are sent "in-kind" to another account that is capable of holding those types of assets, that is another "brokerage" account. The article states that they went to a "checking" account, which cannot hold securities. Therefore we are to conclude that the assets transferred had to be cash (money market). So, did the hacker first "sell" all of the securities? Different asset classes require time to "settle", anywhere from one day to three or more days. If this were the case then the hacker had to visit the account numerous times to effect the sales and the activity should have raised many red-flags. Another possibility is that our victim was timing the market and had taken all of his investments and liquidated them in anticipation of buying in after the market dropped for whatever reason.
Rand Sortland, Hudson, WI (Sent Jan 5, 2007 11:27:07 AM)
I'm an IT Systems Administrator for a major corporation, and would like to offer my 2 cents worth on the reality of how "hackers" usually obtain passwords:
The single most irresponsible thing you can do, is use the same password for everything. I couldn't tell you how many times I've seen this at work. Otherwise saying, people pick one password they like, then they use it for every system or website they use that requires a password. Hackers know this, so they know that if they can obtain the password to your yahoo/hotmail account, or your PC (which pretty much everyone in the IT dept knows) then they can guess with 99% certainty that you probably use this exact same password for your online banking. All it takes is one dishonest person in your IT dept, and there goes your identity! There haven't been any published studies on this, but I have a suspicion that a great deal of identity theft occurs at work, where anybody in the IT dept can see EVERYTHING you do on your computer. Since most people at work spend a great deal of time surfing the web, and logging into different websites (including their banks), it would be very simple for a crook in the IT dept to steal your identity.
Most people are scared into thinking that “hackers” are these super smart computer gurus, who sit in a dark basement somewhere in Russia, cracking complicated code, and circumnavigating firewalls to access your computer over the internet…but in reality, as is the case with most crimes, the hacker is probably somebody you know. So my advice to you is to make sure the passwords you use for online banking are different from all your other passwords, and never do online banking at work. And for the love of God, stop writing the password to your PC on a sticky note under your keyboard!
I.T. Guy - Dallas, TX (Sent Jan 5, 2007 11:29:57 AM)
I run a small computer service company and it is alarming how many people either ignore or are ignorant of computer security. I would estimate that easily half of American consumers don't have or don't keep antivirus software up to date and don't have antispyware software installed. As frequently as this problem is in the news I fail to understand why people are as careless as my experience would indicate. It is entirely possible to protect from 99.9% of the threats that are out there. In this instance I would guess that someone got the username and password from a piece of spyware on Mr. DeSmidt's computer.
It all comes down to awareness and education. In many communities there are free classes focused at educating the user community. I highly recommend people to find and use those resources.
On the business side of this problem Congress has been way too reluctant to require implementing the kind of robust security that is the norm in Europe. I'm sure that has something to do with the coziness between government officials and the business community. Anything that represents a cost to business has little chance of making it into law. We have a crazy system that largely defies common sense. This again is an issue about awareness. Too many people are politically unaware of what is going on in Washington. This can be measured by the undesirable results that government provides. If people were more politically proactive chances are we would have a government that actually serves the people. Just as with computer security, ignoring this will come back and bite you. With the potential for a much worse outcome.
(Sent Jan 5, 2007 11:30:10 AM)
Is this just the beginning, with so much account information and back office brokerage work being sent to offshore centers? How do you prosecute someone overseas?
j. kay, houston (Sent Jan 5, 2007 11:30:46 AM)
One simple security policy change would have eliminated this problem. The thief was allowed to change the checking account and transfer the money to it all within minutes. I believe with Vanguard (where my accounts are) a checking account change will initiate a hold on transactions for a few days. Meanwhile they send a paper letter acknowledging the change to the account of record. If you received the letter and didn't initiate the change yourself, you would know something was up and could intervene. Including locking out internet access if you chose.
Matt Cooper, Doylestown, Pa (Sent Jan 5, 2007 11:31:38 AM)
I can’t understand the people that feel this guy is responsible for his loss. The man was robbed. And the brokerage firm was negligent in its duties and should be held responsible. With financial institutions pushing online banking to reduce their costs, it's their responsibility to ensure their customers' security. How hard is it to make sure the account names match!!!!
And by the way, if these banks and brokerage firms would just use the RSA SecurIDs (which I have used and they work great), hacking of online accounts would vanish overnight.
Matt, Al (Sent Jan 5, 2007 11:34:48 AM)
This article is very misleading. Many of the comments from readers are correct, distributions from a 401(k) account are fairly regulated. I think this is an example of msnbc.com possibly labeling the article incorrectly. This may be a brokerage account, held at JP Morgan and earmarked as Retirement Funds by Mr. DeSmidt but not within a 401(k) Plan sponsored by his employer. I'd like clarification on this fact because there are more safeguards to protect participants within 401(k) Plans that the article neglects to mention.
(Sent Jan 5, 2007 11:36:28 AM)
Fantastic article as always, but the author should also warn users not to log into online brokerage accounts when using a public access computer. Hackers have been known to put key-logging spyware on computers in hotels, libraries, etc. in hopes of snagging a big phish. The article should also warn about other ways to get phished, such as using the same password at other Web sites.
(Sent Jan 5, 2007 11:39:05 AM)
You scared me...I checked with my 401K provider, Fidelity and they guarantee against losses like this. See:
http://wps.fidelity.com/Security/protectCustomer_preLogin.html?urlName=https://401k.fidelity.com
(Sent Jan 5, 2007 4:04:37 PM)
As a plan admin for a major corp I know there should be plenty of paperwork to be completed before a transfer can be done. I wonder where the safeguards are on JP Morgan's side. My current 401k provider has strict account reviews; you must sign at least three forms indicating you want to move your account. This means the account holder, the plan administrator and the plan holder must sign all three forms before the money is transferred.
PattiK (Sent Jan 5, 2007 4:05:21 PM)
Identity Theft unfortunately is now a major consumer concern. Millions already have been victimized by some sort of ID theft. Of these millions, many have paid dearly in losses they will never recover or, as a matter of fact, their own personal credibility. Criminals and hackers are getting smarter in finding new ways to get a person's identity. People need to face the facts that Identity Theft has now become an epidemic all over the country. The laws are still weak and will be that way for a very long time. An average of 1 out of 900 criminals ever get caught. Now there are new laws that will penalize business owners with Identity Theft. Also, if you have lost money by someone getting in your bank account, you're limited in days to get it resolved. If you pass the time allowed to have it resolved you will compensate the loss. To know more about what you can do to protect your identity, http://DreamNow.buildlifestyle.com
Ron Rodriguez, Middleburg, Fl (Sent Jan 5, 2007 4:33:35 PM)
That article is a real wake-up call!! Thanks for posting it. When I get phishing messages concerning "accounts" I don't have at banks I don't do business with, I delete those messages without opening them. One of my friends found his checking account (at Bank One-now Chase) drained, after he returned from being out-of-town. Apparently, the thief who stole his money used a "teller's check", to get access to his checking account, and take his money.
Wendy King, New Orleans LA (Sent Jan 5, 2007 5:08:50 PM)
This scenario is certainly one that people need to be aware of and I have to say it is ultimately up to the consumer to understand what he/she is doing. If the consumer has a lot to lose the more he/she should take the necessary steps to protect themselves. Get educated on technology or do not do it online. With that said I feel the firm has an obligation to make sure that they explain to the client the risks involved. Not just at sign up by clicking on an Agree button, but rather signing an electronic trading agreement and sending it in. If they don't sign then they don't get internet access. But I do not think that Etrade would appreciate having to handle millions of documents. Also friendly reminders should be sent in the mail by the firm explaining that clients should ensure that their PCs are locked down. In fact firms should offer an encryption key so only the consumer holding the key physically on their body has the key code. I am sure everyone who would stand to lose the smallest of funds would be better served having this. I know E*trade uses this method but for a cost. It should be free!!!
Gregory Stephens, Chicago Ridge, Illinois (Sent Jan 5, 2007 5:12:02 PM)
To prevent this, you should have complex passwords on all accounts. If it's too hard to remember them, then keep them in a safe place like c:\limewiredownloads\passwords.txt
(Sent Jan 6, 2007 8:14:39 AM)
There is another possibility: they sent him to Shanghai. Who watched his papers, mail and computer at home while he was gone? Lots of humans keep important info in their home. More than one home web browser stores account info and passwords. If you aren't there to guard it...
(Sent Jan 6, 2007 10:22:12 AM)
Couldn't this problem be deterred with something as simple as an IP address log file to the account? This way the computer can be traced and the account owner can check the log file to alert any new IP addresses accessing it.
Eric, Memphis, TN (Sent Jan 6, 2007 12:04:21 PM)
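The controls suggested in the comments above (a hold after a linked-account change, a payee name check, and a per-account IP log), sketched as an added example that is not part of the original thread or any institution's code. The hold length, the 90% threshold, the event fields, the names and the IP addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values, not taken from the page or from any institution.
HOLD_AFTER_LINK_CHANGE = timedelta(days=3)   # "a few days" in the comment
NEAR_FULL_BALANCE = 0.90                     # share of balance treated as a drain


@dataclass
class Event:
    when: datetime
    kind: str                 # "login", "link_change" or "withdrawal"
    ip: str
    detail: dict = field(default_factory=dict)


def _norm(name):
    """Compare names case-insensitively, ignoring punctuation and spacing."""
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()


def new_ip_logins(history, known_ips):
    """Logins from addresses the owner has never used: the entries an
    account holder (or an alerting job) would review in the access log."""
    return [e for e in history if e.kind == "login" and e.ip not in known_ips]


def review_withdrawal(owner_name, balance, known_ips, history, request):
    """Return (decision, reasons) for a withdrawal request.

    decision is "hold" (block until confirmed out of band), "verify"
    (contact the owner first) or "allow".
    """
    reasons = []

    # Hold: the linked bank account was changed shortly before the request.
    changes = [e for e in history
               if e.kind == "link_change" and e.when <= request.when]
    if changes:
        latest = max(changes, key=lambda e: e.when)
        if request.when - latest.when < HOLD_AFTER_LINK_CHANGE:
            reasons.append("linked_account_changed_within_hold")

    # The receiving account is not in the account owner's name.
    if _norm(request.detail["payee_name"]) != _norm(owner_name):
        reasons.append("payee_name_mismatch")

    # The request comes from an address not seen on this account before.
    if request.ip not in known_ips:
        reasons.append("request_from_new_ip")

    # The request drains (nearly) the whole balance.
    if request.detail["amount"] >= NEAR_FULL_BALANCE * balance:
        reasons.append("near_full_balance")

    hard = {"linked_account_changed_within_hold", "payee_name_mismatch"}
    if hard & set(reasons):
        return "hold", reasons
    return ("verify" if reasons else "allow"), reasons


# Constructed sample data (documentation-range IPs, invented names).
OWNER, BALANCE = "Pat Example", 50_000.00
KNOWN_IPS = {"198.51.100.7"}
T0 = datetime(2007, 1, 2, 12, 25)
HISTORY = [
    Event(T0 - timedelta(days=30), "login", "198.51.100.7"),
    Event(T0, "login", "203.0.113.50"),
    Event(T0 + timedelta(minutes=5), "link_change", "203.0.113.50",
          {"payee_name": "Chris Sample"}),
]
SUSPECT = Event(T0 + timedelta(minutes=15), "withdrawal", "203.0.113.50",
                {"payee_name": "Chris Sample", "amount": 50_000.00})
ROUTINE = Event(T0 - timedelta(days=1), "withdrawal", "198.51.100.7",
                {"payee_name": "pat  example", "amount": 5_000.00})

if __name__ == "__main__":
    print(review_withdrawal(OWNER, BALANCE, KNOWN_IPS, HISTORY, SUSPECT))
    print(review_withdrawal(OWNER, BALANCE, KNOWN_IPS, HISTORY, ROUTINE))
    print([e.ip for e in new_ip_logins(HISTORY, KNOWN_IPS)])
```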
OK, to summarize the above:
1) I agree the article may have left many questions that leave a reader questioning whether they got the full story.
- But it still alerts us to a problem we need to be aware of, and it is scary.
2) Our accounts need better protection than the one in the article infers.
- We should check our accounts and see to it adequate protections are installed or we should disable at least some degree of on-line access. Read the wealth of information provided above and/or call your brokerage and ask questions for one. Also pursue this with your political representatives, write your congressmen.
3) Protect your PC by updated spyware and updated virus protection and firewall and a wireless router. Change your passwords on a regular basis, and use passwords that use at least 8 characters that mix numbers and both lower and upper case letters (harder to hack).
3a) As an option, as someone mentioned - use a Mac instead of a PC. PC folks don't understand why, but they have an embedded firewall for one. Second, they are "account oriented", and as long as you do your internet work on an account that is not an "administrators account", then executables cannot be installed without your knowing about it. Third, last I checked there were no known viruses for OS 10.
4) Don't conduct account business in public domains, especially wireless internet without encryption - even then, be careful.
5) Let me add this - My savings are with several different institutions. Diversification means it is much harder to lose it all. Each account has different passwords.
On-line access is relatively new. Things will change for the better, but the crooks will always be looking for ways to make easy money. Until on-line access matures - be careful. So far, the institutions have protected us. Just know there is risk.
Rich, Boston, Massachusetts (Sent Jan 6, 2007 12:51:47 PM)
I haven't read all the replies, but I would suggest this was a "phishing" scheme to get that personal information. If a person is not careful they can fall into this trap. I nearly did and my neighbor actually did but she got suspicious and got right on it to change everything before any damage was done. My suggestion would be to safeguard your screen names, passwords and your e-mail addresses.
Richard Wendt, Palestine, Texas (Sent Jan 6, 2007 1:03:02 PM)
I'm willing to bet the guy got phished with a fake email that solicited his account info.
My boss got suckered into giving up his Quicken info by phishing. He checks his account every day and noticed a scheduled check for $4000 going to a trailer park in Portland, WA. We were able to halt the transaction in time. He then spent the night changing his logons and passwords to all of his bank, brokerage accts, etc.
TC Rider, Holly Springs, NC (Sent Jan 6, 2007 1:05:46 PM)
It is unbelievable that it happened the way it was described. I checked with Fidelity Investments. Fidelity will reimburse any losses due to unauthorized activity. See www.fidelity.com/security for more details.
(Sent Jan 6, 2007 3:10:56 PM)
The bottom line is that it really doesn't matter whether or not you want your account to be Web-enabled. All this means is that YOU won't be able to access your account through the Internet ... it doesn't mean that your account information won't be going through the Internet anyway. Banks and financial institutions transmit all sorts of data and information through networks. When your money is direct deposited into your 401(k) account, account numbers and personal information are being transmitted through computers all the time.
ALL of our personal information is somewhere on the Internet. Does that mean the average Joe Schmoe criminal can easily access it? No. But is it possible? Certainly.
Not purchasing anything online? Fine. Send in the check. But the check is going to get cleared at the bank, which is going to transfer account numbers and personal information to your bank. I can guarantee that just because you write a check, Joe Doe from your bank isn't going to load up his Ford Probe with a sack of cash from your account and deliver it to the company with which you're doing business.
Yes ... it's important to be mindful of security but it isn't our job, as consumers, to ensure all of our information is protected ... it's the institution's.
The best way to be mindful of security is to only keep your assets with companies that guarantee to protect you.
Pete B, New York (Sent Jan 6, 2007 3:55:35 PM)
Corporate Monopolies Rule America. Fascist America. You think they give a *beep* about you?
I'd hide my money under the bed as quarters before I'd trust these Crooks.
Who's worse... the Hacker or the Corporations?
(Sent Jan 6, 2007 9:03:37 PM)
In regards to overseas off-shore computer-crooks, maybe our embassies overseas should get involved in the pursuit of these people and at least get the overseas banks and police departments to pitch in. I know that at some of our large embassies, there are FBI and Secret Service attaches assigned to serve on the Ambassadors' country-teams. Beijing, for example, has an FBI and a Customs attache' assigned to China to look into piracy and intellectual property violations. Maybe they should look into assigning computer-fraud specialists as well, since overseas is where the tracks get cold due to lack of international cooperation. Don't forget there is also Interpol that could also push the pursuit to bring the culprits to justice.
LJ Stafford (Sent Jan 6, 2007 10:31:03 PM)
I can not stress how important it is to have your computers secure and that includes the financial institutions also. Be sure and update your Windows updates. I had a client that did not even have service pack 2 on his XP computer and he did on line banking. He had his account drained in front of his eyes and the FBI contacted him 2 days later. Be sure and have firewalls enabled, strong passwords on your Windows 2000, XP or Vista profile, NTFS disk file format, anti virus and anti spyware programs. Microsoft offers a free A/S program called Defender. AVG offers a free 'home user' anti virus. There is currently a lot of identity theft going on in the Web. You all keep safe now!
The Computer Doc, Roswell, NM (Sent Jan 7, 2007 12:30:52 AM)
This is in response to Joe's email on Jan 5. Joe, you said this is ALL Dave's fault, that he should have taken precautions to prevent his password or id from being stolen. Well, most of us who use computers THINK our info is PROTECTED. The sites state that this is a protected web site...so why don't you explain to the rest of us DUMMIES how to make sure our info is PROTECTED, when we believe it is!!! Most of us have spy-ware software...so you seem like the expert so be the expert and tell us instead of accusing people that are not that computer savvy.
Marty, Boise, ID (Sent Jan 7, 2007 1:11:54 AM)
Never have your computer remember a login-password for any online financial account or money management application like Quicken. For complete internet security I recommend ZoneAlarm's Security Suite which includes firewall, anti-virus, anti-spyware, and identity protection software.
Dave Kean, Corvallis, OR (Sent Jan 7, 2007 6:44:19 PM)
Actually, a lot of malware DOES come out of Russia, and a lot of financial details are going exactly there. If you get hit with any number of things, and you have such accounts on your computer, it will be logged by someone very nasty. I've been a malicious software analyst for 7 years, it's getting a lot worse.
..said previously:
I have a friend, who has written computer software, who told me that there is never enough protection to put personal information on your computer. His exact words were "don't put it on if you don't want to share it". He runs a separate, off line, computer for his financial and business records.
Your friend is very smart.
John Doe, Doeville, Doh! (Sent Jan 7, 2007 10:24:53 PM)
My brokerage accounts notify me by email if I withdraw money, or change my email address. I think this is a good control, but should not be the only control, of course.
Jennifer, Cottage Grove, WI (Sent Jan 8, 2007 5:40:26 AM)
This is absolute poppycock. People who are afraid of using the internet just aren't in reality. There is just as much fraud being committed in mail and over the phone and in your trashcan or at your local bank when you carelessly enter a pin number. Same as fear of flying but no fear of driving which statistics show is more risk. Oh my don't swim in the ocean you may get bit by a shark! Please more people slip in the tub but you still take a shower don't you. Just be cautious about it.
IRA's and 401K's to my knowledge (and I am a broker) can not be transferred electronically unless it is a broker to broker transfer. They will not release IRA or 401K money without a signature and will only release it to your address of record by check or eft if you have set that up previously. It takes several days to set up an eft. If you try to change your address or bank information and get a check mailed they will insist on sending it to the address you originally have had. They also send a letter to the actual address and email you have on file to verify that indeed you have authorized that change.
Finally if you have online viewing, you would know that you can receive emails if any changes are made to your account. EVEN if someone changes your email they would send notice directly to your old one. If someone tries to sell off everything and wire it you would know. How could you know this if you don't have online viewing? You wouldn't have a clue until month's end when your statement comes. Is that smart??
Finally don't give out your pin or make it too easy to guess. The most likely culprit of robbing you is a child with a drug problem or an angry spouse not a nameless faceless "hacker."
(Sent Jan 8, 2007 8:54:25 AM)
Several comments above made the point that the banking transactions should reveal who the bad guy is. Can anyone with law enforcement, banking or fraud experience confirm this? I guess it's the little kid in me, but I want to know when they catch the bad guy.
Cwazy Wabbit, Central NJ (Sent Jan 8, 2007 11:20:03 AM)
It is important to know that fraud like this can happen over the internet or via mail. Most people choose passwords that are easy to remember, and thus easy to hack. Also, if you are going to conduct business/financial transactions on your computer make sure that spyware and antivirus is always up to date and never give your password/username via email, not even through a 'trusted' link.
(Sent Jan 8, 2007 1:17:49 PM)
The government needs to put a WATCHDOG IT Group on all of these Hackers, but since our borders are open to all of these International Trading Commission we don't know who to trust anymore. Since 911 we as Americans have been under more attacks of our SECURED areas of Life; Identification, Credit, Phone Messages, Religion, Jobs, and The right to be protected by our own Government.
Bret Hampton, Atlanta, Georgia (Sent Jan 8, 2007 8:07:39 PM)
This story sounds all too familiar... The same exact thing happened to me. I also had my 401k at JP Morgan, and someone broke into my account, transferred the money to a checking account that was not under my name, and then the next day, there was an international wire that went out of that account to some place in the Ukraine! Other than the name on the checking account not matching my own, there were numerous other red flags that should have been raised. There was an attempt to transfer my money into another checking account one day before, but that account had been frozen due to suspicious activity and the transfer wasn't able to go through. There were no emails that went out, and no phone calls telling me that I was changing my bank account information. And there were no notifications letting me know that someone was trying to withdraw my entire 401k, with a 20% penalty, into another checking account.
I was on the phone for many days and hours with JP Morgan trying to figure out how this all happened, and whether I would get my money back. They gave me the same response as they gave to Dave: "J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment. Access and authentication controls established within J.P. Morgan worked appropriately...Investigation Status: Closed".
This all happened in late October. The J.P. Morgan investigation team didn't get back to me until late November, and all they were able to tell me was that they couldn't recover my money, and they weren't liable.
I was able to eventually attain a lawyer in late December, who wanted a $2500 deposit to do some research and get the paper work started on my case. The same week that I left the deposit with the lawyer, J.P. Morgan calls me back, and tells me they have decided to refund the money that was lost in my account.
So the good news is that I did eventually get my money back with all the market gains that were earned in the last couple months. However, it was a couple months of stress that I had to endure, and I lost some money due to the lawyer expenses.
One thing I did want to point out was that all the JP Morgan representatives kept telling me that I was a very unique case, and that this has never happened to anyone else. They also sent me a letter that they wanted me to sign stating that they have made a business decision to refund the money, but they were still claiming no responsibility for my losses. And they also did not want me to disclose my case to anyone else. So if this has happened to anyone else, hopefully they reply to this article, and we can uncover the truth about how big of an epidemic this 401k theft really is.
Rich Liang, NJ (Sent Jan 9, 2007 12:14:47 AM)
This is very valuable information. My husband and I just moved our money into a different account. The previous accounts had internet access and we would check the status 2-3 times a week. The new company doesn't have internet access. All business is done over the phone, via fax, or by way of mail. We were a little upset, but now I am thinking this is probably in our best interest. I would be traumatized if this was to happen to us. I wish him the best of luck getting his funds back.
(Sent Jan 9, 2007 1:33:02 AM)
As said earlier, not all of the facts are presented here. There is no way this happened in an active 401k plan. It may have been in a roll over account which is not much different than any other brokerage account. In an actual 401k plan, there would be trustees that would have been considered parties in interest and possibly held responsible. Since there was no mention of the company's plan trustees, the story was obviously incomplete.
(Sent Jan 9, 2007 3:36:59 PM)
It is unfortunate that J.P. Morgan needed a story like this before they took action. Firms like Smith Barney have been successfully preventing these kinds of incidents for several years now.
Here are some additional steps everyone can use to enhance their online security:
1. Never reveal your online login information to anyone. Your login information is designed to protect the privacy of your account information, but will only work if you keep them private.
2. Change your passwords often and don't use the same password for every site.
3. Don't leave your computer unattended. Once you have completed using your banking or brokerage site, always sign off. For additional peace of mind, close your browser window before leaving your computer.
4. Delete any e-mails from unknown sources immediately, before opening the e-mail.
5. Avoid clicking on any links in unsolicited e-mail, particularly e-mails that ask (either directly or by pointing to a website) for personal, financial, or identity information including asking for you to update your e-mail or password. Instead, directly type the website destination into your browser or use a trusted bookmark to verify the site or to log into your account directly.
6. If you receive an e-mail that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing, credit or security information, do not reply or click on the link in the e-mail. Instead, contact the company cited in the e-mail using a telephone number or website address you know to be genuine such as those listed on your statements or the back of your credit cards.
7. Avoid sending personal and financial information over the Internet. Before submitting financial information through a website, look for the padlock icon on your browser's status bar. It signals that your information is secure during transmission. If you double-click on the padlock, you can view the security certificate.
Lee, South Jersey (Sent Jan 12, 2007 8:12:39 AM)
I am now even scared to check my account online - right now as I doubt that hackers are working.
Amit, Virginia (Sent Jan 12, 2007 9:57:54 AM)
I think this guy was checking his account from just about any place he could, and it's possible this was an inside job. Just because the person used outside computers to do the job doesn't stop it from being done by someone on the inside. Take note that the user name and password were used. One that could be stated, well, spyware or keyloggers were used, thus making ol' Dave look innocent. The money going to an account with a different bank and name and the fact that no one even tried to contact him to question the transaction make an inside job possible. All flags were stopped and Dave said he checked his account often but hadn't checked it while this was taking place and was out of the country, thus a good alibi. How is his relation with his wife? And does he gamble a lot? I believe he should be watched for offshore accounts and should be watched for money removed from this account and money deposited into other accounts, i.e. he removes 20,000 and puts that in a home safe and then takes 20,000 from what he stole and puts that into an account, thus he has 40,000; in other words he is doubling his money. And as long as he pays cash for things with the money in his home safe he won't get caught as easily as if he took out 10,000 from the bank, alerting the feds of his withdrawing large amounts of money. Or he now has 20,000 cash to pay the person who did the job, or 10,000 each. There are just too many things that went right for this to happen the way it did. Why wasn't paperwork from his employer required when the money was being transferred? Try getting some money from your 401 and you'll see what I'm saying. It takes both parties to release money from a 401. I know because I got my 401 money and had to go through questions and paperwork and had to pay taxes on it. This was an inside job and is now a coverup. How quick did JP Morgan say investigation closed? Come on, 140,000 gone in one day and they stop looking for it in about two weeks and then are willing to pay it back.
Someone got a huge payday. And the government got 39,000 out of the deal; lord knows they could use the money right now as broke as they are. China has some of the best hackers and this guy was in China when this took place. Hummmmmm
(Sent Jan 12, 2007 10:54:52 AM)
Let me get this straight. I buy something worth $400 dollars online and within 10 minutes I get a call to my cell phone, which I did not notice because it was on silent and then another one on my home landline, just to confirm the account activity. Someone transfers over 100k and no verification? It doesn't really matter how the password was obtained, the firm should automatically raise a flag and verify such a transaction. I write software for a living. It is the programmer's job to idiot-proof the software, and it wasn't done in this case.
(Sent Jan 12, 2007 12:39:48 PM)
This is the system you have accepted. It is as real as a federal reserve note. Nothing Federal about the reserve.
You are responsible for your financial security. Trust no one.
(Sent Jan 12, 2007 12:47:30 PM)
I agree, this story does seem incomplete. Is it also possible that JP Morgan allows you to link your brokerage account to your checking account (CHASE)? Not that I doubt for a moment that JP Morgan had some responsibility in this, but it is not that easy to liquidate your 401K like that. And if it is that easy at JP Morgan, shame on them, as they obviously do not have the right controls and procedures in place.
HobbyBoy (Sent Jan 12, 2007 2:18:43 PM)
I strongly urge the new democratic congress to enact laws and regulations that will protect consumers' assets in retirement and other investment accounts, including social security. The big brokerage firms, banks and investment houses make more than enough money on your assets while in their accounts, the least they can do is guarantee that those savings and investments are safe. An e-mail, a postal letter, requiring confirmation or a second tier password and secret question that must be correctly answered for the electronic withdrawal of funds. A randomly generated password could be provided by postal mail or customer required to provide a 10 digit numerical code entered by telephone only, to set second tier password is the very least these firms can do to protect their customers' assets from thievery.
I also think tougher legislation for punishing criminals / hackers who "break and enter" an account either through the front door with a stolen ID and password, or through the back door of whatever system, should be tracked down globally like they do Al Qaeda and sent to prison for a very long time, as a deterrent.
J. S. Forth - Madison, N.J. (Sent Jan 12, 2007 2:23:28 PM)
The BIG picture is you will all please take a look outside from within your box!
Our government can not prosecute these dirt bags from China, etc..
Hell these dirt bags are probably working FOR these other countries!!
Millions are being ripped off! Brilliant!!
This is the WAR of our future and OUR government needs to bump it up!
We as Americans are getting our asses kicked!! Our very way of living is being attacked!!
Wake up United States, the war has come HOME!!
Many many scams are traced to foreign countries who are not willing to help!!
Maybe if it had some sex, or explosions, CNN would cover this attack with the respect it deserves!!
Welcome the AREA 51!!!!!!!
Ye-Ha!!
Rivers- Maine (Sent Jan 12, 2007 2:30:43 PM)
As a retired programmer, I agree with the person who said the programmer in this case didn't do his job. I won't deal with brokers or brokerage houses. As to computers, you should access on-line accounts ONLY from your own computer, which should have (1) antivirus software updated daily, (2) anti-spyware software, and (3) a firewall (I have 2: one on the router, the other on