In an instant, his life savings vanished
One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing.
In the comments on the article, there is some skepticism that it would have been so easy to transfer such a large amount without verification, but the fact remains that somehow, someone managed to get his money. There’s a difficult balance to find between making financial web sites secure and making it easy for customers to carry out transactions. The two aims are often at odds, because strong security tends to add friction.
In this case, the mismatch between the owner of the 401(k) and the owner of the receiving bank account should have been more than enough to raise a red flag, and a check like that wouldn’t affect honest people trying to make a withdrawal, so it seems like a no-brainer. Performing transactions online is so easy, but that’s what makes them scary too. Additionally, there’s no guarantee that moving all transactions to phone and regular mail, as many people in the comments suggested, would resolve this. Thieves can still get to your mailbox (although it is harder because of the geography) and spoofing caller ID isn’t hard. That doesn’t solve the problem; it just changes its shape.
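The owner-mismatch check described above, written out as an added example for this post. It is not code from the article, the institution involved, or any real fraud system; the names, the account records and the $10,000 confirmation threshold are constructed for illustration. The point it shows is that the comparison has to tolerate harmless formatting differences (“Last, First”, a middle initial, accents) while still holding a transfer whose destination owner is simply a different person, and that an unsure match should fail toward verification rather than toward approval.

```python
"""Added example: flag outbound transfers whose destination-account owner does
not match the registered owner of the source account.

Illustrative code written for this post, not an institution's real fraud logic.
All names, amounts and the threshold below are constructed."""

import re
import unicodedata
from dataclasses import dataclass

# Assumed threshold above which a transfer needs out-of-band confirmation even
# when the owner names match (constructed value; real limits vary).
LARGE_TRANSFER_USD = 10_000

_SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def normalize_name(name: str) -> tuple[str, ...]:
    """Reduce a personal name to sorted lowercase tokens so that
    'DeSmidt, David J.' and 'david j desmidt' compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    if "," in s:  # "Last, First" -> "First Last"
        last, first = s.split(",", 1)
        s = f"{first} {last}"
    tokens = [t for t in re.split(r"[^a-z]+", s.lower()) if t]
    return tuple(sorted(t for t in tokens if t not in _SUFFIXES))


def names_match(a: str, b: str) -> bool:
    """True when both names refer to the same person under a conservative rule.

    Single-letter initials are ignored, and the side with fewer tokens (e.g. no
    middle name) must be a subset of the other while sharing at least two tokens
    (first and last). Nicknames ('Dave' vs 'David') deliberately do NOT match:
    a false mismatch only costs a verification step, a false match costs money."""
    ta, tb = set(normalize_name(a)), set(normalize_name(b))
    if ta == tb:
        return True
    fa = {t for t in ta if len(t) > 1}
    fb = {t for t in tb if len(t) > 1}
    shorter, longer = sorted((fa, fb), key=len)
    return len(shorter) >= 2 and shorter <= longer


@dataclass(frozen=True)
class TransferRequest:
    source_owner: str  # registered owner of the retirement account
    dest_owner: str    # name on the receiving bank account
    amount_usd: float


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple[str, ...]  # empty when the transfer may proceed unattended


def evaluate_transfer(req: TransferRequest) -> Decision:
    """Hold the transfer for verification on an owner mismatch or a large amount."""
    reasons = []
    if not names_match(req.source_owner, req.dest_owner):
        reasons.append("destination owner does not match account owner")
    if req.amount_usd >= LARGE_TRANSFER_USD:
        reasons.append(f"amount >= {LARGE_TRANSFER_USD:,} requires out-of-band confirmation")
    return Decision(allow=not reasons, reasons=tuple(reasons))


if __name__ == "__main__":
    # Constructed sample requests: one benign, one large, one to a stranger's account.
    samples = [
        TransferRequest("David DeSmidt", "DeSmidt, David J.", 2_500.0),
        TransferRequest("David DeSmidt", "David DeSmidt", 179_000.0),
        TransferRequest("David DeSmidt", "Mallory Attacker", 179_000.0),
    ]
    for req in samples:
        d = evaluate_transfer(req)
        status = "ALLOW" if d.allow else "HOLD"
        print(f"{status:5} {req.amount_usd:>10,.2f} -> {req.dest_owner!r} {list(d.reasons)}")
```

Only the first sample passes without intervention; the second is held purely for size, and the third is held on both counts. Deciding what “verification” means (a callback to a number on file, a signed form, a waiting period) is a policy question the code leaves to the institution.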
Scary stuff. Reminds me of this WIRED story I read about a busted cyber-fraud that worked for the FBI to build cases against other crooks:
http://www.wired.com/news/technology/0,72515-0.html
In both stories I was amazed that the systems of these financial institutions didn’t better restrict suspect activity (i.e. changing accounts). Pretty obvious exploits, if you ask me.
They don’t care very much about security, because it hasn’t cost them enough money yet, and there are no laws forcing them to. These problems are relatively easily mitigated; I don’t care whether everyone needs ten-factor authentication, retinal scanners, challenge questions, DNA and blood samples, whatever, it can be solved. They just need the incentive to do so. And we pay for it.