Monday, March 19, 2007

Pump and Dump: The Katrina Moment

"Pump and dump" schemes have been around since well before New York City stock traders first gathered under the walnut tree.

It's a simple way to get rich - a bunch of criminals get together and conspire to "work" a public stock up or down in value, without the knowledge of other folks holding the stock, then sell out at their target value and leave innocents bereft of their money.

The old-style pump and dump scheme is relatively easy to spot - sophisticated systems have been developed to do just that. However, the new style "pump and dump" Internet trading schemes have changed the rules. On the Internet, the old adage goes, "nobody knows you're a dog". The bad news is, on the Internet, nobody knows you're a stockbroker either. In the new world of identity theft and online fraud, "you" could well be a criminal using stolen credentials.

The new-style pump and dump attacks recently reported by major online trading firms have so far resulted in less than $30 million in individual losses in less than six months. That's not a lot of money, but does prompt some interesting questions:

1. What level of tolerance is built into the online stock trading system?

2. Are they capable of withstanding a multi-billion-dollar scam?

3. Are the criminals capable of pulling such as scam off?

All these questions are really just one: at what point does such a scam become an online trading company's "Katrina moment", defined as the moment at which available assets are unable to fill an unplanned loss?

First, let's look at the classic "account hijack" version of the "pump and dump" scam. In this version of the "pump and dump" attack, online criminals create accounts using stolen personal or corporate credentials* at the online trading companies and then buy penny stocks. Then, using stolen credentials from legitimate account holders, they log in as these account holders, and start driving up the values of the selected stocks, by placing purchases through these hijacked accounts.

Nothing much different here - except that so far, the criminals appear to have stayed away from the main board, the big traders, the commodities market, the bond market, derivatives. What would happen if the losses suddenly escalated ten-fold?

First of all, SIPC (Securities Investor Protection Corporation) covers the customers of brokerage houses for up to $500,000 ($100,000 cash) in losses, should their trading company fail. That's good news for individual investors.

But what would it take to create a knockout blow on one of the trading houses? I took a look at the balance sheets of two mid-range trading companies and found that they had an average of half a billion dollars in cash on hand, or slightly less than 20x the amount stolen to date.

The thing that struck me in looking at these balance sheets is that some of these firms are great-looking companies - great margins, great ratios, great valuations. I bet that currently these companies are paying a relatively small insurance premium relative to the risk right now.

If the new pump and dump criminals move upstream, and bring about a "Katrina Moment", resulting in a collective loss to the industry of, say, $500mm, that could change.

As to the question of whether or not the criminals are capable of pulling off such a thing, there is no question in my mind that such a thing is possible, and possible today. Hopefully, the smart money will not aim this high, and choose instead to remain parasitic in nature.

Note: in researching this piece I went to three of the top five online stock trading sites, as defined by About.com. At all three sites, during the account creation process, I was asked to provide my social security number, my name and address, and account information: all the info any criminal would ever need to sign up for an online trading account - as me.

I chose not to continue.

No comments: