We have previously published articles warning readers that they may be vulnerable to theft of money through their computers. (See, for example, "Are You A Phish?") Now, predictably and unfortunately, some federal employees or retirees or military personnel are out of money that was taken from their TSP account.
Apparently, the thieves did not direct a person to a bogus website in these instances. Rather, they used keylogging software. This software records your keystrokes and sends them to a remote computer. The person with the remote computer can see what name and password you are typing and then follow in your footsteps at his earliest convenience; take money from your account; and then run from the law if the law can ever figure out the identity of the thief.
No doubt, the unlucky TSP investors who lost money did not know the keylogging software was on their computer. It is usually installed surreptitiously and may arrive unknown to you with an e-mail that comes with a virus attached. (If you are using a PC, be careful of attachments with a .exe extension and do not open them unless you know who sent you the e-mail.) When the user runs the program, it may install new software that begins tracking what you do on your computer, perhaps right into your bank account, your TSP account, or your favorite porn site. There are software programs that will monitor your computer and let you know that spyware has been installed on it. If you are using your computer to access any account on the internet, such a program is a small price to pay for the security and peace of mind it may give to you.
But assume, for the sake of argument, that you are the unlucky soul who unwittingly had spyware on your PC and thieves have now taken money from your TSP account. Will you get reimbursed for your loss?
The TSP machinery is working to let people know about the problem and also to let participants know that you may be out of luck in getting your money back as far as the TSP is concerned. Here is a statement from the TSP website: "Participants using the TSP Web site (or any Web site) must be vigilant and protect their computers; the TSP cannot be responsible for their negligence. The TSP will ensure that its security is current and that the risk of fraudulent activity is reduced to the greatest extent possible."
Stated more clearly: Your loss is your problem.
The security problem encountered by these unlucky investors was from the computer they were using to access their TSP account. It was not a breach of security on the TSP site. To quote from the TSP folks who like to write in the passive bureaucratese honed to a fine art by government writers at all levels: "We emphasize that the account information for these participants was not improperly obtained from the TSP record keeping system. External penetration testing has demonstrated that our system has not been breached. There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access."
But wait. This is America and nothing is necessarily final until the lawyers have been paid in full. The TSP organization says it is not a problem caused by the TSP security and that the TSP is not responsible for negligence of investors. Here is another twist.
Not surprisingly, this type of event has happened in essentially the same way with other organizations that provide trading services for investors. In those cases, Marketwatch says that the investors were "quietly repaid" by the companies that handled their account. The difference is that the TSP is not a profit-making company. It also has a monopoly, of sorts, in that your government benefit of extra added funds to your account goes into the TSP. The companies may have repaid the money out of fear of negative publicity, fear of the direct and indirect cost of lawsuits or just losing customers.
Of course, if the money is repaid, it is possible that all TSP investors will pay the cost of the losses through higher administrative costs being passed on to investors. That could reduce the amount of money distributed to other investors. In this instance, the $35,000 or so is fairly small in comparison to the billions invested in the TSP.
But what if the amount withdrawn had been a few million? Would TSP investors all bear the cost of reimbursing the losses of those who were unfortunate enough, or not vigilant enough, to end up with spyware on their personal computers?
And, if the TSP decides to reimburse the small number of investors who lost money in this instance, will that set a precedent if similar losses were to recur in the future?
No doubt, the TSP administrators, and some 3.7 million TSP investors, will be pondering the same questions.