ID thieves hit customers at TD Ameritrade, E-Trade

24.10.2006

E-Trade said it is unsure whether its losses will be covered by insurance. TD Ameritrade's CFO, Bill Gerber, said he is confident the company could "get a nice healthy chunk of the $4 million back if we can prove the fraud was from the same source."

While account fraud using customers' personal details is an "ongoing" problem, Bartlett emphasized that no data had been stolen from TD Ameritrade's own databases, nor had its servers been breached, during this incident.

But he acknowledged that the company's antifraud efforts, which include a dedicated security team using special software to monitor for anomalous activity such as logins from unusual IP addresses and large withdrawals of money, had failed to detect the stock scams quickly enough. "We could identify it, but certainly not to the sophistication of what we can do now," he said.

Bartlett declined to say what technology TD Ameritrade uses to protect against identity fraud. E-Trade uses antifraud software from Cyota, now a part of RSA Security Inc., that helps it monitor accounts for unusual behavior. Since February 2005, E-Trade has also offered optional RSA tokens that generate six-digit codes that change every 60 seconds and that users must enter with their usernames and passwords when logging in, according to Tina Martineau, an E-Trade spokeswoman.

But Ryan Sherstobitoff, CTO at security vendor Panda Software, said that software such as Cyota's, which relies in part on checking whether purported users are logging in from their usual IP address, can be tricked by skillful hackers. Meanwhile, tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock trading accounts, he said.