Online investors may have fallen victim to viruses or phishing schemes that allowed others to access their accounts in a possible attempt to manipulate share prices, the Investment Dealers Assocation of Canada warned Thursday.
The securities firms who reported the breach have not confirmed the means by which accounts were accessed, but the Investment Dealers Association (IDA) pointed to “pharming” Web sites as another possible avenue. Only two accounts were affected, although the IDA said it was alerted by a U.S. regulator about a similar situation which has happened south of the border.
“In the instances reported to the IDA, client portfolios were sold out,” the warning notice posted on the IDA Web site says. “The credit was then used to place buy orders for specific securities listed on the OTC Bulletin Board or NASDAQ pink sheets.”
IDA vice-president of enforcement Alex Popovic said it was the first time the association has been notified of a security breach involving the online accounts of its member institutions.
“The security pf the account system itself wasn’t compromised,” he said. “There’s encryption you would need to get past to get in, but the weak point is the person that accesses it — if they have somehow disclosed their password.”
Police have been informed of the incident and those affected by the breach have since changed their passwords, Popovic added, but member firms have an obligation to report client complaints, and the IDA wants to raise awareness about similar incidents.
“It happens in banking, it happens with debit cards – it’s certainly part of the fact of doing business online,” he said.
Vince Hwang, group product manager at Symantec Security Response, said some criminals use a combination of phishing e-mail messages and vulnerabilities in Microsoft operating system environments to download malicious software that can record keystrokes or find other ways to get into a system. In general, the attacks are becoming more sophisticated because the motivation is financial gain rather than notoriety within the hacker community, Hwang said.
“They’re taking the time to craft these socially engineered messages,” he said, adding that some pharming Web sites may in fact take users to the legitimate secure area of a financial institution’s Web site first. The trick comes when messages or sites include an additional link to verify status or to ensure an account is secure, which can fool even educated users.
“That’s where they get you,” he said.
Popovic said the IDA does not expect the problem to become wide-spread, if only because only a small number of mostly discount brokerages offer online accounts.
“Many of the firms have access so that you can look at information, but because it is a full-service brokerage, you can’t do anything without going through your broker,” he said. “There are not many where you can buy and sell on your own.”