Hong Kong police struggle to stop brokerage hacking spree
Hong Kong police are struggling to deal with digital pump-and-dump schemes targeting brokerages - a little-known type of computer-generated fraud that surged in the Chinese territory last year. Although the money involved was small - only about $20 million worth of shares - there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police. In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.
After last year’s cyber-heist of $81 million at Bangladesh’s central bank and a series of hacks of ATMs around the world, authorities fear such pump-and-dump schemes could be increasingly used for electronic theft. Hong Kong is a favored place for such attacks because of the number of thinly traded penny stocks in the territory and because its securities industry has fallen behind other financial centers in defending against cyber fraud. At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings Plc and Bank of China International (BOCI) Securities, according to regulators and people familiar with confidential investigations.
A spokesman for HSBC declined to comment. A spokeswoman for BOCI Securities said she could not comment on its case but the brokerage would continue to invest in IT security.
“If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks,” Ashley Alder, CEO of the Hong Kong Securities and Futures Commission (SFC) and chairman of the International Organization of Securities Commissions, said in a speech to the local legislature last week. “We’ve seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share trading accounts.”
Such schemes surfaced more than a decade ago in the United States. Charles Schwab Corp, E*Trade Financial Corp and JP Morgan Chase & Co. were identified as victims of these schemes in a 2006 complaint filed by the Securities and Exchange Commission. The pace of attacks reported in the United States has slowed in recent years after big brokerages implemented a variety of strategies to thwart the hacks, said John Reed Stark, a former chief of the Securities and Exchange Commission’s (SEC) Office of Internet Enforcement.
Some use algorithms to identify and halt unusual trading activity, others scrutinize Internet traffic for orders coming from suspicious servers, and one stopped permitting customers to buy penny stocks through its online trading platform, said Stark, who now runs cyber-security consulting firm John Reed Stark Consulting LLC. But such protections are rare in Hong Kong, where the government has only recently started suggesting security improvements to banks and brokerages, which have traditionally considered stock trading to be low-risk.