Investor Alert: Clients with online accounts at IDA member firms
This advisory is intended to alert clients with online accounts at Investment Dealers Association of Canada (IDA) Member firms of a potential security risk to these accounts.
August 24, 2006 (Toronto, Ontario) – The IDA’s Enforcement Department has received information from several sources that unauthorized persons have gained access to clients’ online trading accounts. Specifically how this is accomplished is not yet known. We believe this could be done through one of several methods.
One theory is that the client’s personal access information is being discovered through a computer virus on the client’s home computer. The suspected virus monitors the client’s keystrokes and forwards the information on to individuals who then use the information or pass it on to others.
The other theory is that access information is being obtained from the client through a process known as ‘phishing’. Most phishing is accomplished by an e-mail, purporting to be from the firm, that asks the client to assist with a security issue by providing their name, account number, password and other information necessary to access the accounts. The phishing e-mails usually adopt or rely upon corporate logos and information derived from the Member firm’s website.
An alternative to phishing e-mails is the use of pirate websites that are set up to appear similar to the Member firm’s own website. In rare instances, the corporate website is compromised and clients are moved sideways to the pirate site. When clients attempt to log in, the information is captured on the pirate site and, as a result, the client unknowingly gives up their information. The client may never know that they are no longer on the legitimate website.
At this point in time, there is no confirmation as to the method used to obtain client access information. There is also no suggestion that the security of Member firms’ on-line systems has been compromised. It appears that clients may have inadvertently given up the information to the persons who subsequently hijack the individuals’ accounts.
Once the clients’ personal identities and passwords are compromised, the perpetrators are able to access the clients’ accounts and execute trading instructions. In the instances reported to the IDA, client portfolios were sold out. The credit was then used to place buy orders for specific securities listed on the OTC Bulletin Board or NASDAQ pink sheets. It appears the purpose of such activity was to manipulate the price of shares in the issuer.
In some instances, the trades were settled before the clients were even aware that there had been an on-line breach of their account. Firms are now receiving client complaints concerning these unauthorized activities.
Investors who have online accounts should be aware of this risk. Clients should contact their firm regarding any unusual activities in their account.
The IDA is the national self-regulatory organization of the securities industry. The IDA’s mission is to protect investors, foster market integrity and enhance the efficiency and competitiveness of the Canadian capital markets. The IDA enforces rules and regulations regarding the sales, business and financial practices of its member firms and their approved persons. Investigating complaints and disciplining Members and approved persons is part of the IDA’s regulatory role.