Hong Kong — Hong Kong police are struggling to deal with digital pump-and-dump schemes targeting brokerages. It is a little-known type of computer-generated fraud that surged in the Chinese territory in 2016.
Although little money was involved — only about $20m worth of shares — there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.
In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.
After 2016’s cyber heist of $81m at Bangladesh’s central bank and hacks of ATMs around the world, authorities fear such pump-and-dump schemes could be increasingly used for electronic theft.
Hong Kong is a favoured place for such attacks because of the number of thinly traded penny stocks and because its securities industry has fallen behind other financial centres in defending against cyber fraud.
At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings and Bank of China International (BOCI) Securities, according to regulators and people who are familiar with confidential investigations.
A spokesman for HSBC declined to comment. A representative of BOCI Securities could not comment on its case but said the brokerage would continue to invest in security.
"If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks," Ashley Alder, CEO of the Hong Kong Securities and Futures Commission and chairman of the International Organisation of Securities Commissions, said in a speech to the local legislature last week.
"We’ve seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share-trading accounts," Alder said.
Such schemes surfaced more than a decade ago in the US. Charles Schwab and JPMorgan Chase were identified as victims in a 2006 complaint filed by the US Securities and Exchange Commission.
The pace of attacks reported in the US had slowed in recent years after big brokerages implemented a variety of strategies to thwart the hacks, said John Reed Stark, a former CEO of the Securities and Exchange Commission’s office of internet enforcement.
Some used algorithms to identify and halt unusual trading activity, others scrutinised internet traffic for orders coming from suspicious servers and one stopped permitting customers to use its online trading platform to buy penny stocks, said Stark, who now runs cyber security consulting firm John Reed
Protection is Rare
But such protection is rare in Hong Kong, where the government has only recently started suggesting security improvements to banks and brokerages, which have traditionally considered stock trading to be low-risk. In 2016 the Hong Kong Securities and Futures Commission told firms to increase surveillance of client transactions and data protection.
Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators.
The intrusions might have been thwarted if the accounts had been protected with two-factor authentication, the Hong Kong Monetary Authority has said. Two-factor authentication typically includes a password and a piece of information only the user has, for instance an electronic token with changing numbers.
"Hong Kong is being targeted because they have not instituted the same cyber protections that we see in the US and parts of Europe," said Jeff Cramer, a former US prosecutor.
Cramer, who is MD of cybersecurity investigations firm Berkeley Research Group, expected to see more attacks in Hong Kong and perhaps other Asian nations that were behind in cyber security, including China, Japan and South Korea.
Tough to Crack
Such pump-and-dump cases have been tough to crack in the US because the masterminds are typically overseas, using surrogates and pseudonyms to make investments.
Brokerages are typically not required to go public when they are hacked, so cases often surface only when the government files a complaint against suspected cyber criminals or when the hack results in litigation. The attack involving BOCI Securities became public after it was sued by a customer that claimed its account was breached.
Trading firm Fast Track alleged in court documents that somebody hacked into its brokerage account on the afternoon of September 23 using a valid user ID and password.
Within 18 minutes, the intruder had emptied the account by spending HK$38m ($4.9m) to buy 49-million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.
The stock soared more than 30% after the purchase, which was made at a 36% premium to the previous day’s closing price, Reuters data show.
BOCI alerted Fast Track to the suspicious activity an hour later. It has said in court documents that it should not be held financially responsible, saying it found no evidence its systems had been compromised.
Peter Pang, Pa Shun’s chief financial officer, told Reuters the management "would keep an eye to the incident and report to the regulators and the public when necessary".
One person familiar with the case said Fast Track’s management believed the incident was a pump-and-dump scam and Pa Shun was targeted because it was thinly traded. It remained unclear who was responsible.
Fast Track’s directors did not respond to requests for comment.