Hackers beware! ASIC issues report on cyber security

The Australian Securities and Investments Commission (ASIC) today published a report on cyber resilience in order to help its regulated firms ensure greater vigilance against hacking. The Australian regulator defines cyber resilience as an organisation’s ability to prepare, respond, adapt and recover from a cyber attack.

This particular report highlights the importance of cyber resilience to ASIC’s regulated population, to support investor and financial consumer trust and confidence and ensure markets are fair, orderly and transparent.

ASIC Chairman Greg Medcraft said: “Cyber attacks are a major risk for ASIC’s regulated population and that means cyber resilience is an area of ASIC focus. The electronic linkages within the financial system mean the impact of a cyber attack can spread quickly, potentially affecting the integrity and efficiency of global markets, and trust and confidence in the financial system. This report outlines some health check prompts to help businesses review their cyber resilience, including flagging relevant legal and compliance requirements, particularly on risk management and disclosure.”

The report documents that, in other jurisdictions around the world, the systems of some major executing venues have been the subject of hacking, where those wishing to attack have done so successfully. In October 2014, hackers breached the Warsaw Stock Exchange and exposed the login credentials of a number of brokers.

Using the stolen credentials, they managed to enter into the private email inbox of the stock exchange and steal customer data from them (including intimate pictures). Hackers represented themselves as cyber terrorists. The attack lasted 10 days as the Warsaw Stock Exchange struggled to get the attackers out of the system.

In the weeks preceding this report, LeapRate clearly demonstrated that there is a risk within the entire chain from deposit to withdrawal for retail customers, with NOIRE CEO Tim Thompson having discussed this matter in depth with LeapRate, at the time stating :”FX brokerage accounts are usually accessible online needing only a username and password in order to gain access to sensitive data and exposure to fraudulent withdrawals.”

“It can start in a number of ways; Fraudsters phishing customers details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses” is Mr. Thompson’s experience.

“The fraudsters obtain lists of client’s logins and passwords details and begin trawling through them. Logging in and out of accounts checking balances, looking for accounts to target. This logging in and out of accounts is very rarely detectable. Brokers often check IP addresses, but these will be tumbled by the fraudster each time, by using a proxy to give a new IP in the country in which they want to appear. The fraudster narrows the list down of accounts to hit and then goes back sometimes weeks later, possibly to make a withdrawal” Mr. Thompson explained to LeapRate in early March.

ASIC’s Mr. Medcraft continued along these lines, detailing the regulatory perspective with relation to today’s report: “We encourage businesses, particularly where their exposure to a cyber attack may have a significant impact on financial consumers and investors or market integrity, to consider using the United States’ NIST Cybersecurity Framework to manage their cyber risks or stocktake their risk management practices and will consider incorporating cyber resilience in our surveillance programs, across our regulated population.”

ASIC’s report also encourages collaboration with industry and the Government to ensure cyber attack responses can be co-ordinated and information on risks shared.

ASIC documents that, in congruence with Mr. Thompson’s conversation with LeapRate earlier this month, market participants may face various risks, including the risk of their client accounts being hacked or manipulated.

LeapRate discussed this matter at length in a TV interview recently, outlining the additional security matters that can be addressed, highlighting exactly the items outlined in this report, thus validating them.

Research by ASIC has discovered identity fraud on client accounts through alerts generated by ASIC’s Market Analysis Intelligence (MAI) surveillance system in response to price and volume anomalies. We notified and worked with relevant market participants to ensure appropriate action was taken.

Identify fraud in client accounts

Instances of identity fraud in financial markets that ASIC has discovered include clients being impersonated by mimicking the client’s email address or establishing an email address which is markedly similar to that of an existing client.

After establishing email contact with a broker, the criminal issues instructions to liquidate the client’s positions and distribute the proceeds to alternative bank accounts (including third party accounts); and clients overseas having their mail intercepted and personal details stolen, such as the client’s full name, address, date of birth and share trade account information. The criminal supplies relevant information to Australian brokers, including certified copies of passports and drivers’ licences, to effect share sales.

The legitimate clients’ securities have then been sold without their approval or knowledge. Client accounts that appear to be trading unprofitably or complaints of unusual trading from clients may be a sign of unauthorised account trading.

ASIC encourage market participants to continue their positive engagement with ASIC in acting swiftly to identify and address cyber attacks.

Mr. Medcraft concluded by stating “We have updated ASIC’s MoneySmart website to help financial consumers and investors protect themselves and their money from cyber risks when transacting online.”

For the full report by ASIC, click here.

Read Also: