Retail brokerage account hacks have soared this year in Japan, prompting most firms to introduce multi-factor authentication requirements to guard against the growing threat — and, highlighting the industry’s vulnerability to reputational risks, Moody’s Ratings says.
Citing data from Japan’s Financial Services Agency (FSA), the rating agency reported that, between February and mid-April this year, the country’s securities firms faced at least 1,454 cases of account hacking, which cost around ¥100 billion (US$700 million).
These breaches typically involve phishing attacks that aim to steal investors’ usernames and passwords using fake websites that emulate real brokerage firms’ sites. The hackers then use stolen credentials to access investors’ accounts and liquidate their holdings, using the proceeds to purchase other stocks to be used in market manipulations.
“Hackers make a profit by driving up the price of the stock through fraudulent transactions and selling that stock using other accounts they control. Hacked accounts are likely ultimately left with losses as the stocks they are used to purchase decrease in value,” Moody’s noted.
In response, most firms that offer online trading are now implementing mandatory multi-factor authentication (MFA) to guard against these kinds of attacks, it said.
According to the report, MFA has proven very effective against these kinds of attacks, but it hasn’t been universally adopted for several reasons, including “potentially complex implementation, compatibility issues with older company networks and users finding MFA inconvenient,” it said.
For the securities industry, these breaches will likely add costs, as firms beef up their systems and enhance risk management — in addition to the potential compensation they have to pay for customer losses.
“While the move to introduce mandatory MFA for retail transactions will mitigate cyber risks, a credit positive, the recent breaches nevertheless highlight securities firms’ high exposure to customer relations risks,” the report noted.
The attacks also “also threaten to undermine government initiatives” such as a new tax-assisted retirement savings program that has “driven a surge in nationwide investment activity,” Moody’s added.