New pump and dump scheme

The Investment Dealer's Association of Canada is warning investors that their online trading accounts are being compromised.  The attackers sell off the account holder's stocks and then invest in penny stocks. Presumably part of a pump and dump scheme whereby they create fictitious demand for stocks they hold a position in which they can then sell.  The IDA's press release placed the blame for this security failure squarely on the investors for falling prey to a phishing attack (no evidence for that at all) or possibly having spyware on their computers. Of course they don't suggest that the IDA member companies have inadequate controls on user account access and have zero ability to monitor their account activity. 

In the US there are  guidelines published by the FFIEC due to go into effect January 1 that require better means of user account authentication. I predict that without an equivalent regulation Canadian financial institutions will become the focus of more attacks. This is my principal that states you cannot have perfect security but you can have better security than your neighbors and thus avoid being targeted.  If you are the only one in your neighborhood with motion sensor flood lights and barred windows you are less likely to be the next victim of a break-in.  Of course a regulation is not what is needed. What is needed is for financial institutions everywhere to better protect their customers' accounts.  For access control look at simple to deploy systems from GridDataSecurity or GreenArmor.  To deal with the rapid escalation in attacks and the flexible nature of the FFIEC guidelines which are open to interpretation by auditors, consider an authentication infrastructure that is not tied to one means of authentication like TriCipher's concept of an "authentication ladder."

If these stock trading sites had been monitoring account activity they could have seen the unusual behavior when someone liquidates their holdings and they should be especially vigilant for multiple accounts doing similar trades. Solutions from RSA's Cyota, Cydelity, or even Imperva and AppSec Inc cold have alerted them before the damage was done.

The financial services industry has got to take responsibility for the safety of their customers' accounts. Phishing is their problem not an end user problem.