A Cyberport-based investment company alleges that an unauthorised person logged into its BOCI account and bought up 4.92% of PSP at an average 36% above the previous day's close, draining its account of about HK$37.7m. The SFC has today commenced a general cybersecurity review on brokers' systems after 16 incidents in the last 12 months involving over HK$100m.

Alleged hacked BOCI account explains Pa Shun Pharma (0574) surge
13 October 2016

A judgment published online today, Fast Track Holdings Ltd (FT) v BOCI Securities Ltd (BOCIS) (HCA 2480/2016) explains why there was a huge spike in the volume and price of Pa Shun Pharmaceutical International Holdings Ltd (PSP, 0574) on 23-Sep-2016. Volume was 92.568m shares or 9.26% of PSP and the price at one point reached $0.88, up 57.1% on the previous close of $0.56, before closing at $0.66, up 17.9%

FT is a company which has been 49% owned by Sun Hung Kai & Co Ltd (SHKC, 0086) since 2009. According to the judgment, FT is engaged in the trading of securities, options and futures contracts and investment holding. It has low-rent government premises at our esteemed Cyberport, shared with an asset manager called Dragon Field Investment Ltd, SFC-licensed since 27-Jul-2015. Being at the Cyberport, they don't have a web site, of course.

FT alleges that between 14:40 and 15:22 that day, unauthorised person(s) logged into its account at BOCIS with a valid user ID and password, from IP address 183.179.239.110, and in the space of 18 minutes from 15:03 to 15:21, bought a total of 49.2m shares (4.92%) of PSP from a total of 76 selling brokers. The purchases cost HK$37.69m (including fees and levies), draining almost all of the $37.85m cash in the account, at an average price of $0.7636 per share, 36.4% above the previous day's close. The shares closed today (13-Oct-2016) at $0.55, resulting in a book loss of HK$10.5m so far.

Those trades were settled on 27-Sep-2016 and the Webb-site CCASS Analysis System shows the net movements. The IP address tracks to an account at ctinets.com, or HK Broadband Network, so they will probably be able to track that to a particular HKBN user's account, although of course that doesn't prove that the HKBN customer was the person online - it could just be someone using their Wi-Fi network.

One seller which benefited from this ferocious buying is Advance Apex Ltd (AA, BVI), which sold 34.9m shares at an average of $0.746 and a high of $0.85, cutting its stake from 17.45% to 13.96%. AA is 47% owned by PSP non-executive director Li Ho Tan, 50% by Cheung Chi Mang and 3% by Yu Wentao.

FT claims it should not be held responsible for the purchases, while BOCIS points to the client agreement, clause 15.3 of which states that BOCIS can rely on any instructions given by "any other person purporting to be you". The issue at trial will likely be whether there are limitations to this clause - for example, if a rogue former employee of BOCIS had somehow obtained the user ID and password and impersonated FT, then BOCIS might not be able to avoid liability if its security policies had facilitated this. Good security policies include not storing plaintext passwords on the server - hopefully they store only salted hashes (as Webb-site does), so that insiders cannot read user passwords.

The judgment makes no mention of any 2-factor authentication. A user ID and password were apparently enough to get into the account. In a 2-factor system, the 2nd factor after your password is usually a pseudo-random number generated by a gadget, or a similar one-time passcode sent by SMS to a phone (although obviously that doesn't help if the rogue has gained access to your gadget or phone). Now we don't know whether FT is an institutional or retail client, and whether institutional clients have the option of 2-factor authentication, but a visit to the BOCIS retail login pops up this:

Online Account Login Page Upgrade

To safeguard your online account security, BOCI Securities Limited ("Our Company") is going to upgrade our online account login page in stages. Details could be found as follows.

Stage 1: The answer of "Security Question" field is newly added

(Launch Date: 30th September 2016)

After you enter the Login ID and password on the account login page, you are required to answer the "Security Question" for continuous use of account.

Stage 2: "Two-factor Authentication Code" field is newly added

(Estimated Launch Date: Coming Soon)

Better late than never.

Perhaps not by coincidence, the SFC has tonight announced that it has launched a cybersecurity review on brokers' internet and mobile trading systems, stating that in the last 12 months there have been 16 incidents involving 7 brokers and total unauthorised trades in excess of HK$100m, presumably including the one above. The SFC says these cases are under police investigation.

© Webb-site.com, 2016


Organisations in this story


Sign up for our free newsletter

Recommend Webb-site to a friend

Copyright & disclaimer, Privacy policy

Back to top