Sharemarket transaction security flaws exposed

It was late one evening in Auckland's long hot summer when an investor, let's call him John Smith, found himself walking up Parnell Rd and past the post office where his mail was delivered.

On a whim, Mr Smith decided to check his post office box for anything that might need attention the next day. What he found there obliterated the evening's relaxed mood and replaced it with a nasty feeling that something was seriously amiss with his multimillion-dollar share portfolio.

It was a transfer form from share registrar Computershare, referring to a share transfer he was sure he had never agreed to.

He raced round to Computershare the next morning, where his fears were confirmed – someone was trying to rip him off for a lot of money, and had nearly got away with it.

The case, now before the courts, has exposed dangerous flaws in security surrounding sharemarket transactions.

"It's fair to say if you found out you were about to lose $3 million it puts the fear of god into you," said a source close to Mr Smith.

"I know for a fact it's not just my mate [who was targeted]. There have been attempts on other people. It has to be made more secure."

The problem uncovered by Mr Smith involved the security of two key numbers required for sharemarket transactions – the common shareholder number (CSN) and the Faster Identification Number (FIN). Investors trading shares on the NZX are all given a CSN, which, like a bank account number, identifies them as a shareholder across all listed securities and registries.

The FIN is like a bank card PIN – a four-digit personal number investors must quote to buy or sell shares.

Unlike a PIN, however, a shareholder's FIN can be communicated verbally to brokers and is known to share registrars. A shareholder who forgets their FIN can get a new one sent out by mail – and this is where the attempted fraud on Mr Smith became serious.

According to one account, the fraud began with the infiltration of Mr Smith's broker, First NZ Capital. Once someone had access to information within the firm it was not hard to access the CSNs of individual investors.

To get the FIN, it seems the fraudsters conducted a mailbox scam, writing to the post office claiming to be Mr Smith and authorising someone else to clear the box while he was on holiday. They then simply telephoned Computershare, said the number had been lost and asked for another to be sent out by mail.

"They then went through all his stuff every day and in no time at all had his FIN," said the source.

According to the police, there were four people involved in the attempted crime: a research assistant at First NZ Capital, a National Bank employee and two "mules" whose names were used to set up accounts into which assets would be transferred. The charges allege the group planned to steal about $5.4m.

The four, who made no plea at initial court appearances this month, are due to re-appear in court next month.

Computershare general manager Tim Bond declined to comment on the issue, but Stan Malcolm, head of operations at rival Link Market Services, said the case was "obviously of concern".

"From our perspective, since this fraud has been highlighted we have been looking at [security] with a view to reviewing our procedures."

Mr Malcolm said anyone asking for details such as a FIN would have to do so in writing and sign an indemnity. "But I have seen off-market transfer forms where there is space on the form for the CSN and FIN together. That's a no-no. Investors should never put those numbers on a piece of paper together."

However, Link's procedures allow a replacement FIN to be sent by standard mail to a shareholder's address on the register.

Banking Association spokesman John Bishop said although banks used mail to send replacement cards, this was never done with PINs.

"We don't ever communicate the PIN in the mail or electronically unless through an encrypted device."

Anyone needing a replacement PIN must front up to a bank branch and produce ID, Mr Bishop said.

First NZ Capital managing director Scott St John said there was little he could say while the case was before the courts, but "I think the fact [the fraud] was thwarted should give some comfort".

It seems Mr Smith is not so relaxed. "I'm not getting at First NZ," said the source. "Trust me, it could've happened to anybody.

"Supposedly it's an Asian triad involved in this," he said.

"My friend had his own investigative team on this and it's very nasty."