I just got a confirmation e-mail for $3000 of SST (Steamships Trading) shares that I’d apparently purchased. Complete with my account number and everything.
Check AusCERT, and Google for any phishing references. Log into my account (by typing the URL), no sign of the purchase. Change my password. Call Commsec on 13 15 19 and they confirm that the trade was made, ask me if I’ve given anyone else my password (of course not). Put me on hold. Wait. They come back and offer to investigate it, or sell the shares. Well, I want them to investigate it. She asks if I want to shell the shares (brokerage free). Well, I want to get rid of them, but I’d rather they cancelled the trade I didn’t make (price hasn’t gone up :). She arranges to call me back.
So I get the call back, and apparently they can see that the trade wasn’t made over the internet, they’re going to cancel the transaction, and make a note that I didn’t purchase the shares. They can’t tell me whether they screwed up or it was a malicious attack. They do ask if I’ve changed my password.
So I guess I don’t know if something on my network is insecure, leaking data, or if someone at Comsec screwed up, or if their end is insecure. I’d rather not cancel my account with them, but if they can’t tell me how random trades are being made on my account then there’s really no reason to stay with them. Unless I hear a big “Sorry our computers screwed up” apology on their site tomorrow.
Update - I got another e-mail at 3:22. Rang them up and hassled them to let me know if it was a security problem at my end (this would mean I’d have to work out where the hole is), or them being incompetent. Turns out that they were attempting to process someone else’s trade using my account.
