By: Helen Garneau
In March 2025, online brokerage firms in Japan were hit by a massive wave of account takeovers. Criminal groups used phishing sites to steal login credentials from investors, then logged in and executed trades—sometimes worth millions of yen—without the account holders’ knowledge. More than 100 stocks are believed to have been manipulated in the process.
The attack followed a familiar pattern: attackers built fake websites mimicking legitimate brokerage login pages. Unsuspecting investors entered their credentials, which were then used to log in as if they were the real account holders. In one case, a man lost over ¥2 million (about $14,700 USD) in minutes; in another, an account was accessed from an unfamiliar region and drained of nearly ¥10 million (about $70,000) in assets.
No compensation
Because these attacks used valid usernames and passwords, brokerages argued they weren’t at fault and denied compensation to the victims. From the system’s perspective, it looked like the real user had initiated all the trades.
No protection
Weak authentication that puts all the risk on the customer undermines trust in the entire trading ecosystem. And it’s an unsustainable security position when AI tools and biometric identity fraud are added to the attacks on user accounts.
Are brokerages really going to take the position that a fake biometric was “real” as far as their system was concerned — and it’s the customer’s responsibility for their biometric data being faked or stolen?
A better and more powerful way to authenticate account holders
Step 1: Replace usernames and passwords for customer accounts with Verifiable Credentials
A Verifiable Credential is a tamper-proof digital credential that a customer holds in a digital wallet on a mobile device.
It’s verified by cryptography so authentication is seamless and doesn’t involve the process of inputting personal data that can be phished or stolen.
The credential can’t be shared or stolen because of the way it is bound to the customer and their device.
Step 2: Add a verified biometric to the credential
This can be done when a customer is onboarded, or it can be derived from a government-issued ID and combined with a liveness check to ensure the image on the ID matches the real, live person.
Now you have a way to cross check a liveness check in real time, mitigating biometric identity fraud and the risk of generative AI deepfakes. The customer has a way of proving that they are really who they present as.
Mutual trust, built in
With this setup, the customer and the brokerage verify each other before any data is shared. Customers can be sure they’re dealing with the real brokerage. Brokerages can be sure they’re dealing with the real customer. And phishing attempts are detected and blocked before they begin.
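A simplified sketch of the device binding and origin check that make a phished or copied credential useless to an attacker. It is an added illustration, not Indicio's code or any wallet's actual protocol; the key handling, field names and example origins are assumptions.

```javascript
// Added illustration with constructed keys, names and origins; not Indicio's implementation.
const crypto = require('node:crypto');

const BROKER = 'https://brokerage.example';       // constructed origin
const PHISH = 'https://brokerage-login.example';  // constructed look-alike origin

// A real system would use a canonical serialization; JSON.stringify suffices in one process.
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const verify = (key, obj, sig) => crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));

// Ed25519 key pairs: the issuer's, and one that never leaves the customer's device.
const issuer = crypto.generateKeyPairSync('ed25519');
const device = crypto.generateKeyPairSync('ed25519');

// Issuer signs the claims together with the device public key (holder binding).
function issueCredential(subject, devicePublicKey) {
  const claims = { subject, holderKey: devicePublicKey.export({ type: 'spki', format: 'pem' }) };
  return { claims, issuerSig: sign(issuer.privateKey, claims) };
}

// Wallet signs the verifier's fresh nonce plus the origin it is actually connected to.
function present(credential, devicePrivateKey, nonce, origin) {
  const proof = { nonce, origin };
  return { credential, proof, holderSig: sign(devicePrivateKey, proof) };
}

// Verifier checks issuer signature, holder binding, freshness and origin, in that order.
function verifyPresentation(p, expectedNonce, myOrigin) {
  if (!verify(issuer.publicKey, p.credential.claims, p.credential.issuerSig)) return 'bad-issuer-signature';
  const holderKey = crypto.createPublicKey(p.credential.claims.holderKey);
  if (!verify(holderKey, p.proof, p.holderSig)) return 'not-bound-to-holder-key';
  if (p.proof.nonce !== expectedNonce) return 'stale-or-replayed';
  if (p.proof.origin !== myOrigin) return 'wrong-origin';
  return 'ok';
}

// Runs the legitimate login and three failure cases against the real brokerage's verifier.
function demo() {
  const cred = issueCredential('customer-001', device.publicKey);
  const nonce = crypto.randomBytes(16).toString('hex');
  const other = crypto.generateKeyPairSync('ed25519'); // a key that is not the bound device key
  const check = (key, n, origin) => verifyPresentation(present(cred, key, n, origin), nonce, BROKER);
  return {
    legitimate: check(device.privateKey, nonce, BROKER),
    signedOnLookAlikeSite: check(device.privateKey, nonce, PHISH),
    copiedCredential: check(other.privateKey, nonce, BROKER),
    replayed: check(device.privateKey, 'earlier-nonce', BROKER),
  };
}
console.log(demo());
```

Only the presentation signed by the bound device key, over the current nonce and the brokerage's own origin, is accepted; the other three are rejected at different checks.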
Built for compliance and trust
- Verifiable transactions: Your customer holds and controls their data from their device and you can cryptographically verify their identity and data without having to check it against information held in the cloud or by a third-party identity provider.
- Simplified compliance: Since biometric data never leaves the user’s device and doesn’t need to be stored by the brokerage or a third party to be verified, brokerages aren’t burdened with the responsibility of storing or managing that sensitive information. This reduces liability and makes it easier to align with strict data protection regulations.
- Consumer trust: When customers know that no trade can be executed without their personal, biometric consent, they feel secure. Brokerages can point to real safeguards—not just promises—when reassuring their customers that their investments are protected by the latest in identity security technology.
Indicio Proven makes all this simple
Indicio Proven makes it easy to issue and verify these credentials, radically simplifying identity assurance and data sharing — and at significantly lower cost than conventional identity providers.
This is why Money2020 selected Indicio as one of the key startups in 2025 “transforming the future of money.”
Take the first step to streamlined, secure, globally interoperable digital identity
Book a demo of Indicio Proven Auth and discover how to bring powerful, portable, privacy-preserving digital identity to your platform—reducing risk, lowering costs, and building the foundation for trusted, seamless services.