Closing the door before the (trojan) horse has bolted – Brokers are ahead of banks….

….but it’s best not to rest on laurels

The unlawful obtaining of customer information or the unauthorized gaining of access to online accounts is a very important modern criminal activity that should absolutely not be taken lightly, especially in the FX industry which not only conducts its entire, global business via the internet, but also is responsible for financial transactions and the safekeeping of client monies.

Cybersecurity, the terminology given to the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide, is paramount and therefore access to the right information from all parties is a given…. or is it?

Rather in keeping with the combination of avant-garde technological leadership and entrepreneurial pioneering spirit that exists even within the large, publicly listed firms in the online trading industry, whilst online security and client money custody cannot ever be the subject of complacency, it is quite surprising how far ahead the FX industry is in terms of awareness and action compared to much larger, long established financial institutions with their own internal development and security teams.

Lloyds Banking Group has built its own very sophisticated proprietary fraud monitoring system that records the every move of a customer when using an online account of any type.

The system can detect how a customer behaves physically, including how quickly a password is typed, or behavioral traits in how the cursor is moved around the screen. It records how often a customer typically logs in to an account and at what time of day.

Whilst this is not artificial intelligence, it most certainly is a form of machine learning. The system can track which mobile phone or computer a customer uses to access their account and where in the country they are when they do so. The bank also knows its customers’ income, where they shop and how much they normally spend at a time. All of this information is used to compile a secret profile of each customer detailing their typical behavior.

Last year, Tim Thompson, CEO of British payment service provider and risk management technology company NOIRE, explained to Andrew Saks-McLeod that FX brokerage accounts are usually accessible online needing only a username and password in order to gain access to sensitive data and exposure to fraudulent withdrawals.

“It can start in a number of ways” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”

Mr. Thompson explained that in many cases, fraudsters have been able to successfully make withdrawals from trading accounts, their requests being so authentic that they have been passed by even the most diligent of compliance departments. The ability to access accounts by phishing and sending in Trojan horse malware programs in order to ‘emulate’ the real customer would be avoided with the right anti-fraud security systems.

Some three four years ago, Jeff Wilkins, Managing Director of Michigan-based IS Prime a well recognized industry expert with regard to electronic risk management, explained to FinanceFeeds during a meeting in Cyprus that within networks used in the FX industry, points of presence, which are dedicated connectivity solutions between venues, trading companies and hosts, had been gaining popularity, and that distributed points of presence connectivity allows protection against denial of service attacks, confirming that ThinkLiquidity at that time always advised that this type of infrastructure is put in place.

Three years on, the institutional sector has in some form adopted such systems: venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013. However, this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being the high cost of implementing dedicated infrastructure for many smaller retail firms, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.

Two years ago, a spate of connectivity outages began affecting internet access for hosted customers of several MetaTrader 4-based brokerages, from Australia to Japan, and across the APAC region, largely as a result of attempted DDoS (Distributed Denial of Service) attacks.

In these cases, most of the attacks function by bombarding the server with a high volume of messages in order to either slow down the server, or to prevent it functioning at all, creating tremendous potential damage to brokerages, and subsequently, their clients.

The brokerage business is well on top of this, and dialogs that go back as far as these are clear testimony that the specialists within this industry are able to dedicate resources to ensuring safety of data, funds and to stop malicious attempts to damage rival businesses.

However, whilst our industry, especially in the retail sector, is very much committed to research and development and is in many cases responsible for driving forward new developments that eventually make their way into the wider financial and technology sectors, the banks are the entities with the time, the dedicated departments of several hundred technicians and eventually, whilst often slower at bringing new developments to market than the non-bank world, they get it right and have top quality solutions once they are approved for mainstream use.

Lloyds Banking Group has emulated some of Silicon Valley’s large internet firms by creating its facility in London in the same vein as a technology development firm rather than a belt-and-braces bank department.

The digital office seems more suited to the likes of Google or Facebook than one of Britain’s oldest banks. It is full of brightly coloured, coffee-stained sofas, garish green wallpaper and groups of young men clad in T-shirts and jeans talking excitedly in huddled groups over computer screens.

This bears a stark contrast to the 18 years of my 27 year career in electronic trading as a connectivity, software deployment and server engineer within many of the Tier 1 banks. Back in the early 1990s, the in-house development and R&D divisions of bank technology divisions were ultra-conservative, and whilst absolutely ground breaking in terms of the understanding of technological topography, not to mention a continually fascinating and sophisticated environment in which to have the privilege to spend a large part of one’s career, very beige cardigan, and not very Starbucks.

And today, it’s the Starbucks frequenters that have the upper hand over the beige cardigan when it comes to cyber attacks in this internet-dependent world.

With Lloyds’ new system, if a fraudster manages to gain access to an account, when they log in, the bank’s computer system — called the Risk Engine — will be waiting to catch them out. It is looking for any suspicious activity that seems out of character for that customer.

So if, for example, someone logs into your account from a computer in Manchester when you live in London, or types the password far more slowly than usual, the system will put an alert on the account.

If nothing suspicious happens next, the alert could be downgraded — after all, it might just be that you’re trying to check your balance from a friend’s house and are struggling to remember your password. In this case you probably wouldn’t even know anything had happened.
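The behaviour described above (an alert on an out-of-character login that is downgraded when nothing suspicious follows) can be sketched as below. This is an added example, not Lloyds’ Risk Engine or code from the article; the signal weights, the threshold, the action names and the login history are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Login:
    city: str
    device: str
    hour: int         # hour of day, 0-23
    typing_ms: float  # time taken to type the password

# Constructed login history for one hypothetical customer.
HISTORY = [
    Login("London", "phone-A", 8, 2100), Login("London", "phone-A", 9, 1900),
    Login("London", "laptop-B", 20, 2000), Login("London", "phone-A", 8, 2200),
    Login("London", "laptop-B", 21, 1800), Login("London", "phone-A", 7, 2000),
]
ALERT_AT = 3                           # assumed alert threshold
SENSITIVE = {"withdraw", "add_payee"}  # assumed action names

def score(history, login):
    """Weigh each signal that is out of character for this customer."""
    reasons = []
    if login.city not in {h.city for h in history}:
        reasons.append(("new_city", 2))
    if login.device not in {h.device for h in history}:
        reasons.append(("new_device", 2))
    times = [h.typing_ms for h in history]
    sigma = pstdev(times) or 1.0       # avoid dividing by zero
    if abs(login.typing_ms - mean(times)) / sigma > 3:
        reasons.append(("typing_speed", 2))
    # Hours wrap around midnight, so measure distance on a 24-hour circle.
    gap = min(min(abs(login.hour - h.hour), 24 - abs(login.hour - h.hour))
              for h in history)
    if gap > 3:
        reasons.append(("unusual_hour", 1))
    return sum(w for _, w in reasons), [name for name, _ in reasons]

def assess(history, login, actions):
    """Alert on an odd login, then downgrade unless a sensitive action follows."""
    total, reasons = score(history, login)
    if total < ALERT_AT:
        return "ok", reasons
    if any(a in SENSITIVE for a in actions):
        return "hold_for_review", reasons
    return "alert_downgraded", reasons

if __name__ == "__main__":
    odd = Login("Manchester", "laptop-B", 20, 6500)
    print(assess(HISTORY, odd, ["view_balance"]))
    print(assess(HISTORY, odd, ["withdraw"]))
```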

Under existing banking rules, if a fraudster steals someone’s card details and takes money from their account without their permission, their bank must refund the customer — unless they have been negligent with their personal details by telling someone else their password or PIN, for example.

However, there is currently no such protection for people who have been duped into handing over their cash — known as authorised fraud. In this instance, you will typically only get your money back if you can prove the bank made a mistake.

The same applies to retail FX. Many retail FX customers mistakenly consider that they are able to rely on the Financial Services Compensation Scheme (FSCS) if something goes awry; that is not always so, as demonstrated recently in a refusal to compensate customers who hold money with Premier FX.

FinanceFeeds reported that Premier FX Limited was only ever permitted to carry out certain payment services known as ‘money remittance’. However, Premier FX was found to be acting outside of the boundary of these permissions by also holding customer money in their accounts.

FSCS will not protect money customers held with Premier FX Limited because the firm was not authorised by the FCA to hold customer money in its accounts. This means FSCS will be unable to compensate for any shortfalls in customers’ money held by Premier FX Limited.

If this is the case, it is possible to consider that the FSCS is not a silver bullet or a cast iron shield against losses, thus greater security is required.

NOIRE CEO Tim Thompson’s explanation to FinanceFeeds as described earlier in this article shows that it is entirely possible to enter accounts and successfully make withdrawals of customer funds illegally. Mr Thompson actually showed records provided to him by some very well known FX firms that had enlisted his services following some large withdrawals having been made from customer accounts by fraudsters that were able to gain access and submit a withdrawal to the broker in the name of the account holder.

“It can start in a number of ways” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”

Ransomware is a form of malware that is used to encrypt all data held on computers or on smartphones that do not use the iOS operating system.

The idea behind it is that it allows a hacker to extort an amount of money from the owner of the data – for example customer records held in an online trading company’s CRM – and if the amount requested is not paid, then the hacker deploys the encryption and destroys the data.

This is often used against not only commercial enterprises but also government agencies, therefore the extent of its level of sophistication and ability to penetrate security systems is patently obvious.

A particular thing to check here is affiliate links.

It is advisable when inserting affiliate links into websites that they are as originally defined, and that they do not appear to show unusual or differing characters than when they were inserted. These could be used to deploy ransomware, thus the advertisement which looks quite correct when viewed on a broker website may be contaminated with malware and once it is there, it is very very difficult to remove.
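One way to carry out that check is to keep a record of each affiliate link exactly as it was inserted and compare the live page against it. The following is an added example, not code from the article; the baseline, the placeholder `.example` domains and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Links exactly as originally inserted (constructed baseline, placeholder domains).
BASELINE = {
    "https://partner.example/track?aff=1001",
    "https://broker.example/signup?ref=ib-42",
}

# Constructed page: one intact link, one with a Cyrillic look-alike letter
# in the host name, and one whose affiliate id has been changed.
PAGE = (
    '<a href="https://partner.example/track?aff=1001">Trade now</a>'
    '<a href="https://p\u0430rtner.example/track?aff=1001">Trade now</a>'
    '<a href="https://partner.example/track?aff=9999">Trade now</a>'
)

class HrefCollector(HTMLParser):
    """Collect the href of every anchor tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_links(html, baseline=BASELINE):
    """Return {href: [findings]} for every link that differs from the baseline."""
    parser = HrefCollector()
    parser.feed(html)
    known_hosts = {urlsplit(b).hostname for b in baseline}
    findings = {}
    for href in parser.hrefs:
        if href in baseline:
            continue                      # byte-for-byte as inserted
        notes = ["not in baseline"]
        host = urlsplit(href).hostname or ""
        if not href.isascii():
            notes.append("non-ASCII characters")
        if any(label.startswith("xn--") for label in host.split(".")):
            notes.append("punycode host")
        if host not in known_hosts:
            notes.append("unknown host")
        findings[href] = notes
    return findings

if __name__ == "__main__":
    for link, notes in audit_links(PAGE).items():
        print(ascii(link), notes)
```

The second link renders identically to the first in a browser, which is why the comparison is made on the stored string rather than by eye.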

Brokerages, IBs and their clients should be very wary of emails which prompt them to update their passwords. For clients, these could be trading account access passwords, for IBs they could be portal or CRM passwords and for brokers they could be back office passwords.

Our advice is not to click on anything that appears to be automatically generated and does not come from what appears to be the correct format of internal corporate email address, as it could contain code that grants hackers access to the trading account of retail clients, or the database owned by a broker, or even worse, the withdrawals system.

Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit. The theft of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend. Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane, and there is absolutely no reason at all why this type of espionage could not take place in an online trading firm, with counterfeiters wanting to get hold of new platform designs (MetaTrader 4 is the subject of massive counterfeit activity in China, and now with MetaTrader 5 having risen to popularity, espionage is not something to rule out).

The same applies to R&D departments of brokerages which have their own platforms and multi-asset offering, as hackers could spy on new unreleased designs and emulate them in order to beat them to market.

Whilst the FX world’s technologists are very quick, entrepreneurial and have shown over the years that their skills can get a very good product to market very quickly and actually change the face of the financial world, the large, well funded Tier 1 banks are developing holistic, all encompassing solutions that we will all benefit from.

Thus, a combination of the pioneering spirit of the FX world and the over-reaching prowess of bank technologists would be a good combination indeed.
