What have Dolly Parton, Yoko Ono and a motorcycle got to do with your retail FX trading account? Security, that’s what!
Online trading accounts should be highly secured. We look at how to do this properly at a time when identity theft is at an all-time high. Compliance officers and regulators, be on guard!
The unlawful obtaining of customer information or the unauthorized gaining of access to online accounts is a very important modern criminal activity that should absolutely not be taken lightly, especially in the FX industry which not only conducts its entire, global business via the internet, but also is responsible for financial transactions and the safekeeping of client monies.
Britain, a nation which is home to the world’s largest financial markets capital – London – does not require that its citizens carry identity cards, and has a government which does not know exactly how many people reside in the country.
Those who wish to know should perhaps ask one of Britain’s vast supermarket chains, as their procurement departments are painstakingly accurate: competition has forced high quality and low prices, and led to products that appeal to an exacting and specific customer base, across an entire spectrum. Therefore Waitrose and Morrisons are likely to know the exact demographic of the nation to a more precise unit than Prime Minister Theresa May.
The liberals may champion the freedom that they perceive to be afforded by not carrying ID cards, but there is a hidden danger, that being the ease by which fraudsters can misuse the identities of genuine customers of online financial services companies in order to make withdrawals to their own accounts.
Whilst identity theft in many Western and specifically Anglophone nations is becoming a thing of the past, it is the fastest growing crime in Britain, with young people increasingly targeted by cyber-fraudsters. In the first six months of this year there were a record 89,000 identity thefts committed by financial fraudsters – with four out of five conducted online.
Looking back a few years, identity fraudsters had concentrated on targeting vulnerable elderly customers of banks or insurance companies, or middle aged people with large bank balances and a good credit score in order to take loans in their name, which they then banked and never repaid, leaving the lenders to chase the victim for a debt that they never applied for.
Over the past year the number of under-21s hit by ID theft has doubled, while a third of all victims are now aged under 40, which is exactly the median age of the average British FX and CFD trader.
Sadly, the law remains as it is, and it appears that ID numbers are unlikely ever to be introduced, hence data protection specialists can only really give as much advice as a Citizens Advice Bureau.
Action Fraud, which is a division of the Police, advises that the choice of password is a critical ingredient; however, it is FinanceFeeds’ opinion that its advice does not suffice.
Action Fraud advises not to use obvious words, such as a pet’s name, or that of an interest followed by a memorable date. These are often easily hacked by fraudsters using crawlers and software to discover the ‘lifestyle’ of users and randomly attempt to guess the password and thus access a trading account.
Indeed, MetaTrader 4 and MetaTrader 5 do not have a system by which too many attempts at a wrong password entry block the account entirely.
To avoid this, Action Fraud advises retail customers to find an easy-to-remember password that is made up of obscure things, such as, in their rather bizarre words, to imagine oneself on a Harley Davidson motorcycle with Yoko Ono riding pillion, and Dolly Parton’s music being played on the phone, thus HDYOKO925 would be a password they consider to be strong, yet easy to remember via that sequence.
This is well-meaning, if a little daft, as it takes into account the general need for people to remember their password, rather than have a very complex one written down for every account they hold.
Indeed, there are applications that can be downloaded that create complex passwords containing asterisks, speech marks, punctuation and non-alphabetical symbols akin to those used in the computer software and internet security industry and then store them offline for ease of use, however most retail customers would likely not want to be troubled by using these.
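The Action Fraud guidance described above, against a pet’s name or an interest followed by a memorable date, can be enforced at the moment a client sets a trading-account password. The following is an added example, not code from Action Fraud, FinanceFeeds or any trading platform; the profile fields, function names and sample profile are constructed assumptions.

```python
import re

# Constructed sample: details a broker already holds or that are publicly visible.
SAMPLE_PROFILE = {"pet": "Biscuit", "interest": "Arsenal FC", "birthday": "14/02/1985"}

def personal_tokens(profile):
    """Lower-cased words and digit runs (3+ characters) taken from the profile."""
    tokens = set()
    for value in profile.values():
        for part in re.findall(r"[a-z]+|\d+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens

def looks_like_date(digits):
    """True for digit runs that read as a year, DDMM, DDMMYY or DDMMYYYY."""
    if len(digits) == 4 and 1900 <= int(digits) <= 2099:
        return True
    if len(digits) in (4, 6, 8):
        day, month = int(digits[:2]), int(digits[2:4])
        return 1 <= day <= 31 and 1 <= month <= 12
    return False

def screen_password(password, profile):
    """Return the reasons to reject a password; an empty list means accept."""
    reasons = []
    lowered = password.lower()
    hits = sorted(t for t in personal_tokens(profile) if t in lowered)
    if hits:
        reasons.append("contains personal detail: " + ", ".join(hits))
    # The pattern Action Fraud warns about: a single word followed by a date.
    match = re.fullmatch(r"([a-z]+)(\d+)", lowered)
    if match and looks_like_date(match.group(2)):
        reasons.append("word followed by a date")
    return reasons

if __name__ == "__main__":
    for candidate in ("Biscuit1985", "Arsenal1402", "Summer2016", "tq7#Vd!m2Lw"):
        print(candidate, "->", screen_password(candidate, SAMPLE_PROFILE) or "accepted")
```
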
Early last year, research by McAfee Labs, the internet security and anti-virus research division of Intel Security, concluded that only 42% of cybersecurity professionals use shared threat intelligence, despite 97% of those who do use it having stated that it helps them provide a better counter-threat service and with 59% having stated that shared data is “very valuable” to their organization.
The FX industry is so multi-faceted that the need for cybersecurity exists in many specific areas such as the electronic payment processing sector, the safeguarding of client funds in online trading accounts and the actual access to trading accounts themselves in order that trades can be opened and closed.
Last summer in London, Tim Thompson, CEO of British payment service provider and risk management technology company NOIRE, explained to FinanceFeeds that FX brokerage accounts are usually accessible online needing only a username and password in order to gain access to sensitive data and exposure to fraudulent withdrawals.
“It can start in a number of ways,” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
Mr. Thompson had categorically stated that he had been aware of several successful attempts by hackers to access FX customer trading accounts and successfully facilitate withdrawals, something which prevailed during the course of last year.
Some five years ago, Jeff Wilkins, Managing Director of Michigan-based ThinkLiquidity (now IS Risk Management), a well recognized industry expert with regard to electronic risk management, explained during a meeting in Cyprus that within networks used in the FX industry, points of presence, which are dedicated connectivity solutions between venues, trading companies and hosts, had been gaining popularity, and that distributed points of presence connectivity allows protection against other security related matters such as denial of service attacks, confirming that ThinkLiquidity at that time always advised that this type of infrastructure is put in place.
This year, as the technology that counters hacking and cyber crime continues to be a subject of great investment by developers, the unfortunate reality is that, rather like germs that increase their immunities to improvements in medicine, the viruses and methods used by hackers are also highly evolutionary.
This year, ransomware continues to be a bugbear that most online trading firms and e-commerce entities should be aware of.
This, according to many internet security specialists, continues to develop in sophistication and will likely become a worse problem in 2017 than it was last year.
Ransomware is a form of malware that is used to encrypt all data held on computers or on smartphones that do not use the iOS operating system.
The idea behind it is that it allows a hacker to extort an amount of money from the owner of the data – for example customer records held in an online trading company’s CRM – and if the amount requested is not paid, then the hacker deploys the encryption and destroys the data.
This is often used against not only commercial enterprises but also government agencies, therefore the extent of its level of sophistication and ability to penetrate security systems is patently obvious.
A particular thing to check here is affiliate links.
It is advisable, when inserting affiliate links into websites, to check that they remain as originally defined, and that they do not show unusual or different characters from when they were inserted. These could be used to deploy ransomware, thus the advertisement which looks quite correct when viewed on a broker website may be contaminated with malware and once it is there, it is very, very difficult to remove.
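One way to carry out that check routinely is to record each affiliate link when it is inserted and compare the page as currently served against that record. This is an added example, not code from FinanceFeeds or any broker; the hosts, link values and function names are constructed assumptions.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collects href and src attribute values in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def unusual_characters(url):
    """Name the non-ASCII characters, or punycode host labels, in a URL."""
    odd = [unicodedata.name(ch, "UNKNOWN") for ch in url if ord(ch) > 127]
    if not odd:
        host = urlsplit(url).hostname or ""
        odd = [label for label in host.split(".") if label.startswith("xn--")]
    return odd

def audit_links(html, recorded):
    """Compare the links a page serves now with those recorded at insertion."""
    collector = LinkCollector()
    collector.feed(html)
    unexpected = []
    for url in collector.links:
        if url in recorded:
            continue  # exactly as originally defined
        odd = unusual_characters(url)
        reason = ("unusual characters: " + ", ".join(odd)) if odd \
            else "differs from every recorded link"
        unexpected.append((url, reason))
    missing = [url for url in recorded if url not in collector.links]
    return {"unexpected": unexpected, "missing": missing}

# Constructed sample: links recorded at insertion, and the page as served now.
RECORDED = ["https://partner.example/track?aff=1042",
            "https://ads.example/banner.js?aff=1042"]
PAGE = """
<a href="https://partner.example/track?aff=1042">Open an account</a>
<script src="https://ads.example/banner.js?aff=9999"></script>
<a href="https://p\u0430rtner.example/track?aff=1042">Bonus offer</a>
"""  # \u0430 is a Cyrillic letter that renders like a Latin "a"

if __name__ == "__main__":
    for url, reason in audit_links(PAGE, RECORDED)["unexpected"]:
        print("UNEXPECTED", ascii(url), "-", reason)
```

A recorded link that has been altered shows up twice in the report: once under `missing` and once under `unexpected`.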
Brokerages, IBs and their clients should be very wary of emails which prompt them to update their passwords. For clients, these could be trading account access passwords, for IBs they could be portal or CRM passwords and for brokers they could be back office passwords.
Our advice is not to click on anything that appears to be automatically generated and does not come from what appears to be the correct format of internal corporate email address, as it could contain code that grants hackers access to the trading account of retail clients, or the database owned by a broker, or even worse, the withdrawals system.
Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit. The theft of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend. Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane, and there is absolutely no reason at all why this type of espionage could not take place in the online trading firm, with counterfeiters wanting to get hold of new platform designs (MetaTrader 4 is the subject of massive counterfeit activity in China, and now with MetaTrader 5 having risen to popularity, espionage is not something to rule out).
The same applies to R&D departments of brokerages which have their own platforms and multi-asset offering, as hackers could spy on new unreleased designs and emulate them in order to beat them to market.
One thing to consider is that investment in cyber security startups has rocketed over the last few months. The Israel Export Institute stated at the Israel HLS & Cyber Conference that investment in cyber-security startups climbed more than threefold and exports increased 15% in the first half of the year, compared with the same time in 2015. That made Israel the No. 2 destination for cyber-security investment globally after the United States.
A clear indication that any online financial product is not immune from cyber threats is that even central banks and large institutions have experienced some very damaging interference from outside.
This year’s hacking of Britain’s Tesco Bank, the Bangladesh Bank and Russia’s Central Bank was just the tip of the iceberg of attacks on banks around the world that have been successfully perpetrated by groups such as the Carbanak gang for several years.
These days, the institutional sector has in some form adopted systems that provide dedicated connectivity. Venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013, however this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being the cost of implementing dedicated infrastructure to many smaller retail firms being high, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.
In October last year, Integral Development Corporation experienced an outage between the hours of 8.43am and 10.50am EST on the 19th day of the month, having its cause rectified later that day during a planned maintenance session.
FinanceFeeds contacted senior executives at Integral Development Corporation in order to establish the cause of this and to gain perspective on how it was resolved, however no reply was proffered, thus FinanceFeeds conducted investigations via trading logs and back office systems reports of several industry partners.
Whilst the reports from the back offices at various sources confirmed the outage, it is important to research the cause. From various industry information gathered, FinanceFeeds deduced that the cause of the outage was rectified in planned maintenance later in the day, itself taking 15 minutes longer than usual.
According to several industry sources, the outage occurred during the morning; however, at approximately 5.00pm Eastern Standard Time, during the period colloquially known as ‘roll’, which is when a number of server restarts happen and many traders in jurisdictions outside North America are inactive, Integral Development Corporation conducted maintenance which included a resolution to the cause of the outage earlier in the day.
This calls into question whether a backup system should be in place which diverts to an emergency server farm in the case of such an outage. Such systems have been commonplace in financial technology infrastructure for many years, including during my early years from 1991 onwards when infrastructure providers were continually testing uninterruptible power supplies (UPS) and uploading entire data sets onto DAT tapes constantly, to be able to switch to other servers in the event of an outage.
This year, the bandits appear to be as smart as even the largest of institutional internet security firms, hence vigilance and investment in furthering the cause of keeping the entire intellectual property, client assets and structure of online trading businesses secure is now paramount.