The online criminals are at it again – Brokers beware as FXCM hit for third time
FXCM has been hacked three times in five years, this time it’s Israel office being the target. The first time was in 2015, when customer money was withdrawn by fraudsters, sending the shares to an all time low. This time, FXCM Israel says no customer accounts were compromised. We explain why cyber security is vital in our industry
The unlawful obtaining of customer information or the unauthorized gaining of access to online accounts is a very important modern criminal activity that should absolutely not be taken lightly, especially in the FX industry which not only conducts its entire, global business via the internet, but also is responsible for financial transactions and the safekeeping of client monies.
Cybersecurity, the terminology given to the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide, is paramount and therefore access to the right information from all parties is a given…. or is it?
Rather in keeping with the combination of avantgarde technological leadership and entrepreneurial pioneering spirit that exists even within the large, long established firms in the online trading industry, whilst online security and client money custody cannot ever be the subject of complacency, it is quite surprising how far ahead the FX industry is in terms of awareness and action compared to much larger, long established financial institutions with their own internal development and security teams.
Over the last five years, FXCM, one of the largest FX firms in the world, which before the National Futures Association (NFA) removed its license in its home market, was by far the largest, has been subjected once again to what is being reported as a ‘cyber event’ – politically correct terminology for a full compromise of data security as a result of criminals having accessed FXCM’s systems and obtained customer information.
This particular incident happened on Sunday, January 10, 2021 and affected the company’s Israel offices, as reported by Israeli business media company Globes this week.
The report, in Hebrew, stated that FXCM had announced “in the morning, the company became aware that an unauthorized person had broken into the company’s computerized data set and copied information from it, including documenting recordings of conversations between customers and company representatives.”
The company also explained that “according to its tests, so far, and to the best of its knowledge, for the time being, there is no danger to customers’ money, bank account details and / or account login passwords and the trading system operates as a series.”
FXCM’s Israel office reported this matter to the Israel Securities Authority which is the financial markets regulator for the State of Israel.
This time, FXCM has explained that customer accounts were not at risk, however in previous cyber attacks, they have been.
In 2017, Tim Thompson, CEO of British payment payment service provider and risk management technology company NOIRE explained to FinanceFeeds that FX brokerage accounts are usually accessible online needing only a username and password in order to gain access to sensitive data and exposure to fraudulent withdrawals.
“It can start in a number of ways” explained Mr. Thompson. “These methods include fraudsters phishing customers details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
Mr. Thompson explained that in many cases, fraudsters have been able to successfully make withdrawals from trading accounts, their requests being so authentic that they have been passed by even the most diligent of compliance departments. The ability to access accounts by phishing and sending in Trojan horse malware programs in order to ’emulate’ the real customer would be avoided with the right anti-fraud security systems.
We believe that in this case, FXCM was the company in question and that as a result of the fraudsters having been able to breach the system security and access accounts, withdrawals had been made.
Back in 2015, FXCM had experienced a successful attempt by hackers to access the company’s systems, and a “small number” of unauthorized wire transfers were made from customer accounts, sending the company’s shares down 25 percent to a record low.
At that time, FXCM said it received an email from a hacker claiming to have illegal access to customer information and that it had notified the Federal Bureau of Investigation, and an FBI spokeswoman said the bureau was “aware of the incident and is investigating.”
FXCM said it was working with a cybersecurity firm to determine the scale of the incident and identify affected customers.
Regarding this week’s hack, FXCM states that if it appears that personal details of customers have been copied, the company will provide the relevant customers with information regarding the details in the possession of the same unauthorized party.
The Israel Securities Authority stated on Monday that “the ISA required the company to provide all information known to it regarding the incident” and that it “is in continuous contact with the company in order to examine the possible risks that may arise from this incident.”
The ISA, which oversees the activities of all FX brokers in Israel, also said that “at the same time, the authority is also in contact with the relevant government cyber factors to provide guidance and examine the risks, if any.”
FXCM spoke to FinanceFeeds this morning on this matter, explaining “FXCM Trading Limited (FXCM Israel), a licensee of the FXCM brand but not a member of the FXCM Group, has become aware of an unauthorized party accessing computerized data, including recordings of conversations between customers and FXCM Israel representatives.”
“According to company tests, to the best of its knowledge there is no danger to customer’s money, bank account details or account logins/passwords. All necessary and appropriate steps are being taken with regard to the local regulators and law enforcement. FXCM Group will provide all possible assistance including the attention and resources of our internal cyber security team” concluded the FXCM spokesman.
Recently, there have been many reports of cyber incidents in business companies, and at present it is not clear the source behind these attacks is unknown.
The reality is, however, that FXCM has had this happen three times in five years, which should ring alarm bells.
Some three four years ago, Jeff Wilkins, Managing Director of Michigan-based IS Prime a well recognized industry expert with regard to electronic risk management, explained to FinanceFeeds during a meeting in Cyprus that within networks used in the FX industry, points of presence, which are dedicated connectivity solutions between venues, trading companies and hosts, had been gaining popularity, and that distributed points of presence connectivity allows protection against denial of service attacks, confirming that ThinkLiquidity at that time always advised that this type of infrastructure is put in place.
Three years on, the institutional sector has in some form adopted such systems, venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013, however this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being the cost of implementing dedicated infrastructure to many smaller retail firms being high, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.
Two years ago, a spate of connectivity outages began affecting internet access for hosted customers of several MetaTrader 4-based brokerages, from Australia to Japan, and across the APAC region, largely as a result of attempted DDOS (Distributed Denial of Service) attacks.
In these cases, most of the attacks function by bombarding the server with a high volume of messages in order to either slow down the server, or to prevent it functioning at all, creating tremendous potential damage to brokerages, and subsequently, their clients.
The brokerage business is well on top of this, and dialogs that go back as far as these are clear testimony that the specialists within this industry are able to dedicate resources to ensuring safety of data, funds and to stop malicious attempts to damage rival businesses.
However, whilst our industry, especially in the retail sector, is very much committed to research and development and is in many cases responsible for driving forward new developments that eventually make their way into the wider financial and technology sectors, the banks are the entities with the time, the dedicated departments of several hundred technicians and eventually, whilst often slower at bringing new developments to market than the non-bank world, they get it right and have top quality solutions once they are approved for mainstream use.
Lloyds Banking Group has emulated some of Silicon Valley’s large internet firms by creating its facility in London in the same vein as a technology development firm rather than a belt-and-braces bank department.
The digital office seems more suited to the likes of Google or Facebook than one of Britain’s oldest banks. It is full of brightly coloured, coffee-stained sofas, garish green wallpaper and groups of young men clad in T-shirts and jeans talking excitedly in huddled groups over computer screens.
This bears a stark contrast to the 18 years of my 27 year career in electronic trading as a connectivity, software deployment and server engineer within many of the Tier 1 banks. Back in the early 1990s, the in-house development and R&D divisions of bank technology divisions were ultra-conservative, and whilst absolutely ground breaking in terms of the understanding of technological topography, not to mention a continually fascinating and sophisticated environment in which to have the privilege to spend a large part of one’s career, very beige cardigan, and not very Starbucks.
And today, it’s the Starbucks frequenters that have the upper hand over the beige cardigan when it comes to cyber attacks in this internet-dependent world.
With Lloyds’ new system, if a fraudster manages to gain access to an account, when they log in, the bank’s computer system — called the Risk Engine — will be waiting to catch them out. It is looking for any suspicious activity that seems out of character for that customer.
So if, for example, someone logs into your account from a computer in Manchester when you live in London, or types the password far more slowly than usual, the system will put an alert on the account.
If nothing suspicious happens next, the alert could be downgraded — after all, it might just be that you’re trying to check your balance from a friend’s house and are struggling to remember your password. In this case you probably wouldn’t even know anything had happened.
Under existing banking rules, if a fraudster steals someone’s card details and takes money from their account without their permission, their bank must refund the customer — unless they have been negligent with their personal details by telling someone else their password or PIN, for example.
However, there is currently no such protection for people who have been duped into handing over their cash — known as authorised fraud. In this instance, you will typically only get your money back if you can prove the bank made a mistake.
The same applies to retail FX. Many retail FX customers mistakenly consider that they are able to rely on the Financial Services Compensation Scheme (FSCS) if something goes awry, however, that, as demonstrated recently in a refusal to compensate customers who hold money with PremierFX.
FinanceFeeds reported that Premier FX Limited was only ever permitted to carry out certain payment services known as ‘money remittance’. However, Premier FX was found to be acting outside of the boundary of these permissions by also holding customer money in their accounts.
FSCS will not protect money customers held with Premier FX Limited because the firm was not authorised by the FCA to hold customer money in its accounts. This means FSCS will be unable to compensate for any shortfalls in customers’ money held by Premier FX Limited.
If this is the case, it is possible to consider that the FSCS is not a silver bullet or a cast iron shield against losses, thus greater security is required.
NOIRE CEO Tim Thompson’s explanation to FinanceFeeds as described earlier in this article shows that it is entirely possible to enter accounts and successfully make withdrawals of customer funds illegally. Mr Thompson actually showed records provided to him by some very well known FX firms that had enlisted his services following some large withdrawals having been made from customer accounts by fraudsters that were able to gain access and submit a withdrawal to the broker in the name of the account holder.
“It can start in a number of ways” explained Mr. Thompson. “These methods include fraudsters phishing customers details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
Ransomware is a form of malware that is used to encrypt all data held on computers or on smartphones that do not use the iOS operating system.
The idea behind it is that it allows a hacker to extort an amount of money from the owner of the data – for example customer records held in an online trading company’s CRM – and if the amount requested is not paid, then the hacker deploys the encryption and destroys the data.
This is often used against not only commercial enterprises but also government agencies, therefore the extent of its level of sophistication and ability to penetrate security systems is patently obvious.
A particular thing to check here is affiliate links.
It is advisable when inserting affiliate links into websites that they are as originally defined, and that they do not appear to show unusual or differing characters than when they were inserted. These could be used to deploy ransomware, thus the advertisement which looks quite correct when viewed on a broker website may be contaminated with malware and once it is there, it is very very difficult to remove.
Brokerages, IBs and their clients should be very wary of emails which prompt them to update their passwords. For clients, these could be trading account access passwords, for IBs they could be portal or CRM passwords and for brokers they could be back office passwords.
Anything that appears to be automatically generated and does not come from what appears to be the correct format of internal corporate email address, our advice is not to click on it as it could contain code that grants hackers access to the trading account of retail clients, or the database owned by a broker, or even worse, the withdrawals system.
Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit. The theft of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend. Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane, and there is absolutely no reason at all why this type of espionage could not take place in the online trading firm, with counterfeiters wanting to get hold of new platform designs (MetaTrader 4 is the subject of massive counterfeit activity in China, and now with MetaTrader 5 having risen to popularity, espionage is not something to rule out).
The same applies to R&D departments of brokerages which have their own platforms and multi-asset offering, as hackers could spy on new unreleased designs and emulate them in order to beat them to market.
Whilst the FX world’s technologists are very quick, entrepreneurial and have shown over the years that their skills can get a very good product to market very quickly and actually change the face of the financial world, the large, well funded Tier 1 banks are developing holistic, all encompassing solutions that we will all benefit from.
Thus, a combination of the pioneering spirit of the FX world and the over-reaching prowess of bank technologists would be a good combination indeed.
