How valuable is YOUR data? Even the large institutions are worried…
A very comprehensive look at why keeping data safe is critical, whether for a small retail FX firm or a large Tier 1 bank, how to do it and what to look out for. FinanceFeeds delves deep.
Due to its nature as an online business, a substantial part of the intellectual property of a retail FX brokerage is its customer database.
For many retail FX firms, especially those that use MetaTrader 4 and provide spot FX to a client base of medium to low deposit value (the category that produces the average deposit amount of $3800 per customer), the differentiating factor in the intrinsic value of the business is the size and trading activity of the traders and introducing partners or portfolio managers that generated the last three years’ revenues.
Thus, many brokerages which offer a similar trading environment and value proposition to their array of competitors have been for quite some time concerned about the security of the client database that forms such an important component within their business.
Unwelcome attempts at accessing customer accounts from the inside are somewhat passé these days. Within most retail FX firms it is no longer par for the course that a junior employee should acquire the contents of a CRM in order to sell it to his next employer, as used to happen in some unregulated smaller firms a few years ago and still occurs on a prolific basis within the sordid binary options industry.
These days, these unwelcome attempts are from the outside, using sophisticated trojan horse style deployable viruses in order to collect customer passwords and usernames and access the records for commercial benefit, and in some cases by fraudsters wishing to make withdrawals from trading accounts.
FinanceFeeds has conducted substantial research with regard to cyber security within the retail FX industry recently, and continues to maintain that ensuring secure data is one of the top priorities for R&D investment this year.
What has transpired more recently than the all-too-well-known risks for retail brokerages and their customers is that the need to increase cyber security mettle is not just the preserve or concern of the retail FX trading business, but is also firmly in the lap of senior executives within the world’s largest Tier 1 financial institutions which have extensive and high-budget in house systems development and support divisions.
For example, major banks – especially those whose core business activity is Tier 1 interbank FX dealing – are moving away from analog, belt-and-braces branch banking, closing down many of their branches and offloading entire continental retail banking divisions, and instead concentrating on their interbank dealing, whilst encouraging existing retail customers to go completely online.
The wood-paneled walls and cut-glass whiskey decanters of Lombard Street are gone and forgotten. Central London’s financial powerhouse is today fully reliant on its FinTech sector to shape the topography of its future infrastructure.
Twenty-five years ago, at the very beginning of my career in this all-encompassing and fascinating industry which still provides me with enthusiasm to this day, things were somewhat different.
London was an institutional, old school tie establishment. Its bank trading desks were intrinsically linked to in-house technologists who had spent their lives at the firm, to government-owned British Telecom for connectivity (now BT Radianz) and were part of a more innocent, less international world.
Simply, London dominated and nowhere else stood a chance. A small worm virus from the Far East would have been dismissed with a derisory look over the half-moon spectacles of a divisional manager at a London bank. Accompanied by a postured laugh with a shade of sarcasm, a quick straightening of the Old Mill Hillians school tie, a dismissive shake of the head and a quiet utterance of “good grief”, it would be shaken off lightly before he continued to enjoy his fine Aveyron Truffade served under a silver cloche in the managers’ restaurant.
Looking back to 25 years ago, I recently said:
10BASE2 networks could not be extended without breaking service temporarily for existing users and the presence of many joints in the cable also makes them very vulnerable to accidental or malicious disruption. There were proprietary wallport/cable systems that claimed to avoid these problems (e.g. SaferTap) but these never became widespread, possibly due to a lack of standardization. Can you imagine that in today’s retail trading environment, where best execution and nano-second response is demanded? – Andrew Saks-McLeod, CEO, FinanceFeeds
Today, gone are the managers’ restaurant and the pretentious old-schoolism that is part of London’s endearing corporate charm, and well and truly here are the 25-year-old, jeans-and-sneakers-wearing technology geniuses, working hand in hand with the longstanding traditional institutions, which are not so traditional anymore.
Gone also are the differences between the system topography upon which I reminisce, and the fully standardized global infrastructure of today which is a hacker’s delight.
Indeed, HSBC and Barclays, along with the London-based electronic trading global headquarters of transatlantic and continental counterparts Citi, Deutsche Bank and JP Morgan Chase are as modern and focused on ultra-high technology as the recent computer science graduates who think a glass ceiling is something that hinders their innovative abilities, not an adornment in the dining gallery of their favorite Caribbean cruise ship.
The ID Co is a case in point.
The ID Co consists of two online security products. One, miiCard, is a virtual passport for individuals. The other, DirectID, is a bank-verified identity for businesses. Just a few years ago, start-ups like this would have been targeting small online or ecommerce firms, but today The ID Co has major banks firmly in its sights.
“The reality is, as individuals, if we really knew and appreciated the risks we face when dealing with financial services online, we simply wouldn’t do it,” suggests James Varga, chief executive officer of The ID Co. “15 years ago nobody knew about banking fraud, now everybody knows somebody who has been affected by fraud, phishing attacks, or identity theft.
“High profile hacks from TalkTalk, Yahoo and dating sites have exposed our personal data to potential misuse. The fact is, a lot of that risk comes from our online activities and the need to constantly prove we are who we say we are.”
With online fraud growing every year, it is now estimated to cost the UK economy more than £11bn per year, with bank-funded crime prevention group Financial Fraud Action reporting that a financial scam was carried out every 15 seconds in 2016.
In his role as CEO, Mr Varga has spent the past five years playing an active part in the UK’s Open Bank Working Group,
“We began discussions with GSMA, the trade association for the mobile industry, as well as Verify.gov a number of years ago. As part of those discussions, we were invited by HM Treasury to participate in the development of the latest pan-European Payment Services Directive (PSD2) programme, where I co-chaired the data sub-group.”
For fintech businesses, the ongoing adoption of PSD2 across Europe – a two-year process that is expected to be complete by January 2018 – represents a watershed moment.
The key requirement of PSD2 is that banks provide access, via secure APIs, to their customer accounts and provide account information to third-party apps, if the account holder wishes.
“It establishes standardised interactions between consumers and their banks – seamlessly and securely,” said Mr. Varga.
The implementation of PSD2, which has been driven largely from the UK, will enable fintech businesses to accelerate disruption in a sector recognized for limited innovation and for being understandably risk averse.
According to data from the World Economic Forum, investment in fintech has soared in the past decade – from $1.8 billion in 2010 to $19 billion in 2015.
The majority of that investment has targeted the most profitable areas of global banking – namely personal and corporate finance. While fintech investment continues to be dominated by Silicon Valley, London remains the undisputed fintech capital of Europe, while pre-Brexit research by Ernst & Young singled out the UK as a whole as the world’s leading fintech center.
Banks are now well and truly focused on a thoroughly modern approach when it comes to securing their trading topography as well as their extremely valuable databases. Not only is customer data critical to business value, but in banking, leaks are subject to litigation for breaching data protection laws.
As for how the retail FX sector leads the way in security innovation, a few months ago Tim Thompson, CEO of British payment service provider and risk management technology company NOIRE, explained to FinanceFeeds that FX brokerage accounts are usually accessible online, needing only a username and password in order to gain access to sensitive data, which leaves them exposed to fraudulent withdrawals.
“It can start in a number of ways,” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
Mr. Thompson had categorically stated that he had been aware of several successful attempts by hackers to access FX customer trading accounts and successfully facilitate withdrawals, something which prevailed during the course of last year.
Some four years ago, Jeff Wilkins, Managing Director of Michigan-based ThinkLiquidity and a well recognized industry expert on electronic risk management, explained during a meeting in Cyprus that points of presence, which are dedicated connectivity solutions between venues, trading companies and hosts, had been gaining popularity within networks used in the FX industry. He added that distributed points of presence connectivity allows protection against other security related matters such as denial of service attacks, and confirmed that ThinkLiquidity at that time always advised that this type of infrastructure be put in place.
This year, as the technology that counters hacking and cyber crime continues to be a subject of great investment by developers, the unfortunate reality is that, rather like germs that increase their immunities to improvements in medicine, the viruses and methods used by hackers are also highly evolutionary.
This year, ransomware continues to be a bugbear that most online trading firms and e-commerce entities should be aware of.
This, according to many internet security specialists, continues to develop in sophistication and will likely become a worse problem in 2017 than it was last year.
Ransomware is a form of malware that is used to encrypt all data held on computers or on smartphones that do not use the iOS operating system.
The idea behind it is that it allows a hacker to extort an amount of money from the owner of the data – for example customer records held in an online trading company’s CRM – and if the amount requested is not paid, then the hacker deploys the encryption and destroys the data.
This is often used against not only commercial enterprises but also government agencies, therefore the extent of its level of sophistication and ability to penetrate security systems is patently obvious.
A particular thing to check here is affiliate links.
When inserting affiliate links into websites, it is advisable to check that they remain as originally defined, and that they do not show unusual characters or characters that differ from those present when they were inserted. Altered links could be used to deploy ransomware, so an advertisement which looks quite correct when viewed on a broker website may be contaminated with malware, and once it is there, it is very difficult to remove.
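One way to automate the affiliate-link check described above, as an added example that is not part of the original article: it compares every link on a page against the links as they were originally inserted and flags any that changed or whose hostname contains non-ASCII or punycode characters. The baseline URLs, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed baseline: affiliate links exactly as they were originally inserted.
BASELINE = {
    "https://partner.example.com/track?aff=1001",
    "https://ads.example.net/banner?id=77",
}

class LinkCollector(HTMLParser):
    """Collect every href/src attribute value found in the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())

def suspicious_host(url):
    """Reasons the hostname may contain look-alike or encoded characters."""
    host = urlsplit(url).hostname or ""
    reasons = []
    if not host.isascii():
        reasons.append("non-ASCII characters in hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in hostname")
    return reasons

def audit_links(html, baseline):
    """Return {url: [reasons]} for every link that differs from the baseline."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for url in collector.links:
        if url in baseline:
            continue  # unchanged since insertion
        findings[url] = ["not in baseline of originally inserted links"]
        findings[url] += suspicious_host(url)
    return findings

# Constructed sample page: the second link has a Cyrillic 'a' in "partner",
# the script tag uses a punycode label that was never in the baseline.
SAMPLE_HTML = """
<a href="https://partner.example.com/track?aff=1001">Trade now</a>
<a href="https://p\u0430rtner.example.com/track?aff=1001">Trade now</a>
<img src="https://ads.example.net/banner?id=77">
<script src="https://xn--ds-5ja.example.net/banner.js"></script>
"""

if __name__ == "__main__":
    for url, reasons in audit_links(SAMPLE_HTML, BASELINE).items():
        print(url, "->", "; ".join(reasons))
```

Run on a schedule against the live page, a non-empty result means a link no longer matches what was inserted and should be reviewed before the page stays published.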
Brokerages, IBs and their clients should be very wary of emails which prompt them to update their passwords. For clients, these could be trading account access passwords, for IBs they could be portal or CRM passwords and for brokers they could be back office passwords.
Just last week FinanceFeeds exposed a massive data security issue within the Hello Markets platform, in which a simple URL can be copied and pasted into the source code of the site, revealing the entire database of all of the affiliates that use the Hello Markets platform. FinanceFeeds brought this to the attention of the company, and explained exactly how to replicate it; however, the company has thus far been unable to resolve it.
Our advice is not to click on anything that appears to be automatically generated and does not come from what appears to be the correct format of internal corporate email address, as it could contain code that grants hackers access to the trading account of retail clients, or the database owned by a broker, or even worse, the withdrawals system.
Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit. The theft of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend. Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane, and there is absolutely no reason at all why this type of espionage could not take place at an online trading firm, with counterfeiters wanting to get hold of new platform designs (MetaTrader 4 is the subject of massive counterfeit activity in China, and now with MetaTrader 5 having risen to popularity, espionage is not something to rule out).
The same applies to R&D departments of brokerages which have their own platforms and multi-asset offering, as hackers could spy on new unreleased designs and emulate them in order to beat them to market.
One thing to consider is that investment in cyber security startups has rocketed over the last few months. The Israel Export Institute stated at the Israel HLS & Cyber Conference that investment in cyber-security startups climbed more than threefold and exports increased 15% in the first half of the year, compared with the same time in 2015. That made Israel the No. 2 destination for cyber-security investment globally after the United States.
A clear indication that any online financial product is not immune from cyber threats is that even central banks and large institutions have experienced some very damaging interference from outside.
This year’s hacks of Britain’s Tesco Bank, the Bangladesh Bank and Russia’s Central Bank were just the tip of the iceberg of attacks on banks around the world that have been successfully perpetrated by groups such as the Carbanak gang for several years.
These days, the institutional sector has in some form adopted systems that provide dedicated connectivity. Venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013. However, this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being the high cost of implementing dedicated infrastructure for many smaller retail firms, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.
In October last year, Integral Development Corporation experienced an outage between the hours of 8.43am and 10.50am EST on the 19th day of the month, having its cause rectified later that day during a planned maintenance session.
FinanceFeeds contacted senior executives at Integral Development Corporation in order to establish the cause of this and to gain perspective on how it was resolved, however no reply was proffered, thus FinanceFeeds conducted investigations via trading logs and back office systems reports of several industry partners.
Whilst the reports from the back offices at various sources confirmed the outage, it is important to research the cause. According to various industry information gathered by FinanceFeeds, the cause of the outage was rectified in planned maintenance later in the day, which itself took 15 minutes longer than usual.
According to several industry sources, the outage occurred during the morning. At approximately 5.00pm Eastern Standard Time, during the period colloquially known as ‘roll’, when a number of server restarts happen and many traders in jurisdictions outside North America are inactive, Integral Development Corporation conducted maintenance which included a resolution to the cause of the outage earlier in the day.
This calls into question whether a backup system should be in place which diverts to an emergency server farm in the case of such an outage. Such systems have been commonplace in financial technology infrastructure for many years, including during my early years from 1991 onwards, when infrastructure providers were continually testing uninterruptible power supplies (UPS) and constantly uploading entire data sets onto DAT tapes, to be able to switch to other servers in the event of an outage.
This year, the bandits appear to be as smart as even the largest of institutional internet security firms, hence vigilance and investment in furthering the cause of keeping the entire intellectual property, client assets and structure of online trading businesses secure is now paramount.