As the world goes online, up go the risks. Is your brokerage safe from the hackers?
As the world moves online, so do the hackers. The exponential increase in attempted fraud through attacks on online financial services companies over the last six months must be combatted. Will the brokers do it before the regulators do?
Who had heard of Zoom before March this year?
Very few people, by all accounts, even those employed in the high technology sector.
Zoom Inc used to have large billboard advertisements at JFK airport in New York, and various advertising campaigns aimed at corporate executives on the move in order to increase its presence in the online communications market, which was already quite a crowded place.
Now, following the endless lockdowns, Zoom has become as prominent as Google in everyday life.
Thus, it is fair to assume that the world has gone online, and that operating absolutely every aspect of the working day from home has become de rigueur.
There are those who consider this to be a move toward modern efficiency, and there are those who understand that it is a potential risk: as the number of people working remotely and using online means of communication has risen exponentially, so has the chance of being hacked by ne’er-do-wells.
Indeed, the amount of internet crime has rocketed in the same way that the amount of internet usage has increased, and financial services and electronic trading companies need to pay attention to potential security risks.
Oddly, there have been some companies taken by surprise, which is perhaps a sign of complacency.
Online commerce is, after all, over 20 years old and whilst most working-age people have taken to it, many people in the world still did not use online methods until they were forced to do so. We have all seen elderly people here in London very quickly get used to using mobile devices to order what they need, and very soon we will be forced into a mobile-first commercial scenario for a wide range of products and services.
Even people’s social lives have gone permanently online. It is fair to assume that this is absolutely detrimental and reminiscent of many dystopian novels of the 1940s and 1950s which painted a grim picture of the future of the world – around about the time we live in now – as being isolated people living in glass pods, totally controlled by a faceless government which speaks via a voice synthesizer to a population that has no names, just serial numbers, and which would not tolerate disobedience.
Whilst this appears to have been a relatively accurate look into the future, we have sophisticated technology. Without a variety of internet-based services for retail clients of every industry sector globally, there would be an even worse global affront to humanity than that being enforced now.
Yinglian Xie, CEO and Co-Founder of DataVisor, is one security industry executive who considers this of utmost importance.
She today advised that, rather obviously, physical bank vaults are safer than firewalls.
Whilst that sounds like a cliche, she does have a point.
“Fraudulent transactions are extremely difficult to catch because the decision to block a transaction must occur within seconds. Adding to the problem, the number of transactions has increased along with the number of payment channels, and fraudsters are taking advantage of these complexities, using AI to automate online and mobile attacks,” said Ms Xie.
“DataVisor, which is a fraud management, detection and prevention platform, uses deep-learning applications to help make more accurate, real-time decisions on behalf of banks and companies experiencing network disruptions. Working with the top 15 banks in the US, Pinterest, Yelp, etc., they are powering these institutions with advanced AI and machine learning algorithms that leverage holistic data analysis and intelligence across multiple customer touchpoints to detect and stop fraud early, before damage occurs, and without adding friction to the customer experience,” she said.
Yes indeed, that may appear to be blatant marketing speak, but it is quite clear that regulatory authorities will begin looking at how secure the infrastructural ringfencing of brokerages and electronic trading venues is in future, as client custodial accounts and trading accounts increasingly become the target of imposters and fraudsters.
Ms Xie’s current remit is centered on how traditional security technologies are ineffective because they can’t continuously adapt to the new AI-driven threats, how data breaches are inevitable, with the stolen data then sold through the dark web for fraudulent transactions and activity, and how rigid authentication schemes can frustrate legitimate customers by adding friction to the customer experience, leading to churn.
She considers that many businesses rely on traditional methods and address only the known types of fraudsters, and that to be truly proactive, businesses need to use more transformational methods like machine learning that relies on identifying patterns and co-ordinated attacks without relying on only known fraud patterns. And in many cases even macro level information like data centre IPs and email domains can be used to stop attacks early without the need for compromising privacy.
When we look at some of the less technologically advanced nations, they are really suffering right now, and it is heart-rending to watch.
However, those who live in the very few remaining (for how much longer we don’t know!) free democracies that exist are subject to other risks. The hackers are out in force, more than ever.
In March, a parody of the British government’s website was made and its logo and content sent via an SMS message link to random UK citizens, telling them that they had been seen breaking the ‘curfew’ (when there is no curfew like there is in some nations) and that they must pay £250 or face prosecution. This is a total cheat, and, rather ironically, emanates from South East Asia.
Whilst people concentrate on the endless repetitive drone of the news channels – I do not watch or listen to the news, it is like an over-emphasized and more fictitious version of Groundhog Day – and whilst people take to their new reality of internet-based living, the hackers and cheats are out in force and are having a field day.
Perhaps more alarming still is that the FinTech world is experiencing a tremendous array of attackers and DDoS chancers right now.
Retail bank and credit card websites are now overloaded with users who would ordinarily perhaps pay their bills the traditional way by mail, or at a post office, but are now using internet banking. Wait times are over 2 hours to speak to any bank in the United Kingdom about any subject at the moment, and people’s minds are on survival and being able to make their rent and mortgage payments whilst they languish at home under the utterly treacherous rules of a lock down, rather than considering protection against hackers.
I did some research on this matter this week, and found that some websites, especially those representing lesser-known financial services companies, are out of action because they have been hacked and security has been breached, opening their confidential databases to home-bound ne’er-do-wells who will then nefariously use customer data, or even worse, make transactions on people’s accounts.
Most of these sites have been taken offline and remain so for some time; however, this does show the utterly Dickensian times that urban humanity is now returning to.
With regard to this, it is worth taking time to secure your brokerage even more than it already is. We are among the world’s most astute in terms of cybersecurity in our industry, partly due to regulatory clampdowns on the security of client assets, and partly due to the forward-thinking and downright clever methods put in place by the astute leaders of our industry, who should certainly afford themselves a degree of pride.
We must be vigilant, however.
Tim Thompson, CEO of British payment service provider and risk management technology company NOIRE, explained to me recently that FX brokerage accounts had until recently in many cases been accessible online with only a username and password needed to gain access to sensitive data, leaving them exposed to fraudulent withdrawals.
“The way fraudsters access accounts can start in a number of ways,” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details through emails pretending to be from the broker and telephone calls, and Trojan malware programs, often downloaded for trading platforms, which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
Mr. Thompson explained that in many cases, fraudsters have been able to successfully make withdrawals from trading accounts, their requests being so authentic that they have been passed by even the most diligent of compliance departments. The ability to access accounts by phishing and sending in Trojan horse malware programs in order to ‘emulate’ the real customer would be avoided with the right anti-fraud security systems.
Some seven years ago, Jeff Wilkins, Managing Director of Michigan-based IS Risk Analytics, a well-recognized industry expert with regard to electronic risk management, explained to FinanceFeeds during a meeting in Cyprus that within networks used in the FX industry, points of presence, which are dedicated connectivity solutions between venues, trading companies and hosts, had been gaining popularity, and that distributed points of presence connectivity allows protection against denial of service attacks, confirming that ThinkLiquidity at that time always advised that this type of infrastructure is put in place.
Three years after that, the institutional sector began in some form to adopt such systems. Venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013; however, this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being that the cost of implementing dedicated infrastructure is high for many smaller retail firms, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.
And where are TMX Atrium these days anyway? We seem to live in a hosting monopoly, with Equinix overshadowing everyone including my previous employer BT Radianz where I started my career in 1991 in their financial markets infrastructure division before the Radianz acquisition!
Four years ago, a spate of connectivity outages began affecting internet access for hosted customers of several MetaTrader 4-based brokerages, from Australia to Japan, and across the APAC region, largely as a result of attempted DDoS (Distributed Denial of Service) attacks.
In these cases, most of the attacks function by bombarding the server with a high volume of messages in order to either slow down the server, or to prevent it functioning at all, creating tremendous potential damage to brokerages, and subsequently, their clients.
The brokerage business is well on top of this, and dialogs that go back as far as these are clear testimony that the specialists within this industry are able to dedicate resources to ensuring safety of data, funds and to stop malicious attempts to damage rival businesses.
However, whilst our industry, especially in the retail sector, is very much committed to research and development and is in many cases responsible for driving forward new developments that eventually make their way into the wider financial and technology sectors, the banks are the entities with the time and the dedicated departments of several hundred technicians, and eventually, whilst often slower at bringing new developments to market than the non-bank world, they get it right and have top quality solutions once they are approved for mainstream use.
Lloyds Banking Group, one of the firms that is under tremendous load this week with a deluge of customers panicking and calling them on the business and retail side, has emulated some of Silicon Valley’s large internet firms by creating its facility in London in the same vein as a technology development firm rather than a belt-and-braces bank department.
The digital office seems more suited to the likes of Google or Facebook than one of Britain’s oldest banks. It is full of brightly coloured, coffee-stained sofas, garish green wallpaper and groups of young men clad in T-shirts and jeans talking excitedly in huddled groups over computer screens.
This bears a stark contrast to the 18 years of my 29-year career in electronic trading as a connectivity, software deployment and server engineer within many of the Tier 1 banks. Back in the early 1990s, the in-house development and R&D divisions of bank technology divisions were ultra-conservative, and whilst absolutely ground-breaking in terms of the understanding of technological topography, not to mention a continually fascinating and sophisticated environment in which to have the privilege to spend a large part of one’s career, they were very beige cardigan, and not very Starbucks.
And today, it’s the Starbucks frequenters that have the upper hand over the beige cardigan when it comes to cyber attacks in this internet-dependent world.
However, it is the civic duty of the Starbucks frequenters to do their bit to protect those who don a beige cardigan in the morning as we have been forced to be socially responsible toward each other at a time during which the customer service lines are jammed solid and support staff are either out of the office or working from home.
Let’s do our bit to make people aware, and safeguard what will be left after this economic Armageddon.