[ISN] Security should be an issue when choosing an online broker

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 23:09:33 PDT


http://www.theglobeandmail.com/servlet/story/LAC.20070814.RCARRICK14/TPStory/Business

By Rob Carrick
August 14, 2007

It's time to start thinking about security, and not just commission fees 
and service, when you decide which online broker to use.

The Investment Dealers Association of Canada says its members are 
reporting about two to three instances of hackers gaining access to 
client accounts each month, and the results can be costly both in 
dollars lost and aggravation. That's the message from a woman who 
contacted this column last week about an incident on July 30 in which a 
hacker gained access to her account, sold her holdings and began buying 
shares of a Nasdaq-listed company.

"I was just shocked when I heard this happened," said the woman, who 
asked that her name not be used. "I'm not very computer savvy and I 
didn't know that this was a risk that I was taking when I traded with a 
discount broker online."

The woman's broker, Montreal-based TradeFreedom Securities, had as of 
yesterday promised to restore her account to the state it was in before 
the intrusion. But her experience has led her to wonder if she'd be 
better off with a broker that offers a security guarantee against losses 
from fraud.

Her brush with a hacker began two weeks ago when she was unable to log 
into her account online. She said she was told by her broker after 
calling in that someone had gained access to her account, sold her 
holdings and purchased 11,400 shares of SourceForge Inc., an Internet 
company. She recalls being told that her account had been frozen when 
TradeFreedom's internal systems noticed some trading anomalies.

Presumably, the fraudster was trying a version of the pump-and-dump 
scam, where big purchases are used to bid up the price of a stock. The 
fraudster then sells his own personal position in the stock, taking 
advantage of the upward price move.

SourceForge's share price didn't tank after the unauthorized purchases 
in the woman's account, as sometimes happens. However, she said she 
missed out on a rise in a core stock in her portfolio that was sold by 
the hacker. "What gets me is that it was my intention not to sell the 
stock," she said.

The key question here, of course, is how a hacker got access to the 
woman's username and password, which are needed to access an account 
online. Experts say your personal data can be stolen if you click on 
strange e-mails that introduce spyware or viruses to your computer, but 
the woman said she has anti-virus software on her computer, and that she 
hasn't opened any suspect e-mails. TradeFreedom is still investigating.

So it goes with security problems such as these. It's difficult to know 
exactly how they happened and who's at fault. If you're victimized, all 
you want is for the problem to go away.

This brings us to security guarantees, which are now fairly standard in 
the credit card world through zero-liability policies that eliminate the 
risk of having to pay for fraudulent transactions. In the online 
brokerage world, security guarantees are slowly starting to catch on.

Among the firms that offer them are TD Waterhouse, the country's largest 
online broker, RBC Direct Investing, E-Trade Canada and Qtrade Investor. 
Note: these guarantees are not bulletproof. They may require you to 
notify your broker within a few days of an account intrusion and to 
co-operate fully in providing information to your broker. Also, they may 
not cover you if you failed to take reasonable precautions to keep your 
account safe.

Still, having a security guarantee at least suggests a level of 
commitment to protecting clients against fraud. Without one, customers 
can't be sure of where they stand if they've been victimized.

Consider the case of the woman whose account was hacked - she said she 
was told initially that TradeFreedom would not restore her account to 
the way it was before the intrusion. Then, the firm decided to step up.

"Generally, our policy is if a customer has unknowingly or unwittingly 
been victimized, we help the customer out," said Bruce Seago, 
TradeFreedom's president.

People in the investment industry say online fraud isn't a major problem 
in Canada, but the situation in the United States suggests it could 
easily get worse. E-Trade Financial's annual report says the company's 
fraud losses tripled to $31.2-million (U.S.) last year.

Your first line of defence as an investor is to take all possible 
precautions. Then, on the off chance a hacker nails you, consider using 
a broker with a security guarantee.

Take it from a woman who has lived through the experience of being a 
victimized investor: "There's enough risk out there without this sort of 
thing happening."


PROTECT YOURSELF

Here are some suggestions for protecting the username and password 
required to log into your online brokerage account. This personal data 
can be captured by hackers who use it for frauds that involve 
unauthorized trading in your account.

* Don't share your username or password with anyone.

* Avoid accessing your account using wireless Internet access in a 
  public place.

* Use anti-virus and anti-spyware programs on your computer, and keep 
  them updated.

* Steer clear of "phishing" e-mails, which direct you to phony websites 
  where you're asked to provide your username and password.

* Be cautious in clicking on attachments in e-mails.

* Clear the cache on your Web browser after logging out.

* Review your account statements to ensure all transactions were 
  authorized by you.

Source: TradeFreedom Securities

