Saturday, March 15, 2008
What Online Brokers Are Doing To Keep Their Customers' Accounts Safe
HORROR STORIES ABOUND ABOUT ON-LINE BROKERAGE ACCOUNTS hacked by mysterious bad guys, and then emptied. The methods vary from simple, such as logging in and transferring cash to a thief’s account, to complex, such as rigging an investor’s computer to buy penny stocks being sold by a crook at hugely inflated values.
Online investors say that security is an increasingly important factor in selecting a broker, so we surveyed nearly two-dozen firms to see what they’re doing to keep their customers’ money safe.
As a quick and easy starting point, always be sure you see the letter “s,” as in “https,” preceding the Web address of a site at which you’re entering personal or sensitive information. The “s” is a standard indication that the site is secure. Another is the padlock icon in the lower right-hand corner of the browser window. Even so, these indicators can be duplicated by some very clever fraudsters.
ONE METHOD THAT BROKERS use to thwart troublemakers is a token that generates a series of numbers that change every minute or two. Clients use these momentary passwords to log in to their accounts. The password’s life span is too short for a hacker to steal it. This, however, requires customers to carry the token around with them, usually on a key ring or in a wallet.
James Burton, a senior vice president at Fidelity’s retail-brokerage unit, says his firm employs extensive physical, electronic and procedural security controls, regularly modifying them to meet changing technology threats. Fidelity’s encryption standards turn the data you send across your Internet connection into gobbledygook, unless the computer receiving the information can decode it. Fidelity.com, like many brokerage sites, will automatically log you off after a short period of inactivity, which is designed to prevent unauthorized access or keystrokes by either a co-worker or a mischievous household pet that wanders onto your keyboard.
Another ploy that crooks use is changing your account’s address so that future checks come to them, or rerouting online money transfers to their coffers. Most brokers now require added security for these kinds of changes. OptionsXpress, for instance, sends out a notice to both existing and new addresses when a customer requests a change.
TD Ameritrade is rolling out a two-factor authentication system that “remembers” the computer from which a client logs into its system. If the next log-in attempt comes from a different computer, the investor will need to provide more information. CEO Joe Moglia says, “Clients have free access to security software via our online security center (http://www.tdameritrade.com/security/securityTools/securityTools.html), which enables them to detect and remove threats like computer Trojans and to monitor for suspicious behavior.” (Trojans are viruslike programs that travel via the Internet.)
TradeKing employs an intriguing system to thwart keystroke loggers, programs that record every keystroke you make. Thieves can use those captured keystrokes to divine your password and personal information. To prevent that, TradeKing has you enter your password on an on-screen keyboard, using your mouse to select the appropriate characters. If you don’t type your password, a keystroke logger can’t pick it up. TradeKing also asks you a series of challenge questions if your online behavior is deemed unusual.
Software-based brokers such as Terra Nova don’t transmit information via a Web browser; they employ other methods of security. Terra Nova utilizes Captcha technology, which prompts the customer to type in the letters displayed in a small picture, to eliminate spammers and counter other electronic contact attempts. It also maintains an intrusion-detection system on its Website and database servers, to identify any attempted contact that is suspect.
AT ANOTHER SOFTWARE-BASED BROKER, MB Trading, President David Lipsett says, “We use proprietary algorithms to prevent unauthorized trading within an account as well as databasing user-connection information to spot trading that does not fit into the client’s normal patterns.”
Just how many challenges are out there? Consider Siebert CEO Muriel Siebert’s response to our queries: “The layered security consists of firewalls, encryption, intrusion-detection sensing, network segmentation, translation, monitoring, antivirus, antispam, antispyware, internal software and hardware lockdowns, premise-level security, employee screening and other security methods.”