Every time you download a trading App and register with a broker, your data is stored on the broker's servers. Most brokers now use cloud providers, while some brokers manage their own servers.
A broker that buys and manages its own servers is in a different position from a broker that 'rents' server space from a third-party hosting company and pays only for the capacity it uses in the cloud.
In both cases there are security risks that must be managed by the broker or its vendors.
For example, brokers using major cloud providers sometimes outsource the management of that cloud to third-party vendors. This adds a further risk: a mistake or compromise at the vendor managing the cloud exposes the brokerage as well.
Hackers also target brokerage executives and clients using social engineering to try to gain access to their passwords and devices. We will be discussing the security risks that brokers can face.
Security Risks
1. Cloud or Server Misconfiguration Risk
Some brokers store their data in a cloud run by a professional third-party data center/hosting company, so the cloud management is not done by the broker. If the third-party vendor working with the data center makes a mistake while working on the broker's security configuration, the broker's data is left exposed to attackers.
Other brokers choose to store their data in their own data center instead of sharing a public server. However, they then have to employ and pay seasoned IT professionals to manage these servers, and not take shortcuts.
The case of the forex broker FBS, which left an Elasticsearch server without password protection and unencrypted, is an example of how a misconfigured server and improper security practices can expose client data.
This FBS Elasticsearch server contained clients' personally identifiable information such as IP addresses, mobile device models, full names, email addresses, phone numbers, passport numbers, Google IDs and even unencrypted passwords.
If a hacker stumbles upon unguarded client information like this, they could use it to compromise the client's device, blackmail or extort the client, or sell the data to other scammers on the black market.
So any misconfiguration, or failing to keep the cloud private, can give attackers access to the server and to the customer data on it.
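One way for a broker's own IT staff to catch the FBS-style misconfiguration before an attacker finds it: an added example (not FBS's configuration or code) that audits an elasticsearch.yml for missing authentication, missing TLS on the HTTP API and a public bind address. The setting names are real Elasticsearch settings; the two sample configurations are constructed.

```python
# Added example (not FBS's config): audit elasticsearch.yml for no auth, no TLS, public bind.
import ipaddress
from typing import Dict, List


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml (no nesting)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(host: str) -> bool:
    """True when network.host listens on all interfaces or on a public address."""
    if host in ("0.0.0.0", "::", "_global_"):
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames and special values such as _local_ / _site_


def audit_elasticsearch_config(text: str) -> List[str]:
    """Return findings for the config text; an empty list means every check passed."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    # 1. Authentication: require it to be explicitly on (older 7.x releases defaulted to off).
    if cfg.get("xpack.security.enabled", "").lower() != "true":
        findings.append("authentication not enabled (xpack.security.enabled != true)")
    # 2. Encryption in transit for the REST API on port 9200.
    if cfg.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP API unencrypted (xpack.security.http.ssl.enabled != true)")
    # 3. Exposure: a public bind address plus either weakness above is the FBS scenario.
    host = cfg.get("network.host", "127.0.0.1")  # Elasticsearch binds loopback by default
    if findings and is_public_bind(host):
        findings.append(f"bound to {host}: reachable from the internet without auth/TLS")
    return findings


# Constructed samples: the weak configuration beside the corrected one.
WEAK_CONFIG = ("network.host: 0.0.0.0\n"
               "xpack.security.enabled: false\n")
HARDENED_CONFIG = ("network.host: 10.0.5.12  # private address, reached only over the VPN\n"
                   "xpack.security.enabled: true\n"
                   "xpack.security.http.ssl.enabled: true\n")
```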
2. Spear Phishing Risk
This is an email scam aimed at a specific target or group of targets in an organization.
Research has shown that 91% of successful data breaches involved spear phishing.
Cybercriminals either send legitimate-looking emails to a group of targets and wait for any of them to click the link in the email (the 'spray and pray' method) or send one to a specific individual.
LinkedIn serves as a rich source for profiling targets, as most employees list their employment history on the site. Spear phishing is executed via the following steps:
· Get the target's email address: Cybercriminals can use special software to extract email addresses from search engines, or buy email data.
· Bypass the antivirus software: Open-source tools such as Metasploit, originally meant for security vulnerability testing, can be used by hackers to find out which antivirus product you are using, or any known network vulnerabilities. Once the antivirus is known, the malware in the email is designed to evade its detection.
· Egress filtering: This inspects all data leaving a network, so cybercriminals deploy payload software that encrypts the information leaving the network to their Metasploit server.
Cybercriminals carry out social engineering on their targets by checking their Facebook posts, LinkedIn profile, etc., to find out personal information such as their spouse's name, their children's names or even where they spent their last vacation. All this information is put together to prepare a phishing attack and make it look and sound authentic.
Once the target clicks the link, malware is secretly installed on their system. This malware could be key-logger software that silently records passwords and sends them back to the cybercriminal.
3. Client-Side Risks
Most clients that use trading Apps can also be targeted by cybercriminals. According to Forex Beginner UK, there has been a substantial increase in cyber-attacks targeting brokers' clients since the start of the pandemic.
Phishing attacks can be launched at them via SMS messages, emails and even cold calls to trick them into revealing sensitive information such as App passwords or credit card details, or into clicking malicious links.
Once this information is obtained, the hacker gains access to the trading App and transfers funds out of the account if the broker is not vigilant in its withdrawal policies.
Two-factor authentication tightens security by adding another layer of verification on top of the password. This layer could be a code delivered by SMS or by email.
Cybercriminals have taken advantage of this by sending malicious 'verification' SMS messages and emails to clients to steal their login information.
Risk Management Ideas to Protect Against Cyber Attacks
1. Don’t share sensitive information on social media
By providing sensitive information on sites like LinkedIn, Facebook, etc., you are providing fodder for cybercriminals to launch phishing attacks against you.
A cybercriminal can tell where you work and which department you are in from LinkedIn. Some people even go as far as posting their current location and activity on Facebook. Actions like these set you up for a phishing attack.
A broker should educate traders and its staff on the best practices to follow when sharing on social media.
2. Organizational Email Policy
An organization, i.e., the brokerage firm, should have software in place that filters the emails its employees send outside the network, and any emails received should be scanned.
This is important because cybercriminals can harvest employees' email addresses using scripts and use them to prepare spear phishing attacks. A proper filtering system can block malicious emails.
3. Education
Both brokerage employees and clients using their trading Apps should educate themselves on cyber security periodically.
A brokerage could organize cyber security training courses for its employees and afterwards test the level of compliance by running simulated phishing attacks. Employees who fall for the simulated phishing should be made to undergo the training again.
4. Two-Factor Authentication (2FA)
Authenticating with a password alone may not be enough, so 2FA adds another level of authentication, such as a code sent to a mobile device. This helps secure a trading platform.
Clients using online trading platforms should also create strong alphanumeric passwords containing capital letters, special characters and numbers.
5. Adherence to Anti-Money Laundering Laws
Brokers should always look out for red flags and suspicious withdrawals from clients' accounts. A client who rarely withdraws money and suddenly begins to withdraw is a red flag.
Also, anti-money laundering laws require brokers to detect and stop money laundering by conducting due diligence on customers and reporting withdrawals above certain threshold limits to the relevant authorities. Doing this can help prevent loss of funds and aid fund recovery even after an account has been compromised.
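The red flags in this section turned into detection logic, as an added example (not any broker's actual monitoring code): it flags a client who rarely withdraws and suddenly starts, a recent withdrawal total far above the client's own baseline, and any single withdrawal at or above a reporting threshold. The threshold figure, window lengths, spike factor and the sample records are all constructed assumptions.

```python
# Added example (not broker code): withdrawal red flags over a constructed history.
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, NamedTuple

Withdrawal = NamedTuple("Withdrawal", [("account", str), ("day", date), ("amount", float)])

REPORT_THRESHOLD = 10_000.0  # assumed reporting limit; the real figure depends on jurisdiction
BASELINE_DAYS = 180          # history used to learn what is normal for the client
RECENT_DAYS = 7              # window in which a sudden change is looked for
SPIKE_FACTOR = 3.0           # recent total > 3x the client's weekly baseline average


def review_withdrawals(records: List[Withdrawal], today: date) -> Dict[str, List[str]]:
    """Return {account: [flags]} for accounts showing a red flag; clean accounts are omitted."""
    recent_start = today - timedelta(days=RECENT_DAYS)
    baseline_start = recent_start - timedelta(days=BASELINE_DAYS)
    buckets: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: {"base": [], "recent": []})
    flags: Dict[str, List[str]] = defaultdict(list)
    for w in records:
        if w.amount >= REPORT_THRESHOLD:  # reportable regardless of history
            flags[w.account].append(f"{w.day}: {w.amount:.2f} at/above reporting threshold")
        if recent_start < w.day <= today:
            buckets[w.account]["recent"].append(w.amount)
        elif baseline_start <= w.day <= recent_start:
            buckets[w.account]["base"].append(w.amount)
    for acct, b in buckets.items():
        if not b["recent"]:
            continue  # nothing new to judge this week
        weekly_avg = sum(b["base"]) / (BASELINE_DAYS / 7)
        if not b["base"]:  # "rarely withdraws and suddenly begins to withdraw"
            flags[acct].append(f"no withdrawals in {BASELINE_DAYS} days, then "
                               f"{len(b['recent'])} in the last {RECENT_DAYS}")
        elif sum(b["recent"]) > SPIKE_FACTOR * weekly_avg:
            flags[acct].append(f"recent total {sum(b['recent']):.2f} vs weekly "
                               f"baseline {weekly_avg:.2f}")
    return dict(flags)


# Constructed sample data (not real client records).
TODAY = date(2021, 6, 30)
SAMPLE = [
    Withdrawal("A-100", date(2021, 6, 25), 900.0),     # dormant client, then 3 in a week
    Withdrawal("A-100", date(2021, 6, 27), 1_200.0),
    Withdrawal("A-100", date(2021, 6, 29), 1_500.0),
    *[Withdrawal("A-200", TODAY - timedelta(days=7 * k), 500.0) for k in range(20)],  # steady
    Withdrawal("A-300", date(2021, 3, 1), 400.0),       # one small, then one large
    Withdrawal("A-300", date(2021, 6, 28), 12_000.0),
]
```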
6. Employee Disengagement
Organizations should ensure that employees who leave (disengaged employees) are treated fairly and that all official information is retrieved from them.
A malicious employee could sell organizational data and leak client information. Though the law may catch up with them eventually, the damage would already have been done: clients would be exposed to data breaches and lose money.
Conclusion
Users of trading platforms and the brokers themselves are exposed to cyber security risks from different angles. To be on the safe side, clients using these Apps should guard their passwords, read articles on cyber security, and change their passwords frequently.
Organizations such as forex brokers should also check their infrastructure for leaks on a regular basis, conduct regular security checks, run training sessions about security with their clients and staff, and ensure that anti-money laundering and data protection laws are strictly adhered to.