The State of Brokerage Security: Protecting Stocks and Financial Data
In a New York Times DealBook article published in early February, the headline captures the practical implications of the recent wave of high-profile, heavily publicized data breaches: Brokerage Firms Worry About Breaches by Hackers, Not Terrorists.
Since brokerage firms serve investors who trade public stocks and other securities, and also offer loans, stock quotes and investment tips, they are a frequent target of attackers seeking to compromise brokerage employees who have access to a large clientele - and to large sums of money.
The Current State of Brokerage Security
Last year, the Financial Industry Regulatory Authority (FINRA) conducted a number of ‘cybersecurity exams,’ also known as their Risk Control Assessment (RCA) Survey, across 57 broker-dealers and 49 investment advisors to get a better idea of the state of security within this particular pocket of the financial industry.
According to a summary of the exams’ results in a report (PDF) from the U.S. Securities & Exchange Commission (SEC), FINRA collected information on each firm’s ability to:
- Identify cybersecurity risks and establish cybersecurity
- Govern, including policies, procedures and oversight processes in order to protect firm networks and information
- Identify and address risks associated with remote access to client data and funds transfer requests
- Identify and address risks associated with vendors and other third parties, including detecting unauthorized activity
While the report found that most firms conducted periodic risk assessments (93 percent of broker-dealers and 79 percent of advisers), fewer reported requiring their vendors to meet the same standards (84 percent of broker-dealers and only 32 percent of advisers).
Brokerage firms also receive a lot of fraudulent email: over half of audited broker-dealers and about 40 percent of advisers have received fraudulent emails requesting transfers of client funds. About 26 percent of broker-dealers report losses of $5,000 or more due to these emails. It is alarming that nearly a third of brokers are actually falling for these emails and losing money, which raises questions about security training and awareness at those firms.
The difference between large firms and smaller brokers is evident in the data: large firms report using metrics to measure many aspects of their IT security programs, including patching, vulnerability management, security infrastructure performance, access control management, secure application development, training and awareness, and vendor risk. By comparison, smaller firms did not report using the same breadth of metrics, which puts them at greater risk.
Real Broker-Dealers, Real Breaches
A brokerage firm was hit by hackers at the end of May last year. Benjamin F. Edwards & Co. discovered that one of its employees' computers was infected with CryptoWall malware, a variant of CryptoLocker that encrypts files and transfers data to a suspicious IP address, as a breach notification letter (PDF) from the firm stated. CryptoWall is a type of ransomware that holds data hostage by encrypting it until the victim pays its operators.
A recent Cisco blog post reports that CryptoWall 2.0 uses Tor to obfuscate its command-and-control channel, with multiple layers of encryption. CryptoWall can be delivered through email attachments, malicious PDFs and exploit kits, all of which are malware-delivery methods used against brokerage firms.
Another brokerage breach case, dating back to 2012, involved a hacker who gained access to electronic broker-dealer accounts and used them to trade stocks and securities in order to manipulate market prices, which allowed him to buy back or sell the same stocks at artificial prices and reap a profit on the transactions, as ComputerWorldUK.com reported.
Then there are the cases that target client email accounts, as seen in an incident involving the managing director of Bush O'Donnell Investment Advisors Inc, InvestmentNews.com reported. Someone had hacked into a client’s email account, sending a fraudulent email to the firm’s director requesting a wire transfer of $51,000 to a Hong Kong bank in order to purchase a condominium. The email had specific client information, including the client’s account number.
Two-Factor Authentication for Broker-Dealers
To address these types of attacks and others that target online brokers’ credentials, FINRA’s Examination Sweep Survey Questionnaire included a question about access controls and authentication security:
What forms of authentication are used by customers to access your firm's applications over the Internet? Please select all that apply.
- Single-Factor Authentication (e.g., user-ID/password)
- Dual-Factor Authentication (e.g., hardware or software key fobs/secure ID/tokens)
- Adaptive Authentication (e.g., challenge questions posed for risky or abnormal logins)
While the questionnaire gives token- and hardware-based two-factor authentication as its example, an out-of-band authentication solution using a mobile app may provide more protection against certain types of malware delivered via phishing emails. Last July, a report on a banking malware family found that attackers could intercept the one-time passwords (OTPs) of a two-factor authentication solution.
By using an out-of-band two-factor solution that sends a push notification to a smartphone app, broker-dealers and other financial institutions can avoid a similar fate: users verify their identity with a physical device in their possession rather than with a code that can be intercepted.
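To make concrete why a push-based, out-of-band approval is harder to abuse than an interceptable OTP, here is an added illustration (not code from Duo, FINRA or any vendor named on this page). It assumes a hypothetical design in which each enrolled phone holds a device-bound HMAC secret, the server pushes a fresh nonce together with the transaction details, and the phone returns a MAC over both only after the user reads the details and taps Approve. The server then accepts each challenge once, within a time limit, and only for the exact transaction it asked about.

```python
"""Transaction-bound, out-of-band push approval: an illustrative design, not a vendor's product code."""
import hashlib
import hmac
import secrets
import time


def canonical_txn(txn: dict) -> bytes:
    """Serialize the fields the user sees on the phone in a fixed order so both sides MAC the same bytes."""
    return "|".join(str(txn[k]) for k in ("amount", "currency", "beneficiary")).encode()


class PushAuthServer:
    """Server side: issues one-time challenges, each tied to one specific transaction."""

    def __init__(self, ttl_seconds: int = 60):
        self.device_secrets = {}   # user -> device-bound secret enrolled out-of-band (assumed enrollment step)
        self.pending = {}          # challenge_id -> (user, txn, nonce, expires_at)
        self.ttl = ttl_seconds

    def enroll_device(self, user: str, device_secret: bytes) -> None:
        self.device_secrets[user] = device_secret

    def start_approval(self, user: str, txn: dict, now=None):
        """Create a fresh challenge; the nonce and transaction details are pushed to the phone."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[challenge_id] = (user, txn, nonce, now + self.ttl)
        return challenge_id, nonce

    def finish_approval(self, challenge_id: str, response_mac: bytes, now=None) -> bool:
        """Accept only a MAC over this challenge's nonce and transaction; single use and time-limited."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)   # pop enforces one-time use, so a replay fails
        if entry is None:
            return False
        user, txn, nonce, expires_at = entry
        if now > expires_at:
            return False
        expected = hmac.new(self.device_secrets[user], nonce + canonical_txn(txn), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response_mac)


def device_approve(device_secret: bytes, nonce: bytes, txn_shown: dict) -> bytes:
    """Phone side: after the user reads the displayed transaction and taps Approve,
    the app MACs the nonce plus exactly the details it displayed, using the device-bound secret."""
    return hmac.new(device_secret, nonce + canonical_txn(txn_shown), hashlib.sha256).digest()


def demo() -> dict:
    """Walk through the legitimate flow and the failure modes a defender cares about."""
    server = PushAuthServer(ttl_seconds=60)
    phone_secret = secrets.token_bytes(32)   # constructed: enrolled when the app was set up
    server.enroll_device("alice", phone_secret)

    # Constructed sample wire request, modelled on the kind of transfer described in the article.
    wire = {"amount": 51000, "currency": "USD", "beneficiary": "ACCT-EXAMPLE-1"}
    results = {}

    # 1. Legitimate approval: the phone signs exactly what the server asked about.
    cid, nonce = server.start_approval("alice", wire)
    mac = device_approve(phone_secret, nonce, wire)
    results["legit"] = server.finish_approval(cid, mac)

    # 2. Replay: the same captured approval cannot be submitted a second time.
    results["replay"] = server.finish_approval(cid, mac)

    # 3. Reuse for another transaction: a captured approval for one wire cannot
    #    satisfy a new challenge for a different beneficiary (new nonce, different details).
    altered = dict(wire, beneficiary="ACCT-EXAMPLE-2")
    cid2, _nonce2 = server.start_approval("alice", altered)
    results["reused_for_other_txn"] = server.finish_approval(cid2, mac)

    # 4. Expiry: an approval that arrives after the time limit is rejected.
    cid3, nonce3 = server.start_approval("alice", wire, now=1000.0)
    mac3 = device_approve(phone_secret, nonce3, wire)
    results["expired"] = server.finish_approval(cid3, mac3, now=1000.0 + 61)

    return results


if __name__ == "__main__":
    print(demo())
```

The contrast with an intercepted OTP is in step 3: a plain OTP check compares a code against an expected value with no reference to what is being authorized, so a captured code works for whatever request the attacker submits, whereas here the approval is bound to the nonce and the transaction the user actually saw on the device.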
An article from Reuters echoes concerns about small companies affording security technology:
Firms which cannot afford to employ round-the-clock technology departments are facing mounting responsibilities as hackers become more aggressive and regulators ramp up their scrutiny of precautions firms are taking against such threats.
One way small and mid-sized firms can gain ground against remote attackers is to choose a cloud-based security solution with a low total cost of ownership (TCO). Software-as-a-service (SaaS) providers either run or outsource the infrastructure behind their solution, so the client pays no server or infrastructure costs, and anyone with a web browser can access and manage the solution.
Hopefully financial firms have learned from breaches like JPMorgan Chase's last summer, which was attributed to the lack of two-factor authentication on one of its servers. That oversight let attackers steal 83 million records. Learn more in JPMorgan Chase Breach: 83 Million Records Breached by Lack of Two Factor.
Learn more about two-factor authentication to protect transactions in:
Primary Defense Against New Business Email Scams: Two-Factor Authentication
Executive Order Mandates 2FA to Protect Consumer Financial Transactions
Two-Factor Authentication, Financial Firms, and You