Protecting Your Online Trading Account

Among the many entertaining stories in the book "Stealing Your Life" (mentioned below), Frank Abagnale relates the story of an online brokerage customer who has their account taken over by a hacker and used to trade options in Cisco Systems, to the tune of a $40,000 profit.

Now, if the story stopped there, you can imagine it becoming a modern-day version of "The Elves and the Shoemaker".

"I swear Honey, we had 2,000 Cisco options when I went to bed, but when I woke up, they'd all been sold - for a net gain of 170%!"

Unfortunately, like most stories involving identity theft, the story doesn't stop there. The thief isn't a charitable elf. He performs a risk-free set of trades, cashes out, and leaves you with those GM and Lucent shares you bought eight years ago.

Yes, you can go to your broker and explain your loss, and most of the time they'll believe you. But don't think this is the first time your broker has heard the "it wasn't me - I was hacked" story. Be prepared to have all your documents prepared, and get ready to prove your case.

Or better still, stop it from happening before it starts.

This is both harder (and, ultimately, easier) than it sounds.

Harder, because a lot of people try and apply enterprise security solutions to situations that are much different.

Easier, because it is possible to harden the user authentication mechanism against attack, so that user credentials are not easily stolen. You just need the right approach.

A lot of on-lines banks and brokerages have recently started experimenting with expensive physical tokens and "virtual keyboards" - on-screen keyboards that feature randomized, repainted numbers that users can click on with a mouse to gain access.

Both these approachs are seriously flawed.

Let's look first at Virtual Keyboards. Let me say this loud and clear: virtual keyboards are 100% useless. If you're infested with malware created by a hacker with an IQ even slightly above room temperature (and more than half of you that are reading this are infested with malware that matches this description), your randomized virtual PIN entries are going to get captured - in the form of JPG screen shots.

Print. Print. Print. Send as email (to hacker).

Hardware-based tokens can be equally problematic. It's not that these sleek-looking devices don't do their job and create credentials that are unfathomably hard to guess - they do. That isn't the problem.

The problem is that these credentials are susceptible to being stolen by hackers en route to the login page, via very simple forms of the Man In The Browser attack. See my earlier post on this subject a couple of months back.

So what's an online brokerage to do, if it wants to protect its customers, aside from keep paying its SIPC dues?

The technology issues seem overwhelming. If someone were to dream up a technology solution for adoption by online trading professionals, it would, on the surface, appear complex.

It would, out of necessity, include a combination of system-level command handling and file hardening approaches, desktop virtualization, a locked-down non-standard browser with update and plug-in controls, secure DNS infrastructure, secure application update channel, and the best in current third party anti-phishing systems. And all of this would have to work seamlessly and simply.

I'll spare you any further build-up: we've built this. The solution we've created to protect consumers against online trading fraud is called SafeCentral.

Authentium SafeCentral is currently being evaluated by online brokerages on four continents, and our first release went live just over three weeks ago at Firstrade, the top-ranked US online broker (Consumer Reports).