"Online Intrusion" of Brokerage Accounts

Discussion in 'Retail Brokers' started by wilburbear, Apr 28, 2007.

  1. The Wall Street Letter today reports that the "SEC has found no evidence of negligent behavior at the firms", because the firms "reimburse clients" for online theft. All you guys who have not been reimbursed by your firms for online theft should get a lawyer. Apparently, the firms are supposed to reimburse you for online theft, and are portraying this as fact to the SEC.

    Finally, the firms were less than honest when they simply shrugged their shoulders about theft in retail accounts. This phenomenon (online theft) was, in fact, well known. Deputy Director of Enforcement at the SEC, Peter Bresnan, acknowledged the extent of the problem, and said that "tens of millions of dollars" had been stolen from investor accounts.

    Retail investors, of course, did nothing wrong. The firms are now responsible for the fix. "Virtual keyboards" and "software that changes clients' passwords every 10 seconds" are now being tried to re-implement the necessary security for investors' funds.
  2. cstfx

    For added security, do any of you use fingerprint readers such as the ones from Microsoft or Logitech for your security passwords when logging on and off? For the IT guys out there, does this prevent pswds from being read by Trojans or other programs that hackers like to install on your computer?
  3. patl

    The short answer is "no". A sniffer program can monitor everything you type at your keyboard as well as everything your machine sends to the server, including whatever is being derived from your fingerprint.

    The only defense against this is a "challenge/response" system. This is where the server sends you a challenge that you punch into a secure device, and the device tells you how to respond to the challenge. This is how the IB Security Device works.

    This process can be automated -- via a USB interface, for instance -- but the essential architecture is the same: Server challenge -> client-side secure device -> response to challenge.

    A fingerprint is really just a form of password. It does not play any role nor provide any security beyond that of a good, strong password.
  4. mde2004

    Good point on the fingerprint security.
  5. cstfx

    The fingerprint readers enable you to enter your logons/passwords without keystrokes once programmed. I do not mean to use your fingerprint as a password. Are there hacks that can read this info when applied even if keystrokes were not used to enter info?
  6. patl

    Yes. Logging actual keystrokes is only one form of attack. Another form, at least as common, is to monitor the contents of all HTTP/HTTPS POST requests. See for instance http://www.symantec.com/security_response/writeup.jsp?docid=2006-080315-1729-99&tabid=2. This is sufficient to capture most Web site logins.

    In general, whatever secret your fingerprint is protecting must ultimately be sent to the server to authenticate you, and there are trojans that simply monitor your network transactions in order to steal such secrets. With that information in hand, the attacker can then convince the server that he is you.

    Challenge/response systems are the only certain way to thwart an attacker who has compromised your machine.

    The best idea, of course, is not to let your machine get compromised in the first place. Avoiding Microsoft products is a good start...
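The challenge/response architecture patl describes in post 3 (server challenge -> client-side secure device -> response) and the network-sniffing trojan in post 6, as an added example that is not part of this thread and does not claim to be the IB Security Device's actual algorithm: a generic HMAC-based token with a single-use server challenge, using a constructed secret and hypothetical `Server`/`device_response` names, showing why a login captured in transit cannot be replayed later while a static password could.

```python
import hashlib
import hmac
import secrets

# Constructed secret shared only by the token and the server; it never passes
# through the client PC, so a keylogger or POST sniffer cannot capture it.
DEVICE_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def device_response(secret, challenge, digits=6):
    """What the secure device computes: a keyed hash of the challenge, truncated."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class Server:
    """Issues one-time challenges and checks the device's response to them."""

    def __init__(self, secret):
        self._secret = secret
        self._pending = {}  # user -> outstanding challenge, consumed on use

    def issue_challenge(self, user, challenge=None):
        # Random by default; an explicit value is only for deterministic tests.
        self._pending[user] = challenge or f"{secrets.randbelow(10 ** 6):06d}"
        return self._pending[user]

    def verify(self, user, response):
        challenge = self._pending.pop(user, None)  # single use: no replay
        if challenge is None:
            return False
        expected = device_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def captured_login_replay(server, user, first, second):
    """A trojan records one complete valid login, then replays the response.

    Returns (legitimate login accepted, replay against the already-consumed
    challenge accepted, replay against a fresh challenge accepted). With a
    static password the sniffer's copy would work every time; here it does not.
    """
    challenge = server.issue_challenge(user, first)
    recorded = device_response(DEVICE_SECRET, challenge)  # what the sniffer sees
    legit = server.verify(user, recorded)
    same_challenge_replay = server.verify(user, recorded)
    server.issue_challenge(user, second)
    fresh_challenge_replay = server.verify(user, recorded)
    return legit, same_challenge_replay, fresh_challenge_replay
```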