Discussion in 'Retail Brokers' started by lilboy716, May 12, 2004.

  1. to anyone cares to know about the security of your broker's DAT(direct access trading) platform.

    possible problem:
    transfer of sensitive data such as brokerage username, password.

    all discount brokers(et. ameritrade, etrade) uses SSL on their web based platform. it is as secure to the point that the password and browser cookies are sent through encrypted channel, using public key encryption algorithm(very hard to break).

    this does not apply to DAT brokers, because they all write their own software to implement different trading features, including their own account access algorithms.

    it is imperative that every DAT brokers adhere to the minimum standard of security used on the web.

    targeted audiance:
    if you only trade at home and your connection is connect to a home router directly to a cable/dsl modem, T1 box. you are okay.

    if you trade in public places such as, work, school. the connection might travel through several routers before going into a fiber optics network. this can be problematic. at various points of this network connection, a hacker can collect data(sniffing data). your user/password information can potentially become compromised.

    a typical senario: assuming user/password not encrypted.
    a person saw your username on the platform screen, writes it down. by sniffing the network to collect data for hours(not to go into too much detail). he can filter data coming from your computer, and search for your username(he wrote it down), and he can end up with various potential maches of your password.

    check for problem: might be too advanced for many people
    check if your DAT platform encrypts at least the password information.

    1. download ethereal (google it, its open source). its a packet sniffer that you can use to to check if your sensitive data can be compromised.

    2. shutdown all other programs that might be using the internet connection.

    3. open your DAT platform, type in your user login info.

    4. start ethereal, start sniffing packets. and immediately log into your DAT platform. perform a few common tasks, such as, viewing account data.

    5. stop sniffing. ethereal will display all the packets been collected. it has a search function that allow you to search for your username or password in the data collected. and look for signs of your password is being displayed in plan text.

    6. now you know. if you can see your password, tell your broker to do something about it IMMEDIATELY!
  2. gerico


    Security is a REAL problem nowadays, and it seems that many Online Brokers aren't doing the necessary actions to maintain at least a decent security level.

    Why? Because they put rules in the Customer Agreement that leave responsibility of ANY trades in the customer account to the customer, even when the customer account has been hacked.

    Nice, isn't it?
  3. Interactive Brokers provided customers with a small "SAFEWORD" Secure Computing device that generates a unique password for every account transacation. So, there is no way a stolen password can be used again. The password is only good once. They also use SSL both on their account web access and from their trading platform.

    At least the industry is moving in the right direction. More brokers should adopt such mechanisms.
  4. the user/password encryption i am refering to is the info your put into your software when you want to login to your broker. that is one(uno) set of user/pass information. it doesnt matter what the software does later on. as long as the login information is compromised, a hacker can just login w/IB's trading software using your information.

    you should try these steps to see they actually put their money where their mouth is.

    i've already discover an DAT broker that send password in the clear during later transaction. but their login portion was "secure" enough. i ask their customer service rep about it, and they said it was secure, of course that's what they were told.

    that's the major reason that prompt me to start this thread.

  5. There is no way for you to know that your information is secure by using a piece of propritary software. when you connect to a shopping website, the browser tells you that you are using some form of security by showing you that little lock. if you click on it, it will show you information on the certificate assigned to the website signed by a trusted certificate authority. the same level of security awareness doesn't exist in a propritary software. at least its not obvious enough to the user. and alot of users simply do not care about it.

  6. lilboy,
    you are of course correct, and many of the current trading platforms do not have sufficient security in my view. SSL is truly weak and offers no comfort on it's own either.

    When I was developing secure customer login I always included a security token which would be updated and passed along with every transaction. This would be a MD-5 checksum which was calculated on a password from a circular list of passwords and a timestamp to validate the time frame it would be allowed to use. The MD5 checksum is one of the fastest "encryption" methods out there - and it's lossy as a checksum. I won't explain further on this technique - but those who understand it get the point.

    The point is that a password and SSL alone does not hinder anyone in mediating into your communication stream - or snooping.

    Nowadays there is a really good block cipher routine available called Rijndael ( ) - also known as AES. This gives good encryption capabilities for streams - and not only fixed packets of code like RSA etc.
    An example a few years ago was the old NATO equipment used to encrypt communication lines - consisting of only 64-bit encryption keys - but long taperolls of encryption data. With Temepest I and II rules in place one could be impressed - but not by the encryption standard itself. Sitting in a bunker decrypting mundane ZOPR messages is noones cup of tea.

    When dissecting broker traffic one can quickly point out weaknesses in both protocol and (failing) security techniques. Still there is not much focus on DDoS on brokers or similar, but it's something that will be coming more and more. Terrorism, pranksters or simple criminals can seriously affect how we are able to react to the markets.

    So far I have seen no credible information on any broker offering any technical assurances with regards to security of execution platform or trading software.
    (Compaq) TANDEM is not what it used to be - most people don't know what that hardware platform is anymore. Of course you can get solutions good enough with a distributed transaction server and some well designed load-balancing and redudancy in a trading execution platform/backend - but I think we have all experienced the negative impacts of that not being the case.

    Broker uptime as well as stellar execution times should be the norm and what brokerages strive for - but most often they are quickly huddled together by people with little technological background and with a bare minimum of technical platforms - and more focused on aggressive pricing.

    So there might be hope for many of those laid-off IT experts out there - if daytraders truly become prolific in the markets once again - which I personally think will happen (is starting to already).

    The FIX protocol offers good encryption within the protocol - if it is being used - but it seems it is not the norm many times. Tunneling the FIX protocol within some other protocol is very counter-productive. For those with knowledge of Class-of-service and Quality-of-service techniques in networks this is basic knowledge. More and more ISP are starting to use traffic-shaping , so something like SSL and pure HTTP is not really going to get the proper priority that financial network traffic deserves. Not to mention the vile evil of ISPs who employ transparent HTTP and SSL proxies on their network to offset costs in increasing traffic by chacheing popular pages and not increasing bandwidth demanded by a increasingly eager customer base.
    If you have a ISP who does transparent HTTP/SSL and you are using financial software which rely on any of these protocols, you should beware, as you're probably being hit with extra delays all the way to the bank ...
    Running SSL on other ports than 443/HTTPS is of course a little better - but not if your ISP is running the state-of-the-art traffic shapers.

    Well, enough rant I guess - most of this is probably way out of most traders fathom/reach anyway.
  7. will destroy ya.

    perhaps trading is too risky given current tools. if the reward does not justify the risk associated with the current technology, put your money in a CD and wait for it to get better.

    you current choices are call the broker, click the mouse, or stand aside.

    it is what it is.
  8. i am not being paranoid. the security risk described on the thread's topic post is very real. it applies to all DAT brokers' software.

    when brokerage account get hacked, you cannot deny *you*, personally, did not make those trades that *you* didn't place. obviously someone have to place the order. it is the purpose of the basic user/pass authentication.

    i am calling for security awareness, not ignorance.

  9. we all read our usage agreements and disclaimers when we opened our accounts, BEFORE we funded them. (or at least the reasonable people did.) there is nothing knew here.

    either do someting concrete to make it better or live with it.

    there are risks associated with any profitable activity. and right now, there are certain security risks. there were similar risks, i might mention, when trades were placed via telephone. same risks, different day.

    btw: if i wanted to spend quality time fretting, i would worry more about the liklehood of somebody transferring money out of my account and spending it than i would some malicious hacker wasting his or her time making trades for me. the truely clever hacker will steal your money for personal gain, not trade it for you. (and who knows, if the hacker trades for you, you might even make a profit for a change! <g>)
  10. you watched too many movies.

    most brokerage wont allow you to transfer money to a bank account that's not under the owner's name. same goes for wire transfers.

    if a person does get a handle of your account, trades can be made, loss can occur. you can also profit from it. it would be weird to see transactions showing up not knowing when, or if, you placed those orders. you would freak out even if it result in a gain.

    #10     May 14, 2004