Tag Archives: security

Learn how to protect your business from hacking attacks at FPA Business Solutions 2013

One session at FPA Business Solutions 2013 will expose advisers to security threats their business is likely to face

I’m on the task force for FPA Business Solutions 2013 and helped put together a great lineup of speakers and thought leaders for financial advisers.

One speaker I invited is Peter Giza, founder of Spitbrook Consulting and former CTO of RedBlack software.

FPA Business Solutions is scheduled for March 7-9 in Chicago, IL. In his session, Giza will address threats advisers face from hackers and social engineering and identify things to do to deflect such attacks.

I asked Giza for a preview of his session for FPA Business Solutions, which was broadcast in the latest episode of FPPad On Air.

Watch the interview below, and be sure to register today for FPA Business Solutions to learn more from Giza and the rest of the excellent speakers on the agenda. The FPA member early bird rate of $399 expires this January 25!



Rescue your lost mobile device with this simple setting

This is the back of a Town Car. Don’t leave your phone here!

I just flew over 16,000 miles in the last 60 days, passing through airport security and riding in taxis at least a dozen times. Thankfully, I always remember to gather up my laptop and phone before I head to my destination.

But what if you have that one time when you’re in a rush and leave your mobile device behind?

This month’s Quickview update for Morningstar Advisor tells you about one simple setting you can use on your laptop, tablet, or smartphone to increase your chances of recovering your device.

Go read Rescue Your Lost Mobile Gear at Morningstar Advisor now.

FPPad Bits and Bytes for August 3

Now that August is here, the flow of financial planning technology news has slowed to a trickle. This week you’ll want to stay on top of security developments at Dropbox, but also check out a potential app to manage your multitude of projects.

Here are this week’s stories of interest:

If you missed Wednesday’s story, Dropbox user accounts compromised, new security features to appear, be sure to read it and review what you should do to protect your online accounts, whether or not you use Dropbox.

Salentica Inc. begins pilot phase of testing the Salentica Advisor Desk with Schwab OpenView Gateway from Salentica.com

[Salentica is the overlay provider for Microsoft Dynamics CRM. In this company press release, Salentica announces it is officially in a pilot phase of integrating account data obtained from the Schwab OpenView Gateway™ program.] In May, Salentica entered beta testing, where our Client Advisory Panel, which included Salentica clients as well as several RIA firms who are using a standard version of Microsoft Dynamics® CRM, tested the newly developed functionality and provided us with feedback on the user interface and client experience.

Projectbook is the iPad productivity app for the disorganized from GigaOm

[If you’re searching for a new project management solution, Projectbook may be worth investigating. I often vacillate between managing everything in one CRM or working with multiple, specialized apps to manage tasks, reminders, and workflow. There’s no one right answer, so Projectbook may be a good resource for some of you.] Keeping your personal and professional documents in the cloud so you have access to them everywhere is on its way to becoming standard practice: it’s why Google and Apple now have their own cloud storage solution for users. But what if you’re on the fence about committing to the cloud but want an all-in-one mobile app to organize your stuff? Then a small midwestern app company called Theory.io has an iPad app for you.

Dropbox user accounts compromised, new security features to appear

Last night I posted this tweet about a TechCrunch.com article on several compromised Dropbox accounts.

Unlike the issue last summer (see Bug Affects Dropbox Security: What Advisers Need To Know), Dropbox’s own security was not compromised this time.

Username and password credentials were stolen from a third-party website and then reused to log in to the associated Dropbox accounts.

In response, Dropbox said in a blog post that it will add new security features in the coming weeks, with two-factor authentication being the most noteworthy (see Boost your online security with two-factor authentication).

Events like this should be a lesson to you, even if you’re not a Dropbox user. Remember to follow good security practices to keep your account credentials safe, such as:

  • Avoid using the same username and password for multiple websites/accounts. Make each password unique for each account.
  • Avoid using unfamiliar or shared computers, as keystroke logging programs or other trojans may be installed without your knowledge.
  • Verify website addresses before typing in your login credentials. Look for the https:// address prefix and make sure you’re not redirected to a phishing website (see Cloud computing for financial advisers: How to stay safe).

In a few weeks, Dropbox should be rolling out the new security features. When they appear for your account, be sure to activate and use two-factor authentication. It’s one additional layer of protection you can add to better protect all the information you keep in your Dropbox account.

Cloud computing for financial advisers: How to stay safe

Financial advisers recognize the benefits of moving to the cloud, but security remains a top concern

While speaking on a panel at the Technology Tools for Today (T3) Conference in Dallas earlier this year, I predicted that within five years, the majority of independent investment advisers would no longer have a server located in their office.

Clearly the trend of embracing cloud computing and services delivered over the Internet is gaining momentum, but financial advisers continue to be concerned about the security of data stored in the cloud.

In my latest column for the Journal of Financial Planning, I reviewed the practices advisers should follow when evaluating the security policies of any cloud provider.

Included is a sidebar titled 10 Key Elements of Cloud Security that lists the top essential questions advisers must ask when conducting due diligence. Use it as a guide as you try to determine whether a provider’s policies and procedures meet your expectations.

Read How to Stay Safe When Using the Cloud from the Journal of Financial Planning

Should Financial Advisers use Google Drive?

Broad terms of service language likely makes the latest cloud file storage service off limits for client files

Earlier this week, Google entered the increasingly-crowded market of cloud-based file storage services by introducing its own utility called Google Drive.

Google Drive offers convenient access to files from any device, but advisers may want to keep client files off the service

There are a number of popular cloud file storage services available today, with Dropbox, Box, SugarSync, and ShareFile generating the most buzz and interest among financial advisers. Generally, these cloud file storage services give users the ability to back up selected files and folders to servers in the cloud and enable remote access to those documents using mobile apps and web browser interfaces.

Ever since these services launched, financial advisers have questioned whether or not they’re safe to use for the storage of client files.

Last year I wrote Dropbox for Financial Advisers: Is it Safe?, which continues to receive consistent traffic from advisers seeking opinions on whether or not using such services will violate any regulatory rules (the short answer is yes, but with conditions; read the full post for details).

Safe for Client Files?

With Google Drive, advisers want to know the same thing: is it ok to use to store files containing client information?

I believe the answer is no.

Google’s terms of service explain how the company may use files and information stored on a variety of its services, including Google Drive. Here is the relevant section for advisers:

Your Content in our Services: When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones. This licence continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps).

The terms give Google the license to publish and publicly display content uploaded to their services. In addition, that license continues long after use of the services is discontinued.

Sure, for a listing on Google Maps, the terms make sense. But for files stored on Google Drive, applying the same terms can mean there is no limit to how long Google has the option to use your content.

Google Drive may ultimately prove to be the product that disrupts the cloud file storage market, but for now, financial advisers should stay clear of the service and never use it to store files containing client data.

Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken into the client’s email account.

Client Spoofing 

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using “spoofing” techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client’s email account password through keylogging software or by substituting indistinguishable characters in a valid email address (e.g. a lower-case “l” and a capital “I”). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser, who has no reason to be suspicious of a request to transfer funds.

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity than a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to enable multi-factor authentication for the login process. Multi-factor authentication, which I addressed in this Morningstar Advisor column, requires users to confirm their login activity through a second device, typically via SMS text message. Even many credit card companies are adding this additional verification step to their systems.

So don’t fall victim to the next spoofing attack your firm encounters. It’s not a question of whether an attack will occur, but when.



Boost your online security with two-factor authentication

After participating virtually (i.e. online) in what was likely the busiest shopping weekend of the year last week, I logged in to reconcile one of my credit card accounts. Lo and behold, they added a new security feature to authenticate my account when I used a second computer to log in.

The timing is perfect as my blog post for Morningstar was just posted yesterday, titled Quickview: Get Enhanced Security With Two-factor Authentication.

So Chase recently added a two-factor authentication process it calls an Identification Code to complete your account logon and verify your identity. This is the first screen I was presented at login:

After clicking Next, I was given the option of receiving my code using several contact methods associated with my account profile. Options included voice or text messages to one of my phone numbers or receiving a code via an email account previously registered to my account.

Just as in my blog post, more and more online providers, including free web-based email programs, social network services, and credit card companies are giving customers the option (and in Chase’s case, requiring) to boost their account security by adding two-factor authentication.

Cloud Data Security Depends on Your Password Strength

Financial advisers are concerned about the security of data they place on the cloud. Cloud services including CRM, portfolio management, document management, and more are all accessed by credentials connected with the adviser’s account. The strength of the login credentials largely determines how well account data is protected from attack or unauthorized use.

Technically, the strongest passwords have a high amount of entropy. There’s a lot of science that goes into the explanation of entropy and its application to passwords, but allow me to share a webcomic from xkcd that captures the concept in six short frames.
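To put numbers on the entropy idea, here is an added example (not from the original post) that computes the bits of entropy for a random-character password and for a random-word passphrase, estimates the worst-case time to exhaust each at an assumed offline guess rate, and generates a passphrase with a cryptographic random source. The word list, pool sizes and guess rate are assumptions chosen for the demonstration; the arithmetic assumes every character or word is picked uniformly at random, which human-chosen passwords are not.

```python
"""Password entropy arithmetic: n independent uniform picks from k choices carry
n * log2(k) bits."""
import math
import secrets

# Constructed demo word list; a real passphrase list has thousands of entries.
# The functions take the list size as a parameter, so the math is the same.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "orbit", "lantern", "velvet", "marble"]

def charset_entropy_bits(length, pool_size):
    """Entropy of `length` characters each drawn uniformly from `pool_size` symbols."""
    return length * math.log2(pool_size)

def passphrase_entropy_bits(num_words, list_size):
    """Entropy of `num_words` words each drawn uniformly from a list of `list_size`."""
    return num_words * math.log2(list_size)

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at the given offline guess rate."""
    return 2 ** bits / guesses_per_second

def generate_passphrase(num_words, words=DEMO_WORDS):
    """Pick words with a CSPRNG (secrets, not random) and report the entropy."""
    chosen = [secrets.choice(words) for _ in range(num_words)]
    return " ".join(chosen), passphrase_entropy_bits(num_words, len(words))

def compare(length=8, pool_size=94, num_words=4, list_size=7776,
            guesses_per_second=1e10):
    """Contrast an 8-character password over printable ASCII with a 4-word
    passphrase from a 7776-word list at an assumed 1e10 guesses/second."""
    pw_bits = charset_entropy_bits(length, pool_size)
    pp_bits = passphrase_entropy_bits(num_words, list_size)
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "password_days": seconds_to_exhaust(pw_bits, guesses_per_second) / 86400,
        "passphrase_days": seconds_to_exhaust(pp_bits, guesses_per_second) / 86400,
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:16s} {value:,.1f}")
    print(generate_passphrase(4))
```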

[Hat tip to Ben Gilbert, CFP®]

Photocopiers, Scanners Expose Private Information

This article was originally posted on April 29, 2010 to advisors4advisors.com, a practice management website for independent financial advisers. For continuously updated news, information, and commentary relevant to financial advisors, sign up today.

Last week, CBS News released an investigative report that revealed how documents with private information were accessed from the hard drives of used photocopiers.

Compromised data included internal documents from the sex crimes division of law enforcement, payroll information, and health and medical records.

