Tag Archives: spoofing

See Kevin Mitnick, the World’s Most Famous Hacker, teach RIAs a thing or two about cybersecurity

Win a free ticket to see Kevin Mitnick

Here is a great opportunity to get schooled in cybersecurity from the World’s Most Famous Hacker, Kevin Mitnick.

Envision Consulting, a Washington DC-based provider of IT services and support to financial advisory businesses, has hired me to be the master of ceremonies for a unique event to be held Wednesday October 19 in Tysons Corner, VA from 11am to 2pm.

The World’s Most Famous Hacker

Envision Consulting is bringing Mitnick in to demonstrate his skills in front of our live audience and reveal just how vulnerable many of us are to sophisticated (and sometimes shockingly basic) phishing, spoofing, and social engineering attacks.

For more about Mitnick’s story and how he became known as The World’s Most Famous Hacker, watch the interview segment below with Stephen Colbert on The Colbert Report.

See Kevin Mitnick for Free

So let’s get to the good stuff. You can enter to win a free ticket to this event, a $184.99 value, now through September 22nd.

Simply visit https://envisionconsulting.leadpages.co/fppad-cybersafe/ and use the Tweet button to post your entry via Twitter, or (since I’m all about efficiency) use the same Tweet button embedded below. All the rules for the contest, including notification information for the winner, are on the contest landing page, so be sure to review them to determine your eligibility.

Good luck, and I hope to see you in Washington DC on the 19th of October!


FPPad Bits and Bytes for March 28

On today’s broadcast, cybersecurity takes center stage at FINRA and the SEC, and what you need to do to protect your business from attacks. Amazon launches its cloud desktop service to the public. Does this mark the end of the plain old desktop in your business? And two growing providers form a new joint venture to take your portfolio management efficiency to the next level.

So get ready, FPPad Bits and Bytes begins now.

(Watch FPPad Bits and Bytes on YouTube)

Today’s episode is brought to you by Orion Advisor Services, the nation’s largest privately held portfolio accounting service bureau.

Orion Advisor Services

Providing full-service data reconciliation, advisory fee billing, Salesforce integration, mobile apps and more, Orion believes it’s time for you to enjoy your business again. Visit fppad.com/orion for more information.

Here are the links to this week’s top stories:

Top Cybersecurity Threats for BDs, Advisors from ThinkAdvisor, and

SEC Cybersecurity Roundtable Webcast from SEC.gov

[Leading off today’s broadcast is an update from FINRA and the SEC highlighting cybersecurity threats faced by advisors and broker-dealers. In a roundtable event held in Washington DC this week, regulators and industry representatives acknowledged that the number one cybersecurity threat to firms of all sizes is the unauthorized account takeover.

This happens when a hacker compromises an investor’s username and password credentials, or manages to take control of an investor’s email account. The hacker then proceeds to liquidate holdings and transfer money to outside accounts, or even poses as a client with a convincing story to get advisors to transfer funds to an outside account, a clever tactic known as spoofing.

Both FINRA and the SEC acknowledge they must play a role in this area, but neither provided details on what exactly that role should be, and if any advisor exams are to include cybersecurity audits, they are likely to start in the fall of 2014 at the earliest.

Until then, here’s what I recommend you do: First, update your compliance manual with policies for what you do when faced with a cybersecurity attack.

Second, train everyone in your organization so they’re familiar with the common tactics from hackers, including phishing, spoofing, and reverse social engineering. And finally, invest in technology to boost your security, like activating multi-factor authentication, deploying firewalls, and even using phishing simulation software that I highlighted in episode number 115.] The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees and hackers penetrating BD systems, Daniel Sibears of the Financial Industry Regulatory Authority said Wednesday at the Securities and Exchange Commission’s cybersecurity roundtable.

Amazon WorkSpaces, Amazon’s Cloud Desktop Service, Launches To Public Along With New Sync Client from TechCrunch, and

Amazon WorkSpaces from Amazon

[Next up is news from Amazon, as the company announced the general release of its virtual desktop solution to the public called WorkSpaces.

WorkSpaces is aimed squarely at other virtual desktop providers like Citrix, VMware, and Microsoft, and with pricing ranging from $35 to $75 per month for each user, WorkSpaces is roughly half the price of the competition. If you’re looking to get rid of your aging server and move all of your core software to the cloud, Amazon WorkSpaces just became a very compelling option.

Plus, with the introduction of a new WorkSpace Sync application, you can back up and synchronize up to 10GB of documents between your WorkSpaces, the Amazon Simple Storage Service, and even your local desktop computer. This gives you a secure and reliable document storage alternative to consumer services like Dropbox, Box, Google Drive, and Microsoft OneDrive that you might be using today.] Amazon WorkSpaces, the company’s virtual desktop computing environment introduced last fall at the AWS re:Invent conference, is today available to the public.

Orion Advisor Services, LLC and Total Rebalance Expert (TRX) Form Joint Venture; Announce Technology Integration from PRNewswire.com

[And finally, two popular providers in portfolio management and rebalancing software, Orion Advisor Services and Total Rebalance Expert, announced a new joint venture this week called the “Total Technology Platform.”

The two companies first integrated their solutions back in October of 2012, enabling the import of account, transaction, and tax lot data from Orion directly into TRX with a single click.

But this latest venture goes beyond bidirectional integration, as users of Orion will now be able to access TRX directly from within the Orion platform. At the same time, both companies said they are committed to maintaining open-architecture platforms rather than hold advisors captive to one bundled solution.

Orion users can still take advantage of integrations with Blaze Portfolio, iRebal from TD Ameritrade Institutional, and Rebalance Express from RedBlack Software, and TRX users can continue to import data from Morningstar Office, Portfolio Center from Schwab Performance Technologies®, Advent’s Black Diamond Performance Reporting and more.] Total Rebalance Expert (TRX) and Orion Advisor Services, LLC (Orion) announced today a joint venture between the two companies to provide a “Total Technology Platform” designed to simplify and streamline the portfolio management process.

Here are stories that didn’t make this week’s broadcast:

Box Unveils First Standalone Product And New API Pricing At Inaugural Dev Conference from TechCrunch

New Kitces Network to Target Planners for Gen X & Y from Financial Planning

Office 2 HD for iPad is now Citrix ShareFile QuickEdit, drops $7.99 price to become free via iTunes


Watch FPPad Bits and Bytes for March 28, 2014


Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can’t trust their clients anymore for a refresher on what spoofing attacks are and the steps to defend against them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

According to the Administrative Proceeding, GW & Wade had hundreds of blank Letter of Authorization (“LOA”) forms on file bearing only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

Although one could argue that if GW & Wade DID try to obtain a client signature via email, following the spoofed client’s instructions, the attack still would have succeeded.

So assume for a moment that no pre-signed LOA forms existed. GW & Wade likely still would have fallen prey to client spoofing, because the company would have tried to obtain a client signature via email, and the hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication, one that does not depend on the client’s email account, is required to properly authenticate wire requests from clients (a secret phrase or a video chat; Why advisers can’t trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine how much excess fee was charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

FPPad Bits and Bytes for February 8

The 2013 T3 Conference

Today I’m headed out early to the T3 conference in Miami, FL. Stop by and say hi if you’re attending; I’m speaking on Tuesday at 1:15pm (Defending Your Business from Hackers) and 2:40pm (Current Technology Trends) and again on Wednesday at 8am (File Sharing and Collaboration Software).

Here are this week’s stories of interest:

Ten Tips That Could Prevent Cyber Criminals from Hijacking Client Data from WealthManagement.com

[Remember the Phishing, Hacking, and Spoofing article I wrote here last year? See: Why advisers can’t trust their clients anymore. Now a bunch of the major financial trade publications are picking up the story on ways advisers need to protect their business and their clients’ personal information, because hackers are exploiting holes in security and stealing money.] As tablet ownership continues to grow—doubling since 2011—and more than half of U.S. consumers now own a smartphone, according to a 2013 Forrester Research report, advisors need to be more vigilant about data security now more than ever. Below are 10 easily implemented safeguards that could prevent advisors becoming an easy target for cyber thieves.

Windows 8 Review: 5 Things to Know from Financial-Planning.com

[Joel Bruckenstein wrote this good review of Windows 8 and the pros and cons the new operating system offers to financial advisers (See: Windows 8 for financial advisers: Pros and cons from FinFolio CEO Matt Abar). I admit, I couldn’t convince myself to personally buy a copy of Windows 8 to try it on my own. I know, I know, I’m a technology consultant, and I should have experience with ALL software systems available, but still… it’s a Microsoft product, and I stopped using their OS in 2011. Nevertheless, you will likely need to replace an aging Windows machine, and Windows 8 is about your only reasonable option for the OS.] Whenever Microsoft releases a new operating system, it is a significant event. And the latest edition of its operating system, Windows 8 – designed to work on desktop computers, laptops, tablets and smartphones – is much more than a PC operating system.

FPPad Bits and Bytes for February 1

With the TD Ameritrade Institutional 2013 National Conference wrapping up today, I got a late start on aggregating the best tech news from around the industry this week.

Nevertheless, you still have Saturday and Sunday to review this week’s stories of interest:

On Guard: Stopping Data Thieves from Financial-Planning.com

[This is a video filmed at the TD Ameritrade conference right after I presented about hacking and spoofing attacks targeted at financial advisers. I cover some of the popular schemes out there and a few clever ways to authenticate the identity of your clients.] Tech consultant Bill Winterberg recommends steps to help protect clients from hacking, phishing and spoofing.

TD Ameritrade adds iRebal to the cloud and offers it for free to affiliated advisers from FPPad.com

[The big tech news out of TD Ameritrade’s conference was the announcement that iRebal will soon be free for advisers who custody with TD Ameritrade, and the software will be delivered over the cloud.] TD Ameritrade’s rebalancing software will soon be available online via the cloud and at no additional cost to affiliated advisers.

RedBlack Software Announces First Third-Party Rebalance Solution and Trading Integration with TD Ameritrade Institutional’s Veo® Platform from PRWeb.com

[Yes, TD will soon offer iRebal for free to advisers, but that doesn’t mean all advisers are going to use it. There are still other rebalancing solutions out there at a variety of price points with different functionality. So here’s a move from RedBlack to get on board with Veo Open Access and streamline trading for advisers using a multi-custodial rebalancing system.] RedBlack Software, LLC, the largest independent provider of portfolio rebalancing software for the investment management industry, today announced the successful integration with TD Ameritrade Institutional through their Veo® platform.

Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken into the client’s email account.

Client Spoofing 

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using “spoofing” techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client’s email account password through keylogging software, or by substituting indistinguishable characters in a valid email address (e.g. a lower-case “l” and a capital “I”). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser, who has no reason to be suspicious of a request to transfer funds.

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity versus a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!
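The two defences this article describes, catching look-alike sender addresses (the lower-case “l” / capital “I” swap from the Client Spoofing section) and checking a client’s secret phrase collected out of band before a wire is released, combined into one added example. This is example code written for this page, not the author’s or any firm’s procedure; the confusables table, the addresses and the phrase are constructed, and hashing the phrase in the CRM record goes beyond the article’s advice to keep it password-protected.

```python
import hashlib
import hmac
import unicodedata

# Constructed table of characters an attacker swaps for look-alikes: the
# article's lower-case "l" / capital "I" pair, plus digit "1", "0" / "o",
# "rn" / "m" and a few Cyrillic homoglyphs. Extend it for your own mail flow.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "i": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

def _norm(text: str) -> str:
    """Unicode-normalised, case-folded form (capital "I" becomes "i")."""
    return unicodedata.normalize("NFKC", text).strip().casefold()

def skeleton(addr: str) -> str:
    """Collapse confusable characters so look-alike addresses compare equal."""
    s = _norm(addr)
    # Multi-character confusables first, so "rn" is mapped to "m" as a unit.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s

def classify_sender(sender: str, on_file: list[str]) -> str:
    """'match': an address on file; 'lookalike': differs from one only by
    confusable characters (treat as a spoofing attempt); else 'unknown'."""
    if any(_norm(sender) == _norm(k) for k in on_file):
        return "match"
    if any(skeleton(sender) == skeleton(k) for k in on_file):
        return "lookalike"
    return "unknown"

def store_phrase(phrase: str, salt: bytes) -> bytes:
    """Hash the secret phrase for the CRM record rather than keeping it in
    clear text (an addition beyond the article's advice)."""
    return hashlib.pbkdf2_hmac("sha256", _norm(phrase).encode(), salt, 200_000)

def verify_phrase(given: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(store_phrase(given, salt), stored)

def wire_request_decision(sender, on_file, phrase_given, salt, stored):
    """Gate a wire request that arrived by email. phrase_given is what the
    client said on a call-back or video chat, never text from the email."""
    status = classify_sender(sender, on_file)
    if status == "lookalike":
        return ("REJECT", "sender is a look-alike of the address on file; report it")
    if status == "unknown":
        return ("HOLD", "sender is not an address on file")
    if phrase_given is None:
        # A matching address, even with a pasted signature, proves nothing if
        # the client's mailbox is compromised: confirm out of band first.
        return ("HOLD", "confirm out of band and collect the secret phrase")
    if not verify_phrase(phrase_given, salt, stored):
        return ("REJECT", "secret phrase did not match")
    return ("APPROVE", "address on file and secret phrase verified")
```

A request from `cIient.jones@example.com` (capital I) against a file holding `client.jones@example.com` is rejected outright, while a request from the genuine address is held until the phrase is confirmed on a separate channel.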

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to enable multi-factor authentication for the login process. Multi-factor authentication, which I addressed in this Morningstar Advisor column, requires users to confirm their login activity through a second device, typically via SMS text message. Even many credit card companies are adding this additional verification step to their systems.

So don’t fall victim to the next spoofing attack your firm encounters. It’s not a question of whether an attack will occur, but when.

More resources on spoofing: