Tag Archives: Two-factor authentication

FPPad Bits and Bytes for April 11

On today’s broadcast, a serious security flaw impacts two-thirds of the Internet. How this may affect the information you store online. Betterment announces the launch of an Institutional platform. Will they start winning turnkey asset management business from advisors? And learn how a new integration between Redtail and Riskalyze will help you monitor client portfolios to keep them in line with your client’s risk tolerance.

So get ready, FPPad Bits and Bytes begins now!

(Watch FPPad Bits and Bytes on YouTube)

Today’s episode is brought to you by Wealthbox CRM. Wealthbox is collaborative, social, and outrageously simple CRM for financial advisors.

Wealthbox CRM

Sign up for a free trial today by visiting fppad.com/wealthbox

Here are the links to this week’s top stories:

Here’s everything you need to know about the Heartbleed web security flaw from Gigaom, and

The Heartbleed FAQ for financial advisers from FPPad

[Leading off this week’s broadcast is news of a critical security flaw in a web browser encryption standard called OpenSSL, in use by an estimated two-thirds of all the servers connected to the Internet.

To summarize, the flaw, called “Heartbleed,” allows an attacker to use messages called “heartbeats” to trick a server into passing along sensitive information from its memory, which could include account passwords or the server’s private encryption keys. When hackers get access to that information, really bad things can happen.

So what can you do in response to the Heartbleed vulnerability? In all honesty, not too much. Assume the worst-case scenario, that an attacker has compromised your online passwords, so consider updating your passwords for affected websites to one that’s longer and more difficult to crack. You should also activate multi-factor authentication for any service where it is supported.] Researchers have discovered a serious flaw known as Heartbleed that affects the security software that runs on about two-thirds of the servers on the internet and could expose user data, including passwords. Here’s what you need to know about it

Tiburon CEO Summit extrudes big news: Betterment Institutional is born from RIABiz.com

[Next is an update from the online investment advice category, as this week Betterment revealed plans to introduce an institutional version of its technology to financial advisors.

In a fascinating report, RIABiz detailed how plans for Betterment Institutional were made public this week at the Tiburon CEO Summit in New York, as Betterment CEO Jon Stein and new Betterment partner and investor Steve Lockshin, known for founding Fortigent and Convergent Wealth Advisors, were both in attendance.

The soon-to-be-released offering from Betterment takes direct aim at existing turnkey asset management platforms, or TAMPs, which include well-known names like SEI, Envestnet, Adhesion, and even Fortigent itself, with an ultra-low cost offering of around 35 basis points all in.

Cut-throat pricing isn’t the only attraction of Betterment Institutional, as both advisors and clients will likely benefit from access to Betterment’s slick online dashboards and mobile app support for Android and iPhone.

So if you’ve considered outsourcing your investment management and reporting to a TAMP, Betterment Institutional will be a solution that deserves your close attention over the coming months.] Steve Lockshin lays out his plans for TAMP-like venture and how Michael Kitces, a public critic of the Betterment CEO, very much fits in

Redtail and Riskalyze Launch Next-Generation Integration Partnership from Riskalyze.com

[And finally, rounding out this week’s update is news of a new integration between Redtail Technology and Riskalyze. Redtail, known for its CRM, email, and imaging solutions, now synchronizes client assets with Riskalyze, a client risk tolerance assessment tool and my pick for best client-facing technology of 2013, on a nightly basis.

In the other direction, Riskalyze updates client risk scores based on the synchronized account information and pushes them along with the client Risk Numbers over to the client’s profile in Redtail CRM. This is a time-saving upgrade as users of both solutions will no longer have to manually switch back and forth to keep assets or Risk Numbers up to date.] Redtail, the industry leader in advisor CRM, email and imaging, and Riskalyze, the company that invented the Risk Number, today announced a next-generation integration partnership that delivers incredible tools for advisors to grow their practices.

And here are stories that didn’t make this week’s broadcast:

The Advisor’s Technology Swiss Army Knife from Morningstar Advisor

One advisor technology startup combines a suite of disparate business-development tools into one effective solution.

Watch FPPad Bits and Bytes for April 11, 2014

The Heartbleed FAQ for financial advisers

Heartbleed for financial advisers

A security flaw dubbed “Heartbleed” has the potential to affect financial advisers and their clients

This is an evolving story, so in the interest of providing financial advisers with pertinent information about a serious vulnerability in Internet security, I’m offering this guide in a FAQ format.

What is Heartbleed?

Basically, “Heartbleed” is the name of a bug in OpenSSL, software that many web-based services use to secure connections over the Internet. When you see the green padlock icon in your web browser’s address bar, chances are your online session is encrypted using OpenSSL.

The Heartbleed bug, discovered earlier this week, allows an attacker to use messages called “heartbeats” to trick a server into passing along sensitive information from its memory. The information could include account passwords or the server’s private encryption keys.

When hackers get access to that information, really bad things can happen.

Lots of additional details on Heartbleed can be found online, but you can start with the Wikipedia entry that is being updated in real time: http://en.wikipedia.org/wiki/Heartbleed

How do I test whether a site is vulnerable to Heartbleed?

Go to this website and type in the domain name of the service you want to test: http://filippo.io/Heartbleed/

The site I tested is vulnerable to Heartbleed! What do I do now?

Oh no! First, assume that your password has been compromised. If you use the same password for other online services, identify the other sites where it’s used.

BUT WAIT! Don’t reset your passwords on the vulnerable sites just yet!

You need to wait until the vendor updates their OpenSSL code to eliminate the vulnerability. Only AFTER you receive confirmation from the vendor that OpenSSL has been updated will it be safe to return to the service and reset your password. Next, skip to the question on multi-factor authentication to increase the security of your online accounts.

The site I tested is all clear. What do I do now?

Whew, what a relief! That one site hasn’t been exposed, but your passwords still may have been exposed from another site. One thing you can easily do to enhance the security of your account is to activate multi-factor authentication (see below).

What’s the multi-factor authentication you mentioned?

Multi-factor authentication is a process where you use two or more factors to successfully log in to a secure account. The “factors” take three forms:

  • Something You Know, like your username, password, PIN, or finger gesture pattern.
  • Something You Have, like your ATM card, security token, smartcard, or mobile phone.
  • Something You Are, like your fingerprint, retina, voice, or typing rhythm.

Combining two or more of these factors substantially increases the difficulty of compromising your online account.

Assume that your password was compromised due to the Heartbleed bug and a hacker attempts to use it. If you implemented multi-factor authentication, the hacker also needs to satisfy the second factor of authentication in order to access your account. If you use your mobile phone to receive a login code, the hacker would not only need to know your password but also have physical access to your mobile phone to obtain the login code.
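To show the scenario above in working code, here is an added example (not code from the FPPad post): a login check that requires both a password and a one-time code, computed with the standard TOTP algorithm (RFC 6238) that authenticator apps use. The user name, password, salt and seed are constructed sample values.

```python
"""Added example, not code from the FPPad post: a minimal two-factor login.

A password leaked through Heartbleed is not enough by itself when the account
also demands a one-time code from a second factor. Codes follow TOTP
(RFC 6238: HMAC-SHA1 over a 30-second time step, 6 digits), the scheme behind
most authenticator apps. All user data below is constructed sample data.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

SALT = b"constructed-salt-value"  # constructed; real systems use a per-user random salt

def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash so a leaked record does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user record: factor 1 is the password (something you know),
# factor 2 is the TOTP seed shared with the user's phone (something you have).
USERS = {
    "advisor@example.com": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_seed": b"constructed-20-byte!",
    }
}

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def authenticate(username: str, password: str, code: Optional[str],
                 now: Optional[int] = None) -> str:
    """Check both factors; return 'ok', 'bad-password', 'code-required' or 'bad-code'.

    Every branch does the same work so response time does not reveal which
    factor failed, and all comparisons are constant-time.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    # Unknown users are checked against a dummy record so the code path is uniform.
    pw_hash = user["pw_hash"] if user else hash_password("")
    seed = user["totp_seed"] if user else b"\x00" * 20
    password_ok = hmac.compare_digest(pw_hash, hash_password(password))
    # Accept the current 30-second step and the previous one to absorb clock skew.
    supplied = code or ""
    code_ok = any(hmac.compare_digest(totp(seed, now - skew), supplied)
                  for skew in (0, 30))
    if user is None or not password_ok:
        return "bad-password"
    if code is None:
        return "code-required"
    return "ok" if code_ok else "bad-code"

def heartbleed_scenario(now: int) -> dict:
    """The post's scenario: an attacker holds the password but not the phone."""
    user, pw = "advisor@example.com", "correct horse battery staple"
    seed = USERS[user]["totp_seed"]
    phone_code = totp(seed, now)                      # what the phone would display
    valid = {totp(seed, now), totp(seed, now - 30)}   # codes the server accepts now
    guess = next(c for c in ("000000", "111111", "222222") if c not in valid)
    return {
        "attacker_with_password_only": authenticate(user, pw, None, now),
        "attacker_guessing_code": authenticate(user, pw, guess, now),
        "owner_with_phone": authenticate(user, pw, phone_code, now),
    }

if __name__ == "__main__":
    for who, result in heartbleed_scenario(int(time.time())).items():
        print(f"{who:30} -> {result}")
```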

Is there a list that shows what sites support multi-factor authentication?

I’m glad you asked! Last week I identified an outstanding resource on multi-factor authentication in this post, Who supports two factor authentication? Find out in this awesome chart.

The site is twofactorauth.org and it’s totally worth your time right now to review the list of services and activate multi-factor authentication for any login.

Can I do something to my web browser to validate the security of my session?

Yes, you can tweak your web browser settings to enforce more stringent security settings for your online sessions. While it’s not a guarantee against the Heartbleed vulnerability, the settings shown below will check if a site’s security certificate has been revoked before establishing a connection.

With thanks to Levi on Twitter, here are some changes you can make to Chrome and Firefox:

Also, courtesy of Dan Santner, here is a link to a more comprehensive scanning tool for a server’s SSL integrity:

The results of that test resemble a grade shown below:

A report generated by the Qualys SSL Server Test

Add your questions below

Did I miss any important details? Is something unclear in one of my answers?

Let me know in the comments below and I’ll update this FAQ accordingly.

Who supports two factor authentication? Find out in this awesome chart

Find out who supports two factor authentication in this awesome chart

Two factor authentication significantly boosts the security of online accounts. Find out who supports the technique.

The damage to your business can be significant if hackers get a hold of your username and password to an online account. Once inside your program, whether it be your online CRM, portfolio accounting software, bookkeeping service, or even custodial dashboard, hackers can perform any number of nefarious activities.

So how do you increase your defenses against attacks and increase the security of your online accounts?

Use two factor authentication (see Boost your online security with two-factor authentication at FPPad)

Where is two factor authentication supported?

Sure, you understand how important two factor authentication is in protecting your online accounts from unauthorized access.

But WHICH online account providers actually support the technique?

I came across a terrific new resource online that spells out, industry by industry, who does and does not support two factor authentication.

The site is twofactorauth.org and it’s worth checking out when you have a moment.

You may discover several services you already use today that support two factor authentication, but you’re not yet using it.

So go visit twofactorauth.org and boost your online account security.

Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can’t trust their clients anymore for a refresher of what spoofing attacks are and steps to defend them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

Once again, according to the Administrative Proceeding, GW & Wade had hundreds of blank Letter of Authorization (“LOA”) forms on file with only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

One could argue, though, that even if GW & Wade HAD tried to obtain a client signature via email, following the spoofed client’s instructions, the attack still would have succeeded.

So assume for a moment that no pre-signed LOA forms existed, GW & Wade likely still would have fallen prey to client spoofing because the company would have tried to obtain a client signature via email. The hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase or a video chat; Why advisers can’t trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine the amount of excess fees charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

FPPad Bits and Bytes for June 21

integration

For financial advisers, integration, no matter how simple or complex, leads to higher revenue, profitability, and income says one survey.

Here are this week’s stories of interest:

What I Learned from Getting Robbed: Part 1 from Advisortechbuzz.com

[This is a last-minute addition to this week’s Bits and Bytes. Here’s a personal story from Commonwealth’s Justin Unton about a robbery at his house and the theft of a bunch of his electronics. Unton strongly advocates the use of two-factor authentication (see: How to enable two-step verification on your LinkedIn account), which renders these devices and online logins useless without access to Unton’s mobile phone. Let this be a lesson to us all: turn on two factor authentication wherever you can to give yourself an additional layer of protection in the event something like this happens to you.] At first, we thought it was our cat, Oscar, who had caused the mass destruction in our living room. We even laughed it off, thinking that he must have seen a fly and done his best puma impression to track it down and pounce on it. That all changed as we went down the hallway to our bedroom and saw the contents of our drawers strewn about the floor.

Envestnet | Tamarac White Paper: Technology Integration Leads To 20% More Annual Income For Advisors from Marketwatch.com

[I think it’s generally common sense to equate the use of integrated software tools with increased profitability. But just in case you have your doubts, here’s a white paper compiled from an Aite Group survey that demonstrates this fact. So what is “some degree” of technology integration? The white paper says it’s single sign-on, manual data sharing, automatic data sharing, and cross-product functionality. Want a copy of the white paper? Visit http://tamaracinc.com/White-Paper-Download.aspx and offer your contact information.] Envestnet | Tamarac, part of Envestnet, Inc., a leading provider of integrated web-based portfolio and client management software for independent advisors and wealth managers, has released a white paper showing that financial advisors at independent RIA practices with some degree of technology integration earn approximately 20 percent more in annual income than their counterparts at independent RIA practices with no technology integration.

AssetBook rolls out mobile portfolio management application from InvestmentNews.com

[AssetBook joins other portfolio management software providers including Black Diamond and Orion Advisor Services (see: Eric Clarke, President of Orion Advisor Services, on additional integrations and mobile apps) in offering a native mobile app advisers can use to view portfolios.] AssetBook LLC announced Friday the release of AssetBook Mobile: a native application for devices running both iOS and the Android operating system.

Smarsh, an archivist for the information age from OregonLive.com

[Smarsh routinely appears on FPPad for email and social media compliance. Clearly they’re a popular service provider among their regulated financial service customers, and that popularity has resulted in dramatic growth of what was once a small start up in the Pacific Northwest.] Companies used to wish away their old correspondence. Old letters were a legal liability, the thinking went, and ought to be destroyed. Smarsh has built one of Portland’s fastest-growing tech businesses by taking the opposite approach, contending that in the information age nothing is ever really gone.

Dell owns 60 percent of Smarsh, with an option to buy more from OregonLive.com

[This is a sidebar to the Smarsh article above, but I felt it important enough to break it out separately. Did you know Dell, yes, that Dell, now owns 60 percent of Smarsh? I didn’t either. That news managed to fly under my radar.] Companies that produce the kind of growth that Smarsh has inevitably attract suitors. But don’t look for a buyout at Smarsh: It’s already happened.

Tweet this: Finra spot-checking firms for social media compliance from InvestmentNews.com

[Surprise, surprise, FINRA is checking broker-dealer reps’ use of social media! It’s not breaking news, FINRA is doing what they’re supposed to be doing: their job! Still, if these spot-checks scare you, here’s what you need to have: 1) a compliance manual that includes your social media policy, 2) documentation that reps are periodically trained, and 3) a monitoring and archiving system that contains the history of social media posts. Is there anything I left out?] The Financial Industry Regulatory Authority Inc. is doing social-media compliance spot checks on some of its member firms. In a notice posted Monday on Finra’s website, the regulator said it wants broker-dealers to identify the sites used by a firm, as well as all individuals who post or update the firm’s content on social-media sites.

How to enable two-step verification on your LinkedIn account

Don’t let hackers compromise your carefully curated LinkedIn profile. Protect your account by enabling LinkedIn’s two-step verification.

Hackers know that if they can trick you into handing over your password to online websites, they can carry out all sorts of nefarious activity.

Protecting Your Digital Assets

Online banks, Google, Dropbox and even Facebook and Twitter have all enhanced the security of user accounts by adding a two-step verification option to the login process (see: Boost your online security with two-factor authentication).

Not only do you need the right username and password to sign in to online accounts, you also need to enter a code sent to your mobile phone. That unique code is the second factor of authentication, drastically increasing the difficulty of hacking in to your account.

LinkedIn’s New Two-step Verification

Finally, LinkedIn has only recently added two-step verification to user accounts.

The video walkthrough above shows you how to quickly turn on two-step verification in your LinkedIn account.

All you need is your mobile phone and two minutes of time to keep your LinkedIn account safe from outside attacks. Go do it!

FPPad Bits and Bytes for February 8

The 2013 T3 Conference

Today I’m headed out early to the T3 conference in Miami, FL. Stop by and say hi if you’re attending; I’m speaking on Tuesday at 1:15pm (Defending Your Business from Hackers) and 2:40pm (Current Technology Trends) and again on Wednesday at 8am (File Sharing and Collaboration Software).

Here are this week’s stories of interest:

Ten Tips That Could Prevent Cyber Criminals from Hijacking Client Data from WealthManagement.com

[Remember the Phishing, Hacking, and Spoofing article I wrote here last year? See: Why advisers can’t trust their clients anymore. Now a bunch of the major financial trade publications are picking up the story on ways advisers need to protect their business and their clients’ personal information, because hackers are exploiting holes in security and are stealing money.] As tablet ownership continues to grow—doubling since 2011—and more than half of U.S. consumers owning a smartphone, according to a 2013 Forrester Research report, advisors need to be more vigilant about data security now more than ever. Below are 10 easily implemented safeguards that could prevent advisors becoming an easy target for cyber thieves.

Windows 8 Review: 5 Things to Know from Financial-Planning.com

[Joel Bruckenstein wrote this good review of Windows 8 and the pros and cons the new operating system offers to financial advisers (See: Windows 8 for financial advisers: Pros and cons from FinFolio CEO Matt Abar). I admit, I couldn’t convince myself to personally buy a copy of Windows 8 to try it on my own. I know, I know, I’m a technology consultant, and I should have experience with ALL software systems available, but still… it’s a Microsoft product, and I stopped using their OS in 2011. Nevertheless, you will likely need to replace an aging Windows machine, and Windows 8 is about your only reasonable option for the OS.] Whenever Microsoft releases a new operating system, it is a significant event. And the latest edition of its operating system, Windows 8 – designed to work on desktop computers, laptops, tablets and smartphones – is much more than a PC operating system.

Dropbox user accounts compromised, new security features to appear

Last night I posted this tweet about a TechCrunch.com article on several compromised Dropbox accounts.

Unlike an issue last summer (see Bug Affects Dropbox Security: What Advisers Need To Know), you need to know that Dropbox’s security was not compromised.

Username and password credentials were stolen from a third-party website, which were then used to log in to associated Dropbox accounts.

In response, Dropbox said in a blog post that it will add new security features in the coming weeks, with two-factor authentication being the most noteworthy (see Boost your online security with two-factor authentication).

Events like this should be a lesson to you, even if you’re not a Dropbox user. Remember to follow good security practices to keep your account credentials safe, such as:

  • Avoid using the same username and password for multiple websites/accounts. Make each password unique for each account.
  • Avoid using unfamiliar or shared computers, as keystroke logging programs or other trojans may be installed without your knowledge.
  • Verify website addresses before typing in your login credentials. Look for the https:// address prefix and make sure you’re not redirected to a phishing website (see Cloud computing for financial advisers: How to stay safe).

In a few weeks, Dropbox should be rolling out the new security features. When they appear for your account, be sure to activate and use two-factor authentication. It’s one additional layer of protection you can add to better protect all the information you keep in your Dropbox account.

Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken in to the client’s email account.

Client Spoofing 

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using “spoofing” techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client’s email account password through keylogging software or by substituting indistinguishable characters in a valid email address (e.g. lower-case “l” and a capital “I”). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser, who has no reason to be suspicious of a request to transfer funds.

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.
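As an added example (not code from the FPPad article or any firm’s procedure), here is a check a back office could run on an emailed wire request: it compares the sender address with the client’s address on file after folding the look-alike characters the article describes, and routes every request to out-of-band verification or rejection. The client roster, confusable table and sample messages are constructed.

```python
"""Added example, not code from the FPPad article: a sender check for
emailed wire requests.

The article notes that spoofers substitute indistinguishable characters in a
valid email address (lower-case "l" for capital "I"). This check compares the
sender of a wire request with the client's address on file after folding such
confusable characters to one canonical form, so a near-miss is flagged rather
than accepted because it "looks right". The client roster, confusable table
and messages are constructed samples.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed client roster: name as it appears in the CRM -> address on file.
CLIENTS_ON_FILE: Dict[str, str] = {
    "Jane Doe": "jane.doe@example.com",
    "Ian Ng": "ian.ng@example.net",
}

def fold(address: str) -> str:
    """Canonicalise an address so visually similar spellings compare equal.

    Case-sensitive substitutions run before lowercasing because a capital I
    is the character that imitates a lower-case l. The table is a small
    constructed sample, not an exhaustive confusables list.
    """
    s = address.strip()
    for lookalike, canon in (("I", "l"), ("1", "l"), ("|", "l")):
        s = s.replace(lookalike, canon)
    s = s.lower().replace("0", "o")
    for lookalike, canon in (("rn", "m"), ("vv", "w")):  # two-letter imitations
        s = s.replace(lookalike, canon)
    return s

def classify_sender(sender: str, on_file: str) -> str:
    """'match' (same address), 'lookalike' (differs only by confusables) or 'unknown'."""
    if sender.strip().lower() == on_file.strip().lower():
        return "match"
    if fold(sender) == fold(on_file):
        return "lookalike"
    return "unknown"

# A match is not proof of identity: in the article's first case the request
# came from the client's own, broken-into mailbox. Every verdict therefore
# ends in out-of-band verification or rejection, never in processing.
ACTIONS = {
    "match": "hold; verify out of band before processing (mailbox may be compromised)",
    "lookalike": "reject; lookalike sender, treat as spoofing attempt and report",
    "unknown": "reject; sender not on file for this client",
}

def review_wire_request(from_header: str, client_name: str) -> Tuple[str, str]:
    """Return (verdict, action) for one emailed wire request."""
    on_file = CLIENTS_ON_FILE.get(client_name)
    if on_file is None:
        return "unknown", ACTIONS["unknown"]
    _, sender = parseaddr(from_header)  # strips display name and angle brackets
    verdict = classify_sender(sender, on_file)
    return verdict, ACTIONS[verdict]

# Constructed inbox: (From header, client the request claims to be from).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ('"Jane Doe" <Jane.Doe@example.com>', "Jane Doe"),    # genuine address
    ('"Jane Doe" <jane.doe@exampIe.com>', "Jane Doe"),    # capital I for l
    ('"Jane Doe" <jane.doe@examp1e.com>', "Jane Doe"),    # digit 1 for l
    ('"Ian Ng" <ian.ng@exarnple.net>', "Ian Ng"),         # rn for m
    ('"Jane Doe" <jane.doe@other.example>', "Jane Doe"),  # not on file
]

def review_inbox(requests=SAMPLE_REQUESTS) -> List[str]:
    """Verdict for each request, in order."""
    return [review_wire_request(hdr, name)[0] for hdr, name in requests]

if __name__ == "__main__":
    for (hdr, name), verdict in zip(SAMPLE_REQUESTS, review_inbox()):
        print(f"{verdict:9} {hdr}  ->  {ACTIONS[verdict]}")
```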

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity versus a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to enable multi-factor authentication for the login process. Multi-factor authentication, which I addressed in this Morningstar Advisor column, requires users to confirm their login through a second device, typically via SMS text messages. Even many credit card companies are adding this additional verification step to their systems.

So don’t fall victim to the next spoofing attack your firm encounters. It’s not a question of whether an attack will occur, but when.

More resources on spoofing:

Boost your online security with two-factor authentication

After participating virtually (i.e. online) in what was likely the busiest shopping weekend of the year last week, I logged in to reconcile one of my credit card accounts. Lo and behold, they added a new security feature to authenticate my account when I used a second computer to log in.

The timing is perfect as my blog post for Morningstar was just posted yesterday, titled Quickview: Get Enhanced Security With Two-factor Authentication.

So Chase recently added a two-factor authentication process it calls an Identification Code to complete your account logon and verify your identity. This is the first screen I was presented at login:

After clicking Next, I was given the option of receiving my code using several contact methods associated with my account profile. Options included voice or text messages to one of my phone numbers or receiving a code via an email account previously registered to my account.

Just as in my blog post, more and more online providers, including free web-based email programs, social network services, and credit card companies, are giving customers the option (and, in Chase’s case, requiring them) to boost their account security by adding two-factor authentication.