
Pepperstone data leak: Kudos for handling it correctly! – FinanceFeeds


Pepperstone does the right thing and holds its hand up to a data leak, reassuring customers. We look into why cyber security is so important in FX; here is our full and detailed report.

Putting your hand up and admitting important matters in a transparent fashion is the number one tenet of running a business properly.

On this basis, absolute kudos must go to Australian retail FX and CFD company Pepperstone this week, notably around the way in which the company dealt with a data leak that temporarily plagued its systems.

This is the first time in my 29-year career in FX, most of which has been within the infrastructure and systems development sector, that I have ever seen any company in any capacity, whether a bank, liquidity provider, platform vendor or integration specialist, openly admit that a data leak has occurred and actively reassure customers, without being prompted, that all is well.

As client and transaction data privacy and security are so critical in financial services, most companies hide any mishaps until it is too late, resulting in mass complaints, uncertainty and eventually a poor reputation. In the case of Pepperstone, however, clients and partners should hold the company in high esteem for its self-prompted reaction.

In a notice to customers yesterday at 13.07 UK time, Pepperstone explained that it had been the subject of a data leak, and detailed exactly what had happened, reassuring clients that absolutely no potential harm could come to their trading account or funds held with the company.

The company referred to it as a “data security incident which impacted people who had registered for a Pepperstone live or demo trading account.”

The company then listed exactly the data which their investigation showed had become exposed, those aspects being registrants’ name, contact details including address, date of birth and security questions and answers that were chosen.

Pepperstone confirmed categorically that trading accounts, passwords and bank account information had NOT been compromised and are safe.

This is a very courageous and transparent move from Pepperstone, and is one which will instil confidence in its client base and Pepperstone should be commended for it. Consumer confidence is vital, and reaching out to reassure clients is the right thing to do. I personally hope Pepperstone gets recognized for this.

Cyber security is a very important factor in all areas of financial services, and in many large-scale, electronically operated financial markets businesses such as Tier 1 banks, exchanges and insurance companies, it is common practice for professional services consultancies such as Accenture, Steria, Fujitsu or Capita to have their consultants on site on a contracted basis to manage data security.

Here in London, almost anyone who lives in central areas of the city will have a neighbor or friend who works for one of the big consultancies and is assigned to a financial services company as a data security architect.

But this does not exist in the FX industry. Even the very large FX brokerages do not utilize IT consultancies for data security, largely because many brokerages do not consider technology to be the heart and lifeblood of our industry, even though it absolutely is.

In many cases, data leaks and outages have been intentionally ignored.

Two years ago, Tim Thompson, CEO of British payment service provider and risk management technology company NOIRE, explained to FinanceFeeds that FX brokerage accounts are usually accessible online needing only a username and password, which leaves sensitive data exposed and opens the door to fraudulent withdrawals.

“It can start in a number of ways,” explained Mr. Thompson. “These methods include fraudsters phishing customers’ details through emails pretending to be from the broker and telephone calls, and Trojan malware programs, often downloaded as trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”

Mr. Thompson had categorically stated that he had been aware of several successful attempts by hackers to access FX customer trading accounts and successfully facilitate withdrawals, something which prevailed during the course of last year.

FinanceFeeds knows that this has happened to a few large brokerages, one of which was FXCM around 5 years ago, and there have been many cases of this among Japanese brokerages, but they have kept quiet about it.

GMO Payment Gateway, one of the largest electronic payment systems in the world admitted a payment gateway data breach in 2017, but that was only after it was made to admit it.

As the technology that counters hacking and cyber crime continues to be a subject of great investment by developers, the unfortunate reality is that, rather like germs that increase their immunities to improvements in medicine, the viruses and methods used by hackers are also highly evolutionary, and most FX firms aren’t interested in investing in such technology.

Over the past two years, ransomware continues to be a bugbear that most online trading firms and e-commerce entities should be aware of.

This, according to many internet security specialists, continues to develop in sophistication and will likely become a worse problem in 2017 than it was last year.

Ransomware is a form of malware that is used to encrypt all data held on computers or on smartphones that do not use the iOS operating system.

The idea behind it is that it allows a hacker to extort an amount of money from the owner of the data – for example customer records held in an online trading company’s CRM – and if the amount requested is not paid, then the hacker deploys the encryption and destroys the data.

This is often used against not only commercial enterprises but also government agencies, therefore the extent of its level of sophistication and ability to penetrate security systems is patently obvious.

A particular thing to check here is affiliate links.

When inserting affiliate links into websites, it is advisable to check that they remain exactly as originally defined and do not show unusual or different characters from those present when they were inserted. Altered links could be used to deploy ransomware, so an advertisement which looks quite correct when viewed on a broker website may be contaminated with malware, and once it is there, it is very difficult to remove.
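One way to carry out the check described above, as an added example that is not FinanceFeeds’ or any broker’s code: the affiliate links found in a page are compared against the list the site owner originally inserted, and any link that has changed, points at an unknown host, or carries characters outside printable ASCII (the usual sign of a lookalike domain) is reported. The manifest, page fragment and host names are all constructed samples.

```python
"""Affiliate link integrity check (added example; all inputs are constructed samples)."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed manifest: affiliate links exactly as they were originally inserted.
ORIGINAL_LINKS = {
    "https://partner.example-broker.com/go?aff=1234",
    "https://ads.example-network.com/click/5678",
}

# Constructed page fragment: the second link has a swapped affiliate id,
# the fourth carries a Cyrillic 'а' (U+0430) in place of the Latin 'a'.
SAMPLE_HTML = """
<a href="https://partner.example-broker.com/go?aff=1234">Open account</a>
<a href="https://partner.example-broker.com/go?aff=9999">Open account</a>
<a href="https://ads.example-network.com/click/5678">Trade now</a>
<a href="https://ads.ex\u0430mple-network.com/click/5678">Trade now</a>
"""


class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def unusual_chars(url):
    """Return the characters of url that lie outside printable ASCII."""
    return [c for c in url if not (0x20 <= ord(c) < 0x7F)]


def check_links(html, original):
    """Return (href, reason) pairs for every link that deviates from the manifest."""
    parser = LinkCollector()
    parser.feed(html)
    known_hosts = {urlsplit(u).hostname for u in original}
    findings = []
    for href in parser.hrefs:
        odd = unusual_chars(href)
        if odd:  # report before parsing: a homoglyph host must never be trusted
            names = ", ".join(unicodedata.name(c, "?") for c in odd)
            findings.append((href, f"unusual characters: {names}"))
            continue
        if href in original:
            continue
        if urlsplit(href).hostname in known_hosts:
            findings.append((href, "known host but link differs from original"))
        else:
            findings.append((href, "link not in original manifest"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML, ORIGINAL_LINKS):
        print(f"{reason}: {href}")
```

Running this over a live page on a schedule, and comparing against the manifest stored outside the web server, turns the advice above into a repeatable control.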

Brokerages, IBs and their clients should be very wary of emails which prompt them to update their passwords. For clients, these could be trading account access passwords, for IBs they could be portal or CRM passwords and for brokers they could be back office passwords.

For anything that appears to be automatically generated and does not come from what looks like the correct format of internal corporate email address, our advice is not to click on it, as it could contain code that grants hackers access to the trading accounts of retail clients, to the database owned by a broker or, even worse, to the withdrawals system.
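The sender check described above, as an added example that is not FinanceFeeds’ or any broker’s code: each message is parsed, and one that asks the recipient to update or reset a password is flagged when its From address is not on the firm’s own domain, when Reply-To points somewhere else, or when the sending domain merely resembles the corporate one. The corporate domain and the three messages are constructed for the example.

```python
"""Triage of password-update emails against the expected corporate sender
(added example; the domain and all messages are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example-broker.com"}  # assumed internal domain (constructed)
RESET_PHRASES = re.compile(r"(update|reset|verify|confirm)\s+your\s+password", re.I)

SAMPLE_MESSAGES = [  # constructed: benign notice, lookalike Reply-To, lookalike From
    "From: IT Support <it@example-broker.com>\nSubject: Quarterly notice\n\n"
    "No action needed.\n",
    "From: Security <security@example-broker.com>\n"
    "Reply-To: helpdesk@examp1e-broker.com\n"
    "Subject: Please update your password\n\nClick the link.\n",
    "From: Back Office <backoffice@example-broker-login.com>\n"
    "Subject: Action required: reset your password\n\nClick here.\n",
]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _similar(a, b):
    """Cheap similarity: same length and at most two differing characters."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 2


def lookalike(domain, trusted):
    """True when domain is not trusted but embeds or closely resembles a trusted name."""
    return any(
        t != domain and (t.split(".")[0] in domain or _similar(t, domain))
        for t in trusted
    )


def triage(raw):
    """Return the reasons to distrust a message; an empty list means no flag."""
    msg = message_from_string(raw)
    reasons = []
    text = msg.get("Subject", "") + " " + msg.get_payload()
    asks_reset = bool(RESET_PHRASES.search(text))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if asks_reset and from_dom not in CORPORATE_DOMAINS:
        reasons.append(f"password request from non-corporate sender {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    for dom in {from_dom, reply_dom} - CORPORATE_DOMAINS - {""}:
        if lookalike(dom, CORPORATE_DOMAINS):
            reasons.append(f"lookalike domain {dom}")
    return reasons


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw) or ["no flag"])
```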

Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit. The theft of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend. Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane, and there is absolutely no reason at all why this type of espionage could not take place in the online trading firm, with counterfeiters wanting to get hold of new platform designs (MetaTrader 4 is the subject of massive counterfeit activity in China, and now with MetaTrader 5 having risen to popularity, espionage is not something to rule out).

The same applies to R&D departments of brokerages which have their own platforms and multi-asset offering, as hackers could spy on new unreleased designs and emulate them in order to beat them to market.

One thing to consider is that investment in cyber security startups has rocketed over the last few months. The Israel Export Institute stated at the Israel HLS & Cyber Conference that investment in cyber-security startups climbed more than threefold and exports increased 15% in the first half of the year, compared with the same time in 2015. That made Israel the No. 2 destination for cyber-security investment globally after the United States.

A clear indication that any online financial product is not immune from cyber threats is that even central banks and large institutions have experienced some very damaging interference from outside.

The 2017 hacking of Britain’s Tesco Bank, the Bangladesh Bank and Russia’s Central Bank were just the tip of the iceberg of attacks on banks around the world that have been successfully perpetrated by groups such as the Carbanak gang for several years.

These days, the institutional sector has in some form adopted systems that provide dedicated connectivity. Venue-neutral Canadian infrastructure provider TMX Atrium put in place points of presence between Paris, London, Frankfurt and Moscow during 2013. However, this venue-based connectivity has not filtered its way into the OTC retail sector on a widespread scale, a likely reason being that the cost of implementing dedicated infrastructure is high for many smaller retail firms, especially when margins are low once spread, IB commission, client acquisition and retention costs and operating expenses are taken into account.

Going back 10 years, I had endless contact with TMX as it continued to major on this infrastructure, but now all has gone quiet. Most retail brokerages don’t know what points of presence are, let alone care about how they can secure not only the speed of transaction and give them an edge over other firms, but also the security of client data.

In October 2016, Integral Development Corporation experienced an outage between the hours of 8.43am and 10.50am EST on the 19th day of the month, having its cause rectified later that day during a planned maintenance session.

FinanceFeeds contacted senior executives at Integral Development Corporation in order to establish the cause of this and to gain perspective on how it was resolved, however no reply was proffered, thus FinanceFeeds conducted investigations via trading logs and back office systems reports of several industry partners.

Whilst the reports from the back offices at various sources confirmed the outage, it is important to research the cause. According to various industry information gathered by FinanceFeeds, the cause of the outage was rectified during planned maintenance later in the day, which itself took 15 minutes longer than usual.

According to several industry sources, the outage occurred during the morning. At approximately 5.00pm Eastern Standard Time, during the period colloquially known as ‘roll’, when a number of server restarts happen and many traders in jurisdictions outside North America are inactive, Integral Development Corporation conducted maintenance which included a resolution to the cause of the outage earlier in the day.

This calls into question whether a backup system should be in place which diverts to an emergency server farm in the case of such an outage. Such systems have been commonplace in financial technology infrastructure for many years, including during my early years from 1991 onwards, when infrastructure providers were continually testing uninterruptible power supplies (UPS) and constantly uploading entire data sets onto DAT tapes, to be able to switch to other servers in the event of an outage.

More recently, the bandits appear to be as smart as even the largest of institutional internet security firms, hence vigilance and investment in keeping the entire intellectual property, client assets and structure of online trading businesses secure is now paramount.

Well done Pepperstone, keep up the good work. Maybe now is the time to lead the way and bring in the cyber security companies, host a few events on cyber security in the FX industry and raise awareness. This would build the steps toward our industry taking this as seriously as other financial markets sectors.
