Have you been watching the news lately? Have you heard about the most recent data leak from this and that website?
If you did, it most likely means hackers breached a very large company and posted their loot somewhere online, where third parties could access it and verify its origin. That is why you heard of it.
LinkedIn comes to mind; many, many of us were affected by it.
Most data leaks in the Forex industry come from within companies: willingly or unwillingly, people often hand the keys over one way or another. But today I want to talk about something else: what a Forex brokerage can do to maximize data integrity and prevent leaks.
Let’s start with mitigation. You have to be sure that every digital asset on your servers and on every laptop is backed up.
Setting up local backups is easier than it seems: all you need are external hard drives for all of your employees and some free software to do automated incremental backups (EaseUS for PC or the built-in Time Machine for Mac, for example).
This way, even if you are hit by ransomware, the perpetrators won't be able to hold your data hostage – you have a backup. Another bonus: you will save at least a day of work when your PC or hard drive fails. Note that it's a 'when', not an 'if'.
Setting up backups on your servers is even easier, as all cloud-based servers can be backed up by the providers and no extra hardware or software is needed. Non-cloud servers can be backed up the same way as the local PCs.
Let's now talk about prevention. Here I'd like to focus on the risks of your applications and data being connected to the internet:
#1: Website – Your website is likely powered by a CMS such as WordPress. WordPress is a solid system proven by years of use; it succeeded where millions of others failed. Even WE used to have an internally built CMS.
But the security issue with WordPress is not actually in WordPress itself, it's in the plugins, themes and various extensions. Everything needs to be backed up, and there should be a person or a company on call, ready to update every plugin and to restore things from backup.
The rule of thumb here: do not store any customer data on anything that touches WordPress. It is only a matter of time until one of the plugins or themes gets compromised.
Another tip: once your website is complete, run it through at least one penetration and vulnerability testing tool. Yes, it will cost a bit extra, but it's better not to risk your reputation. Even though your website does not store customer data, it's not a good look for your clients to be notified by their browser that your website has been compromised.
#2: Your Forex Trading Platform. Over the years we've worked with at least 7 trading platforms. They are all very different, but one thing that unites them is that their IPs and ports are exposed to the world and publicly known. Make sure to use secure passwords and keep your hosting servers securely firewalled. I've only worked with commercial trading platforms; their source code is very well guarded, and that can be a good thing as well as a bad one.
Good because it’s not possible to take a peek at the actual code – it’s well encrypted.
Bad, because nobody but the vendor's corporate structure is in charge of it, so some obvious security issues may go unnoticed.
Another thing: since many trading platform providers sell you the software and leave the broker in charge of setup, it seems natural to put it up on a server and be done with it. And this is where you may not even be aware that that server may already be compromised.
#3: Forex CRM and other Third Party Systems. There are a lot of APIs integrated between the website and the trading platform, all with significant access to data. There is no way to avoid it. These applications are PSPs handling your customer payments, payment aggregators (systems that pass clients on to PSPs), affiliate systems, IB systems, reporting systems, marketing systems, and much more.
The most natural request is to say: "Can I host the data?" It is a bit counterintuitive, but it's likely less secure for you to host your data than to trust a third party.
I'll tell you a story that happened to me once. I spun up a new virtual server; I needed to test something, and I needed it to be in China. So I created a Linux cloud server in Hong Kong, went to make a coffee, and then SSHed into the new server. When I navigated to the home directory there were 2 files there: one massive archive file and a text document saying that we've encrypted your data, if you want to decrypt it send us some amount of Bitcoin – I remember it was a reasonable amount, like 500 USD worth or so. But I actually had nothing on the server, it was brand new! So I checked the logs, and it was clear someone had hacked into it while I was making a coffee… Well, it was not someone, it was something: just some bot that checks for newly issued IPs from certain providers and tries its luck.
So if you get to host your data, it's not like your server is more secure because YOU bought it. It takes a lot of effort to keep things updated and encrypted, so it's better to leave it with third parties.
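Checking the logs the way the story describes, as an added example that is not part of the original post: the Python below parses a few constructed OpenSSH auth-log lines (not a real capture), counts failed logins per source address and flags any accepted login that follows a run of failures from the same address, which is the trace such a bot leaves behind when a password guess succeeds. The log format and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 09:01:02 hk-test sshd[1201]: Failed password for root from 198.51.100.23 port 51522 ssh2
Mar  3 09:01:03 hk-test sshd[1201]: Failed password for root from 198.51.100.23 port 51530 ssh2
Mar  3 09:01:04 hk-test sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51544 ssh2
Mar  3 09:01:05 hk-test sshd[1205]: Failed password for root from 198.51.100.23 port 51560 ssh2
Mar  3 09:01:07 hk-test sshd[1207]: Accepted password for root from 198.51.100.23 port 51578 ssh2
Mar  3 09:15:40 hk-test sshd[1300]: Accepted publickey for deploy from 203.0.113.8 port 40022 ssh2
Mar  3 09:16:01 hk-test sshd[1302]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user x from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyse_auth_log(text, threshold=3):
    """Return (failures_per_ip, suspicious_logins).

    suspicious_logins holds (ip, user, method) for every accepted login that was
    preceded by at least `threshold` failed attempts from the same address.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user, method, result = m["ip"], m["user"], m["method"], m["result"]
        if result == "Failed":
            failures[ip] += 1
        elif failures.get(ip, 0) >= threshold:
            suspicious.append((ip, user, method))
    return dict(failures), suspicious

if __name__ == "__main__":
    fails, hits = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in sorted(fails.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed attempts")
    for ip, user, method in hits:
        print(f"ALERT: {ip} logged in as {user} via {method} after repeated failures")
```

On a real host the same function can be fed the contents of /var/log/auth.log; a key-only login after failures from the same address is worth a look even when the count is below the threshold.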
If you do get to host your application, do it the right way: host the application separately from the database, I mean on a separate server. Allow access to the database only from the application server and maybe a VPN. Nowhere else. Bonus points: if the application allows it, encrypt the data. Not just passwords – all data. And keep the decryption key on yet another server. This way perpetrators will need to hack into at least 2 servers instead of one, and that's a lot more difficult.
If you don't get to host your data, employ a third party to do a penetration test. Yes, it will cost extra, but it's the best and easiest thing you can do to secure the data and save yourself a lot of headache.
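The layout just described, as an added Python example (not code from the original post): the data key lives on a key-server host and is handed only to the application host, the database host stores nothing but ciphertext, and db_dump_reveals() shows what a breach of the database server alone yields. The cipher is a stdlib stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) assumed for illustration only, and the shared token between app and key host is an assumption as well.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher from the stdlib (HMAC-SHA256 CTR keystream, encrypt-then-MAC) so the example runs offline; a real deployment would use AES-GCM from a vetted library.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyServer:
    """Third host: hands the data key only to a caller presenting the app server's token."""
    def __init__(self, app_token):
        self._key, self._app_token = secrets.token_bytes(32), app_token
    def get_key(self, token):
        if not hmac.compare_digest(token, self._app_token):
            raise PermissionError("only the application server may fetch the key")
        return self._key

# The database host stores ciphertext only: a dict standing in for a table.
def app_store(db, key, client_id, record):
    db[client_id] = encrypt(key, record)

def app_load(db, key, client_id):
    return decrypt(key, db[client_id])

def db_dump_reveals(db, needle):
    """What a breach of the database host alone yields: is `needle` readable in any row?"""
    return any(needle in blob for blob in db.values())

def demo():
    token = secrets.token_bytes(16)          # assumed shared secret between app host and key host
    key = KeyServer(token).get_key(token)    # app host fetches the key at start-up, never stores it on disk
    db = {}
    app_store(db, key, "C-1001", b"Jane Doe, IBAN GB00TEST0000000000, balance 12500.00")  # constructed record
    return db_dump_reveals(db, b"IBAN"), app_load(db, key, "C-1001")
```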
Finally, here is a shortlist for your client facing applications:
- Use Cloudflare or similar CDN
- Use encrypted connections (SSL/HTTPS, SSH, SFTP)
- Make sure your Payment systems are PCI compliant
- Adopt complex passwords and Multi-Factor Authentication
- Host on Linux when possible
With our help and guidance, you will be able to quickly gain a solid client base and develop an excellent reputation.
Kenmore Design has representation worldwide and we are looking forward to seeing more of you in 2022!