NASD issues online security warnings to investors and brokers

Source: NASD

Wireless technologies are making it easier both for investors and for brokers to conduct investment business online, especially from remote locations.

But those same technologies are posing new risks that confidential customer information will get into the wrong hands. Today, NASD issued two formal communications - one aimed at investors, the other at brokerage firms - offering guidance for protecting sensitive information from the hazards that changing technology presents.

NASD's Investor Alert, Protect Your Online Brokerage Account, highlights the risks involved when transacting investment business online and outlines steps investors can take to prevent unauthorized access to their account information. NASD's Notice to Members 05-49, Safeguarding Confidential Customer Information, reminds the more than 5,000 NASD-registered firms that their systems, policies and procedures must adequately address the risks posed by current technologies.

"The Internet makes life a lot easier for investors on the go, but it also presents them with new and serious security concerns," said NASD Chairman and CEO Robert R. Glauber. "Investors have the responsibility to be vigilant when doing business on-line. But firms also have the responsibility to have the right policies and procedures in place to protect investor records and information. NASD's job is to make sure those policies and procedures are in place and operating properly."

NASD's Investor Alert includes tips to help investors keep their information safe, including: thinking twice about using the "remember my username and password" feature when accessing brokerage accounts, especially on a public or shared computer; terminating each online session when finished by logging out, and creating passwords that are unpredictable and counterintuitive.

The Alert also addresses security issues surrounding the use of computers in Wi-Fi hotspots, which provide free Internet connections in places like airports, Internet cafés, or libraries and are often used to reach virtual private networks. These hotspots are becoming more common and pose significant security threats, such as sniffing and evil-twinning. Sniffing uses a program that intercepts data passing over the network to find specific information like passwords and credit card numbers; on an open (unencrypted) hotspot, every packet a customer sends in the clear is exposed this way. Evil twinning (also called WiPhishing) uses an attack computer that mimics the settings of a legitimate Wi-Fi hotspot, above all its network name, but usually offers a stronger signal. The unsuspecting customer connects to this "rogue" access point, which then allows the hijacker to use sniffing technology to read data that the victim might be sending, including login IDs and online account information. Traffic to a brokerage site protected by TLS (an https:// address) is not readable this way unless the victim clicks through a certificate warning, which is one more reason never to do so on a hotspot.
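As an added example (not code from NASD or the Alert), the following Python script applies the evil-twin pattern described above to a constructed Wi-Fi scan. The scan lines, the "known-good" BSSID list and the detection rules are all this example's own assumptions: a network name the user knows, seen from a radio address (BSSID) they do not know, that is open where the real network is encrypted, or that out-powers the real one, is the signature of a rogue access point; any open network is also flagged because its traffic can be sniffed.

```python
"""Heuristic check for evil-twin (rogue) access points in a Wi-Fi scan.

Added example; not code from NASD or the Alert. The detection rules below
are this example's own assumptions, not anything NASD prescribes.
"""
from collections import defaultdict

# Constructed sample scan, one entry per line: SSID,BSSID,SECURITY,SIGNAL.
# "--" in the SECURITY column means an open (unencrypted) network.
SAMPLE_SCAN = """\
AirportFreeWiFi,00:11:22:33:44:01,--,55
CafeNet,00:11:22:33:44:10,WPA2,70
CafeNet,DE:AD:BE:EF:00:02,--,92
LibraryGuest,00:11:22:33:44:20,WPA2,60
"""

# BSSIDs the user has previously verified with the venue (assumed known-good).
KNOWN_GOOD = {
    "CafeNet": "00:11:22:33:44:10",
    "LibraryGuest": "00:11:22:33:44:20",
}


def parse_scan(text):
    """Turn the comma-separated scan text into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = (f.strip() for f in line.split(","))
        entries.append({
            "ssid": ssid,
            "bssid": bssid.lower(),      # normalise so MAC case never hides a match
            "open": security == "--",
            "signal": int(signal),
        })
    return entries


def evil_twin_candidates(entries, known_good):
    """Return {(ssid, bssid): [reasons]} for every access point that looks suspicious."""
    by_ssid = defaultdict(list)
    for e in entries:
        by_ssid[e["ssid"]].append(e)

    findings = {}
    for ssid, aps in by_ssid.items():
        trusted_bssid = known_good.get(ssid, "").lower()
        trusted_ap = next((a for a in aps if a["bssid"] == trusted_bssid), None)
        for ap in aps:
            reasons = []
            if ap["open"]:
                reasons.append("open network: traffic can be sniffed")
            if trusted_bssid and ap["bssid"] != trusted_bssid:
                reasons.append("known SSID served by an unknown BSSID")
                if trusted_ap is not None:
                    if ap["open"] and not trusted_ap["open"]:
                        reasons.append("open copy of an encrypted network")
                    if ap["signal"] > trusted_ap["signal"]:
                        reasons.append("stronger signal than the trusted access point")
            if reasons:
                findings[(ssid, ap["bssid"])] = reasons
    return findings


if __name__ == "__main__":
    results = evil_twin_candidates(parse_scan(SAMPLE_SCAN), KNOWN_GOOD)
    for (ssid, bssid), reasons in results.items():
        print(f"{ssid} ({bssid}): " + "; ".join(reasons))
```

On the constructed scan the second CafeNet entry is flagged on all four rules (open, unknown BSSID, open copy of an encrypted network, stronger signal), the airport hotspot is flagged only as open, and the two verified access points pass. A real client cannot see the attacker's hardware, so BSSID and security comparison against a previously verified list is the practical check; it does not help on a first visit, which is why the Alert's advice is simply not to conduct confidential business on a hotspot.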

Completely securing a computer against unauthorized Wi-Fi access is beyond the scope of the Alert, but it does recommend ways investors can protect themselves, such as shutting off wireless connectivity or removing the wireless network card if they leave the computer unattended; installing a firewall and anti-virus software on any laptop with wireless connectivity; and avoiding conducting confidential business in a Wi-Fi hotspot. For additional information, see the Wi-Fi Alliance's Wi-Fi Security page and NASD's January 2005 Investor Alert, "Phishing" and Other Online Identity Theft Scams: Don't Take the Bait.

NASD's Notice to Members 05-49 reminds registered firms that their systems, policies, and procedures must adequately reflect the latest changes in technology. NASD advises that while there can be no "one-size-fits-all" policy or procedure, each firm should, at a minimum, consider whether its existing policies and procedures adequately address technology currently in use; whether the firm has taken appropriate technological precautions to protect customer information; whether it is providing adequate training to employees regarding the use of available technology and the steps employees should take to ensure that customer records and information are kept confidential; and, whether the firm is or should be conducting periodic audits, to detect potential system vulnerabilities and to ensure that its systems are, in fact, protecting customer records and information from unauthorized access.