For intermediaries and investors alike, cybersecurity has become one of the most important concerns of online trading.
Along with the convenience of online securities trading, cyberattacks have also become more frequent and are posing a constant threat to investors. According to statistics from the Securities and Futures Commission, for the 18 months ended 31 March 2017, there were 27 cybersecurity incidents reported by 12 licensed corporations. Most of these involved trading account hacks that led to unauthorised trading and losses.
Stealing login details
Hackers make every attempt to hack into computers and mobile phones to steal login credentials including login IDs and passwords to take control of and manipulate online trading accounts. Through various social engineering tactics, they prey on people who let their guard down by posing as a representative from a well-known company or someone that you know, and sending emails or mobile messages to trick you into giving away your personal details.
While intermediaries are required to take proactive action to ensure that robust cybersecurity measures are in place, investors should also protect themselves against falling victim to trading account hacks.
Watch out for social engineering traps
Scammers use social engineering tactics to exploit and trick people into revealing crucial and confidential information. They do so by first investigating the victim's background before making their move, such as impersonating a friend, acquaintance, bank or police officer, etc. to gain trust and solicit personal information. Whatever the situation, never disclose details of your account and confidential information to others. Be careful when posting your personal information on social media websites. Some of these personal information, such as date of birth, telephone number, pet's name, etc. could be the answers to the questions for resetting your account passwords.
Moreover, hackers can also trick people into providing personal details or clicking on the malicious hyperlinks via phishing e-mails, fraudulent websites, suspicious mobile apps and messages on social media. You can refer to the Protecting against Phishing Attacks section of the InfoSec website to protect your personal details against these social engineering attacks.
Run antivirus software on a regular basis
Being online exposes you to the threats of different viruses. If your computer or mobile device is infected by a hacking virus, hackers can track your keystrokes when you login to obtain your username and password to manipulate your account. Scan your computer and mobile devices regularly with the most updated version of antivirus software to detect and remove any malicious software. You can use a real-time scan which offers the best protection, an on-demand scan where you can run it manually, or you can even automatically schedule for it to run on a daily basis.
Set up a strong password
Hackers tend to go for the easiest options and exploit by trial-and-error with common and simple passwords. You may think it obvious to avoid simple and lax combinations such as "123456" or "password", but these are in actual fact the most commonly-used worst passwords. Create passwords that are unique and not associated with your personal information. Add some complexity by including upper and lower case, alphanumeric characters and symbols. Depending on the required length of the password, you can even use a phrase and mnemonics to make it even harder to crack (e.g. "I have 2 dogs and 1 cat" can translate to "Ih2d&1c"). In addition, passwords must be changed on a regular basis, and do not re-use your old password.
Passwords are not foolproof
Hackers can be very determined and they are getting better at exploiting vulnerabilities. Therefore, ongoing user awareness and good security practices are countermeasures to reduce the risk of hacking. Extra login security such as two-factor authentication (2FA) provides an added layer of security protection. Two-factor authentication involves a combination of two different types of authentication measures, such as the use of password authentication with a one-time SMS password/ hardware token/ software token/ digital certificate or biometric data.