Online Security

A major concern for anyone transmitting personal information over the Internet is security, especially when it comes to your investments and the ability to access your account. "How does the security system work?", "Can it be trusted?", and "What about hackers?" are just some of the questions posed by individual investors. Understanding how on-line transactions are conducted and how they are secured should help dispel some of the fears.

First of all, Internet commerce is not dangerous and, with the right browser software, can in fact be a very safe means of conducting a transaction—whether that is purchasing a best-selling novel or 1,000 shares of a best-selling stock. Yes, the Internet is still a new and dynamic medium for communication and the exchanging of data. But state-of-the-art security technology is at work in the on-line brokerage firm's systems.

The on-line discount brokerage firms as an industry boast a perfect track record when it comes to the issue of security and unbreachable accounts. "Security breaches just do not happen," says Michael J. Anderson, president of TD AMERITRADE, Inc. "We (as an industry) have not had anything like that happen as of yet."

Many firms have established a separate in-house department to handle security issues, specifically those involving on-line, Internet-based transactions. "TD AMERITRADE has a new director of information security who is constantly looking at new technology," says Anderson. "We (TD AMERITRADE) take any and all proactive steps to maintain and enhance our levels of security."

As one example of this attention to security detail, TD AMERITRADE has recently added a "time-out" feature to its Internet trading interface. After a certain period of inactivity, a customer in the trading area will be automatically logged out by the system. Another security feature from TD AMERITRADE is "three strikes and you're out."
If the correct PIN number is not entered within three tries, the account will be blocked, preventing unauthorized individuals from accessing your account. Your account can only be re-enabled for access by an authorized individual who must contact TD AMERITRADE directly and answer several security/verification questions.

Another security misconception is that of hackers accessing your cash balance and going on a shopping spree. If and when a request is made to mail out a check against funds in an on-line account, the check can only be transferred to a bank account and made payable to the name of the person(s) on the account.

Browser Software

Some brokers require a certain level of encryption strength for browser software. Encryption is simply the encoding of information. A 128-bit encryption level is the current standard and, combined with SSL version 2.0, is the highest level of on-line security available. Due to U.S. export restrictions, however, you may need to upgrade a standard installation of a browser to this higher security level. All three browsers mentioned above can easily be upgraded to 128-bit certification by downloading an update from the browser manufacturer's Web site.

The 128-bit number refers to the size of the key involved in encrypting the communication between your browser and the on-line broker's server—the larger the key, the stronger the level of encryption. Both parties need to be at the same level of encryption in order to communicate and execute a trade for your account.

Trade Execution

On the 128-bit encryption level, the browser software—via your PIN number and password—explains to the firm's server that you are who you claim to be: Joe X, an account holder looking to place a trade. The firm's server, via its SSL, authenticates itself as the server of the firm you are attempting to access.
This handshake results in your browser and the server agreeing on the level of security they will share, in this case 128-bit, and fulfills any further authentication requirements necessary for the connection.

The next step is the encryption of all traffic between your browser and the firm's server. This encryption, referred to as message privacy, is done via a session key that works with the 128-bit browser key (or public key) and the 128-bit server key (or private key). The session key encrypts your order and passes it through to the brokerage firm's server. The same session key then decrypts the order so that the server can read the message and the trade will then be executed. The session key is used only for this transaction and is discarded.

During this second exchange of information, further encryption takes place. Throughout the exchange, a complete level of integrity must be maintained. This is referred to as message integrity. Message integrity simply ensures that the data being sent is received and processed accordingly. A cryptographic word count, or checksum, is taken to ensure that the exact same number of bytes is being transmitted and received.

The entire on-line commerce process is conducted only with the proper level of communication encryption—128-bit—and the proper protocol for secure communications—SSL. Without either one, safety is lost and the exchange will not take place. Most, if not all, on-line discount brokers provide this kind of protection. To verify that a potential broker offers this level of security, browse the Web site for security details, contact the broker with specific questions, and request literature on the topic.
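The message-integrity step described under Trade Execution, as an added example (not code from the article or from any brokerage): a keyed checksum computed with a per-transaction session key rejects an order that was changed in transit even when the number of bytes is unchanged. HMAC-SHA256, the function names and the order format are assumptions for illustration; encryption of the order (message privacy) is not shown.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def new_session_key():
    """Fresh random 128-bit key, used for one transaction and then discarded."""
    return secrets.token_bytes(16)


def protect(session_key, order):
    """Sender side: append a keyed checksum (HMAC-SHA256) to the order bytes."""
    tag = hmac.new(session_key, order, hashlib.sha256).digest()
    return order + tag


def verify(session_key, wire):
    """Receiver side: return the order if the tag matches, else None."""
    if len(wire) < TAG_LEN:
        return None
    order, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(session_key, order, hashlib.sha256).digest()
    # compare_digest avoids leaking how many tag bytes matched
    return order if hmac.compare_digest(tag, expected) else None


def change_same_length(wire, old, new):
    """Constructed fault: alter bytes in transit without changing the length."""
    assert len(old) == len(new)
    return wire.replace(old, new, 1)


def demo():
    key = new_session_key()
    order = b"acct=JoeX;side=BUY;qty=1000;symbol=XYZ"  # constructed sample order
    wire = protect(key, order)
    altered = change_same_length(wire, b"qty=1000", b"qty=9000")
    return {
        "same_length": len(altered) == len(wire),
        "intact_accepted": verify(key, wire) == order,
        "altered_accepted": verify(key, altered) is not None,
        "wrong_key_accepted": verify(new_session_key(), wire) is not None,
    }
```

A byte count alone would accept the altered order here, since its length is identical; the keyed tag is what causes the receiver to reject it.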
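The "time-out" and "three strikes and you're out" controls described under Online Security, as an added example (not TD AMERITRADE's code): a per-account guard that blocks after three wrong PINs, keeps the block even if the correct PIN follows, and ends idle sessions. The class and method names, the 15-minute idle window and the in-memory PIN are assumptions for illustration; a production system would store only a salted hash of the PIN.

```python
import hmac
import time

MAX_PIN_TRIES = 3          # "three strikes" from the article
IDLE_TIMEOUT_S = 15 * 60   # assumed value; the article says only "a certain period"


class AccountGuard:
    """Tracks failed PIN tries and session idle time for one account."""

    def __init__(self, pin, clock=time.monotonic):
        self._pin = pin
        self._clock = clock
        self.failed = 0
        self.blocked = False
        self.last_seen = None   # None means no active session

    def login(self, pin_attempt):
        # Once blocked, even the correct PIN is refused until staff re-enable.
        if self.blocked:
            return "blocked"
        if hmac.compare_digest(pin_attempt.encode(), self._pin.encode()):
            self.failed = 0
            self.last_seen = self._clock()
            return "ok"
        self.failed += 1
        if self.failed >= MAX_PIN_TRIES:
            self.blocked = True
            return "blocked"
        return "denied"

    def touch(self):
        """Call on every request; returns False once the session has idled out."""
        if self.blocked or self.last_seen is None:
            return False
        now = self._clock()
        if now - self.last_seen > IDLE_TIMEOUT_S:
            self.last_seen = None   # automatic log-out
            return False
        self.last_seen = now
        return True

    def reenable(self, verified_by_staff):
        """Only a request verified out of band clears the block."""
        if verified_by_staff:
            self.blocked = False
            self.failed = 0
        return not self.blocked
```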