Web site security is particularly important in the financial services sector, in which large sums of money and sensitive financial details are at stake. But, according to experts, security can be dangerously inadequate.

Part of the problem, says Michael Legary, founder of Winnipeg-based security consultancy Seccuris, is that small investment firms with little IT expertise feel pressured to provide online services to clients. “But because they don’t have the internal resources, a lot of technical security flaws fall through the cracks,” he says. This leaves them open to attacks.

The attacks are many and varied. A practice called “cross-site scripting” is the biggest problem, says Brian O’Higgins, chief technical officer at Ottawa-based Third Brigade, a provider of intrusion prevention systems designed to spot and block attacks on Web applications.

Cross-site scripting takes advantage of the fact that Web pages can contain scripts that run in the browsers of visitors’ computers. A malicious Web page or link can direct visitors to a legitimate Web page while inserting malicious script code into that page in the process, so the script runs in the visitor’s browser as if it came from the legitimate site. Such attacks have been used to alter the information on company Web pages and even to manipulate user accounts.
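The flaw the paragraph describes is a page echoing user-supplied input into its HTML without encoding it. The following is an added illustration, not code from the article or from any product it mentions: a vulnerable render function beside its hardened counterpart, plus a small check a reviewer could use to tell them apart. The parameter name `q`, the page template and the probe string are all constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string, percent-encoded as a browser would send it.
# It carries markup in the hypothetical "q" search parameter; the tag body is inert.
SAMPLE_QUERY = "q=%3Cscript%3Eprobe()%3C%2Fscript%3E"

PREFIX = "<p>Results for: "
SUFFIX = "</p>"


def _search_term(query_string: str) -> str:
    """Extract the first value of the hypothetical 'q' parameter."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the visitor's search term is pasted straight into the
    page, so any markup it contains becomes part of the page's DOM."""
    return f"{PREFIX}{_search_term(query_string)}{SUFFIX}"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-encode the term before inserting it, so the browser
    displays it as text instead of interpreting it as markup."""
    return f"{PREFIX}{html.escape(_search_term(query_string), quote=True)}{SUFFIX}"


def contains_markup(page: str) -> bool:
    """Review check: does the rendered body between the fixed prefix and suffix
    still contain raw angle brackets (i.e. unencoded markup)?"""
    body = page[len(PREFIX):len(page) - len(SUFFIX)]
    return "<" in body or ">" in body


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_QUERY))
    print("safe:  ", render_safe(SAMPLE_QUERY))
```

Output encoding at the point of insertion is the core mitigation; the same check applied to a site's own templates (or automated in a test suite) is how a reviewer finds the places where it was forgotten.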

Another common attack — an “SQL injection” — occurs when a hacker tailors an entry on a Web form so that the Web server interprets it as a direct query to the database. “Almost every client in financial services that was assessed this past year had some type of an SQL injection issue,” says Legary.
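The paragraph describes a form field whose contents end up interpreted as part of the query itself. As an added example (not code from the article or from any firm it mentions), the block below builds a constructed in-memory client table and contrasts the vulnerable string-concatenation pattern with a parameterized query, adding the input validation a practitioner would layer on top. Table and column names, account numbers and balances are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny client table with made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (account_no TEXT, owner TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [("1001", "alice", 2500.0), ("1002", "bob", 9800.0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, account_no: str) -> list:
    """Vulnerable pattern: the form field is spliced into the SQL text, so the
    database runs whatever the client typed as part of the statement."""
    sql = f"SELECT account_no, owner, balance FROM clients WHERE account_no = '{account_no}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_no: str) -> list:
    """Hardened pattern: the value is passed as a bound parameter, so the
    database treats it strictly as data, never as SQL syntax."""
    sql = "SELECT account_no, owner, balance FROM clients WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


def is_valid_account_no(value: str) -> bool:
    """Defence in depth: reject anything that is not a plausible account number
    (constructed rule: four to twelve digits) before it reaches the database."""
    return value.isdigit() and 4 <= len(value) <= 12


def lookup_validated(conn: sqlite3.Connection, account_no: str) -> list:
    """Validate first, then query with a bound parameter."""
    if not is_valid_account_no(account_no):
        return []
    return lookup_safe(conn, account_no)


# Constructed form input: syntactically a string literal, but it changes the
# meaning of the concatenated query so the WHERE clause matches every row.
TAMPERED_INPUT = "1001' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe rows:", lookup_unsafe(db, TAMPERED_INPUT))
    print("safe rows:  ", lookup_safe(db, TAMPERED_INPUT))
    print("validated:  ", lookup_validated(db, TAMPERED_INPUT))
```

Bound parameters are the fix; the validation step is there because the two controls fail independently, and a length-and-charset rule also gives a logging point for rejected input that a monitoring team can alert on.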

Transactional Web sites operated by small investment advisory firms are often run using off-the-shelf software that may have been implemented with minimal custom configuration, Legary says. “Few of those packages have been thoroughly tested for common security flaws,” he adds.

Even when security software is in place, companies may fail to patch and update the software as new flaws become known, rendering them increasingly vulnerable to attack.

Regulators have taken a hands-off approach to Web site security in the investment community. “Our sense is that we’re not IT experts, so we expect firms to conduct their best technical efforts,” says Connie Craddock, vice president of public affairs at the Investment Dealers Association of Canada.

Like the Mutual Fund Dealers Association of Canada, the IDA follows a policy of principles-based regulation that describes the need for security in very vague terms. It falls short of mandating specific security standards for Web sites and IT infrastructures. The federal Personal Information Protection and Electronic Documents Act nevertheless mandates that adequate safeguards be placed on customer information in line with its sensitivity.

What can financial services firms and independent advisors do to ensure that their Web sites are secure? There is no such thing as complete security. Instead, experts recommend taking the following steps to ensure your system is secure enough to make an attack so difficult that it would be uneconomical.

- “Make sure you buy secure software. Understand what testing it has undergone,” says O’Higgins. If you don’t have the skills in-house, work with an expert consultant. Make sure your in-house staff or partner is evaluating the Web site software and implementation process against the standards developed by the Open Web Application Security Project (www.owasp.org), an open-source non-profit organization dedicated to encouraging the development of more secure Web software.

- Arrange for an independent security audit (also called a “penetration test”) by authorizing independent security experts to try to infiltrate your Web site to reveal flaws that need fixing.

- Restrict the features on the site to the bare minimum; the more features and fripperies you have, the more vulnerable your site is likely to be.

- Enforce strong passwords with a stated minimum number of characters. This reduces “brute force” attacks, in which hackers try to guess passwords using common combinations of characters.

Even then, your customers may not be safe. “Phishing” attacks, in which individuals are sent fake e-mails purporting to be from their financial institution, are commonplace. These e-mail messages direct people to fake Web sites that ask for clients’ personal details, including account passwords.

The criminals who run the sites use this information to transfer money and steal identities. Phishing attacks can be conducted entirely independently of the legitimate Web site, and prey on the ultimate security flaw: lack of consumer education. IE
