A firm of stockbrokers has been fined for failing to adequately protect its customers from the risk of identity fraud. The Financial Services Authority (FSA) said its mistakes included failing to manage the risks introduced by staff using instant messaging and web-based email. Merchant Securities Group Limited also failed to …
Why have they not fined government ministers, who seem to be losing more and more data each day?
I know that fining government departments is largely a wasted effort, but fine the individuals involved and you may find that things start to get better...
A bit hypocritical
So a government agency is fining companies for not taking adequate care of their data? Pot calling the kettle black, methinks.
Mine's the one with the backup tapes in the pocket.
When is the FSA
going to fine our government for all their breaches of security, putting people at risk of identity fraud - or worse? Or maybe this government are above the law...
Who's that on the phone?
From a quick look at their website they seem a medium-sized, mid-range broker offering a full range of services. A fairly common operation.
They'll have a large number of clients, ranging from the man in the street with a few hundred quid to high net worth clients. I'd expect execution-only clients to be asked for ID over the phone: passwords, DOB, etc. However, for high net worth individuals who have a personal relationship with a broker this does not make sense. The client will become cross if they are subjected to such checks. Often the best way to ensure that someone you know is on the phone is via voice and personal chat. I know it's for their own good, but that's not the way relationships like that work. If you are trusting a broker with a large amount of cash and investments, you need to feel that you have a trusting personal relationship with the broker.
The conversation will go like this:
Broker: Good morning, Montmorency Piggington-Smythe speaking.
Client: Monty! Henry Fussington-Duckbilled here, how the devil are you?
MP-S: Good to hear you Henry, Pinkie told me you shot a 21 on old man Lyndley's course last night.
HF-D: Yes yes, doing fine until the last hole, blasted rain came down.
MP-S: And I hear you're off on holiday next week.
HF-D: Yes yes, just a week at the little place in France. Now, I heard on the news about that bank, what about them?
MP-S: Well, I'd see if they drop a little lower, word is the government will bail them out anyway...
...and so on. Now do you think 'Third and seventh digits of your PIN' fits into this?
The risk of fraud in such cases is quite low. The cash will usually be held on account with the broker if there is an instruction to sell. Money transferred out is usually via BACS direct to a bank account. The major risk has got to be the personal identifying information leaking out. To make changes to a client's account, a full range of checks should be carried out and the request for change should be in writing.
Account numbers on letters, backup tapes at home: bad, bad, bad, irrespective of the industry. Now if only all sectors were regulated and subject to spot checks.
Oh, and I know nothing about golf so 21 might be good or bad and 'shot' might not be the right verb. Although 'shot' and golfers does have a certain appeal.
They've stuffed up here, no doubt about it, but in this instance, having a close enough relationship with your client that you can recognise their voice and know enough minutiae to spot when you're actually talking to them is probably *more* secure than relying on a random call-centre agent to ask for a DOB and the 1st and 3rd characters of your password to determine if you are who you say you are.