US-CERT Tips
US-CERT Tips describe and offer advice about common security issues for non-technical computer users. Tips are restricted to a single topic, although complex issues may span multiple tips. Each tip builds upon the knowledge, both terminology and content, of those published prior to it.

  • ST06-004: Avoiding the Pitfalls of Online Trading
    Online trading can be an easy, cost-effective way to manage investments. However, online investors are often targets of scams, so take precautions to ensure that you do not become a victim.

    What is online trading?

    Online trading allows you to conduct investment transactions over the internet. The accessibility of the internet makes it possible for you to research and invest in opportunities from any location at any time. It also reduces the amount of resources (time, effort, and money) you have to devote to managing these accounts and transactions.

    What are the risks?

    Recognizing the importance of safeguarding your money, legitimate brokerages take steps to ensure that their transactions are secure. However, online brokerages and the investors who use them are appealing targets for attackers. The amount of financial information in a brokerage's database makes it valuable; this information can be traded or sold for personal profit. Also, because money is regularly transferred through these accounts, malicious activity may not be noticed immediately. To gain access to these databases, attackers may use Trojan horses or other types of malicious code (see Why is Cyber Security a Problem? for more information).

    Attackers may also attempt to collect financial information by targeting the current or potential investors directly. These attempts may take the form of social engineering or phishing attacks (see Avoiding Social Engineering and Phishing Attacks for more information). With methods that include setting up fraudulent investment opportunities or redirecting users to malicious sites that appear to be legitimate, attackers try to convince you to provide them with financial information that they can then use or sell. If you have been victimized, both your money and your identity may be at risk (see Preventing and Responding to Identity Theft for more information).

    How can you protect yourself?

    • Research your investment opportunities - Take advantage of resources such as the U.S. Securities and Exchange Commission's EDGAR database and your state's securities commission (found through the North American Securities Administrators Association) to investigate companies.
    • Be wary of online information - Anyone can publish information on the internet, so try to verify any online research through other methods before investing any money. Also be cautious of "hot" investment opportunities advertised online or in email.
    • Check privacy policies - Before providing personal or financial information, check the website's privacy policy. Make sure you understand how your information will be stored and used (see Protecting Your Privacy for more information).
    • Conduct transactions on devices you control - Avoid conducting transactions on public resources such as internet kiosks, computers in places like libraries, and other shared computers and devices. Other users may introduce security risks.
    • Make sure that your transactions are encrypted - When information is sent over the internet, attackers may be able to intercept it. Encryption prevents the attackers from being able to view the information.
    • Verify that the website is legitimate - Attackers may redirect you to a malicious website that looks identical to a legitimate one. They then convince you to submit your personal and financial information, which they use for their own gain. Check the website's certificate to make sure it is legitimate (see Understanding Web Site Certificates for more information).
    • Monitor your investments - Regularly check your accounts for any unusual activity. Report unauthorized transactions immediately.
    • Use strong passwords - Protect your computer, mobile devices, and accounts with passwords that cannot easily be guessed (see Choosing and Protecting Passwords for more information). Use different passwords for each account.
    • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, because attackers are continually writing new viruses, it is important to keep your virus definitions current (see Understanding Anti-Virus Software for more information).
    • Use anti-spyware tools - Spyware is a common source of viruses, and attackers may use it to access information on your computer. You can minimize the number of infections by using a legitimate program that identifies and removes spyware (see Recognizing and Avoiding Spyware for more information).
    • Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Enable automatic updates if the option is available.
    • Evaluate your security settings - By adjusting the security settings in your browser, you may limit your risk of certain attacks (see Evaluating Your Web Browser's Security Settings for more information).
    The following sites offer additional information and guidance:
    Author: Mindi McDowell
    Produced 2006, 2011 by US-CERT, a government organization.
    Last updated April 7, 2011

    This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify



  • ST11-001: Holiday Traveling with Personal Internet-Enabled Devices
    The internet is at our fingertips with the widespread use of internet-enabled devices such as smart phones and tablets. When traveling and shopping anytime, and especially during the holidays, consider the wireless network you are using when you complete transactions on your device.

    Know the risks

    Your smart phone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smart phone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the internet.

    Do not use public Wi-Fi networks

    Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

    If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device's Wi-Fi connection and use your mobile device's cellular data internet connection instead of making the transaction over an unsecure Wi-Fi network.

    Turn off Bluetooth when not in use

    Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone's open Bluetooth connection when you are not using it and steal personal information.

    Be cautious when charging

    Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

    Don't fall victim to phishing scams

    If you are in the shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or attachment to the text seems suspicious, do not click on it!

    What to do if your accounts are compromised

    If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from http://www.idtheft.gov/.

    For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices.

    Last updated December 19, 2011




  • ST06-001: Understanding Hidden Threats: Rootkits and Botnets
    Attackers are continually finding new ways to access computer systems. The use of hidden methods such as rootkits and botnets has increased, and you may be a victim without even realizing it.

    What are rootkits and botnets?

    A rootkit is a piece of software that can be installed and hidden on your computer without your knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it (see Avoiding Social Engineering and Phishing Attacks for more information). Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

    Botnet is a term derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources. An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access. Your computer may be part of a botnet even though it appears to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks (see Understanding Denial-of-Service Attacks for more information).

    Why are they considered threats?

    The main problem with both rootkits and botnets is that they are hidden. Although botnets are not hidden the same way rootkits are, they may be undetected unless you are specifically looking for certain activity. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs. Attackers are also creating more sophisticated programs that update themselves so that they are even harder to detect.

    Attackers can use rootkits and botnets to access and modify personal information, attack other computers, and commit other crimes, all while remaining undetected. By using multiple computers, attackers increase the range and impact of their crimes. Because each computer in a botnet can be programmed to execute the same command, an attacker can have each of them scanning multiple computers for vulnerabilities, monitoring online activity, or collecting the information entered in online forms.

    What can you do to protect yourself?

    If you practice good security habits, you may reduce the risk that your computer will be compromised:

    • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses, so you may be able to detect and remove the virus before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep your definitions up to date. Some anti-virus vendors also offer anti-rootkit software.
    • Install a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer and limiting the traffic you send (see Understanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
    • Use good passwords - Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.
    • Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.
    • Follow good security practices - Take appropriate precautions when using email and web browsers to reduce the risk that your actions will trigger an infection (see other US-CERT security tips for more information).

    Unfortunately, if there is a rootkit on your computer or an attacker is using your computer in a botnet, you may not know it. Even if you do discover that you are a victim, it is difficult for the average user to effectively recover. The attacker may have updated files on your computer, so simply removing the malicious files may not solve the problem, and you may not be able to safely trust a prior version of a file. If you believe that you are a victim, consider contacting a trained system administrator.

    As an alternative, some vendors are developing products and tools that may remove a rootkit from your computer. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. Also, the infection may be located at such a deep level that it cannot be removed by simply reinstalling or restoring the operating system.


    Author: Mindi McDowell
    Produced 2006 by US-CERT, a government organization.
    Last updated September 30, 2008




  • ST06-002: Debunking Some Common Myths
    There are some common myths that may influence your online security practices. Knowing the truth will allow you to make better decisions about how to protect yourself.

    How are these myths established?

    There is no one cause for these myths. They may have been formed because of a lack of information, an assumption, knowledge of a specific case that was then generalized, or some other source. As with any myth, they are passed from one individual to another, usually because they seem legitimate enough to be true.

    Why is it important to know the truth?

    While believing these myths may not present a direct threat, they may cause you to be more lax about your security habits. If you are not diligent about protecting yourself, you may be more likely to become a victim of an attack.

    What are some common myths, and what is the truth behind them?

    • Myth: Anti-virus software and firewalls are 100% effective.
      Truth: Anti-virus software and firewalls are important elements in protecting your information (see Understanding Anti-Virus Software and Understanding Firewalls for more information). However, neither of these elements is guaranteed to protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.
    • Myth: Once software is installed on your computer, you do not have to worry about it anymore.
      Truth: Vendors may release updated versions of software to address problems or fix vulnerabilities (see Understanding Patches for more information). You should install the updates as soon as possible; some software even offers the option to obtain updates automatically. Making sure that you have the latest virus definitions for your anti-virus software is especially important.
    • Myth: There is nothing important on your machine, so you do not need to protect it.
      Truth: Your opinion about what is important may differ from an attacker's opinion. If you have personal or financial data on your computer, attackers may be able to collect it and use it for their own financial gain. Even if you do not store that kind of information on your computer, an attacker who can gain control of your computer may be able to use it in attacks against other people (see Understanding Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and Botnets for more information).
    • Myth: Attackers only target people with money.
      Truth: Anyone can become a victim of identity theft. Attackers look for the biggest reward for the least amount of effort, so they typically target databases that store information about many people. If your information happens to be in the database, it could be collected and used for malicious purposes. It is important to pay attention to your credit information so that you can minimize any potential damage (see Preventing and Responding to Identity Theft for more information).
    • Myth: When computers slow down, it means that they are old and should be replaced.
      Truth: It is possible that running newer or larger software programs on an older computer could lead to slow performance, but you may just need to replace or upgrade a particular component (memory, operating system, CD or DVD drive, etc.). Another possibility is that there are other processes or programs running in the background. If your computer has suddenly become slower, it may be compromised by malware or spyware, or you may be experiencing a denial-of-service attack (see Recognizing and Avoiding Spyware and Understanding Denial-of-Service Attacks for more information).

    Author: Mindi McDowell
    Produced 2006 by US-CERT, a government organization.
    Last updated February 16, 2011




  • ST04-024: Understanding ISPs
    ISPs offer services like email and internet access. In addition to availability, you may want to consider other factors so that you find an ISP that supports all of your needs.

    What is an ISP?

    An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services. With the development of smart phones, many cell phone providers are also ISPs.

    ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

    What services do ISPs provide?

    Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Some ISPs bundle internet service with other services, such as television and telephone service. Many ISPs offer a wireless modem as part of their service so that customers can use devices equipped with Wi-Fi.

    As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement (see Understanding Firewalls for more information).

    How do you choose an ISP?

    Traditional, broadband ISPs typically offer internet access through cable, DSL, or fiber-optic options. The availability of these options may depend on where you live. In addition to the type of access, there are other factors that you may want to consider:

    • security - Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)? If the ISP provides a wireless modem, what wireless security standards does it support, and are those standards compatible with your existing devices?
    • privacy - Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?
    • services - Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services? If the ISP provides a wireless modem, are its wireless standards compatible with your existing devices?
    • cost - Are the ISP's costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?
    • reliability - Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?
    • user support - Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?
    • speed - How fast is your ISP's connection? Is it sufficient for accessing your email or navigating the internet?
    • recommendations - Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you've uncovered negative points, are they factors you are concerned about?

    Author: Mindi McDowell
    Copyright 2004 Carnegie Mellon University.
    Last updated July 6, 2011
