Saxo Capital Markets has a strong commitment to information security. In order to meet our own high level of security standards as well as those of the legal bodies regulating our business sector, Saxo Capital Markets places strong emphasis on securing the trading platforms that our clients use. Even with this diligent effort in place, it is important that you are aware of what you can do to maintain as well as increase the security of your own personal trading platform – your PC.
2FA Risk Awareness Statement
What is 2FA?
2FA (also known as 2-factor authentication) is the verification of a user’s online identity using two distinct factors.
The current practice used by financial institutions in Hong Kong is to require clients to go through a 2-factor authentication process – (1) a Personal Identification Number (PIN), which is issued by the financial institution and (2) a One-Time Password (OTP), which is generated by a hardware token device or software token application. This is also the same practice adopted by Saxo Capital Markets HK Ltd ("SCM").
SCM has deployed Symantec’s 2FA soft token solution known as VeriSign® Identity Protection (VIP) Access. This software security token may be obtained free-of-charge via your preferred web store. Please note that, by electing the soft token solution, you are deemed to acknowledge that you may encounter occasional service downtime resulting in the delay or inability to log into your trading account. In such event, SCM shall be indemnified from any direct or indirect losses or liabilities resulting from your inability to access the third party-provided 2FA function.
Alternatively, a hardware token is also available. Please note that the cost of the hard token is to be fully borne by the client. If you would like to purchase a hard token, please contact your Relationship Manager for more information.
Clients enjoy the added security layer when accessing their trading accounts online. The client’s unique security device (soft token), generates a one-time password (OTP) which will be requested upon each trading platform login.
What is the purpose of 2FA?
The key objectives of 2FA are to protect the client’s online trading account and information from unauthorized access, and enhance the overall security of online trading systems.
SCM takes a proactive role in protecting our clients. We have risk mitigating measures in place to protect your online trading account and information from unauthorized access. Should you require assistance, please contact SCM for more details.
Is 2FA compulsory for trading through SCM?
2FA is compulsory for trading via SCM. Clients will be required to provide both password and OTP to access the online trading services. Clients should exercise due care to safeguard their password and OTP, and not disclose them to other parties.
For users of hardware tokens, any loss or theft of the token shall be reported to SCM immediately. The lost/stolen token will be disabled and the user will not be able to access his online trading account until such time when he completes the de-registration process and a new token is received. There is a fee for the token. Please contact SCM for more details.
What additional measures can I adopt to protect myself while trading online through SCM even with 2FA in place?
You should observe the following practices to secure the confidentiality and integrity of your PIN, security tokens, personal details and other confidential data as far as possible. These will help to prevent unauthorised transactions and fraudulent use of your accounts and make sure that no one else would be able to observe or steal your access credentials or other security information to impersonate them or obtain unauthorised access to your online accounts:
- Take the following precautions as regards your PIN
- Your pin should be at least 8 characters of alphanumeric mix;
- Your pin should be at least 8 characters of alphanumeric mix;
- Your pin should not be based on guessable information such as user-id, personal telephone number, birthday or other personal information;
- Your pin should be kept confidential and not be divulged to anyone;
- Your pin should be memorised and not be recorded anywhere;
- Your pin should be changed regularly or when there is any suspicion that it has been compromised or impaired; and
- The same PIN should not be used for different websites, applications or services, particularly when they related to different entities,
- Not select the browser option for storing or retaining user name and password
- Check the authenticity of our website by comparing the URL and our name in its digital certificate or by observing the indicators provided by an extended validation certificate;
- Check that the website address changes from ‘http://’ to ‘https://’ and a security icon that looks like a lock or key appears when authentication and encryption is expected;
- Check your account information, balance and transactions frequently and report any discrepancy;
- Install anti-virus, anti-spyware and firewall software in your personal computers and mobile devices;
- Update operation system, virus and firewall products with security patches or newer versions on a regular basis;
- Remove file and printer sharing in computers, especially when they are connected to the internet;
- Make regular backup of critical data;
- Consider the use of encryption technology to protect highly sensitive or confidential information;
- Log off each and every online session;
- Clear browser cache after each and every online session;
- Not install software or run programs of unknown origin;
- Delete junk or chain emails;
- Not open email attachments from strangers;
- Not disclose personal, financial or credit card information to little-known or suspect websites;
- Not use a computer or a device which cannot be trusted; and
- Not use public or internet café computers to access online services or perform financial transactions.
Read more about Security Guidelines
Do you know who is calling?
Appearances are not always what they seem to be. You should always be somewhat skeptical if you are contacted by phone, mail or otherwise with unusual requests or offers that are too good to be true. Who can it be?
Unknowingly passing on confidential information to the wrong person can have dire consequences. Imagine giving your SaxoTrader account details directly to a thief while believing that you are talking to a Saxo Capital Markets employee.
Social engineering is the act of manipulating a person to unknowingly divulge confidential information, e.g. by imposing as a trusted professional wanting to assist with a specific issue. A person performing social engineering will collect information about you leading you to believe they are to be trusted.
By following the guidelines below, you will minimize the risk of being the victim of a social engineering attack:
- Never divulge confidential account details or similar information to anyone, neither verbally or in writing. You will never be asked to do so by a Saxo Capital Markets employee.
- Be skeptical of unusual calls by persons posing as Saxo Capital Markets support staff or as a substitute for your regular advisor at Saxo Capital Markets.
Is your computer vulnerable to attack?
The majority of attacks, whether these are by viruses or hackers, take advantage of software that has not been updated appropriately. Learn how you with a few clicks can make sure that you are not among the first to be hit.
A computer that is not updated with current software can provide easy access for a targeted attacker or virus outbreak. An attacker with full access to your computer can potentially perform transactions on your behalf.
Hackers and creators of viruses exploit known vulnerabilities in software that is not up-to-date. Typically, an attacker will scan the Internet to detect systems displaying known vulnerabilities, drilling down on these subsequently.
By following the guidelines below, you will have a system with a minimal level of vulnerability:
- Ensure that all software on your computer is up-to-date by using the computer’s update functionality. In particular your operating system and your browsers should be prioritized (MS Windows Update or Software Update on Mac OS).
- Use antivirus software to protect against malware. Make certain to have the update functionality enabled.
- Enable the personal firewall on your computer
Is someone else trading in your name?
It is a common human tendency to re-use passwords across different accounts (e.g. webmail, social networking site, as well as the Saxo Capital Markets account). Learn why this is poses a serious threat and how you can make unique and secure passwords… If someone has access to your user account details, they will be able to perform transactions in your name.
A common tendency is to reuse passwords on different sites in order to minimize the number of passwords that we have to remember. If you are reusing your SaxoTrader password on less secure sites that are compromised by an attacker, the attacker will be able to gain access to your account and perform transactions in your name.
By following the guidelines below, you minimize the risk of your password being stolen:
- Use different passwords on different sites.
- There exists a number of different password management tools to handle your passwords.
- If you must reuse passwords, then create them in different complexity levels: complex passwords for net-banking and trading applications; less complex passwords for sites where the consequences of a compromise are lower.
- Make complex passwords consisting of a minimum of 8-10 alphanumeric characters as well as special characters. A simple technique for creating complex passwords is to make a sentence that you can remember and use the first letters of each word and vary the use of lower case and upper case characters. This may seem difficult at first glance but is actually relatively simple:
- I will make a great Profit with my Saxo Capital Market account: Iwm@gPwm$Cma
- Change your complex passwords on banking sites at least every three months.
What's going on?
If you experience unusual occurrences on your computer or receive unexpected requests via phone or email relating to your Saxo Capital Markets account, you should contact Saxo Capital Markets immediately. Read why…
Unusual occurrences on your computer can imply that your computer has been compromised and someone is misusing it, potentially for personal gain.
Unusual or suspicious requests from persons claiming to be Saxo Capital Markets staff or others can imply social engineering or fraudulent activity.
Should you suspect any irregularities, please contact Saxo Capital Markets immediately.