Security holes found in online stock trading platforms

A new report finding security holes in digital trading platforms is a sharp reminder of one downside associated with our Digital Lifestyle investing theme. While most tend to take for granted the ease of shopping or, in this case, trading, or at least buying and selling stocks, mutual funds, and ETFs online, few are likely pondering the inherent risks when they are doing so, especially at a Starbucks or on another public-access Wi-Fi network.

The report also shows that better security measures need to be put in place to protect sensitive information in consumer accounts, and that spending is a positive incremental driver for our Safety & Security investing theme.


A new report from Alejandro Hernández, a security consultant at IOActive, found that nearly all of the 40 major online trading platforms he investigated had at least some form of vulnerability. While they range widely in severity and scope, the overall picture is of an industry that has not taken security measures proportional to the sensitive information involved.

Hernández analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.

Well over half of the desktop applications Hernández examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted. That leaves traders vulnerable to a potential attack from someone on the same Wi-Fi network, who could observe that information and potentially intercept and alter it using a fairly straightforward man-in-the-middle attack.

Also troubling: Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text.

Source: Online Stock Trading Has Serious Security Holes | WIRED

A new study warns of rising hacker threats to ERP software

With at least a dozen companies and government agencies being targeted and thousands more exposed to data breaches by hackers exploiting old security flaws in management software from Oracle or SAP, a new study reminds us of the growing pain points associated with cyber attacks. Per the study, companies store financial results, manufacturing secrets and credit card numbers inside this vulnerable enterprise resource planning software, with associated applications housing customer, employee and supplier information. This pain for corporate security is a positive for our Safety & Security investing theme.

The U.S. Department of Homeland Security is preparing on Wednesday to issue an alert based on the report about the risks posed to thousands of unpatched business systems from software makers Oracle and SAP, which can enable hackers to steal corporate secrets, the researchers said.

Systems at two government agencies and at firms in the media, energy and finance sectors have been hit after failing to install patches or take other security measures advised by Oracle or SAP, experts at security firms Onapsis and Digital Shadows said.

The security alert from the Homeland Security’s Computer Emergency Response Team (US-CERT) includes steps that organisations can take to identify vulnerable systems and close long-standing security gaps, the companies told Reuters.

Many of these issues date back a decade or more, but the new study shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalising on these issues, Onapsis Chief Executive Mariano Nunez told Reuters. “These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and CEOs should be far higher.”

The new alert, if issued, would expand on a 2016 Homeland Security department warning to SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies, Nunez said.

Source: Study warns of rising hacker threats to SAP, Oracle business management software

The Expanding Pain Point Fueling Safety and Security Investment Theme

Over the last few weeks, we’ve been reminded of the dark side of our increasingly Connected Society, given cyber attacks and hacks at Equifax (EFX) and more recently Amazon’s (AMZN) Whole Foods and Sonic Corp. (SONC). Those are but a handful of examples in what is an expanding pain point that is fueling our Safety & Security investing theme and the ETFMG Prime Cyber Security ETF (HACK)* shares on the Tematica Investing Select List.

Unsurprisingly to us, there is yet another new report that not only paints a gloomier picture but also forecasts a continued ramp in cyber attacks. We see this as confirming our $35 price target on HACK shares over the coming quarters. New research by Gemalto showed that almost 2 billion data records around the world were lost or stolen by cyber attacks in the first half of 2017. Worse yet, the number of breaches is slated to rise further. Per the latest Gemalto breach level index report, there were 918 breaches during the first six months of 2017, and of those breaches, 500 had an unknown number of compromised records. Meanwhile, the top 22 breaches involved more than one million compromised records.

With new regulations such as the U.K. data protection bill, the European Union’s General Data Protection Regulation and Australia’s Privacy Amendment (Notifiable Data Breaches) Act set to come into force in the coming months and quarters, odds are we will see another step up in the number of reported security breaches. No wonder in its latest annual results, consulting firm Deloitte described cybersecurity as a “high growth area” for the firm.

A somewhat different view on this came with FedEx’s (FDX) recent earnings report, in which it copped to the fact that the Petya cyberattack cost the company around $300 million. This should serve as a reminder that a cyber attack not only costs a company in its day-to-day operations, but also has implications for its stock price when it misses earnings expectations.

We see all of the above as a reminder of the incremental spending to be had to fend off prospective cyberattacks and secure companies against them, a good thing for the companies contained inside the HACK ETF.

  • Our price target on our Safety & Security investing position in the ETFMG Prime Cyber Security ETF (HACK) remains $35.


* One quick housekeeping item, there was a recent name change for HACK shares to ETFMG Prime Cyber Security ETF from PureFunds. The underlying strategy of the ETF and its focus on cybersecurity stocks remains intact.

May Data From ADP and Challenger Offer Confirmation for Several Tematica Select List Positions

This morning we received the Challenger Job Cuts Report as well as ADP’s view on May job creation for the private sector. While ADP’s take was that 253,000 jobs were created during the month, a nice boost from April and more in line with 1Q 2017 levels, we were reminded that all is not peachy keen by Challenger’s May findings. That report showed just under 52,000 jobs were cut during the month, a large step up from 36,600 in April, with the bulk of the increase due unsurprisingly to retail and auto companies.

As Challenger noted in the report, nearly 40% of the May layoffs were due to Ford (F), but the balance was wide across the retail landscape with big cuts at Macy’s (M), The Limited, Sears (SHLD), JC Penney (JCP) and Lowe’s (LOW) as well as others like Hhgregg and Wet Seal that have announced bankruptcy. In total, retailers continued to announce the most job cuts this year with just under 56,000 for the first five months of 2017. With yesterday’s news that Michael Kors (KORS) will shut 100 full-price retail locations over the next two years, we continue to see more pain ahead at the mall and fewer retail jobs to be had.

Sticking with the Challenger report, one of the items that jumped out to us was the call out that,

“Grocery stores are no longer immune from online shopping. Meal delivery services and Amazon are competing with traditional grocers, and Amazon announced it is opening its first ever brick-and-mortar store in Seattle. Amazon Go, which mixes online technology and the in-store experience, is something to keep an eye on since it may potentially change the grocery store shopping experience considerably,”


In our view, this means the creative destruction brought on by Amazon (AMZN) that has plagued print media and retail is set to disrupt yet another industry, and it’s one of the reasons we’ve opted out of both grocery and retail stocks. The likely question on subscriber minds is what this means for our Amplify Snack Brands (BETR) position. We see little threat to Amplify’s business; if anything, we see its mix of shipments skewing more toward online over time. Not a bad thing from a cost perspective. We’d also note that United Natural Foods (UNFI) is a partner with Amazon as well.

  • Our price target on Amazon (AMZN) remains $1,100 and offers more than 10% upside from current levels.
  • Amplify Snack Brands (BETR) has an $11 price target and is a Buy at current levels.
  • Our target on United Natural Foods (UNFI) is $65, and the recent pullback over the last six weeks enhances the long-term upside to be had.

We’d also note comments from Chipotle Mexican Grill (CMG) that its recent cybersecurity attack hit most Chipotle restaurants, allowing hackers to steal credit card information from customers. In a recent blog post, Chipotle copped to the fact that the malware it was hit with infected cash registers, capturing information stored on the magnetic strip on credit cards. Chipotle said that “track data” sometimes includes the cardholder’s name, card number, expiration date and internal verification code. We see this as another reminder of the downside of what we call both our increasingly connected society and the shift toward cashless consumption. It also serves as a reminder of the long-tail demand associated with cyber security, and a nice confirmation point for the PureFunds ISE Cyber Security ETF (HACK) shares position on the Tematica Select List.

  • Our price target on PureFunds ISE Cyber Security ETF (HACK) shares remains $35.


With 2017 Poised to be the Year of Ransomware, More Cyber Spending is on the Way

With headlines swirling following the WannaCry attack that hit more than 230,000 computers across more than 150 countries in just 48 hours, on this episode of Cocktail Investing we spoke with Yong-Gon Chon, CEO of cyber security company Focal Point, to get his insights on that attack and why ransomware will be the cyber threat in 2017. Before we get into that Safety & Security conversation, Tematica’s investing mixologists, Chris Versace and Lenore Hawkins, broke down last week’s economic and market data as well as the latest relevant political events. With all the controversy in D.C., there was a lot to discuss concerning the likelihood that the Trump Bump, which was based on assumptions around tax reform, regulatory roll-back, and infrastructure spending, is evolving into the Trump Slump as investors realize the anticipated timeline for these was decidedly too aggressive. With mid-term elections looming, we expect the Trump opposition will be emboldened by the controversy surrounding the administration and will put in its best efforts to appeal to constituents. For the market, it’s another reason to see the Trump agenda likely slipping into late 2017-early 2018, and that realization is likely to weigh on robust GDP and earnings expectations for the balance of 2017.

The markets on May 17th suffered their biggest losses in 2017, with the Nasdaq taking the biggest one-day hit since Brexit, as the turmoil in Washington dampens investors’ appetite for risk while raising questions over GDP and earnings growth. While some Fed banks are calling for 2Q 2017 GDP as high as 4.1 percent (quite a jump from 1Q 2017’s 0.7 percent!), the data we’re seeing suggests something far slower. We continue to think there is more downside risk to be had in GDP expectations for the balance of 2017, and the latest Trump snafu is only likely to push out team Trump’s reforms and other stimulative efforts into 2018. If 2Q growth is driven in large part by inventory build, which is what the data is telling us, expect the second half to be significantly weaker than the mainstream financial media would lead you to believe.

While the global financial impact of the WannaCry ransomware attack may have been lower than some other high profile attacks such as ILOVEYOU and MyDoom, the speed at which it moved was profound. We spoke with Yong-Gon Chon, CEO of Focal Point Data Risk about the incident to get some of the perspective and insight the company shares with its c-suite and Board level customers. While many are focusing on WannaCry, Yong-Gon shares that as evidenced by recent content hijackings of Disney (DIS) and Netflix (NFLX), ransomware is poised to be the cyber threat of 2017. Those most likely to be targeted are those organizations that prioritize uptime and whose businesses tend to operate around the clock, making backups and software updates extremely challenging.

While in the past IP addresses may have been scanned once every four to five hours, in today’s increasingly Connected Society, IP addresses are scanned one to ten times every second. As consumers and businesses in the developed and emerging economies increasingly adopt the cloud and other aspects of our Connected Society investing theme, we are seeing an explosion in the amount of data as more and more of our lives evolve into data-generating activities. From wearables to appliances to autos, our homes, offices, clothing and accessories are becoming sources of data that goes into the cloud. With the Rise of the New Middle Class in emerging markets, we are seeing the number of households participating in this datafication grow dramatically, exposing new vulnerabilities along the way. That increasingly global pain point is fodder particularly for cyber security companies, such as Fortinet (FTNT), Splunk (SPLK) and Cisco Systems (CSCO), that are a part of our Safety & Security investing theme.

During our conversation with Yong-Gon we learned that companies need to understand that breaches must be viewed as inevitable in today’s Connected Society; network boundaries are essentially a thing of the past. Security can no longer be about preventing nefarious actors from gaining entrance, but rather is now about managing what happens once a company’s network has been invaded. From a sector perspective, with all the regulation and reporting requirements in financial services, many of these firms are leading the way in how to best deal with such breaches.

For investors who want to understand the potential impact of cybercrime, Yong-Gon Chon suggests looking at how much data a company is generating and how the company is managing the growth of that data, with companies such as Facebook (NASDAQ:FB), Alphabet (NASDAQ:GOOGL) and Uber examples of heavy generators. Investors need to look at a company’s cyber risk as a function of the magnitude of its data generation and the company’s level of maturity in addressing that risk. By comparison, companies not affected by attacks such as WannaCry need to be asking themselves why didn’t they get hit? Was it luck or did we do something right? If so, what did we do right and what is the scope of protection we have given what we’ve learned about the latest attack strategies?

We also learned about the new efforts underway globally to develop attribution of cyber threats so as to differentiate between those threats from professional cyber criminals versus the capricious tech savant engaging in ill-advised boundary exploration. Along with this shift is also a change in the boardroom, where cybersecurity is viewed in the context of its potential impact on the business, rather than as a function of a company’s IT department.

One thing we can be assured of is that hackers are watching each other and the good ones are learning what makes attacks fail and where organizations are weakest. As the Connected Society permeates more and more of our lives, these risks become more pernicious and their prevention more relevant to our everyday lives. The bottom line is we are likely to see greater cyber security spending on preventative measures as well as cyber consulting as those responsibilities become a growing focus of both the c-suite and board room.

Companies mentioned on the Podcast

  • Amazon (AMZN)
  • Apple (AAPL)
  • CVS Health (CVS)
  • Disney (DIS)
  • Facebook (FB)
  • Focal Point
  • JC Penney Co (JCP)
  • Kohl’s (KSS)
  • Macy’s (M)
  • Microsoft (MSFT)
  • Netflix (NFLX)
  • Nordstrom (JWN)
  • TJX Companies (TJX)
  • Twitter (TWTR)
  • Uber
  • United Parcel Service (UPS)
  • Walgreens Boots Alliance (WBA)

To Prevent a Cybersecurity Workforce Crisis, Education is Key

As companies develop and respond to ever-evolving cyber security threats, the emerging Connected Car, Connected Home, and Internet of Things markets will explode the number of potential vulnerabilities, while hackers continue to reinvent their attack strategies. The response requires a vibrant talent pool that can fill the ranks of new and existing cyber security companies, but the looming pain point is an expected talent shortfall. The problem is a twist on the old baseball saying, “you can’t get the hits if you don’t have the at bats.” In this case, if you don’t have the talent, how will cyber security companies keep up with the hackers? One potential solution to this pain point sits in overhauling our education system.

The latest U.S. News/Raytheon STEM Index showed that high school students’ interest in technology and engineering grew slightly over the past year. To meet the current and future security challenges, however, more young people must see cybersecurity as a worthwhile career option.

Current estimates mark the talent shortfall at 1 million professionals. A recent study by the National Cyber Security Alliance, with support from Raytheon, explored the talent shortfall in the global cybersecurity industry and found that a fundamental problem was the lack of even a basic awareness of potential opportunities in the field.

Business, policy and technology leaders agree there will be serious implications for the world’s security, safety and economic stability if we fail to foster a cybersecurity workforce.

We must encourage early exposure to technology and cybersecurity careers within our educational systems.

Source: Op-Ed: The Time Is Now to Prevent a Cybersecurity Workforce Crisis | US News

Akamai’s 1Q 2016 State of the Internet and Security

When a cyber attack makes the headlines it serves as a reminder of the growing threat we face as part of our increasingly Connected Society. Even without flashy headlines, ongoing increases in the number of cyber attacks confirm its place as a growth industry.  

Akamai Technologies released its Q1 2016 State of the Internet – Security Report, which takes an in-depth look into the global cloud security threat landscape to provide analysis and insight into malicious activity that’s been observed across the Akamai Intelligent Platform™ from January to March of this year. “We have continued to witness significant growth in the number and frequency of DDoS and web application attacks launched against online assets, and Q1 2016 was no exception,” explained Stuart Scholly, SVP and GM of Akamai’s Security Business Unit.

Source: State of the Internet and Security In Q1 2016 |

Recently confirmed Myspace hack could be the largest yet, dwarfing @LinkedIn and @Tumblr breaches $HACK @SophosLabs @Time

While the Myspace data breach may date back a few years, its size (roughly 427 million passwords!) serves as a reminder that not every breach or attack is immediately detected, let alone thwarted. This serves as a harsh reminder of the ever-evolving need for cyber security that fuels our Safety & Security investing theme.

Time, Inc. didn’t confirm how many user accounts were included in this data set, but a report from says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack.

Source: Recently confirmed Myspace hack could be the largest yet | TechCrunch