Did you know | Fund houses appoint specialists to hack their websites and plug loopholes

Last fortnight, Quantum Asset Management Co. Ltd launched a facility to enable new investors to buy any of its schemes without giving any physical signature. Though most other AMCs allow investors to buy/sell their MF units online, Quantum’s latest initiative eliminates paperwork. That’s all very convenient, but in reality, how safe is it? Hackers (people who steal others’ data from the Internet and use it for malicious purposes) are after your crucial data, money and in worse cases, your identity. Are fund houses doing enough to protect your money?

Security agencies

Although your online MF accounts come with a unique username and password, it may not take long for a smart hacker to break into your fund house’s system and get access to crucial data. To counter such potential attacks, many fund houses, as well as banks and brokerages, hire external agencies called Internet security firms, such as Paladion, NII Consulting and Mahindra Securities, to run all sorts of checks to ensure that your online interaction with your fund house is safe.

These firms not only advise the fund houses on improving security measures but also check the robustness (or otherwise) of their Internet systems. Their motto: To prevent theft, you’ve got to think like a thief and plug the loopholes.

Vulnerability Assessment Penetration Test

A popular way to check the robustness of a fund’s website is to carry out a test commonly known as a Vulnerability Assessment Penetration Test (VAPT). These tests are carried out every few months. The security firms visit your fund house’s website and try to hack information using various permutations and combinations. VAPT also assesses business logic violations. For instance, the testers open genuine accounts on an online share trading website (the website being their own client) and then try to trade beyond their permissible limits to check if such violations are possible.

Is it really necessary?

If your online MF account gets hacked, your direct and personal loss is limited. For instance, even if a hacker mischievously redeems the MF units in your online account, the redemption proceeds will go straight into your bank account; you won’t lose the money.

However, if there is a data breach, fund houses stand to lose their reputation. You could sue your fund house and it could be in serious trouble. Security experts also claim that a hacker can make an intelligent guess that the customer’s password may be the same on many other sites, including the Internet banking site, and try to use those same credentials to cause greater damage. Ultimately, other investors get dissuaded from investing through a website that may have been hacked. Most fund houses we spoke to, including Quantum, insist that such thorough checks are the norm and that loopholes, if found, are instantly plugged.