Global Prime fails to handle client data securely

minimoi

Over a week ago I wrote about Global Prime not using SSL in forms requiring client data on the stevehopwoodforex forum. My post was promptly deleted along with my account. I tried posting on donnaforex and the post there was deleted too. Probably never made it past their moderators. At least they did not delete my account. Global Prime has still not done anything about the issue. Clearly they are not taking it very seriously.

Here are a couple of forms on the Global Prime website that send client data unencrypted over the internet (name, email, account nr, Credit Card scan, etc):
http://www.globalprime.com.au/forex/clients/credit-card-funding/
http://www.globalprime.com.au/forex/clients/withdraw-funds/

To illustrate the risk, here are some examples of what has been done with some of the data listed above that is not securely transferred:
How Apple and Amazon Security Flaws Led to My Epic Hacking
Bank information may be at risk

This is my original post to the Global Prime section of the stevehopwoodforex forum and to the broker section donnaforex forum:

Reasons why not. The globalprime website does not appear to have or use an SSL certificate.

Does that mean that the broker transfers client data unencrypted over the internet (name, email, account nr, Credit Card scan, etc)?
http://www.globalprime.com.au/forex/clients/credit-card-funding/
http://www.globalprime.com.au/forex/clients/withdraw-funds/

If so, why would they do that? It is reckless and irresponsible.

Seeing that they have their clients' Credit Card scans transmitted to the site and they in some way handle credit card payments, are they not subject to PCI compliance rules?
https://www.pcicomplianceguide.org/pci-faqs-2/

From the PCI compliance FAQ:

Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

Q: What is defined as ‘cardholder data’?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant.

Q: Am I PCI compliant if I have an SSL certificate?
A: No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance.
 
It has now been about 2 weeks since I first posted about this issue and the pages to upload client data unencrypted are still online. The only action they have taken is to try and discredit me.
http://www.forexpeacearmy.com/public/review/www.globalprime.com.au
Using SSL to secure data is not "my idea". It is pretty much standard practice when transmitting sensitive data over the internet.

Facts:
  1. Global Prime website has a page to upload client credit card data unencrypted, i.e. without SSL, and other pages transmitting other client data unencrypted.
  2. This was first reported 2 weeks ago on their section of stevehopwoodforex and they have as yet not removed or fixed those pages.
  3. The initial attempt to inform them via their forum on stevehopwoodforex was deleted.
  4. The next attempt to inform them via their thread on donnaforex was deleted.
  5. Sites handling credit card data should follow PCI compliance rules. This is for the protection of the clients' data.

Here are some free tips for Global Prime.

How not to handle security issues on a web site
  • Kill the message.
    Jeremy: "Anyone can go on Steve Hopwood's Forex forum or Donna Forex to see how we interact with the FX community at large".
    Yes I did. My post was deleted.
  • Kill the messenger.
    Jeremy: "Anyone can go on Steve Hopwood's Forex forum or Donna Forex to see how we interact with the FX community at large".
    Yes I did. My account was deleted.
  • Blame the messenger.
    Jeremy: "without even contacting us directly about your ideas on SSL".
    I did try to inform you on forums you sponsor or that sponsor you.
  • Blame your competitors.
    Jeremy: "it reeks of a jealous competitor attempting to discredit Global Prime".
    It is your site. It is your responsibility. SSL is not "my idea".
  • Discredit the messenger.
    Jeremy: "it reeks of a jealous competitor attempting to discredit Global Prime".
    I'm not a competitor. Again, I did try to inform you on forums you sponsor.
  • Insult everyone.
    Steve Hopwood: "Wise up dimwits... Personally, I loathe you all...".

How to handle security on a web site
  • Review and fix reported issues as soon as possible.
  • Audit the site to find any other security issues it may have.
  • Reassure your clients that you are serious about security and have taken action to fix the issues.

Some tips on fixing your site.
  • Remove the offending pages. This should take minutes in any reasonable CMS.
  • Redirect the offending pages to your subdomain with an SSL certificate. This should also be pretty easy to do. Minutes easy.
  • Use SSL for the whole website and you will not make these blunders. Your clients are not trading cat pictures. They are trading real money.
  • If you insist on having clients upload images of their credit cards to your site, see to it that your site is PCI compliant. This is for your clients' safety and to absolve you from liability if there is a breach and client credit card data is compromised.

Finally, I would like to point out that before each post I made, I checked to see if you had fixed the issue and you had not. It is your own inaction that has led to this. I should not have to tell you how to fix your site.
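As an added illustration of the checks behind the tips above (example code written for this thread, not code from the original post or from Global Prime): a small Python script, standard library only, that parses a page's HTML and reports every form that would send sensitive fields (card-like field names, or file uploads such as a card scan) to a non-HTTPS action. The markup and host names in it are constructed samples, and the list of "sensitive" field-name hints is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: field names hinting at cardholder or identity data.
SENSITIVE_HINTS = ("card", "cvv", "expiry", "account", "email", "name")


class FormScanner(HTMLParser):
    """Collect each form's resolved action URL and its sensitive input names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []  # [{"action": str, "sensitive": [field names]}]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action inherits the page's own scheme,
            # so a form on an http:// page posts in the clear by default.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "text").lower()
            # File uploads (a card scan, an ID photo) always count as sensitive.
            if kind == "file" or any(h in name for h in SENSITIVE_HINTS):
                self._current["sensitive"].append(name or f"<{kind}>")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(html, page_url):
    """Return (action, fields) for forms that send sensitive data over non-HTTPS."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    return [(f["action"], f["sensitive"]) for f in scanner.forms
            if f["sensitive"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample markup (not the broker's real page): a plaintext form
# taking a card scan, an HTTPS login form, and a harmless search box.
SAMPLE_HTML = """
<form action="/forex/clients/credit-card-funding/" method="post">
  <input name="full_name"><input name="card_number"><input type="file" name="card_scan">
</form>
<form action="https://secure.example.test/login" method="post"><input name="email"></form>
<form action="/search"><input name="q"></form>
"""
```

Running `insecure_forms(SAMPLE_HTML, "http://www.example.test/")` flags only the card-funding form; the same markup served from an https:// page URL flags nothing, which is the point of the "use SSL for the whole website" tip.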
 
Maybe the solution is... switching to another broker? If a broker doesn't care about security and is lax about customers' reasonable inquiries, then why involve yourself in such a risk? There are plenty of reputable, regulated brokers, quite vigilant about security, happy to accept any real-account trader.
 
I am disappointed by what you just said. I heard talk about this Australian fx broker on another forum, and I was even about to open a demo account with them. I'll stay away from them.
 
Wow that's pretty shocking, not just from the broker but the fact that those two forums actually deleted your account just because you raised the issue.

I've seen forex factory change thread titles to protect advertisers but at least they don't delete accounts. Those two forums really take the cake.
 