Online Security for Canadian DIY Investors: How to Stay Safe While Trading Online


Published March 10, 2017 11:25 PM

    Data breaches, fraudulent activity, and online tricks and traps are all around us. It happens so often we’ve dubbed March fraud month to raise awareness of the growing issues. In fact, we’ve got enough to say about it that we’ve broken up this article into two parts. Part one looks at two factor authentication (TFA) and your responsibilities as a DIY investor. Part two examines investor confidence and how you can check to be sure your advisor is trustworthy, accredited and competent. To cap things off, we’ve also included some handy resources at the end of Part one.

    Online brokerage security agreements: a handshake

    First things first: don’t freak out. Despite the multitude of risks and negative headlines concerning online activity, there’s plenty of security, and lots you can do to ensure your online brokerage account is safe and secure.

    That said, what DIY investors cannot do is stay complacent, or just assume that an online brokerage is either solely responsible for online account security or necessarily doing all it could to keep investments safe. Just as learning how to choose investments comes with the territory of investing online, going the DIY investor route also requires learning enough about technology and online security to ensure that access to your trading account is as safe as is reasonably possible.

    While online brokerages may have regulatory compliance standards in place that ensure a minimum level of security, investors (i.e. online brokerage clients) must also take steps to keep up.

    It’s a handshake agreement between you and your online brokerage that only works when you both maintain a steady grip.

    Internet security: conditions apply

    The good news for DIY investors is that most Canadian discount brokerages have a security agreement of one kind or another, offering a “100% security guarantee.”

    Those agreements, however, have stipulations that depend on a DIY investor maintaining good security practices, which raises the question: what strings are attached to the ‘100% security guarantee’?

    Most guarantees offered by Canadian discount brokerages are limited to “direct losses” in your online brokerage account that come about from “unauthorized” activity. At the very least that means they likely won’t cover losses that occur if you allow someone to use your account and then that person cleans you out. Also, most online brokerage security guarantees say that you must adhere to the conditions they have placed on your end. That might include installing up-to-date software such as firewalls and frequent passcode changes, among other conditions. The bottom line: Learn them. Know them. Do them.

    Meet security conditions if you want losses reimbursed

    Online security conditions vary among online brokerages, so be sure to check yours out—and carefully.

    Here are some common concerns:

    • Use a unique user name and password that you change frequently. But how often is that? Not as often as you might think. A UNC-Chapel Hill study showed that people tend to create new passwords out of old ones, thus making the new one as easy to breach as the previous one. Lifehacker argues that hackers run hardware and software full-time to crack user names and passcodes and frequently changing a password isn’t going to stop them. And Mark Burnett, author of Perfect Passwords, told Wired that it’s enough to change your password every six months to one year . . . if you use one that’s 16 to 20 characters long.
    • Install a firewall. A firewall is like a security guard at the door to the building, checking the list for who goes in and who goes out. Of course, to add to the confusion, one of the go-to diagnostics for connectivity troubles for many trading software platforms is to disable a firewall to verify if that interferes with connecting.
    • Ensure your browser uses 128-bit or even 256-bit encryption—and has its own firewall. Some brokerage agreements demand it.
    • Protect your wireless network and internet connection from hacking by using a strong password.
    • Install the latest anti-spyware and anti-virus software.

    These aren’t anywhere near all the conditions that you might have to meet for your internet security guarantee to kick in. And, in most cases, whether you have met the required conditions is determined by the online brokerage, not you. So, you might want to track things like how often you change your password and, at a minimum, regularly check your account (even if you’re a passive investor) to ensure no irregular account activity is taking place.

    Ultimately, account security is a two-way street, and you might want to ask your online brokerage if their security system is the best it could be. More and more companies online are turning to two factor authentication, aka 2FA or TFA, as data breaches and fraud become more prevalent.

    Online brokerages: how they keep your online accounts secure

    Of 14 Canadian online brokerages, three currently offer two factor authentication (TFA), including BMO InvestorLine, Interactive Brokers and HSBC Invest Direct. But what is TFA, anyway, and does it matter whether it is part of the login system at your online brokerage? Well, the short answer might be, how much do you care about your money and investments?

    Two factor authentication (TFA): the way of the future?

    If you don’t know already, two factor authentication (TFA) requires two steps, or factors, as part of the authentication process when you access your account.

    The first step is your username and password. The second step is either a physical token (like your debit card) or a PIN. The PIN is usually sent to you via your cell phone when you enter your user name and password. You can see it’s a pretty secure approach since only you (presumably) have your phone with you, and only you know your username and password.
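
    The two-step login described above, shown from the brokerage's side as an added example (not from the original article or from any brokerage's system): the PIN is only issued after the password checks out, expires, works once, and is burned after repeated wrong guesses. The class name, the five-minute expiry and the three-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets

PIN_TTL = 300      # assumption: a texted PIN stays valid for 5 minutes
MAX_ATTEMPTS = 3   # assumption: wrong guesses allowed before the PIN is burned

class TwoStepLogin:
    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> [pin, expires_at, attempts_left]

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def step_one(self, username, password, now):
        """Factor 1: check the password, then issue a PIN for the phone."""
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [pin, now + PIN_TTL, MAX_ATTEMPTS]
        return pin  # a real service texts this; it never goes to the browser

    def step_two(self, username, pin, now):
        """Factor 2: the PIN must be unexpired, unused and not guessed out."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        stored, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[username]
            return False
        if hmac.compare_digest(stored.encode(), pin.encode()):
            del self.pending[username]  # single use: a replayed PIN fails
            return True
        entry[2] -= 1
        return False
```

    The `now` argument is passed in explicitly so the expiry behaviour can be checked without waiting; a live service would read the clock itself.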

    The 11 online brokerages that currently do not use this system have other, multiple levels of security. These include 128-bit or even 256-bit encryption, multiple firewalls, anti-virus software, internal protocols and constant electronic monitoring, among other measures. Though hackers get better all the time, two factor authentication (TFA) may be the best security around right now.

    DIY investors and regulatory agencies call for increased vigilance as data breaches escalate

    Data breaches cost Canadian companies an average of $6.03M every time they occur according to The Ponemon Institute, and Blackberry estimates that total costs for Canadian companies will reach $23B by 2019.[i]

    And, like most costs, those losses are eventually passed on to consumers. Canada’s regulatory agencies are also weighing in on the matter. The Investment Industry Regulatory Organization of Canada (IIROC), itself the victim of a data breach in 2013,[ii] offers a cybersecurity report card to its member organizations.[iii]

    As well, the Mutual Fund Dealers Association of Canada (MFDA) offers a 4-part toolkit that investors can use as a guide, including checking out your advisor and the organization to see if either has been litigated against.

    Costs alone may lead to two factor authentication (TFA) becoming more widely used, as losses from data breaches or hacking can be enormous. While industry certainly has a financial motive to prevent exploits, DIY investors are making their thoughts on the matter heard too.

    In 2016, for example, Redditors had a vigorous debate over security at a popular online brokerage, Questrade. One redditor commented, “I think this should be a higher priority than their many website facelifts of recent months.”

    As they often do on the DIY investing forums, John, a support representative from Questrade, responded: “I can confirm that we have moved beyond the investigation phase and are working on a two-factor authentication solution. We will be announcing more details as the project progresses.”

    If your DIY investor account is breached, act fast

    In the event your account is compromised, there are several things that will need to be done relatively quickly to qualify for coverage of an online brokerage security guarantee.

    Here are a few:

    • Notify your online brokerage immediately.
    • Change all passwords immediately.
    • Determine what data has been breached.
    • Contact all credit reporting agencies.
    • Put stops on all your credit cards.

    DIY investor takeaways

    Although most Canadian online brokerages do offer guarantees protecting investors from unauthorized access, the fine print of what clients must do often varies from brokerage to brokerage. It is therefore important to ensure that you comply with your discount brokerage’s specific conditions to have the guarantee apply.

    Finally, here’s a list of a few extra resources to help boost online fraud awareness.

    Are you susceptible to fraud, security breaches and online vulnerability?


    [i] Sagan, A. (2016, June 29). Average cost of data breach in Canada is $6.03M: study.  Retrieved from

    [ii] The IIROC lost financial information for 52,000 clients involving 32 investment firms when a laptop went missing in February, 2013.  IIROC. (2016). IIROC to support clients whose personal information was on a lost portable device [Press release]. Retrieved from

    [iii] IIROC. (2016). IIROC issues cybersecurity report cards for dealer firms [Press release]. Retrieved from