Mr. Dallermassl, you are giving a lecture in Belarus on behalf of the European Security and Defense College (ESDC), a key player in the civil and military fields of training under the European Security and Defense Policy. What is the content of your presentation?
Christof Dallermassl: Yes, I hold international awareness training courses on behalf of the European Security and Defense College (ESDC). This means that I share knowledge with civil and military decision-makers about how hackers think and act, and thus create greater awareness of the threats posed by cybercrime. My goal is to strengthen the community against all kinds of cyberattacks by imparting knowledge and raising awareness.
Data Security has not only been an issue since the recent scandals. How long have you been involved in information security?
I have always been interested in cyber security. In over ten years of professional practice, I have gained a lot of experience in the field of data security. At my last employer, I was responsible for the software product used to manage the intellectual property of multiple large enterprises. If you imagine that this data represents the "Holy Grail" of a company and that a security gap could mean a worst-case scenario, you have an idea of how high the requirements for data security were.
"Even NSA can’t access our data."
In relation to wealthpilot: How do you ensure data security here?
We rely on encryption! Every data transfer is encrypted by us, in such a way that nobody can read it, not even the NSA. The assets themselves are also encoded. No hacker can see who has what or how much. By the way, not only hackers, but also all our employees cannot read the information. In addition to encryption, we use many other security systems. For example, we "salt" passwords, meaning that we extend them so that they cannot be cracked even if a password database is used. Or we use so-called Certificate Pinning, a system that always clarifies in advance whether the person requesting the data is really who they claim to be, and not a hacker.
Another point is that we assign completely anonymous usernames, consisting of letters and numbers, when registering someone to the wealthpilot software. This may be a bit annoying for some advisors and their clients because it's not as easy to remember as your own email address, but in this way we ensure that no one can draw any conclusions about the owner of the data. But we don't publish all our security-related methods on the website. After all, we don't want to give hackers anything to work with…
But what if someone, for example from a relevant department of a financial institution, wants more information?
Then, of course, we will be happy to provide more detailed information. We have drawn up an internal document that describes our internal security processes in more detail for interested parties or security experts in banks and savings banks. This document is available on request. If there are still open questions or concerns, I am available to meet our customers personally.
Could a hacker, who gains access to wealthpilot's data, use it to withdraw money from clients' accounts?
No! We have read-only functionality for the accounts and deposits. No write functionality. In addition, since PSD2 you always need two-factor authorization of transactions, and only the client has access here.
"Our security standard is rated A+ and therefore absolutely top class."
How is the security standard at wealthpilot determined? Are you certified externally?
As a company, we have been registered with BaFin as an account information service (KID - Kontoinformationsdienstleister) since last year. As already mentioned, no transactions can be executed technically via our interfaces. This is also part of the KID registration, as otherwise registration as a payment initiation service would be required. We host the data at DATEV, which has been managing sensitive data for over 40,000 members since 1966, mainly from the tax and auditing sectors. DATEV's data center also complies with the ISO 27001 standard, a globally recognized IT security standard, and has an up-to-date data protection seal of approval. Our clients' data is stored there, in our so-called "data vault".
There are also independent providers who check the security standards of software and award grades according to a rating system. We achieved a rating of A+ there. That is absolutely top class!
(Laughs) That reminds me of the rating for government bonds. Are there any other parallels with the financial sector? Emotions play a significant role in the markets.
Yes. Security has a lot to do with trust. We create this trust by adhering to the latest security standards and continuously developing them, but also through good communication with the clients, for example in the form of the more detailed information we can provide, as just mentioned.
How can someone contact you if they have any questions?
If you have any questions about how wealthpilot can help you to manage your data securely, our Support Team is the first point of contact. Simply send an email to firstname.lastname@example.org and we will answer all your questions within a maximum of four hours. For more detailed data security questions, I'm available to answer them personally - my email address is email@example.com.
* * *