Security Concerns

It is a good thing to be concerned for the security of your trading account.

Reason for concerns

For web based trading platforms, our system asks for login credentials of your trading account. Obviously, this will raise questions about trading account security. Hence we have written this article to give our users an insight into our security.

Why is it needed?

All web-based trading platforms are highly secured, so an outside system like AutoTrader cannot interact with your trading platform without proper access. People use AutoTrader APIs for automated trading or multi-account trading, which requires actions to be performed in their trading accounts by communicating with their respective web-based trading platforms.

If AutoTrader does not have credentials, then all communication with the trading platform will result in an error, and users will not be able to trade in their accounts via AutoTrader.

How does it work?

AutoTrader uses the credentials entered by you to automatically log in to the trading platform. It then performs actions requested by users or their trading strategies. Some of the common actions are:

  • Place/modify/cancel order
  • Read live portfolio

These credentials are saved by AutoTrader in the following ways:

  • AutoTrader (old product) – Stores it on client’s local machine in a database
  • AutoTrader Web – Stores it in stocksdeveloper’s database in an encrypted form*

Just to give our users a look inside our system, here is a screenshot from our test database which shows sensitive information saved in an encrypted format.

[Screenshot: Credentials stored in encrypted format]

* Encrypted form means the credentials are converted into junk characters that are meaningless to anyone reading them. Only the system can understand them. Only the administrator has access to the database, but even he/she sees your credentials as a meaningless sequence of junk characters.

The one-way hashing technique (BCrypt) ensures that the password can never be converted back to plain text. The API key and trading account credentials are stored with two-way encryption, as users might need to view them.

  • Trading account credentials are stored with two-way encryption. This is because the system needs to read them back while communicating with your trading platform.
  • AutoTrader Web’s internal API Key (which provides API access to AutoTrader Web) is stored with two-way encryption. This is because users might need to view it in case they forget the key.
  • User’s login password for AutoTrader Web is stored using one way hashing technique (BCrypt). It ensures that the password can never be converted back to plain text format.
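The difference between the two storage schemes in the list above, as an added example (not stocksdeveloper's code). It assumes the spring-security-crypto library is on the classpath; the choice of `Encryptors.delux` (AES-256-GCM), the BCrypt work factor and all sample values are assumptions made for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class CredentialStorageDemo {

    public static void main(String[] args) {
        // --- One-way: login password stored as a BCrypt hash ---
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(12); // assumed work factor
        String loginPassword = "constructed-login-password";          // constructed sample
        String storedHash = bcrypt.encode(loginPassword);             // value kept in the database

        // A random salt is embedded in every hash, so two hashes of one password differ.
        System.out.println("hash differs per call: "
                + !storedHash.equals(bcrypt.encode(loginPassword)));
        // Verification re-hashes the candidate; the plain text is never recovered.
        System.out.println("correct password:  " + bcrypt.matches(loginPassword, storedHash));
        System.out.println("wrong password:    " + bcrypt.matches("guess", storedHash));

        // --- Two-way: trading credentials / API key stored encrypted ---
        // Assumed cipher: AES-256-GCM via Encryptors.delux. The key is generated here
        // for the demo only; in a deployment it must be kept outside the database,
        // because anyone holding both the key and the rows can decrypt them.
        String keyPassword = KeyGenerators.string().generateKey();
        String salt = KeyGenerators.string().generateKey();           // hex-encoded, as delux() requires
        TextEncryptor encryptor = Encryptors.delux(keyPassword, salt);

        String brokerPassword = "constructed-broker-password";        // constructed sample
        String storedCiphertext = encryptor.encrypt(brokerPassword);  // value kept in the database
        System.out.println("stored form:       " + storedCiphertext);
        System.out.println("decrypts with key: "
                + brokerPassword.equals(encryptor.decrypt(storedCiphertext)));

        // A different key cannot read the row: authentication fails on decrypt.
        TextEncryptor wrongKey = Encryptors.delux(KeyGenerators.string().generateKey(), salt);
        try {
            wrongKey.decrypt(storedCiphertext);
            System.out.println("wrong key:         decrypted (unexpected)");
        } catch (RuntimeException e) {
            System.out.println("wrong key:         rejected");
        }
    }
}
```

The hash side has no decrypt call at all, while the encrypted side is readable by whoever holds the key, which is why the key's storage location matters as much as the cipher.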

Other security features

AutoTrader-Web has been built using the latest versions of the Spring framework. Spring is the most widely used application development framework for Java. The Spring Security module provides many built-in security features for web applications. The details about those features can be found here.

Our servers use the latest stable version of Java 11. The standard in the Java world is still Java 8, but we have upgraded to Java 11 to make sure we use the latest and more secure tech.

Our vision is to always use the latest cutting edge technologies.

Network Security (SSL/HTTPS)

AutoTrader-Web’s server uses SSL/HTTPS, so all communication between your computer & the server is encrypted.

Uses Google’s infrastructure

Our website as well as back-end services are hosted in Google Cloud’s Mumbai data center. They use security measures offered by Google & have been placed behind firewalls. This makes sure our services are not only secure but also deliver high performance with low latency along with 99% up-time.

What are the Risks?

Will stocksdeveloper trade in my account without my permission?

NO, never. This is our policy: all actions taken by our systems will always be the result of our users’ actions, for example users placing orders via Excel utilities or users’ trading strategies placing orders.

Our staff has no access to your trading account. And our systems are built in such a way that they will never trade on their own.

You can always check all the activity in your trading platform and try to reconcile it with the activity done by you or your trading strategies.

If you ever face a scenario for which you do not find an explanation, you can always write to us.

Finally, you can always change your trading platform’s credentials. We can never change your credentials, for the following two reasons:

  1. Your credentials are saved in encrypted form, so we cannot read them
  2. Changing trading platform credentials requires additional authentication via email or SMS (which is going to be yours)

Will stocksdeveloper withdraw funds from my account?

No, we cannot do that. Please understand that a trading account is linked to your own bank account. So any withdrawal made will result in the amount being credited to your own bank account.

Will stocksdeveloper share my trading activity or portfolio statistics?

No.

Trading activity is stored only for logging and investigation purposes, which is useful for users to debug trading strategies and issues. This is only accessible to the user from the Activity screen.

Portfolio statistics are not stored in the database at all & they are not shared with anyone.

Why should a user trust us?

Stocksdeveloper is driven by a passion for technology, and our focus is always on developing world-class software. There is not much we can do apart from trying to explain every detail to users to gain their trust.

But, if you still have doubts then you can always use broker specific APIs. Nowadays there are many brokers who provide their own APIs. But doing so will not give you broker independence & the ability to manage multiple trading accounts from a single system.

What should a user do, if he/she has a doubt?

This is applicable if you have entered your trading account credentials in AutoTrader Web. If, for some reason, you are doubtful about security, then you should immediately change your trading platform password.

Remember that a trading platform password change requires access to your email, so there is no way the AutoTrader team can change your password.

Once you have changed your password, you are safe, as AutoTrader Web will have only the old password.

Questions

If you have any other questions, feel free to contact us.