Estimated time to resolve the problem?

Ross - I’ve already communicated with you by private email that we’ll certainly consider adding alternate third-party payment options in the future, but that right now, we’ve focused on other priorities.



For example, in the past week we’ve successfully added 448-bit strong encryption to credit card information stored in our data center. In addition we’ve entirely reworked our entire account password methodology to use one-way hashes. What this means is that no one can view your passwords – not even the folks here at C2. If you forget your password, the only thing we can do is reset it.



We’ve upgraded our proxy server and Web servers.



We’ve upgraded our internal Web applications to enhance security.



We’ve improved our firewall rules to lock down unneeded ports.



We’ve started running automated daily vulnerability scans, and we’ve retained a third-party consultant who will work with us on a long-term basis in order to continuously review our security procedures and enhance them.



Should all of those things have been in place a year ago? Yes. This was a painful lesson about the importance of being hyper-vigilant about security.



But while it was a painful lesson, it was a lesson that we learned from. Our small team has been working hard to guarantee that nothing like this ever happens again.



Regarding your complaint that I haven’t been as clear and responsive as you’d like:



At some level, you are correct; there are some matters about which I have been silent. But overall, I think this small company has been more open and forthright about this incident than most other companies – big or small – would have been. Have I shared absolutely everything with you, as if you were a Board Member of this company? No. There may be business, legal, security, or law-enforcement reasons that I can’t or don’t want to open the kimono entirely to you. But, on the major points, I think we’ve been transparent. I wonder how many other companies have faced a similar incident, but have chosen to remain mum, pay off their blackmailer, and hope their problem goes away, and their reputation remains unaffected.



I don’t seek your applause or approval, because we surely don’t deserve it. But I do want to address the specific questions out there: Have we taken appropriate steps to enhance the security of your information? Absolutely. Have we considered alternate payment systems? Yes, but it’s not a priority right now. Are we keeping you informed about our progress restoring AutoTrading? I’m trying my best, but in some cases, some of the decisions about timing are out of my hands. I’d rather keep silent than report inaccurate information. Even so, I will try to keep you posted as I learn more.

Hi Matthew,



Thank you very much for these clear words and all the information.

I appreciate your hard work and outstanding service. Hope that everything goes swimmingly in the future.



Best regards

Matthew,



Your explanation goes a long way in informing your clients here at C2 about what is going on with this very important security issue. I thank you for your response.



One thing I keep cringing about from many of your posts is your repeated mention of your “small” team or your “small” company. It really doesn’t inspire confidence in me when I hear that. In fact, it makes me wonder why you don’t farm out some of the critical functions (like payment processing, security, etc.) to firms that don’t have a “small” team.



I’m not trying to be difficult or even complain, but I wanted to express an opinion that many seem to share.

Any update or date of resumption of operations?

Waiting for broker legal department to review.

Matt, it is getting closer to two weeks now from stopping the service. Any news of a prompt resumption?

I am still waiting to receive final word from optionsXpress and OpenECry. The latest I heard (yesterday) is that we are getting "close," but that they are still reviewing. I will try to ask for more detail so that I can provide it here. I am sorry that I do not have any additional information. I am as frustrated as you.

I am astonished about the cooperation between Collective2 and OpenECry. They say they are waiting for a statement from Collective2's side; within Collective2 I can set up and start the signals delivery - here it seems everything is ok.

Can you get in touch with OpenECry again? Thanks

Robert -



I posted a notice in the C2 forums last Friday that all trading has resumed! (And OpenECry told us that they would email all their C2 customers about this – perhaps that email missed you.)



In any case, OpenECry/C2 AutoTrading was back online as of 4 days ago, and so too was optionsXpress/C2 AutoTrading. In other words, all AutoTrading is up and running. Hooray!