# Equity Story



## freebird54 (19 December 2017)

I have subscribed to many tipsheets etc. over the last 30 years, some good, some poor.
Does anyone have an opinion on the above please?


----------



## freebird54 (22 September 2018)

They have published their results - over 90% closed trades in profit

http://equitystory.com.au/


----------



## minwa (22 September 2018)

Publishing results for closed trades only means nothing. I can have 100% closed trade profitability by only closing profitable trades and still be down overall with unclosed losing trades. The fact that they don't disclose open trades and claim total transparency is a major red flag.

_*Past results are no guarantee of future returns. Assumes members bought and sold all recommendations at recommended price points. Does not take into account tax, or any transaction costs. *Does not take into account open recommendations.*_

They inserted that last line in their disclaimer so they are free from being in trouble for misrepresenting their performance.


----------



## minwa (22 September 2018)

You only need to do some simple digging and see all the holes.









So this guy used to run a financial reporting business with his business phone and ABN registered to a unit. Totally legit and respected.





Then you have the usual fake testimonial people. Chrome is also warning me "Not secure" site status. No legit business (not to mention this is financial of all things..) will not HTTP encrypt their site.


----------



## luutzu (22 September 2018)

minwa said:


> .... Chrome is also warning me "Not secure" site status. No legit business (not to mention this is financial of all things..) will not HTTP encrypt their site.




My understanding of HTTPS/SSL is that it doesn't actually encrypt, or mean the site is un-hackable or that all interactions with it are encrypted.

It just means that the site was verified by a hosting company/data centre and the like, and is deemed "secured" and legitimate.

That just means the site is certified to be hosted in a legit DC with its own security etc... as opposed to being hosted in someone's bedroom or garage.

For that, it'll cost a few bucks for the cheaper version. Or hundreds a year for the top range tag.

As to data encryption....

such as entering your credit card details and the like. Yes, for those the user must definitely only enter on https sites.

but the https designation itself doesn't encrypt anything in and of itself. It is merely a certificate from the certifier that the site is secured and its (important) transactions are encrypted.

Of course it means that at the software level, the https-certified site that collects users' credit card details... requires its client [the website you're on] to hash, encrypt, salt, decrypt etc., to be able to direct the user to its gateway.

So while the "unsecure" warning looks scary, a green padlock does not mean it is safe and secure to enter your credit card either.

I'm not too sure this makes it safer for users to be honest.

Used to be that only banks and financial institutions needed to secure/encrypt their transactions, as they should.

To now put a safe padlock on any site with minimal checks... what's to prevent criminals from designing a replica of mastercard, say, and start collecting paying users' card details on their own site.


----------



## minwa (22 September 2018)

Of course, being verified doesn't mean it's unhackable. Plenty of large companies get hacked all the time.

It's like having a physical padlock on your store. Break-ins obviously still happen. But not having one and having your door open is simply more inviting and says a lot about the business. One that will hold your personal and payment info.

Giving your personal and payment info to the site in question is like depositing at a bank without basic security in place. Would you deal with such a business?


----------



## luutzu (22 September 2018)

minwa said:


> Of course, being verified doesn't mean it's unhackable. Plenty of large companies get hacked all the time.
> 
> It's like having a physical padlock on your store. Break-ins obviously still happen. But not having one and having your door open is simply more inviting and says a lot about the business. One that will hold your personal and payment info.
> 
> Giving your personal and payment info to the site in question is like depositing at a bank without basic security in place. Would you deal with such a business?




If a site collects your payment on it, directly, then yes. Don't give it. 

I just checked, Equity Story does *seem to* link its payment to a secure payment gateway - eWay.

I did look up eWay a few years back. They're one of the legitimate payment gateway systems for online merchants. But I don't know what its payment form looks like. MasterCard's gateway doesn't have that much detail; so is PayPal... but I don't know.

With CBA for example, online merchants can have "unsecure" website [without https] and still collect payment. Just that payments are done from a post click that then encrypts the details, sent to MasterCard's server to be verified... then if passed and decrypted, direct the user to Mastercard's own secured payment gateway to enter their card details.

That's how it's done with practically all online merchants except for the big banks.

----------
I'm not defending EquityStory. Just saying that having a https on a website does not then mean users can trust it and pass their details thinking it's encrypted etc. It's not.

The new https as detected by Chrome is just a certificate proving the business name, host etc. is a registered business. It doesn't have anything to do with encryption. Well, maybe the data centre has their security procedure that protects the server better than if it's hosted from home, say.

Encryption and data privacy are done at the coding/software level.

I'm in the process of getting an SSL certificate. My brother is taking care of the details but I know for a fact that the certifier doesn't require the website to encrypt any data. At least he hasn't told me about it.

Data privacy and encrypting sensitive information like passwords, email address etc., that's just good programming practice.

For example... you don't store clear text the name, address, password of your members just in case hackers get access to your database. Or your IT guy got a hold of it. Especially if you run a one-night stand/cheating application or escort services.

For such sensitive info, you'd hash, add salt that would scramble the text where only the original user can access it on the application, once the decryption is done.

Putting a padlock tag might sound like a good idea, and it will raise revenue for sure. But it's a false sense of security.


----------



## minwa (23 September 2018)

luutzu said:


> With CBA for example, online merchants can have "unsecure" website [without https] and still collect payment. Just that payments are done from a post click that then encrypts the details, sent to MasterCard's server to be verified... then if passed and decrypted, direct the user to Mastercard's own secured payment gateway to enter their card details.
> 
> That's how it's done with practically all online merchants except for the big banks.




This is incorrect. I struggle to find a well known Australian online merchant with "not secure".


----------



## luutzu (23 September 2018)

minwa said:


> This is incorrect. I struggle to find a well known Australian online merchant with "not secure".




Online merchant receives payment through a payment gateway. i.e. they themselves don't actually receive the payment, it is paid through their banker's payment gateway. Exception could be for the bank themselves or the really big guys. But practically all merchants go through a third-party, encrypted, authorised gateway.

Think of it like an actual brick and mortar shop. The bank doesn't really care whether the shop has an alarm system or any sort of security. They simply provide the shop keeper with those keypad devices you tap or swipe your card.

So when you check out, your register gives you a total, hand over the pad and you enter your details.

That device encrypts your card details, pin... together with the merchant's id etc., and securely sends it to a gateway the bank deals with. Say, Mastercard.

Mastercard decrypts, checks your bank balance and ids... if all is good they send an encrypted message back with status - say, APPROVED or DECLINED...

So as far as financial/payment transaction encryption is concerned, it's done through that gateway. The actual website/eStore you're at doesn't do any encryption on anything but what the bank tells them they have to to access that gateway.

i.e. browser/user private info, what they read, write etc., their encryption depends on the site operator, not the bank. 

What the SSL certifier does is certify that the merchant's business name and registration matches their URL. ie. they are who they say they are.

They do not vet whether the guy is encrypting user's messages or pw and such. There's no way they could do that, at least not for the fee they're charging.

I mean, there's no way they're going to check the database architecture; the encryption methodology the site's developer coded or not.

And if they were to demand that, 99% of the world's websites will not be certified as it requires a crapload of specialised development work.
----------

It's confusing and, to me, just a way for Google to help drive business and appear like they care about security and privacy. 

Dangerous too in that we're so used to seeing https as a sign of high security we can trust our credit card on... when all it is now, at least from what I see, is just a business registration certificate for online businesses, payable to selected certifiers.

I mean, a currently innocent operator can have all the rego papers checked out... then set up a page that collects users' card details. Use it however they please until they get flagged.

So the new https just forces every webmaster to better get a tag for a fee else their site will scare away users. But all the security and encryption were either in place already or they weren't. The certifier doesn't require it.

And as far as financial transaction is concerned, the banks have solved and required encryption from merchants a long time ago. 

In short, don't enter your card details unless you're doing it on a known financial institution's site [gateway].


----------



## minwa (23 September 2018)

luutzu said:


> Online merchant receives payment through a payment gateway. i.e. they themselves don't actually receive the payment, it is paid through their banker's payment gateway. Exception could be for the bank themselves or the really big guys. But practically all merchants go through a third-party, encrypted, authorised gateway.




You don't sound like you shop online much. Some do, some don't. Some process credit card directly off their site and lots of personal info is entered on the site themselves. I found 3 already on first page of googling pet food, as many as ones that send you off to Paypal and similar. Sure VISA/Mastercard is processing the payment but the info is entered on the vendor's site. Chrome's secure status is a very basic check but one would be adventurous to enter any info on a site without it.


----------



## luutzu (23 September 2018)

minwa said:


> You don't sound like you shop online much. Some do, some don't. Some process credit card directly off their site and lots of personal info is entered on the site themselves. I found 3 already on first page of googling pet food, as many as ones that send you off to Paypal and similar. Sure VISA/Mastercard is processing the payment but the info is entered on the vendor's site. Chrome's secure status is a very basic check but one would be adventurous to enter any info on a site without it.




I just developed an e-commerce site so I know the process and coding required under it. As in, I actually programme it, speak to CBA, set up an online merchant account with them, contacted their payment gateway tech support people... the whole nine yards.

So on an individual website/eStore... the site might collect purchase details, addresses and whatever else users care to give them. BUT...

but when they go to check out, the place where they enter their credit card are always secured and encrypted. And it is done on the gateway provider's own website, not on the individual store website.

Though it might look seamless, if you look at the url it's a different domain.

But yea, I'm sure there are other gateway providers, different banks might do things differently. And if a site is big or brave enough they'll develop their own gateway... most will either deal directly with their bank's preferred method, or go to their bank via an approved 2.5-party gatekeeper... that just means less coding but more fees the merchant has to pay.

Point I tried to make was that google's security check doesn't mean it's safe and secure to enter your credit card on the site itself. And it doesn't mean that data users entered on it are encrypted either.

Likewise, showing "not secure" doesn't mean the website is a fraud or its business is fake. It just means that the webmaster hasn't bothered to register their business with that domain.

You shouldn't enter CC details on any url that collects it directly. Only enter your details at a known gateway/financial institution portal... and you get to that from a website's re-direct.


Think of google's check like a check done by health and council inspector on shops in shopping centre or district... that as opposed to, say, the back of van or a tent along highways.

You can be more confident that the business is properly registered and you can complain if they commit fraud on you... but there's no promise that fraud won't be committed or that your info is secure and encrypted.


----------
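The thread above turns on where a checkout form actually sends card details. As an added example (not written by any poster), this script parses a page's HTML, finds forms with card-like fields, and reports whether the page and the submit target use HTTPS and whether the target is another host such as a hosted gateway. The field-name hints, URLs and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: substrings suggesting a field holds card data.
CARD_HINTS = ("card", "cc-", "ccnum", "cvv", "cvc", "expiry")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the labels of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            parts = (a.get("name"), a.get("id"), a.get("autocomplete"))
            self._current["fields"].append(" ".join(filter(None, parts)).lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def verdict(page_https, submit_https):
    if not page_https:
        # Without TLS on the page, the form and its target can be altered in transit.
        return "page not protected in transit"
    if not submit_https:
        return "card data submitted in clear text"
    # Says nothing about how the site stores or handles the data afterwards.
    return "encrypted in transit"

def audit_card_forms(page_url, html):
    parser = FormCollector()
    parser.feed(html)
    page, findings = urlsplit(page_url), []
    for form in parser.forms:
        if not any(h in f for f in form["fields"] for h in CARD_HINTS):
            continue  # not a payment form
        # An empty action submits back to the page's own URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        p, s = page.scheme == "https", target.scheme == "https"
        findings.append({"target": target.geturl(), "page_https": p,
                         "submit_https": s, "verdict": verdict(p, s),
                         "offsite": target.hostname != page.hostname})
    return findings

# Constructed sample pages (not taken from any real site).
SAMPLES = {
    "http://shop.example/checkout":
        '<form action="https://gateway.example/pay" method="post">'
        '<input name="card_number"><input name="cvv"></form>',
    "https://shop.example/checkout":
        '<form action="/charge" method="post">'
        '<input name="cardNumber" autocomplete="cc-number"></form>',
    "https://shop.example/newsletter":
        '<form action="/subscribe"><input name="email"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, audit_card_forms(url, html))
```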



## freebird54 (23 September 2018)

luutzu said:


> I just developed an e-commerce site so I know the process and coding required under it. As in, I actually programme it, speak to CBA, set up an online merchant account with them, contacted their payment gateway tech support people... the whole nine yards.
> 
> So on an individual website/eStore... the site might collect purchase details, addresses and whatever else users care to give them. BUT...
> 
> ...



Thank you so much for your valuable input


----------



## luutzu (23 September 2018)

freebird54 said:


> Thank you so much for your valuable input




I think Minwa's input is more valuable and critical. I just focus on what I understand the encryption and site security to mean.

I don't know about the business, how valid its operation is. It might be suitable for some, might not for others.


----------



## freebird54 (23 September 2018)

I meant thanks to all for the input.
I like full transparency and disclosure.


----------



## MarketMatters (1 October 2018)

I think the initial question has been lost in data encryption and https site discussions. I believe he is located in Balgowlah (NSW) as per AFSL details (which must be updated within 10 days of any address changes) however I have also heard he was in 'North Sydney' previously too. His/their location should not be the primary determinant but rather is their style aligned with your investment trading behaviour. Look out for any seminars they may hold so you can raise questions with the organiser(s).

He appears to employ a high frequency style guided by the ASX300+ which differs from our approach although I would ultimately suggest you subscribe to their free trial and start navigating the site to determine your initial experience compared with other providers you have used.

Let us know how you go.


----------



## InsvestoBoy (1 October 2018)

luutzu said:


> My understanding of HTTPS/SSL is that it doesn't actually encrypt, or mean the site is un-hackable or that all interactions with it are encrypted.
> 
> It just means that the site was verified by a hosting company/data centre and the like, and is deemed "secured" and legitimate.
> 
> That just means the site is certified to be hosted in a legit DC with its own security etc... as opposed to being hosted in someone's bedroom or garage.




This is 100% wrong.

HTTPS literally only means 1 thing and 1 thing only: your interaction with the site is encrypted on the network.

It has *nothing* to do with your site being verified by anyone nor does it speak to the security of your website *at all*. Your site can use HTTPS and still be an insecure pile of easily hackable junk.

You can absolutely host a website in your garage or bedroom with HTTPS.


----------



## luutzu (1 October 2018)

InsvestoBoy said:


> This is 100% wrong.
> 
> HTTPS literally only means 1 thing and 1 thing only: your interaction with the site is encrypted on the network.
> 
> ...




I did repeat quite a few times that https does not speak to the encryption of the website. That encryption and security are mainly at the source code level.

I guess it depends on who issues the certificate, just that I'd imagine most wouldn't issue it if your business registration details don't match with the business name, say... and might give you a hard time if you're hosting it at home rather than a data centre where the host might offer extra protection to brute force attack; where they would do some preliminary check and would deny non-registered business... or at least can trace it if there's ever any scam.

But yea, like I also said, https does not mean the site is encrypted or safe to enter credit card details etc. And that is why the likes of Google branding a site safe or not through https registration makes the web more dangerous, not safer.


----------



## InsvestoBoy (7 October 2018)

luutzu said:


> I did repeat quite a few times that https does not speak to the encryption of the website. That encryption and security are mainly at the source code level.
> 
> I guess it depends on who issues the certificate, just that I'd imagine most wouldn't issue it if your business registration details don't match with the business name, say... and might give you a hard time if you're hosting it at home rather than a data centre where the host might offer extra protection to brute force attack; where they would do some preliminary check and would deny non-registered business... or at least can trace it if there's ever any scam.
> 
> But yea, like I also said, https does not mean the site is encrypted or safe to enter credit card details etc. And that is why the likes of Google branding a site safe or not through https registration makes the web more dangerous, not safer.




dude you have literally no idea what you are talking about!


----------



## luutzu (7 October 2018)

InsvestoBoy said:


> dude you have literally no idea what you are talking about!




Then why don't you read what I wrote, quote them then enlighten me.

I don't make claims to being any sort of cyber security expert, but what I have said pretty much agrees with what you're saying. 

That is, https does not mean the site is secured and encrypted. It'll cost me next to nothing (about $22+GST) to get a https certificate to my site. 

That and I have done actual coding and encryption interacting with payment gateways; hash, encrypt users' sensitive details and logins to secure access and privacy. 

So I do know a little bit.


----------



## freebird54 (31 October 2018)

Interesting in light of the above my visa used for that subscription has been used for fraud c. $10000 in multiple small amounts in one day - I have cancelled card and have got some back so far

this is my first hack ever in 20 years of IT!


----------



## freebird54 (27 April 2019)

freebird54 said:


> Interesting in light of the above my visa used for that subscription has been used for fraud c. $10000 in multiple small amounts in one day - I have cancelled card and have got some back so far
> 
> this is my first hack ever in 20 years of IT!



As an update they have been a disaster especially on small caps.

Also after a year I cancelled and they promised to refund a month ago - fill in the rest.


----------

