Max Bowie: Phishing in the Liquidity Pools of the Capital Markets
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and Max would be shocked if that number has not already reached 100 percent.
It’s customary when beginning a new year to look forward to what we can expect or hope for from the next 12 months. But this year, as I look forward, I sincerely hope that what I expect to happen does not come to pass: a catastrophic hack on a financial institution or an exchange that manipulates the markets either for personal gain or merely to destroy the wealth of corporations and individual investors.
In an unstable world, cyber-attacks represent a new age of warfare for terror groups and even rogue nation states. The infamous hack on Sony Pictures gave us some rare insights into what Hollywood celebrities and studio execs really think of one another in the form of leaked emails, while point-of-sale hacks at major retail stores have gleaned reams of customer credit card data. But these seem like small change compared to the lure of the trillions of dollars that change hands every day in the capital markets, and the potential of skimming some of that flow, or disrupting it and plunging the global financial markets into chaos.
Shocked
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and I’d be shocked if that number has not already reached 100 percent. That doesn’t mean that any actually succeed, but it does create a huge burden for firms and marketplaces to deal with. And inevitably, one such attack will eventually succeed. Then, given the interconnected nature of modern markets, an intrusion in one market could conceivably wind up in another.
At last month’s Waters USA conference, Charles Blauner, global head of information security at Citi, noted a constant shortfall in the number of IT security specialists—to the tune of around 200,000 professionals worldwide—while the ranks of hackers continue to swell and their techniques become ever more complex. While a large portion of hackers’ efforts is targeted at retail investors, phishing for bank account information or looking to install malware or spyware on their computers, hackers are also using individuals as a way into corporations, assuming that someone is just as likely to click on a link or open an image file at work as at home. And to be sure, while human judgment is usually the weak link in the cybersecurity chain, hackers are also targeting non-critical but connected network devices such as printers as a back door into a firm’s network, rather than mounting a head-on assault on a firm’s customer portal or trading front-end.
Then there are more sophisticated types of “spoofing” attacks, where a hacker may try to overwhelm a wireless data signal with a stronger wireless feed of their own that introduces erroneous data—potentially causing the recipient to place disadvantageous trades that execute against stale or incorrect prices—or that subtly introduces incorrect timing data to confuse firms’ clock-synchronization systems.
Succeed Once
As Blauner said, for a hacker to be successful, they need only to succeed once in penetrating an organization or individual’s defenses. But for IT security professionals to be successful, they need to block 100 percent of hacking attempts. Facing such an uphill challenge, even with the latest technologies at their disposal, and the cooperation of other firms generally considered competitors and other industry bodies, such as exchanges participating and sharing information in the World Federation of Exchanges’ Global Cybersecurity Committee, it seems almost certainly a matter of when—not if—a malicious hack will bring an important global marketplace or a significant portion of the entire financial system to its knees.
So if you haven’t yet made a New Year’s resolution, make it this one: to safeguard your networks and internal and customer data. Because if you don’t value it enough to protect it adequately, there are plenty of people out there who value it enough to steal it.
Copyright Infopro Digital Limited. All rights reserved.