Rob Daly: Securing the Markets

As the financial markets continue to globalize and interlink, protecting individual markets becomes more difficult—especially in these days of sub-millisecond executions.

A prime example of this is the Flash Crash that began in the futures market, but led to an intraday rollercoaster ride for the US equities market. There is still a debate in some quarters about the exact cause of the event, which the US Securities and Exchange Commission (SEC) attributes to a poorly chosen trading algorithm by one market participant. As a result, the Commission has implemented market-wide circuit breakers that would halt trading if something similar happened again.

This protects the markets from internal threats. But how about the markets protecting themselves from outside attacks? Since the start of the year, unknown individuals or organizations have managed to hack into the national registries of Austria, the Czech Republic, Germany and Romania and made off with 2 million European Union Allowances (EUAs) for carbon emissions trading. To put this in perspective, the theft represents a mere 0.02 percent of all EUAs traded on the carbon spot market, according to Commission officials.

To prevent the theft of additional permits, the Commission has exercised its right to prevent the internal or external transfers of permits until the various national registries bring their security up to snuff. In short, the Commission shut down the European carbon spot market. According to officials, the spot market is only 20 percent of the entire carbon trading market, so trading in futures contracts, where the deliverables do not need to be immediately transferred between counterparties, remains unaffected.

As soon as each national registry deploys an improved security infrastructure that meets the requirements that are being hammered out between the Commission and the various registries presently, each market can resume trading. This puts a lot of pressure on the Commission and the registries to make the right security decisions in a short timeframe, since every day the spot market is closed investors are losing money.

One Phish Story
The theft of the EUAs is most likely a crime of opportunity rather than a premeditated one. Some officials suspect that the thieves gained access to the various national registries through data acquired through the infostealer.Nimkey Trojan virus that popped onto the cyber scene last September. Apparently, the virus targets US users by directing them to tax publications hosted on an imitation web page for the US Internal Revenue Service in order to distract them from noticing that the virus is downloading additional malware from servers hosted in Poland, Moldova and Bosnia.

Once all of the malware is in place on the infected system, it gathers all of the digital certificates stored on it as well as their respective passwords via a key-logger component.

The virus most likely hit only a small number of PCs used by carbon traders and then sent the account information back to the virus writers, who then used it to break into the repositories posing as the actual traders.

As long as the market security is based strictly on passwords and digital certificates, this sort of exploitation can happen again. If the carbon spot market wants to be more secure, it must ramp up security by adopting a token-based protocol, for example, which requires a physical key along with a password and digital certificate, and is harder to crack since a hacker would need to duplicate the token as well.

It is a more expensive proposition and in all likelihood would take longer to roll out than a non-token-based security system, but this seems a small price to pay to secure a market and all those linked to it.