A Pothole on Wall Street

A financial services CISO ponders a huge, unchecked vulnerability in how the financial industry processes market news

I’m a CISO who has worked in the financial services industry both as a regulator and for a large services company. In this column I’m going to let you in on one of the biggest, dirtiest secrets in the industry: The companies that get the least amount of scrutiny from financial regulators actually present some of the greatest risks for systemic financial market manipulation and fraud. I’m talking about financial news and brokerage service companies.

Various companies (if you’re on Wall Street, you certainly know the names) lease computer terminal services to financial institutions that do securities trading. These terminals present the latest in market news and securities pricing. The securities traders at the financial institutions make decisions based on the information they receive from these computer terminals and, in turn, execute their trades using these same terminals. Because of the central function the terminals play in presenting market data and financial news, and executing trades, they are at the heart of the international financial system.

Yet few people realize the huge information security vulnerabilities that exist in the services provided on these terminals. These vulnerabilities have the potential to enable individual instances of fraud and could potentially have an enormous impact on financial markets. Once you start poking at how the system works, it’s hard not to think about how easy it would be for a ne’er-do-well to do something truly awful.

Let Me Count the Ways

The first vulnerability is in the financial feeds themselves. One major service that financial news companies provide is financial data from the markets around the world. These feeds let dealers know the up-to-the-second “buy” and “sell” prices of publicly traded securities. Based on this knowledge, the traders then make decisions that can result in hundreds of millions of dollars worth of trading.

To get a feeling for just how important this is for trading floors of large financial firms, consider this: I once knew a network systems engineer who was awarded an annual bonus of $1 million for reducing the transaction time of trades in his firm by one second. Yes, for these people time really is money—and big money at that.

Yet, in my experience, there is absolutely no authentication between the financial news companies that are receiving and broadcasting the data through their terminals, and the financial markets that put out the data. Data feed connections with financial markets have no authentication, are not encrypted and have no checks for data integrity. This lack of controls is primarily a function of the time pressures of the market. No one wants to slow down market pricing information with security controls. With such a blatant lack of security, it would be very easy to mount a successful man-in-the-middle attack.

How would this work? Let’s say our hypothetical hacker could tap in to the link between a financial market and the news company. The hacker could manipulate the price of a given stock to show that its share price had plummeted 20 percent. When this information reached all the traders using those company’s terminals, some (albeit not all) would see the drop and act on it by, say, selling off shares of that security. Remember, this may be done either through a conscious decision on the part of the traders, or simply through a preset computer algorithm that monitors and makes decisions based on fluctuations of a security’s pricing. This drop in price could, in turn, prompt other traders (even those using other companies’ terminals) to quickly dump the stock, which would drive down the price even further.

Meanwhile, the wily hacker could take advantage of the market’s going short on the stock to quickly snap up shares. When the market finally realized the mistake, there would be a correction as the stock returned to its fair market value price. Unfortunately, the hacker then could make off with a nifty fortune by selling the stock he bought at his “discounted” price. There might be an investigation by the Securities and Exchange Commission into the sudden drop in the stock, but with no authentication, encryption or data integrity checks in the market feed, there wouldn’t be a lot of evidence that could be used to detect the hacker.

To be fair, this is really not the financial news companies’ fault. If they want the data feeds from a market, then they have to play by that market’s rules. Because most financial markets refuse to put in authentication, encryption and data integrity checks for their feeds, the financial news companies have little choice but to go along. What other option do they have? Not provide the market information to their clients? Not likely.

A second major flaw in the operations of these companies is the manner in which financial news is reported. Like the market data feeds, market news can quickly affect the pricing of securities. Yet it is painfully ridiculous how easily market news can be spoofed.

For example, several years ago a fax was sent to the news division at one of the terminal services companies with a bogus press release from a publicly traded security, Emulex. The press release gave out bad news about the company. The news division failed to authenticate the fax and, given the tremendous pressure to be first to press with breaking market news, editors published the bogus information from the fax on their financial terminals. Other financial news companies, not wishing to be scooped, also began posting the same bogus information on their terminals. Predictably, the price of Emulex stock fell. The perpetrator of the fraudulent fax had, meanwhile, been waiting for the market to go short on Emulex, and he quickly bought up the stock at the reduced price.

The SEC later investigated and caught the perpetrator of the fraud, but the target of the investigation was the perpetrator of the fraud and not the lack of controls at the news organization that enabled the fraud to take place. Sadly, such a scenario could take place again today—it just takes the successful spoofing of one financial news company to create the fraud.

A third major flaw of financial news and service companies is with the terminals they provide to their clients. At a company I’m familiar with, the client logged on to the terminal using a fingerprint scanner. The scanner took an image of multiple points along the ridge lines of the customers’ finger. The image was then stored and matched against subsequent images taken at log-in. An 80 percent match in the position of the computer user’s finger ridge lines would produce a “match” and thus a successful authentication.

The only problem was that the image of the fingerprint was stored at the finger­print scanner at the terminal and not at the authentication server located at the terminal provider’s premises. Thus, a knowledgeable hacker could spoof a successful log-in by tampering with the fingerprint scanner in such a way as to get it to transmit the local fingerprint match to the terminal provider’s authentication server. To be sure, it would have to be a sophisticated hacker with detailed knowledge of how the scanner worked. But given that the fingerprint scanner is in wide usage in the industry, it would not be difficult to get such a device, monitor the authentication protocol traffic and then use a replay attack in order to complete a successful bogus authentication.

What would this bogus authentication gain the hackers? Well, they could potentially begin transmitting trades on the hijacked terminal. If they hijacked the right terminal of say, the head of market operations at one of the primary dealers in the financial services industry, then they could conceivably buy or sell off securities with a very large market value. Yes, it would be a difficult fraud to initiate, but given the potential payoff it would certainly be worth it to the hacker.

Why the Absence of Oversight?

Given all this, by now you’re probably wondering why these companies aren’t more closely regulated. After all, these vulnerabilities, if successfully exploited, could either result in enormous and systemic consequences to the financial markets or, at the very least, enable individual instances of fraud.

It’s not that the financial news and trading terminal service companies are deliberately overlooked by regulatory watchdogs; it’s just that they fall between the cracks. If they’re private companies, they don’t have any oversight from Sarbanes-Oxley. The Federal Reserve and the Office of the Comptroller of the Currency don’t regulate them because they aren’t banks. If they provide only the front-end interface (that is, the terminal), they can foist any potential SEC inquiries about trading operations onto the brokerage firms to which they’ve outsourced the back-office operations. They thus can rebuff just about any federal and state regulatory entity.

Given the current backlash against Sarbanes-Oxley, the financial services industry has a noticeable lack of appetite to undertake any new regulatory measures. So, although these security vulnerabilities exist and at great risk to the financial markets, the industry will probably muddle along until the day they actually cause the damage described in this article. Until then, the industry will continue to whistle past the graveyard.

Copyright © 2007 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline