Financial Markets: A Playground for Cybercriminals

Photo credit: lev radin/Shutterstock.com
Photo credit: lev radin/Shutterstock.com

The financial markets are supposed to be transparent, and efficient. But what happens if cybercriminals begin playing with them, and would we even know it was happening? Danny Bradbury investigates

It’s the kind of thing you might imagine happening in a cyberwar. Last year, a hacking attack wiped out 1% of the US stock market’s value – around $136bn – in a little over a second. It didn’t take months of careful orchestration, the theft of trading exchange source code, or the theft of insider information. All it took was the hacking of a Twitter account.

The Associated Press owns the account in question, and the attacker – still unidentified – gained access, using it to post a report saying the White House had been bombed, and the President injured. The market went wild. As stock prices slumped, US treasury bonds – a traditionally stable asset that people retreat to in times of extreme uncertainty – spiked. Futures contracts on the CBOE volatility index (known as the VIX, an index that tracks market volatility) also spiked in price. And it all happened in the space of about five minutes, at which point the AP corrected the bogus tweet, and the markets returned to normal.

There’s no sign that any individual profited wildly from the move. Indeed, we don’t even know if that was the intention. But the manipulation was obvious, and the potential for profit was enormous. While the pro-Assad Syrian Electronic Army claimed credit, if financial motives were behind this strategy, a smart hacker wouldn’t make a clear and obvious gain by massively and visibly shorting the Dow – they’d make their gains using a complex trading strategy designed to hide their tracks. The chances are, we’ll never know if this was a concerted attempt to cash out, a political statement, or a glorified frat party trick with a low opportunity cost.

No wonder Scott Borg, director and chief economist at the US Cyber Consequences Unit, sees financial market manipulation as the next big wave in cybercrime. “There is a limit to how much money you can steal by credit card fraud and improper account withdrawals”, he pointed out in a keynote discussion at last year’s (ISC)² Congress in Chicago. “There’s no limit to the amount of money you can make by manipulating a financial market”, he added.

Financial Manipulation

The markets are no stranger to manipulation. Pump-and-dump schemes have plagued naïve investors for years. Often focused on obscure, thinly traded, illiquid assets such as penny stocks, these attacks capitalize on the lack of market information about a company, and their susceptibility to price swings from relatively low trading volumes.

However, there are other ways to swing larger, more liquid financial markets in your favor rather than simply distributing misinformation. Infiltrating financial systems to eavesdrop on, or even manipulate financial data directly, could have a devastating effect, warns Tom Kellerman, managing director with Alvarez & Marsal, who has studied financial markets and cybersecurity for years, writing reports for organizations including the World Bank.

Moreover, Kellerman says the financial system has become more susceptible to manipulation by cybercriminals in the last few years thanks to changes in the way that central depositories operate.

After the 9/11 terrorist attacks, these organizations – which hold securities and other assets physically in a single location and document ownership changes electronically – prepared themselves for kinetic attacks such as bomb blasts. They moved many closed, private networks closer to the internet for the purpose of resiliency and business continuity, says Kellerman, while at the same time changing the way they executed their trades.

Changing Financial Operations

Instead of executing these trades manually, they moved to straight-through processing, in which transactions involving financial securities such as stocks were handled entirely electronically, to improve liquidity and efficiency. This meant that payments were being made in real time, rather than taking a day.

“Today as financial institutions you have maybe three hours to roll back a fraudulent transaction. In addition, should someone successfully hack a central depository or a major, significant brokerage exchange, they can effectively change the integrity of the data”, Kellerman observes. “Because as we know, money is based on time.”

There are several broad kinds of attack that could be mounted by those with early access to information. Front running is a favorite, in which a financial player anticipates another’s trading strategy based on advanced information, and acts on it for profit. It’s a form of insider trading, in which trades are executed based on privileged information.

This is a serious enough issue to warrant governmental investigation. Last year, the US Federal Reserve began conducting investigations into how so-called ‘low latency’ news organizations delivered information.
News from government departments is released at specific times, and trading systems react quickly, without human intervention. The Fed found that some traders enjoyed a seven-millisecond advantage when news was released after a Fed meeting.

In 2007, the US Department of Labor began similar investigations into how news agencies installed equipment in datacenter-based ‘lock-up’ rooms. The root cause for that review was the possibility that some traders might have electronic access to the lockup. When millions in assets can be traded inside a few milliseconds, such an advantage would be highly desirable.

High-frequency Trading

How do people trade on such news, in less time than it would take a human to react? High-frequency trading (HFT), or algorithmic trading, happens when people take the human element out of the equation altogether. For several years now, companies have developed algorithms to make automatic decisions about trades, which are then executed in microsecond windows, far faster than humans could ever react.

These systems are designed to move vast amounts of data around without human interaction. But what would happen if humans did tamper with such systems illegitimately?

There are already indicators that misdirected HFT could result in calamitous market movements. In 2010, 9% of the Dow’s value was wiped out for several minutes in what became known as the ‘Flash Crash’. At least two reports from the US Securities and Exchange Commission (SEC) and the Commodities and Futures Trading Commission (CFTC) suggested that a firestorm of trading activity among several HFT systems was a contributory factor.

Side Channel Attacks

Rony Kay, CEO at network performance monitoring firm cPacket Networks, believes that side channel attacks can be used to manipulate algorithmic trading systems. He defines a side channel attack as manipulating physical links shared by a victim, in order to manipulate the timing of traffic delivery between them.

“It gives me an ability to apply a modification to response times, in a way that isn't detectable by you, to gain a trading advantage”, he says. The idea here isn’t to create a single, cataclysmic event that would be obvious, such as the Flash Crash. Rather, it’s about ‘salami slicing attacks’ in which a number of smaller actions create a larger result over time.

“It’s not one time that I got info milliseconds before you”, Kay explains. “On a regular basis, I can slow every tenth trade that you do by a millisecond and sneak mine in front of it.” In short: it’s better for a criminal to earn a few dollars a second over a long period and remain undetected than it is to crash a market and try to make off with a fortune all at once.

Erosion of Market Trust

That may be true, but we shouldn’t rule out cataclysmic events altogether. While monetary gain is probably the clearest motive for cybercriminals intent on manipulating financial markets, it isn’t the only one. The financial services sector is listed as one of the 16 critical national infrastructure sectors by the US Department of Homeland Security.

When economies tank, nations suffer, making the markets a crucial chokepoint in any electronic conflict. Kellerman points out that visibly affecting a market repeatedly using cyberattack tactics could decrease confidence in a central depository, leading to “a dramatic flight of capital from the market.”

Does anyone have that capability, though? James Lewis, the director and senior fellow for the Strategic Technologies Program at the Center for International and Strategic Studies (CSIS), thinks so.

“I had one British official tell me that there were 20 to 30 cybercriminal gangs, mostly Russian, who have the same capabilities as a nation-state”, he reveals, quoting someone “relatively senior” at GCHQ. “These guys have just become more professional – more skilled.”

How Prepared Are We?

One of the biggest problems is that it’s difficult to detect these crimes, says Rodney Joffe, senior technologist at internet traffic analysis firm Neustar, who is also co-chair of the FCC’s CSRIC Network Security Best Practices sub-committee and sits on the ICANN Security and Stability Advisory Committee (SSAC).

“The SEC and the exchanges have people monitoring for the movement of stock. They’re effectively not able to stop it”, he says. “They’re trying to detect it in hindsight, and then go after them. That’s a sign that the crimes themselves are far more sophisticated.”

"The SEC and the exchanges have people monitoring for the movement of stock. They’re effectively not able to stop it"
Rodney Joffe, Neustar

What we do know, from a July 2013 report by the International Organization of Securities Commissions (IOSCO), is that over half of all exchanges (53%) reported a cyberattack in 2012. The dollar value of the breaches was relatively low, said the report, titled ‘Cyber-crime, Securities Markets and Systemic Risk’, but many exchanges envisioned scenarios in which a large-scale, coordinated and successful cyberattack on markets would have a substantial effect on market efficiency.

Detection

That may be one of the biggest problems facing financial markets today. They are now so complex and fast-moving, that it is difficult to detect exactly what attacks are occurring. “It’s something people are looking for”, says Lewis. “We know that cybercriminals have poked around Wall Street and the Federal Reserve.”

But in this sense, the financial markets are like black holes. These gigantic entities have so much gravity that even light cannot escape, making them impossible to see directly. Instead, physicists must look for evidence by examining phenomena around the edges. The modern financial markets turn in milliseconds, and are massively, intricately interconnected. Our biggest worry isn’t just that cybercriminals are manipulating the markets – it’s that we may not be able to see them.

What’s Hot on Infosecurity Magazine?