Undercover
A Pothole on Wall Street
A financial services CISO ponders a huge, unchecked vulnerability in how the financial industry processes market news
By Anonymous
May 17, 2007 — CSO
I’m a CISO who has worked in the financial services industry both as a regulator and for a large services company. In this column I’m going to let you in on one of the biggest, dirtiest secrets in the industry: The companies that get the least amount of scrutiny from financial regulators actually present some of the greatest risks for systemic financial market manipulation and fraud. I’m talking about financial news and brokerage service companies.
Various companies (if you’re on Wall Street, you certainly know the names) lease computer terminal services to financial institutions that do securities trading. These terminals present the latest in market news and securities pricing. The securities traders at the financial institutions make decisions based on the information they receive from these computer terminals and, in turn, execute their trades using these same terminals. Because of the central function the terminals play in presenting market data and financial news, and executing trades, they are at the heart of the international financial system.
Yet few people realize the huge information security vulnerabilities that exist in the services provided on these terminals. These vulnerabilities have the potential to enable individual instances of fraud and could potentially have an enormous impact on financial markets. Once you start poking at how the system works, it’s hard not to think about how easy it would be for a ne’er-do-well to do something truly awful.
Let Me Count the Ways
The first vulnerability is in the financial feeds themselves. One major service that financial news companies provide is financial data from the markets around the world. These feeds let dealers know the up-to-the-second “buy” and “sell” prices of publicly traded securities. Based on this knowledge, the traders then make decisions that can result in hundreds of millions of dollars’ worth of trading.
To get a feeling for just how important this is for trading floors of large financial firms, consider this: I once knew a network systems engineer who was awarded an annual bonus of $1 million for reducing the transaction time of trades in his firm by one second. Yes, for these people time really is money—and big money at that.
Yet, in my experience, there is absolutely no authentication between the financial news companies that are receiving and broadcasting the data through their terminals, and the financial markets that put out the data. Data feed connections with financial markets have no authentication, are not encrypted and have no checks for data integrity. This lack of controls is primarily a function of the time pressures of the market. No one wants to slow down market pricing information with security controls. With such a blatant lack of security, it would be very easy to mount a successful man-in-the-middle attack.
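The three missing controls named above (authentication of the data source, integrity of each quote, and protection against replayed or stale quotes) can be added to a feed message with a keyed MAC and a sequence number, at a cost of microseconds per message. The following is an added example written for this column, not code from any feed vendor or market; the shared key, the symbol "XYZ", the prices, the timestamps and the two-second freshness window are all constructed for the demonstration. It signs a quote on the sending side, then shows a receiver rejecting a quote whose bid was altered in transit, a replayed quote, and a quote that is too old.

```python
import hashlib
import hmac
import json

# Constructed shared secret. In practice each market/consumer pair would be
# provisioned with its own key out of band; this value is for the demo only.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Maximum age (seconds) a receiver will accept; constructed value for the demo.
MAX_SKEW_SECONDS = 2.0


def _canonical(body):
    """Serialise a quote body deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_quote(symbol, bid, ask, seq, ts, key=SHARED_KEY):
    """Sender side: build a quote and attach an HMAC-SHA256 tag over every field.

    seq is a per-symbol monotonically increasing counter; ts is the send time
    (seconds since the epoch). Both are covered by the tag, so an in-path party
    cannot reorder, replay or re-date a quote without invalidating it.
    """
    body = {"symbol": symbol, "bid": bid, "ask": ask, "seq": seq, "ts": ts}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class FeedVerifier:
    """Receiver side: checks integrity/authenticity, freshness and replay."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = {}  # symbol -> highest sequence number accepted so far

    def verify(self, msg, now):
        """Return (accepted, reason). `now` is passed in so the check is deterministic."""
        body = msg.get("body", {})
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad MAC"
        # Only trust ts/seq after the MAC has been verified.
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale"
        sym = body["symbol"]
        if body["seq"] <= self.last_seq.get(sym, -1):
            return False, "replay"
        self.last_seq[sym] = body["seq"]
        return True, "ok"


def demo():
    """Run the four scenarios a receiver must handle; returns the reason for each."""
    verifier = FeedVerifier()
    t0 = 1_700_000_000.0  # constructed reference time

    good = sign_quote("XYZ", 101.25, 101.30, seq=1, ts=t0)

    # Simulate an in-path modification of the bid after signing.
    tampered = sign_quote("XYZ", 101.25, 101.30, seq=2, ts=t0)
    tampered["body"]["bid"] = 99.00

    # A correctly signed quote that is ten seconds old.
    stale = sign_quote("XYZ", 101.25, 101.30, seq=3, ts=t0 - 10)

    results = {}
    results["good"] = verifier.verify(good, t0)[1]          # ok
    results["tampered"] = verifier.verify(tampered, t0)[1]  # bad MAC
    results["replay"] = verifier.verify(good, t0)[1]        # replay (seq 1 already seen)
    results["stale"] = verifier.verify(stale, t0)[1]        # stale
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:9s} -> {reason}")
```

A MAC gives integrity and source authentication but not confidentiality; if the quotes themselves must be hidden from an observer on the path, the same link still needs encryption (for example TLS, which would also supply the MAC). The order of checks in `verify` matters: the sequence number and timestamp are only meaningful once the tag over them has been verified, so the MAC comparison comes first.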