Now this is interesting, coming from the annual “Black Hat” conference in Las Vegas (for those not involved in the computer security world, that’s an annual gathering of hackers where various presentations are made that amount to brags about exploits that have been or can be run against various parts of information technology):
Among the talks conspicuously absent from this year’s schedule: a presentation exposing security vulnerabilities in banks’ high-speed trading systems.
The talk, planned by security researchers Varun Uppal and Gyan Chawdhary, would have dealt with methods for hiding risky unauthorized trades in high-speed trading applications, as well as demonstrating a “sniffing” software tool capable of siphoning trading information to a faraway hacker to allow a high-tech form of real-time insider trading. But Uppal tells us that the talk has been cancelled after concerns were raised by a financial industry client of the security auditing firm he works for, Information Risk Management.
I suppose we’re supposed to believe that this is all theoretical, right?
Oh, somehow I doubt it.
Well, it wouldn’t have anything to do with firms intentionally ignoring security capabilities for reasons of SPEED, would it? (Note that encryption, in particular, is comparatively slow. Plain text is of course very fast.)
While security measures for FIX programs are available, Uppal says he’s audited firms that ignore them for convenience or speed. Uppal says that could allow a hacker to monitor a bank’s trades and make near-simultaneous ones, or even steal a bank’s unique trading algorithm.
Oh, they would do that. That’s very nice.
New? Oh no. It’s not new either:
In a 2007 Black Hat presentation, David Goldsmith and Jeremy Rauch of Matasano Security listed systematic problems with the security of high speed trading systems such as the difficulty of encrypting trade data and banks’ reluctance to add any security that might slow down the transactions,
Right. Speed before security. Engage in an arms race and if someone else gets unlawful advantage as a consequence of your refusal to follow best practices, well, that’s too damn bad.
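To make concrete what “ignoring security measures for FIX” and “difficulty of encrypting trade data” mean in practice, here is an added example (not from the original post, the article it quotes, or any firm’s code) that builds a FIX 4.2 NewOrderSingle the way it would travel over an unencrypted session, parses it, and checks its tag-10 checksum. The session identifiers, account, symbol, quantity and price are invented for the example; the point it shows is that every order field is readable to anyone on the wire, and that the protocol’s own checksum catches line noise but is not an integrity or authentication control, which is exactly why transport encryption matters.

```python
SOH = "\x01"  # FIX field delimiter

# Public FIX 4.x tags a passive observer of a plaintext link would read.
TAG_NAMES = {1: "Account", 11: "ClOrdID", 55: "Symbol", 54: "Side",
             38: "OrderQty", 40: "OrdType", 44: "Price"}
SIDES = {"1": "Buy", "2": "Sell", "5": "Sell short"}

def fix_checksum(data: str) -> str:
    """Tag 10: sum of all bytes modulo 256, zero-padded to three digits."""
    return f"{sum(data.encode('ascii')) % 256:03d}"

def build_fix(msg_type: str, body: list, begin: str = "FIX.4.2") -> str:
    """Assemble a message, computing BodyLength (9) and CheckSum (10)."""
    body_str = "".join(f"{tag}={val}{SOH}" for tag, val in [(35, msg_type)] + list(body))
    msg = f"8={begin}{SOH}9={len(body_str)}{SOH}{body_str}"
    return msg + f"10={fix_checksum(msg)}{SOH}"

def parse_fix(msg: str) -> dict:
    """Split tag=value fields; no key is needed, the whole message is plaintext."""
    return {int(t): v for t, v in (f.split("=", 1) for f in msg.split(SOH) if f)}

def verify_checksum(msg: str) -> bool:
    """Recompute tag 10 over everything up to and including the SOH before it."""
    head, sep, tail = msg.rpartition(f"{SOH}10=")
    return bool(sep) and fix_checksum(head + SOH) == tail.rstrip(SOH)

def exposed_order_fields(msg: str) -> dict:
    """What an observer of an unencrypted session learns from one order."""
    fields = parse_fix(msg)
    out = {TAG_NAMES[t]: fields[t] for t in TAG_NAMES if t in fields}
    if "Side" in out:
        out["Side"] = SIDES.get(out["Side"], out["Side"])
    return out

def rewrite_field(msg: str, tag: int, value: str) -> str:
    """Change one field and rebuild: the recomputed checksum verifies just like
    the original, so tag 10 detects corruption, not modification."""
    fields = parse_fix(msg)
    fields[tag] = value
    body = [(t, v) for t, v in fields.items() if t not in (8, 9, 10, 35)]
    return build_fix(fields[35], body, fields[8])

# Constructed sample order (all values invented for this example).
SAMPLE_ORDER = build_fix("D", [
    (49, "BANKSIM"), (56, "VENUESIM"), (34, "7"), (52, "20090729-13:45:12"),
    (11, "ORD-0001"), (1, "PROP-DESK-3"), (21, "1"), (55, "XYZ"),
    (54, "1"), (38, "250000"), (40, "2"), (44, "17.25"), (59, "0"),
])

if __name__ == "__main__":
    print(verify_checksum(SAMPLE_ORDER), exposed_order_fields(SAMPLE_ORDER))
```

A corrupted byte fails the checksum, but a rebuilt message passes it; only a keyed mechanism such as TLS on the session gives confidentiality and integrity.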
Let’s contrast that with what happens in the Interbank (e.g. Visa, MasterCard, Discover, etc.) networks. There, if you store unencrypted cardholder data (it’s faster and easier!), if you use unencrypted transport between devices (it’s faster and easier!), or indeed if you store certain information you’re not allowed to store at all (e.g. CVV data), you are in violation of your contract with the Interbank folks, and that contract specifies that you may not only have your access to those networks terminated but can also be (and sometimes are) fined.
Looks like our so-called “secure” securities markets, those much-vaunted places where all Americans should trust that price discovery is fairly done, that everyone plays on a level field, and that best industry practices are followed for data security, are in point of fact none of the above.
I’ll make two wagers:
CNBS won’t feature this
The SEC will not demand that each and every one of these offending systems be disconnected until all of the bypasses to good industry practice are removed, even if it does mean that your computer is one millionth of a second slower than it was before.
After all, it’s far more important to have the fastest response (that’s what HFT is, right, getting in front of the other guy – a legal form of “front-running”?), and if someone manages to unlawfully glean what’s going on and does a bad thing as a consequence, well, that’s just tough.
For everyone else.
Hat tip to the forum’s Breaking News area.