Stealing $136 Billion is as Easy as Hacking a Twitter Account

Bad Blue Bird

The financial industry is rightfully hyper-alert to the risk that a hacker might infiltrate their systems.  We know that foreign governments, sophisticated crime rings and even lone computer geniuses have been able to breach even the highly secure systems employed by large financial institutions.  The industry has been able, for the large part, to keep these hackers from pulling data out of the system.  The susceptibility that is too often overlooked is the potential for criminals to ‘put data in’ – that’s what happened recently to the Associated Press. 

The Hack

@AP hacked

The tweet heard ’round the Street.

On April 23rd the Twitter feed of the Associated Press was hacked. The culprit entered a tweet that read “Breaking: Two Explosions in the White House and Barack Obama is injured”.   The story was quickly re-tweeted and forwarded around the Internet.  Within seconds of the post, the Dow Jones Industrials had fallen 150 points.

All this was reported in the press in the days that followed, but the mass media seems to be missing an important element of the story.   A relatively simple computer hack had caused the most sophisticated financial market in the world to freefall, if only temporarily.

Regulators and politicians investigated the so-called “Flash Crash” of 2010 in which the market plunged 1000 points (including 600 points in 5 minutes).  Trading curbs and circuit breakers were instituted.  These reforms were intended to protect the system from high-frequency trading programs run amok.

Regulatory attention to date appears to have been focused on the latent risk of machine error causing trading losses.  However, the events of April suggest that there is a greater peril.  The truth is that the recent AP event demonstrates that our markets are incredibly susceptible to another threat.   Terrorists or political activists with even a modicum of technological competence can wreak havoc with our financial world.

Terrorists Exploiting Algorithms?

There has been no official pronouncement of who hacked the Associated Press thereby causing the crash.  (A group calling itself the Syrian Electronic Army has claimed credit.)   Whoever the culprit, the result is that we have learned that our system is vulnerable.  It is vulnerable in a way that it never was before.

Algorithms and high-frequency trading may improve liquidity and pricing for the market, but we must address the weaknesses they create in the system as a whole.

Algorithmic trading systems rely on the accuracy of the data being gathered from disparate sources – sources such as news services, like the AP, weather forecasting sites, government websites, and even household magazines.   If anyone of those sources is compromised the algorithms may react on false data and cause the market to fluctuate wildly.

A human trader on learning that the Associated Press was reporting an attack on the White House, would have recognized that such an event would be reported by multiple sources.  A human trader would have had the sense to recognize that not even the attentive Associated Press could have gotten the jump on the entire corps of journalists that surround the White House.  Machines, however, lacked that sense, and the result was a $136 billion yo-yoing of the market that has largely been written off as a technical glitch.

An ability to make the market swing in such erratic movements could also provide outlaws an opportunity to pilfer enormous sums through carefully placed, virtually untraceable, option strategies.  It could also quickly erode confidence in the market as a whole.

Secure News, Not Just Trading Platforms

While trading houses and regulators try to get their house in order, we must also look outside the arena of electronic trading.   The sources of data that influence the trading programs are vulnerable.  News sources, data feeds while not directly controlling trading are now important levers – capable of sending markets skyrocketing or spiraling – faster than humans can intervene.

The AP hack will prove an important milestone, whether its importance is appreciated or not.  It was the day we learned that the security of data sources can be as important as the security of the trading systems themselves.   If we fail to learn that lesson be assured that terrorists and other malefactors will make use of the weakness.

 


This post originally appeared in KYC360° May 22, 2013.

About Richard Magrann-Wells

Richard is a Executive Vice President with Willis Towers Watson’s Financial Institutions Group based in Los Angel…
Categories: Cyber Risk, Financial Services

Leave a Reply

Your email address will not be published. Required fields are marked *