Last month, five eastern European hackers were brought into court for cracking NASDAQ. They didn't touch the exchange itself, but they managed to compromise the internal email servers, giving them a clear window into the internal communications of one of the biggest stock markets in the world. By the time the FBI caught up with them, four years after the initial hack, they’d used similar tactics to make off with 160 million credit cards from retail banks. They never made it to NASDAQ's actual exchange, where stocks are bought and sold, but they came as close as anyone ever has.
The European crew is part of a troubling trend: bank hackers are smartening up. The blunt-force DDoS attacks that inconvenienced banks last fall are turning into something smarter and more dangerous. "Attackers are moving up the sophistication scale," says CloudFlare CEO Matthew Prince, who helped fend off many of the DDoS attacks on banks. "You're seeing attacks being launched more against the underlying infrastructure."
Exchanges like NASDAQ are a particularly tempting target. The classic stock market trading floor is now almost entirely electronic, a high-speed network populated by humans and algorithm-driven robots alike, with millions of dollars changing hands every second. If a bad actor could sneak onto that electronic trading floor, or just disrupt it somehow, they could do a lot of damage.
And they're trying. A recent study from the World Federation of Exchanges (WFE) found that 53 percent of exchanges had faced some kind of attack in the last year. Most were easily fended off, but as attacks grow more sophisticated, exchange managers speculated to the WFE that large-scale attacks "might involve infiltration of several exchanges, probably most easily by email phishing campaigns involving stealth malware, access built up and maintained over a length of time."
Worse, one in ten exchanges had no plans or documentation to deal with criminal attacks on their network. That means that if they faced an action similar to last fall, in which intruders tried the same attack against a series of organizations, some of them would be caught flat-footed. "Generally, people in the finance industry do not have any solid understanding of security," says Adriel Desautels, founder of the penetration testing company Netragard. "They think they do, but they don't."
The biggest misconception is that attackers want to break in to steal money. None of the exchanges in the WFE report have seen a single instance of attempted financial theft, for the simple reason that it's so hard as to be nearly impossible. As the NASDAQ hackers discovered, exchanges are hard to get into, and even harder to get out of. The trading floor is an extremely closed network, and access is only given to a small number of heavily credentialed players. Simply getting the profile of the network is hard, never mind breaking in and walking away with some heist-sized chunk of money. Even the most sophisticated exploits, like the Stuxnet virus turned on Iranian nuclear plants, would have trouble sitting unnoticed on a stock exchange once they started making trades.
Instead, attacks focus on simply disrupting business as usual, a much easier task that can be every bit as harmful. No one's come close to putting a stock exchange in the dark yet, but because markets are so sensitive to uncertainty, halting trading for even a few minutes could send stock prices plummeting. "If you're looking to go after the stock market, it's much easier to screw things up," says Desautels. "You can do it a lot more efficiently that way." In fact, it’s happened before. This March, a string of attacks on South Korean banks and TV networks caused the nation’s stock market to plummet a full percentage point, momentarily vaporizing tens of billions of dollars. A dedicated attacker might even be able to make money off it by shorting stocks and then using attacks to induce a flash crash.
Another possibility is stealing information. Exchanges are well protected, but as Prince points out, "There's something between the front page of the website and NASDAQ's trading platform. Anything that's passing across the public internet is up for grabs." That could mean malware-assisted insider trading or plain old corporate espionage. Intruders might not even need to exploit any software vulnerabilities to get in. "People in finance tend to be very easy to socially engineer," says Desautels, describing the industry as plugged in, but not always technologically savvy. A phishing attack like the one that snared the New York Times might work just as well against smaller banks.
The result is a lot of uncertainty. As any security pro will tell you, absolute security is impossible, but it's not all bad news for finance. The banking system has the reputation and the money to attract all manner of unsavory web-dwellers. But at the same time, they have the funds to protect themselves, and their security doesn't have to be perfect — it just has to be better than the next available target. "Getting in isn't a problem," says Desautels, "but as a hacker, you're going to go after the lowest-hanging fruit."