Information security and the stock market

The stock market ground to a halt on 9/11.
The stock market ground to a halt on 9/11.
Khalid Kark, Forrester Research
Khalid Kark, Forrester Research
Ted DeZabala, Deloitte
Ted DeZabala, Deloitte
Fran Rosch, VeriSign
Fran Rosch, VeriSign
The huge economic downturn that has shaken the financial sector has already left people with a worrying distrust of the financial markets.
The huge economic downturn that has shaken the financial sector has already left people with a worrying distrust of the financial markets.

It was a day we all remember. Planes crashed into two of the most recognized buildings in the world. They collapsed into dust, thousands of lives were lost, and the stock market ground to a halt. What no-one knew was that some of the companies in Manhattan that thought they had built redundancy into their networks by renting network capacity from different providers were unwittingly running everything over the same physical cable.

"Who was going to be responsible for looking at the wiring diagrams under the Hudson river?"

Ted DeZabala

"The major telcos were all leasing lines from each other. What was discovered was that they were all leasing the same basic pipe," says Ted DeZabala, who leads the security and privacy practice in the USA at Deloitte, which conducted a review for some financial firms after the event. "Who was going to be responsible for looking at the wiring diagrams under the Hudson river?"

That's the problem with oversight - it's easy to understand what should have been done in hindsight. It's harder to understand what threats lie in the future, and how we should protect the markets against them. Yet in information security terms, the stock market may be one of the most heavily pressured systems in the world. Investment banks in a post-Enron world are subject to regulations that mandate strict internal controls to avoid the unnecessary imposition of corporate risk.

And the US government is extremely worried about that risk. It identifies the financial sector as part of the critical national infrastructure with good reason, says DeZabala. "The big clearing companies take care of the clearing and settlement of trillions of dollars in trades per day. If you shut them down for a single day, it would have a material impact on the economy of the world," he warns.

Losing Face

No wonder that IT security spending among companies closest to the stock market has been dropping less than in other areas. Deloitte's 2008 security report recently showed that generally, IT security teams are feeling underfunded. But Khalid Kark, principal analyst at Forrester Research, argues that the spending in information security hasn't followed that trend. "What's interesting is that the spending in security hasn't really decreased to the same degree that their spending has decreased in other areas," he says. Some banks that are going through huge restructuring are keeping their contracts with information security vendors and in some cases increasing their budgets.

The main reason for this sustained investment in information security is fear of reputational damage, says DeZabala. Banks are worried about losing face due to fraud. Banks, investment and otherwise, thrive on trust, which is supposed to be their core competency. Fraud reduction is therefore vital if they are to maintain customer confidence.

And of course, they need to maintain customer confidence more than ever before after the events of the last six months. The huge economic downturn that has shaken the financial sector has already left people with a worrying distrust of the financial markets. It also presents challenges for internal information security, argues Kark. Following debacles like Barings in 1994, in which trader Nick Leeson effectively bought down the merchant bank by overexposing himself on futures, and a similar but much larger incident at Société Générale early last year, investment banks will be more nervous about over-exposure, and will want to impose internal controls to prevent trangression of the rules.

Kark also warns that disgruntled and desperate employees losing their jobs in the financial downturn also raises the threat of rogue actions that threaten a bank's financial stability. Role-based access control and identity management systems will likely be high on investment banks' agendas as a means of mitigating the information security threat.

Technological Monoculture

The consolidation that the economic crisis forced in the industry, as fallen banks were scooped up by others, has left the financial sector potentially more vulnerable, warns DeZabala. The reason? The gradual move towards a technological monoculture, with fewer points of failure.

"There's a lot of fear that because of the consolidation of the technology infrastructure that supports the trading environment in the USA, that it's more susceptible to someone attacking it and shutting down the system," he warns.

That consolidation has also bought together some elements of the industry surrounding the stock market. There have traditionally been three classes of company operating in this space. The buy-side companies are the large investment banks that control the mutual, hedge, and pension funds. The sell side contains the trading companies that broker the transactions, and finally the utilities are the places where the trades are made (such as the stock exchanges).

"Having pumped up the value of the stock with these transactions, they sell off their own stock at a huge profit, take the cash, and run."
 

There has traditionally been some crossover between the buy and sell side, in that many of the investment banks offer trading services in a similar way to companies like eTrade. With the consolidation of the market, we're seeing more of the trading function being drawn into bank holding companies, DeZabala says.

From a regulatory perspective, there was a level of advantage to being a stand-alone securities company rather than part of a bank holding company, because the conditions applied by regulators for banks were stricter than the regulations faced by sell-side firms. "Now, with everyone converting to bank holding companies and being acquired, there will be far more consistency in terms of how the brokerage side of this will be regulated," he says.

Federal Financial Institutions Examination Council (FFIEC) has had guidelines around multi-factor authentication for online banking, but not for online brokerage applications. And DeZabala argues that the back-end infrastructure of these applications are often different, in cases where they were developed by different teams or organizations. We'll start to see the normalization of those infrastructures as the brokerage houses come under the purview of the bank holding companies, he says.

Pumping and Dumping

Fran Rosch, senior vice president of product and strategy at VeriSign, disagrees with DeZabala on the security of online brokerage applications. DeZabala argues that these accounts are less ripe for attack than online banking accounts because it's more difficult to move the money out of them. However, Rosch points to several instances where online brokerage accounts have been used for 'pumping and dumping' stock.

"They've become more sophisticated. They harvest user names and passwords for a lot of accounts across many different brokerage companies. They buy a lot of a particular penny stock themselves, and then they access these accounts to buy a lot of that penny stock using accounts owned by a lot of different people," Rosch says. The fraudsters use a lot of accounts to keep below the thresholds that might otherwise raise fraud alarms in the brokerage houses. Then, having pumped up the value of the stock with these transactions, they sell off their own stock at a huge profit, take the cash, and run.

Reports indicate that eTrade got hit for US$18m in fraud-related losses from pump and dump activities in late 2006. TD Ameritrade was also said to have lost money to pump and dump fraudsters that year. Last September, Indian national Thirugnanam Ramanathan got two years in prison and over US$300 000 in fines after being caught along with two others orchestrating a similar scheme the previous year.

The identity theft that originally enabled these accounts to be used for pump and dump schemes might have been stopped by the use of appropriate authentication technologies, as mandated by the Federal Financial Institutions Examination Council (FFIEC) in 2005. However, this is merely one form of pump and dump scam. Another involves the mass emailing of potential victims in a bid to drive up interest in stock price.

Ultimately, the information security landscape has to change on several fronts to further protect the stock market from what amounts to a form of information warfare. Financial institutions must take steps to better protect brokerage accounts from compromise. They must work closely with the SEC to mitigate the effects of email-based pump and dump schemes. The drastic consolidation of buy-side firms must be matched by increased security to prevent undue exposure of the financial system due to the concentration of system ownership. And companies must also continue to prepare themselves for potential physical attacks by applying extra diligence to their business continuity strategies.

What’s hot on Infosecurity Magazine?