Max Bowie: Phishing in the Liquidity Pools of the Capital Markets
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and Max would be shocked if that number has not already reached 100 percent.

It’s customary when beginning a new year to look forward to what we can expect or hope for from the next 12 months. But this year, as I look forward, I sincerely hope that what I expect to happen does not come to pass: a catastrophic hack on a financial institution or an exchange that manipulates the markets either for personal gain or merely to destroy the wealth of corporations and individual investors.
In an unstable world, cyber-attacks represent a new age of warfare for terror groups and even rogue nation states. The infamous hack on Sony Pictures gave us some rare insights into what Hollywood celebrities and studio execs really think of one another in the form of leaked emails, while point-of-sale hacks at major retail stores have gleaned reams of customer credit card data. But these seem like small change compared to the lure of the trillions of dollars that change hands every day in the capital markets, and the potential of skimming some of that flow, or disrupting it and plunging the global financial markets into chaos.
Shocked
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and I’d be shocked if that number has not already reached 100 percent. That doesn’t mean that any actually succeed, but it does create a huge burden for firms and marketplaces to deal with. And inevitably, one such attack will eventually succeed. Then, given the interconnected nature of modern markets, an intrusion in one market could conceivably wind up in another.
At last month’s Waters USA conference, Charles Blauner, global head of information security at Citi, noted a constant shortfall in the number of IT security specialists—to the tune of around 200,000 professionals worldwide—while the ranks of hackers continue to swell and their techniques become ever-more complex. While a large portion of hackers’ efforts are targeted at retail investors, phishing for bank account information or looking to install malware or spyware on their computers, hackers are also using individuals as a way into corporations, assuming that someone is just as likely to click on a link or open an image file at work as at home. And to be sure, while human judgment is usually the weak link in the cybersecurity chain, hackers are also targeting non-critical but connected network devices such as printers as a back door into a firm’s network, rather than mounting a head-on assault on a firm’s customer portal or trading front-end.
Then there are more sophisticated types of “spoofing” attacks, where a hacker may try to overwhelm a wireless data signal with a stronger wireless feed of their own that introduces erroneous data—potentially causing the recipient to place disadvantageous trades that execute against stale or incorrect prices—or that subtly introduces incorrect timing data to confuse firms’ clock-synchronization systems.
Succeed Once
As Blauner said, for a hacker to be successful, they need only to succeed once in penetrating an organization or individual’s defenses. But for IT security professionals to be successful, they need to block 100 percent of hacking attempts. Facing such an uphill challenge, even with the latest technologies at their disposal, and the cooperation of other firms generally considered competitors and other industry bodies, such as exchanges participating and sharing information in the World Federation of Exchanges’ Global Cybersecurity Committee, it seems almost certainly a matter of when—not if—a malicious hack will bring an important global marketplace or a significant portion of the entire financial system to its knees.
So if you haven’t yet made a New Year’s resolution, make it this one: to safeguard your networks and internal and customer data. Because if you don’t value it enough to protect it adequately, there are plenty of people out there who value it enough to steal it.
Copyright Infopro Digital Limited. All rights reserved.