Max Bowie: Phishing in the Liquidity Pools of the Capital Markets
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and Max would be shocked if that number has not already reached 100 percent.

It’s customary when beginning a new year to look forward to what we can expect or hope for from the next 12 months. But this year, as I look forward, I sincerely hope that what I expect to happen does not come to pass: a catastrophic hack on a financial institution or an exchange that manipulates the markets either for personal gain or merely to destroy wealth of corporations and individual investors.
In an unstable world, cyber-attacks represent a new age of warfare for terror groups and even rogue nation states. The infamous hack on Sony Pictures gave us some rare insights into what Hollywood celebrities and studio execs really think of one another in the form of leaked emails, while point-of-sale hacks at major retail stores have gleaned reams of customer credit card data. But these seem like small change compared to the lure of the trillions of dollars that change hands every day in the capital markets, and the potential of skimming some of that flow, or disrupting it and plunging the global financial markets into chaos.
Shocked
In 2013, 53 percent of exchanges reported experiencing a cyber-attack, and I’d be shocked if that number has not already reached 100 percent. That doesn’t mean that any actually succeed, but it does create a huge burden for firms and marketplaces to deal with. And inevitably, one such attack will eventually succeed. Then, given the interconnected nature of modern markets, an intrusion in one market could conceivably wind up in another.
At last month’s Waters USA conference, Charles Blauner, global head of information security at Citi, noted a constant shortfall in the number of IT security specialists—to the tune of around 200,000 professionals worldwide—while the ranks of hackers continue to swell and their techniques become ever-more complex. While a large portion of hackers’ efforts are targeted at retail investors, phishing for bank account information or looking to install malware or spyware on their computers, hackers are also using individuals as a way into corporations, assuming that someone is just as likely to click on a link or open an image file at work as at home. And to be sure, while human judgment is usually the weak link in the cybersecurity chain, hackers are also targeting non-critical but connected network devices such as printers as a back door into a firm’s network, rather than mounting a head-on assault on a firm’s customer portal or trading front-end.
Leaked emails and credit card data hacks must seem like small change compared to the lure of trillions of dollars that change hands every day in the capital markets.
Then there are more sophisticated types of “spoofing” attacks, where a hacker may try to overwhelm a wireless data signal with a stronger wireless feed of their own that introduces erroneous data—potentially causing the recipient to place disadvantageous trades that execute against stale or incorrect prices—or that subtly introduce incorrect timing data to confuse firms’ clock-synchronization systems.
Succeed Once
As Blauner said, for a hacker to be successful, they need only to succeed once in penetrating an organization or individual’s defenses. But for IT security professionals to be successful, they need to block 100 percent of hacking attempts. Facing such an uphill challenge, even with the latest technologies at their disposal, and the cooperation of other firms generally considered competitors and other industry bodies, such as exchanges participating and sharing information in the World Federation of Exchanges’ Global Cybersecurity Committee, it seems almost certainly a matter of when—not if—a malicious hack will bring an important global marketplace or a significant portion of the entire financial system to its knees.
So if you haven’t yet made a New Year’s resolution, make it this one: to safeguard your networks and internal and customer data. Because if you don’t value it enough to protect it adequately, there are plenty of people out there who value it enough to steal it.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: https://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Emerging Technologies
S&P’s $1.8 billion buy, an FIA restructure, a tokenization craze, and more
The Waters Cooler: CAIS creates CAISey, BNY deploys EquiLend, and more in this week’s news roundup.
When it comes to cybersec, the walls of separation are too high
Waters Wrap: Anthony examines some recent statements made by prominent cybersecurity experts and why those words might ring hollow.
Larry Fink: ‘We need to be tokenizing all assets’
The asset manager is currently exploring tokenizing long-term investment products like iShares, with an eye on non-financial assets down the road.
Examining how adaptive intelligence can create resilient trading ecosystems
Researchers from IBM and Wipro explore how multi-agent LLMs and multi-modal trading agents can be used to build trading ecosystems that perform better under stress.
Waters Wavelength Ep. 335: Some tech talk...kinda
This week, Wei-Shen and Tony talk about some recent events making headlines.
Moody’s exploring blockchain’s impact on digital bond ratings
Blockchain and crypto were meant to eliminate conventional finance’s risks, but Risk Live North America panelists said such risks have not been reduced, and new ones have been introduced.
S&P Global partners with IBM, Eventus launches Frank AI, Tradeweb expands algo execution abilities, and more
The Waters Cooler: Arcesium makes waves with Aquata Marketplace, NYSE Cloud flows into Blue Ocean Technologies, and more in this week’s news roundup.
Is market data compliance too complex for AI?
The IMD Wrap: Reb looks at two recent studies and an article by CJC, which cast doubt on AI’s ability to manage complexity.