Rob Daly: Securing the Markets

As the financial markets continue to globalize and interlink, protecting individual markets becomes more difficult—especially in these days of sub-millisecond executions.
A prime example of this is the Flash Crash that began in the futures market, but led to an intraday rollercoaster ride for the US equities market. There is still a debate in some quarters about the exact cause of the event, which the US Securities and Exchange Commission (SEC) attributes to a poorly chosen trading algorithm by one market participant. As a result, the Commission has implemented market-wide circuit breakers that would halt trading if something similar happened again.
This protects the markets from internal threats. But how about the markets protecting themselves from outside attacks? Since the start of the year, unknown individuals or organizations have managed to hack into the national registries of Austria, the Czech Republic, Germany and Romania and made off with 2 million European Union Allowances (EUAs) for carbon emissions trading. To put this in perspective, the theft represents a mere 0.02 percent of all EUAs traded on the carbon spot market, according to Commission officials.
To prevent the theft of additional permits, the Commission has exercised its right to prevent the internal or external transfers of permits until the various national registries bring their security up to snuff. In short, the Commission shut down the European carbon spot market. According to officials, the spot market is only 20 percent of the entire carbon trading market, so trading in futures contracts, where the deliverables do not need to be immediately transferred between counterparties, remains unaffected.
As soon as each national registry deploys an improved security infrastructure that meets the requirements that are being hammered out between the Commission and the various registries presently, each market can resume trading. This puts a lot of pressure on the Commission and the registries to make the right security decisions in a short timeframe, since every day the spot market is closed investors are losing money.
One Phish Story
The theft of the EUAs is most likely a crime of opportunity rather than a premeditated one. Some officials suspect that the thieves gained access to the various national registries through data acquired through the infostealer.Nimkey Trojan virus that popped onto the cyber scene last September. Apparently, the virus targets US users by directing them to tax publications hosted on an imitation web page for the US Internal Revenue Service in order to distract them from noticing that the virus is downloading additional malware from servers hosted in Poland, Moldova and Bosnia.
Once all of the malware is in place on the infected system, it gathers all of the digital certificates stored on it as well as their respective passwords via a key-logger component.
The virus most likely hit only a small number of PCs used by carbon traders and then sent the account information back to the virus writers, who then used it to break into the repositories posing as the actual traders.
As long as the market security is based strictly on passwords and digital certificates, this sort of exploitation can happen again. If the carbon spot market wants to be more secure, it must ramp up security by adopting a token-based protocol, for example, which requires a physical key along with a password and digital certificate, and is harder to crack since a hacker would need to duplicate the token as well.
It is a more expensive proposition and in all likelihood would take longer to roll out than a non-token-based security system, but this seems a small price to pay to secure a market and all those linked to it.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: https://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Trading Tech
NZX outlines plans to bolster fast-growing dark pool
Since launching one year ago, NZX’s dark book has 5.5% of the exchange’s total turnover, and price improvement per trade on average is 11 basis points, but the exchange has more in store.
Agentic AI comes to Bloomberg Terminal via Anthropic protocol
The data giant’s ubiquitous terminal has been slowly opening up for years, but its latest enhancement represents a forward leap in what CTO Shawn Edwards calls, “the way we should talk to the world.”
M&G Investments braves cost headwinds in pursuit of AI
The UK asset manager’s AI ambitions started with the creation of a data lake to ensure high-quality data is being fed into models.
Asic probe piles pressure on ASX to deliver Chess replacement
But market insiders think late intervention by regulators could even slow down implementation.
Stakes raised for UK bond, EU derivatives tapes after Ediphy clinches win
The pressure is on for TransFICC, Etrading, Finbourne, and Propellant Digital, who are still vying to provide the UK’s fixed income consolidated tape after Esma awarded the EU’s tape to Ediphy and its partners.
Exchange M&A, US moratorium on AI regs dashed, Citi’s “fat-finger”-killer, and more
The Waters Cooler: Euronext-Athex, SIX-Aquis, Blue Ocean-Eventus, EDM Association, and more in this week’s news roundup.
LSEG officially sunsets Eikon
The exchange operator withdrew the platform from its product lineup this week.
Cloud Wars: Are EU and APAC firms really pining for homegrown options?
Waters Wrap: In the wake of tariffs and regional instability, there’s chatter about non-US firms lessening their dependency on the major hyperscalers. Anthony is not buying it.