July 28, 2017
By John Divine
Is the stock market actually safe? In truth, no system is impenetrable. Millions of Americans rely on the stock market as their primary wealth-‐‑ building tool. Without it, the “American dream” would be even more unachievable than it is today.
People put an incredible amount of faith in the stock market. By implication, investors must think Wall Street is well-‐‑protected – that when you buy a stock, it may naturally go up or down, but it could never disappear from your account or have its price manipulated by nefarious actors.
But, let’s just ask it: Could the stock market ever be hacked? And the short answer is yes.
Despite flaws, there are strong protections. First off: Don’t run out and sell all your stocks. The stock market has serious protections in place to prevent any sort of “hack,” or fraud-‐‑based fiasco brought on by hostile actors.
“A hack might cause a temporary outage, however any fraud perpetrated or operational mistakes on the exchange would be unwound by the participants or covered by the brokers and their insurance,” says Philip Lieberman, president of Los Angeles-‐‑based Lieberman Software.
“When there is an irregularity, the exchange is simply shut down,” Lieberman says. “This has happened multiple times and it does not cause a panic. The exchange is reopened when everyone is calmed down.”
Penny stocks, pink sheets and unregulated exchanges are a different story. “Generally, it’s bad news for all involved if there’s fraud on an unregulated exchange. You bought the ticket, you’re taking the ride to the end,” Lieberman says.
But despite all the protections that the biggest exchanges have, they don’t always function smoothly.
One need only look at the infamous 2010 “Flash Crash” – which in a matter of minutes saw the Standard & Poor’s 500 index lose, then regain, roughly 9 percent – to remind themselves that the market isn’t immune from rather serious hiccups.
More recently, on the evening of July 3, the stock prices for Amazon.com (ticker: AMZN), Alphabet (GOOG, GOOGL), Microsoft Corp. (MSFT), Apple (AAPL) and other tech stocks all magically went to $123.47, which seemed to imply that AMZN and GOOG had fallen 87 and 86 percent, respectively. No trades were made at those prices and their correct values were soon back on display.
At the end of the day though, these instances were all essentially glitches; moreover, they were brief and almost immediately corrected.
If you don’t find that too reassuring, consider this: The exchanges aren’t connected to the internet, rendering one of the most ubiquitous and effective scamming techniques completely impotent.
Go phish. Phishing scams, which are typically email campaigns where attackers pretend to be an authoritative entity you know and trust, are both popular and effective.
UDT’ Chief Information Security Officer Mike Sanchez says his company frequently tests enterprise security systems to identify and fix breaches.
“We performed an engagement just last week for a financial institution. They gave us a list of 500 employees,” to email, Sanchez says. “Seventy-‐‑five percent of them clicked on a link asking for their user ID and password information – and gave it to them.”
Since major stock market exchanges run on their own offline networks though, phishing just wouldn’t cut it.
One-‐‑off ways to “hack” the stock market. Russia sought to manipulate the 2016 election in part by using botnets to pump fake news stories on social media. The same method could be employed “to manipulate the high-‐‑ speed trading algorithms, convincing them there’s an issue with a company, which would trigger a short crash,” says Andrew Howard, and chief technology officer at Kudelski Security.
“Attacks targeted at sources of information, such as the AP’s Twitter account, can quickly impact stock prices,” says Nathaniel Gleicher, lllumio’s head of cybersecurity strategy and former director of cybersecurity policy under President Barack Obama.
Gleicher doesn’t draw this example out of thin air. In 2013, hackers gained access to the Associated Press’s Twitter account, tweeting, “Breaking: Two Explosions in the White House and Barack Obama is injured.”
That tweet, sent at 1:07 p.m., caused the Dow Jones industrial average to shed 150 points instantly, although the losses were regained quickly as the hoax was unraveled. But in that short period of time, equities lost over
$130 billion in market value.
A low-‐‑likelihood, high impact scenario. While manipulating algorithms is a concern, if it got too out of control, the major exchanges have “circuit breakers” that halt trading at certain pain points. For example, if the New York Stock Exchange falls 7 percent in a day, trading stops. It stops again at 13 percent, and again at 20 percent. And if fraud was under way, any questionable trades would be reversed.
A large-‐‑scale attempt to infiltrate the stock market would have to be different. And despite the exchanges operating offline, all security systems have pros and cons.
The biggest con of a closed system like this isn’t actually technology – it’s people. “It would be much more concerning if an intruder were able to ‘dwell’ within the trading network for weeks or months and subtly manipulate trades,” Gleicher says.
When contacted, a spokeswoman for the NYSE declined to comment, and similar queries to a Nasdaq representative were not returned.
But there is precedent for a large-‐‑scale attack on corporate America that relied on human error for its success.
In 2013, hackers stole up to 40 million credit and debit card numbers from Target Corp. (TGT) shoppers. The attackers were able to collect that incredible amount of information because their malware had been “dwelling” in Target’s data centers for quite a while.
“I think for an average of 74 days – and all it did was scan and collect information,” Sanchez says.
The hackers were able to physically access Target’s data center, where they supposedly left USB devices – with malware on them – lying around, according to Sanchez.
“Someone, probably an employee, placed it inside their PCs,” Sanchez says. If putting a random USB in your computer seems like a bad idea, it is. But apparently it’s not at all uncommon. “We see this all the time,” Sanchez says.
Sanchez thinks a large-‐‑scale stock market attack would “absolutely” work the same way. “That’s how I would do it.”
Forty million compromised credit and debit cards a mind-‐‑numbing amount of financial fraud, but if somehow an attacker was able to “dwell” inside the financial system and manipulate trades, the impact on the stock market – which stores tens of trillions of dollars of wealth – is literally unfathomable.
“Trying to unwind the effects of this could send shock waves through the financial system, as regulators wrestle with how to deal with innocent trades made based on manipulated stock values. This would take lots of money and time to sort out,” Gleicher says.
Complete story here.