/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBikash Barai
Cyber attacks on stock exchanges are not new. NASDAQ was attacked in 2010. Though the attack was foiled before the malware could create any havoc, this shook up everybody including FBI, NSA or the White House. Consequently, SEBI has announced its plans to put together a detailed guideline for stock exchanges and other market infrastructure companies. Here are some attack vectors that can possibly shake the stock exchange and it’s connected ecosystem.
Attack vectors on Stock Exchanges
Using CSRF for Inadvertent sell or forced transaction
Such attacks are possible when a hacker can make a user do a forced transaction without his/her knowledge. You may click a different link sent by the attacker over your email while you are logged into your trading account and this may trigger a transaction. Such type of attacks called CSRF (Cross site request forgery) can cause losses for an individual investor.
MITM attacks- Somebody buys stocks in their name while you pay the money
In this case, it may seem to you that you are paying money to buy stocks in your name, but instead you actually buy it for the hacker. Such type of fraudulent transactions can be carried out using hacking techniques like MITM or Man-in-the-Middle attacks.
Bikash Barai, CEO & Co-Founder - iViZSocial engineering attacks using private customer information stored in stock exchanges
Hacker can easily steal the confidential personal information by hacking into stock exchange systems. Such information can also be stolen from the user by targeting the user’s system or by doing social engineering. The hacker can utilize the personal information to conduct social engineering attacks and steal further confidential information. As an example the attacker can pose as a credit card agent reporting a fraudulent transaction in your card. The attacker can look more convincing since she has the knowledge of your personal information. During the process, the attacker may ask for your credit card number and PIN to disable your card and then happily use your credit card for her transactions.
Front running attacks
By compromising the stock exchanges, attackers can track the transactions of people who are associated with the organization. Studying such person’s and their connected network of close people’s behavior can reveal potential insider trading. Insider trading does happen in small or big scale and utilizing such indications can help an attacker to do front running attacks and use it for profit.
Trade Limit manipulation attacks
The hacker may misuse manipulate trading limits and utilize it to do transactions beyond limit from one or more accounts. Such attacks can be detected unless the attacker also manipulates or turns off the anomaly or fraud detection systems.
Automated circular trading using dormant third party account
The attacker can conduct automated circular trading using third party accounts to manipulate the price of a stock and use it to her advantage.
Attacks on algorithmic trading
Algorithmic trading configuration and parameters can be manipulated by the attacker and this can create small or large scale impact on either limited users or even impact the whole market by driving sentiments in a way that satisfies the intent of the attacker.
Denial of Service attacks to stop the stock exchange from functioning
Hackers can launch DOS or DDOS attacks on stock exchanges and prevent the exchange from functioning. This can have a severe impact on the stock market including stock prices to go down as people lose confidence. This can not only cause people to lose money but the entire economy of the country can get impacted at least in the short term.
Cross border cyber espionage and cyber war risks
NASDAQ attack was a cross border attack. Today cross border hacking attack is too common. Such attacks are used to collect intelligence for cyber espionage or for disrupting target country’s critical infrastructure. A high profile attack on our stock market will have a very large short and medium term impact on shareholder’s sentiment and will drive down share prices. This can cause tremendous losses for the investors.
But the devil is in the detail….
SEBI’s proposed guideline is welcome. But the devil is in the detail. Guidelines and compliances help but do not ensure security. The industry already has ISO 27001, PCI, HIPAA and several other guidelines and compliances for years. Yet every month major corporations are hacked. Several go out of business. Security is a complex problem. It is similar to “Happiness Problem”. There is no easy way to be happy and you cannot always be happy. So what will make the difference? SEBI should have the right team which has the right expertise to create such a guideline. This sounds easy but it is not. And the most important thing will be the implementation. We need to keep in mind that the guideline or the compliances is only the path. The real goal is “real security”!
(The author is the CEO & Co-Founder of iViZ)