The Economist on Hacking the Financial System

The Economist has an article on the potential hacking of the global financial system, either for profit or to cause mayhem. It's reasonably balanced.

So how might such an attack unfold? Step one, several months before mayhem is unleashed, is to get into the system. Financial institutions have endless virtual doors that could be used to trespass, but one of the easiest to force is still the front door. By getting someone who works at an FMI or a partner company to click on a corrupt link through a "phishing" attack (an attempt to get hold of sensitive information by masquerading as someone trustworthy), or stealing their credentials when they use public Wi-Fi, hackers can impersonate them and install malware to watch over employees' shoulders and see how the institution's system functions. This happened in the Carbanak case: hackers installed a "RAT" (remote-access tool) to make videos of employees' computers.

Step two is to study the system and set up booby traps. Once in, the gang quietly observes the quirks and defences of the system in order to plan the perfect attack from within; hackers have been known to sit like this for years. Provided they are not detected, they pick their places to plant spyware or malware that can be activated at the click of a button.

Step three is the launch. One day, preferably when there is already distracting market turmoil, they unleash a series of attacks on, say, multiple clearing houses.

The attackers might start with small changes, tweaking numbers in transactions as they are processed (Bank A gets credited $1,000, for example, but on the other side of the transaction Bank B is debited $0, or $900 or $100,000). As lots of erroneous payments travel the globe, and as it becomes clear that these are not just "glitches", eventually the entire system would be deemed unreliable. Unsure how much money they have, banks could not settle their books when markets close. Settlement is a legally defined, binding moment. Regulators and central banks would become agitated if they could not see how solvent the nation's banks were at the end of the financial day.

In many aspects of our society, as attackers become more powerful the potential for catastrophe increases. We need to ensure that the likelihood of catastrophe remains low.
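The tampering in the excerpt above (Bank A credited $1,000 while Bank B is debited $0, $900 or $100,000) is what a two-sided reconciliation is meant to catch. The sketch below is an added example, not code from the Economist article or from any clearing house; the record layout, function names and sample ledger are assumptions constructed for illustration. It matches the two legs of each payment, reports the system-wide imbalance, and separates the positions that can still be settled from those in doubt.

```python
from collections import defaultdict
from decimal import Decimal
from typing import NamedTuple

class Leg(NamedTuple):
    tx: str          # payment identifier shared by both legs
    bank: str
    side: str        # "credit" or "debit"
    amount: Decimal
    ccy: str

# Constructed sample ledger (not real data). T2-T4 reproduce the excerpt's
# example: credited 1,000 but debited 0, 900 or 100,000. T5 lost its debit leg.
SAMPLE_ROWS = [
    ("T0", "D", "credit", "500.00", "USD"), ("T0", "E", "debit", "500.00", "USD"),
    ("T1", "A", "credit", "1000.00", "USD"), ("T1", "B", "debit", "1000.00", "USD"),
    ("T2", "A", "credit", "1000.00", "USD"), ("T2", "B", "debit", "0.00", "USD"),
    ("T3", "A", "credit", "1000.00", "USD"), ("T3", "B", "debit", "900.00", "USD"),
    ("T4", "A", "credit", "1000.00", "USD"), ("T4", "B", "debit", "100000.00", "USD"),
    ("T5", "C", "credit", "250.00", "USD"),
]

def load(rows):
    """Parse raw rows into Leg records, rejecting unknown sides."""
    legs = []
    for tx, bank, side, amount, ccy in rows:
        if side not in ("credit", "debit"):
            raise ValueError(f"{tx}: unknown side {side!r}")
        legs.append(Leg(tx, bank, side, Decimal(amount), ccy))
    return legs

def reconcile(legs):
    """Return {tx: (reason, credit_minus_debit)} for payments whose legs disagree."""
    by_tx = defaultdict(lambda: {"credit": [], "debit": []})
    for leg in legs:
        by_tx[leg.tx][leg.side].append(leg)
    findings = {}
    for tx, sides in by_tx.items():
        credits, debits = sides["credit"], sides["debit"]
        if len(credits) != 1 or len(debits) != 1:
            findings[tx] = ("leg-count", None)   # missing or duplicated leg
        elif credits[0].ccy != debits[0].ccy:
            findings[tx] = ("currency", None)
        elif credits[0].amount != debits[0].amount:
            findings[tx] = ("amount", credits[0].amount - debits[0].amount)
    return findings

def net_imbalance(legs):
    """Credits minus debits per currency; anything non-zero means the books do not close.
    Offsetting tampering can cancel out here, so this complements reconcile()."""
    totals = defaultdict(Decimal)
    for leg in legs:
        totals[leg.ccy] += leg.amount if leg.side == "credit" else -leg.amount
    return {ccy: total for ccy, total in totals.items() if total != 0}

def settlement_view(legs, findings):
    """Split each bank's book into a confirmed net position (reconciled payments only)
    and the gross amount sitting on payments that failed reconciliation."""
    confirmed, in_doubt = defaultdict(Decimal), defaultdict(Decimal)
    for leg in legs:
        key = (leg.bank, leg.ccy)
        if leg.tx in findings:
            in_doubt[key] += leg.amount
        else:
            confirmed[key] += leg.amount if leg.side == "credit" else -leg.amount
    return dict(confirmed), dict(in_doubt)

if __name__ == "__main__":
    legs = load(SAMPLE_ROWS)
    findings = reconcile(legs)
    for tx, (reason, diff) in sorted(findings.items()):
        print(f"{tx}: {reason} mismatch, credit minus debit = {diff}")
    print("system imbalance:", net_imbalance(legs))
    confirmed, in_doubt = settlement_view(legs, findings)
    for key in sorted(set(confirmed) | set(in_doubt)):
        print(key, "confirmed", confirmed.get(key, Decimal(0)),
              "in doubt", in_doubt.get(key, Decimal(0)))
```

In the sample, banks D and E have nothing in doubt and could settle, while A, B and C cannot state their position until the flagged payments are resolved.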

Posted on July 25, 2016 at 6:10 AM • 34 Comments

Comments

Alien Jerky • July 25, 2016 6:35 AM

Cash is king. The only excuse I keep hearing for eliminating cash is the faux war on terrorism and others cannot get rich from transaction fees from cash transactions. The entire economic system is about gaming the system for individual short term profit at others' expense. The theories of modern economics have been shown repeatedly to be false.

bickerdyke • July 25, 2016 7:00 AM

I wouldn't call this "hacking the financial system" but more specific "hacking the computer system that runs the financial system". Even if results are identical (economic mayhem) there are more than enough "bugs" or attack vectors in the financial system itself, so it would be worth to establish that disambiguation as early as possible.

Direct hacks of the financial system would use weaknesses in that system itself, like insider trading or the Libor "hacking"/manipulation while using RATs is an attack on an intermediate system.

And you need to handle those threats separately, so they should have different names, too.

sle • July 25, 2016 7:16 AM

I worked once in a clearing house. It has the strongest security I’ve ever met.

It was defense in depth covering most aspects from risk provisioning, HR to IT. There was a home made SOC and SIEM more than a decade ago… There were practices, I don’t find today in standard offers from security providers.

And in worst case, there were numerous emergency procedures, including one without IT. Due to the segregation of duties I don’t know it exactly, but it was mostly the following. A few times during the day positions were printed, and a manual list of the biggest transactions was held and could be settled manually if required and then propagated to Custodians.

For some reasons, the largest banks have usually the largest TX. It was used to build a list of the “20” tx accounting for a large chunk of daily amounts.

This manual resolution wouldn’t prevent agitation and uncertainties and afterward remediations, but I’m considering there much less risk and consequences in the IT system of Central Clearing Houses than in many others industries (chemical for example).

Clive Robinson • July 25, 2016 7:27 AM

@ bickerdyke,

I wouldn't call this "hacking the financial system" but more specific "hacking the computer system that runs the financial system"

Err no I would disagree. The attack is on the settlement system required by the various banking codes and licences. The attack just happens to be facilitated via computer systems.

You could perform a similar attack by disconnecting the communications system used for settlement reporting (however a pencil and paper and courier would get around this).

Have a look at what was going on with the London Inter Bank Offer Rate (LIBOR) a little closer, it was an insider run attack to manipulate a reporting mechanism. It's a very similar attack to this but run by insiders for gain, not outsiders for disruption / chaos. All that was used in LIBOR was word of mouth between traders, in one case by one trader leaning backwards to have a word in the ear.

Tõnis • July 25, 2016 7:53 AM

With the entire trans-Atlantic financial system on the verge of collapse, I wouldn't be surprised to see such a false flag attack, a "financial 9/11" so to speak, blamed on "hackers." It's almost to be expected.

Ted • July 25, 2016 8:23 AM

This is a little off topic, but maybe not entirely. Has anyone read this book? I have not, yet. Here is one community review.

"Coding Freedom" is written in a more academic style than I was expecting, but maintains a strong and engaging "storytelling" vibe throughout. The book covered more issues and topics than I had imagined it would; from an anthropological analysis of the typical hacker (which felt oddly like reading a biography of friends of mine!) - to a thorough analysis of Debian, and the F/OSS movement. A particular highlight for me was a section towards the end of the book, which looked at the effects the open source movement has had, and is having, on today's politics and society, and the increasingly important role hackers are having in maintaining and fighting for free and democratic societies.”
"Overall: highly, highly recommended, both for those who are already involved in F/OSS, or in and around the hacker movement, and wanting to know more, but also to those who are working in, or interested in, current politics more generally speaking. Having an understanding of this world will be nothing but beneficial to those working in politics, and this book is the perfect one to provide that."
"(Aside: I'd love to read a similar anthropological analysis of hackers who are coming out of countries with different cultural/political contexts to the ones mentioned here, and I wonder how much crossover there would be...)"
http://www.goodreads.com/book/show/14891812-coding-freedom

ianf • July 25, 2016 8:25 AM

@ Alien Jerky:

“Cash is king. The only excuse I keep hearing for eliminating cash is the faux war on terrorism and that others cannot get rich from transaction fees from cash transactions.”

Errr, no. The first is a faux (and partly parallel constructed) excuse; the second is outright false: banks do charge even for cash transactions, deposits, withdrawals atop that which they make in profit on working capital; the only time there are no surcharges are direct cash transactions between individuals (but factor in risk for robbery etc). Hence cash rules only in pretty small amounts, essentially usable for wallet/ pocket change.

As soon as we're talking serious money, such with more than 4 zeros attached, there's no escaping some kind of electronic exchange, which as we all know involves wired transfer of electrons between clearance houses. So quit dreaming of an imaginary make-believe world—where btw, cash shouldn't be needed either – since it'd be ideal, and everything would be free.

PS. banks are useful in other ways. I once bought a brand new MacBook in Manhattan delivered from a store in NJ across the Hudson, where sales tax was much lower (I think I saved ~$200 on a $3000 item). The handover took place in the seated waiting area on 3rd floor of a Midtown branch of Chemical Bank, where I arranged it. There were several tellers present, and a guard nearby, but we were just 2 walk-in businessmen quietly looking at papers, exchanging a package for Travelers Checks… what's the bank got to do with it, got to do with it.

Tim Bradshaw • July 25, 2016 9:01 AM

I liked this article, although I think it was a little naïve in two ways.

Firstly it wasn't clear enough that the 'recover from a serious incident in two hours' claim is fantasy. Of course everyone would *like* to be able to do that, and there are mechanisms in place (DR systems, snapshot volumes and so on) which, *for a suitably nice incident*, will allow very rapid recovery, if everyone is on the ball. But for the serious incidents as described in the article -- for instance incidents where you don't trust your data, and soon realise that all your backups for some unknown but long interval are also suspect -- the recovery time is *much* longer than two hours. Indeed, the important question would be whether recovery is possible at all. There have been much smaller incidents, not caused by malice, where complete recovery was never achieved in the sense that some transactions were lost altogether: there is no reason to assume that full recovery is even possible from a really major attack.

Secondly and more seriously the article perpetrates the myth of 'state sponsored actors': the assumption being that only with the resources of a state would such an attack be possible, and states have no interest in this kind of chaos. This is a touchingly 1950s view: although everyone knows how to make, say, a fission weapon, to actually make one you need to be able to mine huge quantities of ore, run vast numbers of centrifuges and so on, *and do this secretly and securely*, and only states have that kind of resource. The argument seems to be that breaking into computer systems is somehow a similarly industrial enterprise: perhaps you need vast caverns with serried ranks of hacker drones, relentlessly typing billions of lines of code or something. Well, of course, you don't: you need a small number (possibly one) of sufficiently motivated people with the right skills. And while states may not be interested in chaos, these tiny groups may be.

In summary: it's a good article but it understates the consequences, and misrepresents the likely attackers.

Jayson • July 25, 2016 9:04 AM

@sle
"I worked once in a clearing house. It has the strongest security I’ve ever met."

I'm astonished to read this. The apathy about security in finance is palpable. And with good reason. The scenario above wouldn't be remotely plausible. Who would spend years embedding hooks into byzantine, buggy legacy software on a single firm to ruffle a bunch of transactions and hope the regulators notice?

This would be solved by an overnight team working manually to reconcile the trades. Maybe longer, but if needed they would explain that to the regulators along with how they were going to improve the system. This is routinely done with internal failures due to incompetence...a far greater force than malevolence.

What the banks lack in security is made up for with a lot of money and huge overseas teams that work around the clock fixing broken systems all the time.

Keith Alexander • July 25, 2016 10:27 AM

To protect yourself against a "cyber-assault that could bring the world economy to a halt," all you need to do is remit $1 million per month to Iron Net security!

http://www.bloomberg.com/news/articles/2014-06-20/ex-nsa-chief-pitches-advice-on-cyber-threats-to-the-banks

Threat inflation makes for effective marketing and even better free content in the Economist. It's "reasonably balanced" if you're a public relations hack masked as a very serious person.

The world as we know it will end. Oh the humanity.

Paging Mr. Spielberg.

sle • July 25, 2016 10:56 AM

@Jayson
"The apathy about security in finance is palpable. And with good reason."

While I agree that the risk is probably lower than exposed in the article. However my perception is that European clearing houses were taking security seriously.

They are big facilities inducing a systemic risk that they are trying to reduce. And they have some motives to do so, at least in order to reduce their assurance costs.

For example: the insurer may release his responsibility if "the company is an obstacle to justice or police investigations", in IT that was translated in a very good technical traceability… which was a good feed for the SIEM, which was monitored by the reactive SOC.
Once, they caught me using inadvertently an improper chain of accounts to log in on prod. I was very surprised and afterward I didn’t want to try anything weird that may put me back on their radars. While I was working above my corruption level (an average day was 100 billions of USD), they reduced the insider risk, at least with me.

Add some segregation of duties and defense in depth, then even an administrator cannot attack alone (or without monitored traces). And you can’t attack in group either as everybody prefers recurrent yearly bonus than hypothetical gains with any hazardous attack. On the IT side, the insider risk starts to be residual.

This and other measures were packed in a continuous improvement process. That gave me a perception of security willingness, probably driven by assurance costs…

Lev • July 25, 2016 11:44 AM

Debt of Honor by Tom Clancy had an attack like this, however on the exchanges more than the banking sector. So does this make it a "Movie Threat"?

wiredog • July 25, 2016 12:15 PM

I'm much more worried about legacy Cobol code running the banks that no one can maintain because the original authors are dead. Of old age.

Bagehot's screaming skull • July 25, 2016 12:44 PM

This is so when Deutsche Bank's €18 billion net derivatives exposure and 11.5% capital ratio blow up and counterparties use netting and closeout rules to loot the enterprise, its insurers, and the fisc, again, clueless aspirational Economist readers will let them get away with it, again, because this time everybody's screaming RUSSIAN HACKERS!!!1!

Brooke • July 25, 2016 2:52 PM

"Cash is king" is fine for normal issues or smaller issues but if something like described happens don't be shocked when your dollars, or other currencies, are totally worthless or not trusted/accepted as a payment for anything. Major US banks go down, US dollar goes down, local places might accept payment for a little while but it'll snowball quickly. Stores and hospitals and other things you rely on may be unable to purchase from anywhere in or out of country. Collapse of economic systems in a hurry.

ianf • July 25, 2016 3:17 PM

@ wiredog is “worried about legacy Cobol code running the banks that no one can maintain because the original authors are dead. Of old age.”

I wouldn't worry about that, as the banks, if anything, have gone through several hardware generations, and no COBOL code, even were it recompiled for newest platform, would be speedy enough for their needs. I used to maintain a couple of similar FORTRAN routines, precursors to FEM-analysis of similar age, which were not time-critical, but I never heard of anyone trying to extend life of COBOL programs. Banks (the sole example I ever knew from inside) are certainly pretty conservative, but I don't think they run their data services themselves any more… that's all been outsourced to financial DP off-shots of giants such as Deloitte, KPMG, Cap Gemini etc.

albert • July 25, 2016 4:54 PM

What's the big deal?

The global financial system collapses by itself every so often, instigated by greed and corruption. Politics isn't the only show playing. It's all theater.

No hackers required.

. .. . .. --- ....

ianf • July 25, 2016 5:33 PM

@ albert, the big deal is the (slowly approaching) v. much real risk of a total systemic collapse, a financial Extinction Level Event, not one of the recurring grave, but ultimately "recoverable" burst bubbles/ market crashes. The fabric of trust in never to be repaid debt is getting thinner all the time…

EXHIBIT A: "The Mandibles," post-financial apocalypse America novel by Lionel Shriver (Mexico erects a wall along the border to keep out fleeing Yanks and other such previews of coming distractions. Don't believe this could happen? It happens as we speak on the border of Venezuela, one of the oil-richest yet badly managed countries in the world, and Colombia, in perpetual war with gangsters over coca. It's the Venezuelans, 35000 last weekend, who cross en masse to Colombia to purchase food that's absent at home… take a look at the map.)

furloin • July 25, 2016 11:12 PM

@albert

*Puts tin foil hat on*

Well those FEMA camps will be the Americans version of concentration camps.

*takes tin foil hat off*

@ianf

First due to how the system works the debt could never be re payed *WITH* interest, look it up.

As history has shown peasant rebellions usually result in most of the peasants being murdered and being a complete and utter failures depending on if the upper class/nobles/whatever they were called during that time period supported it.

Although I found something arguing for a longer cycle this time around.

digital • July 25, 2016 11:39 PM

@Alien Jerky Cash is not king it's mostly digital. If god made a man in his own image why aren't we all like.... INVISIBLE. I chose the road less traveled... Now I don't know where the hell I am :)

rino19ny • July 26, 2016 1:27 AM

trying to solve this with technology alone will not do. a change of work attitude and expectations MUST be implemented.

we all know that security is inversely proportional to ease of use. and to a lot of companies, users insist on ease of use.

so if a company really is concerned with security, they know what to sacrifice.

draconian yes but necessary. crackers don't care anyway.

Drone • July 26, 2016 4:08 AM

Don't worry, Big Government will make thousands of pages of regulations and zillions in new taxes to fix the problem - just as soon as they can chase away all the bad people from Russia infesting their servers to help Donald Trump.

Tim Bradshaw • July 26, 2016 7:18 AM

@ianf: Banks (at least some of them) certainly maintain their own systems, and critical parts of those systems are still in COBOL. At least fairly recently (8 years ago) there was still System 360 assembler as well (all running on some Z-series system).

Garrett • July 26, 2016 8:25 AM

@albert:

There's a difference between a recession or depression, and what's being talked about here. What you're referring to as a collapse usually involves a lot of people unexpectedly losing a lot of money or assets all at once. What's being described here is where a lot of people no longer have the ability to know what assets they (or anybody else) have. That's vastly different.

ianf • July 26, 2016 9:19 AM

@ furloin […] “due to how the system works the debt could never be re payed *WITH* interest, look it up.”

Before you progress to be giving advice, perhaps first learn the basics of grammar and spelling in your native (I assume) tongue? It's repaid here, and nothing else. As for repayments of—that's just it, some nations, notably but not solely the USA, are by now so indebted to others, that there isn't half a chance in eternity, that the principal, let alone the interest, will ever be repaid.

Loan givers and loan takers essentially are in cahoots for relatively short-term gains, at the expense of future major bills due. We are living in a self-perpetuating bubble of interdependent trusts, until it bursts. That's the message of Lionel Shriver's book, and her vision of how such a "debubbled" America would look like (except not so much out West, where most post-apocalyptical road movies take place, but in a crumbling urban setting.)

Lastly, if unsure you feel the need to shore up own arguments with some 3rd party fodder, you do not tell me to "look it up," but look up [whatever it is you had in mind] yourself, and cough up a URL. Otherwise you just talk the talk, and not very coherently at that.

albert • July 26, 2016 10:43 AM

@ianf, furloin, Garrett,

As long as the 'banking system' (and that includes the private Federal Reserve and their govt lapdogs) continues as it is, there will be bubbles, bursts, and bailouts*. The current fad among large corporations is stock buy-backs with interest-free loans (to keep stock prices up). This e-money is even more fiat than our greenbacks. That's why some folks are recommending buying gold (the metal) as a fallback position. They recommend to keep 10% of your portfolio in gold. Precious metals retain their intrinsic value. (1)

Of course, your average Joe is just trying to stay alive. Unfortunately, the bank owns his home, car, and anything else he bought on credit. The (smart)rich buy hard assets. The US dollar is fairly stable, -for now-, but who knows what tomorrow will bring?

It would be very interesting to see what would happen if the e-banking system collapsed by hacking. I suspect the results wouldn't be as serious as portrayed. Who stands to lose the most? It's the one-percenters, of course.

Let's see, Trump gets elected, the banking system fails....

Armageddon?

I don't think so.

------------
*the three B's of modern banking.

1. That $20 gold piece your great-granddad paid for his bespoke suit in 1930 will buy a bespoke suit today, for around $1300.
That house your dad bought in 1951 for $18,000 in silver in 1951, can be replaced today for the same amount of silver, worth $270,000.

. .. . .. --- ....

Doug Coulter • July 26, 2016 1:16 PM

@Tim Bradshaw
I'm responding to your earlier comment about "state sponsored hacking".
There are still quite a few of us around who, back in the day, did embedded programming and almost by-definition could reverse engineer nearly anything, as when you were working at the bleeding edge back then, the vendor documentation wasn't so great. As you point out, brains and ability to use them are not a monopoly of the state, by any means, if anything, it's the opposite of that.

The well-known Bunnie Huang isn't the only guy out there who can do this kind of thing by quite a long shot. You just have to know your stuff and want to. His hack of SD (and by extension USB) memory wasn't even difficult by the standards we used to hold ourselves to: https://www.bunniestudios.com/blog/?p=3554
(which gently implies that not only is USB security broken, it can't be fixed without breaking all existing devices)

I admit to having a bit of amusement about "russian hackers" and the DNC emails. As if attribution were a sure thing...and as if it mattered who did it if the content is actually factual. The recent stir and resignations seem to say "yup, and we're afraid there's more, we know what we did". It's the cockroaches that scatter when the light is turned on.

Sure maybe some exfiltrated data hit a russian IP address at some point, which wouldn't surprise me one bit. When I ran a software consultancy, I sometimes hired Russians (or nearby) nationals as contract labor - and darn, those guys were GOOD. Doesn't mean their government (of which most of the ones I knew had a fairly dim view) had to be involved.

No matter who did it, perhaps they did us a service. Transparency rarely offends me, no matter who the lens is pointed at.

I admit to being a bit sick that we tolerate virtually anything as long as we know who to point a finger at (let's fix the blame, not the problem), and are even easily manipulated in that. Is it the hacker's fault that whatever was revealed was truth? And not just this case.

Example - Snowden might have messed up a few careers in the TLAs, but did he harm our security? That's pretty arguable, and golly, these TLA Guys think they ARE the USA, not our servants. So harm to them == harm to USA. Not the case.
Yet all too many buy that.

albert • July 26, 2016 2:33 PM

'Attribution' doesn't lead to mitigation, or any kind of solution. It functions only to apply -retribution- to the enemy. We have many enemies, both within and without. Military states like us need enemies, otherwise we can't maintain the war economy. Sovereign states are good; they put faces on the enemy. Wars against concepts, like terrorism and drugs, also need faces. The Unwashed Masses respond better to countries as enemies when they see 'those foreigners' on MSM 'news'.

Current bogeymen are Russia, North Korea, and China, all major geopolitical forces. There are at least a dozen or so minor states which I don't feel like enumerating, but that you know about.

So, I'm sick and tired of hearing about attribution; I'd go so far to say it's meaningless as far as hacking is concerned. It -is- useful to maintain the bogeyman status of our enemies, and to redirect the public's 'attention' away from actually useful mitigation and correction efforts.

Speaking of which, where is the factual information about what's being done to prevent more OPM attacks? Or did it serve its purpose?

I can't research this myself, because I don't want to dilute my cynicism, which took decades for me to develop and fine tune.

. .. . .. --- ....

BadNewsBears_6789 • July 27, 2016 5:11 PM

All interconnected computer systems are inherently subject to compromise. Money in financial transactions is just electronic numbers in an account up to a point, it's prone to manipulation. The one thing I would suggest the finance industry take action on immediately would be to offer an opt-out from international transactions. I will never have any need to wire money to a foreign country, many real estate title and escrow houses have no need to ever wire money overseas. Shutting down all foreign wire-transfers or at least putting additional checks on such transactions for accounts that have no expected need, could dramatically reduce the attack surface area of the financial system.

TrustyIdentity I have • July 27, 2016 5:32 PM

I've been working on a system that could provide real time identity verification and attribution for authenticating any sort of transaction. I think it would be useful in combating many forms of transaction fraud. I don't have the resources to build a real company around it, but I'd love suggestions from the security community on which company would be worth approaching that you think would actually have the desire and ability to drive market adoption. Not pitching anything here, just looking for ideas.

ianf • July 27, 2016 11:37 PM

“Looking for ideas”… for WHAT?

It goes without saying that in order to gain any traction, one first needs to explain what it is one is looking for ideas, comma, for. So first you have to develop a pitch, or a description on how you are going to solve other people's problems, and why they're a problem in the first (second) place. Then you need a strategy on how to approach potential buyers in such a way, as to overcome the Not Invented Here syndrome, and other maladies of early development processes. Lastly, you need a patent, and/or a demo with quantifiable and verifiable results with which to accost investors.

Remember that selling an idea is really about selling trust in yourself as the project leader who WILL bring this to fruition within budget. Since you obviously are not in this line of work (otherwise you would not have asked as you did), your chances of succeeding are slim anyway—so how about saving yourself the bother, and doing something else instead?

TrustyIdentity I have • July 28, 2016 4:20 PM

@ianf Understood, I realize what I put out is a bit vague to be actionable. The lack of a patent bars me from publicizing it. I'm not the right person to be the project leader, I just have a concept that I think would be useful. I'm looking for a company that can see the value and put it to use, maybe going the open source route would be better and just let the market decide if there is merit. I might first just try Paypal, Square and a couple others and see what happens.

r • July 29, 2016 6:36 PM

@TrustyIdentity,

Do yourself a favor, if you have an idea - patented or not. Physically mail it to yourself - that's one of the copyright tricks and should work also as 'prior art'.
