Detect, Test, Screen and Audit: Models of defence for better Cybersecurity in FX

Nicholas Hastings explores why the FX market, with its massive daily turnover and its multiplicity of traders, providers, platforms, brokers and lines of communication, is particularly attractive to cyber attackers, and what can be done to protect against them.

First Published: e-Forex Magazine 75 / Special Report / March, 2017

From stories of Russia hacking the U.S. elections, Google being attacked by China and just plain old personal bank accounts being emptied, the increase in cyber attacks has become a high profile sign of the times. Even the Queen was recently roped into opening the U.K.’s new National Cyber Security Centre, showing just how high profile the issue has become in nearly every walk of life.

The foreign exchange market is no exception. In fact, with its massive daily turnover of over $5 trillion and its multiplicity of traders, providers, platforms, brokers and lines of communications, the market is particularly attractive to cyber attackers in their many guises.

Since late 2015 the number of attacks has exploded, with some industry experts reckoning that the FX market alone attracts over one billion attacks a day, much of it originating from countries such as China, Russia, Turkey and Taiwan. And the size and complexity of these attacks are only growing.

Jubin Pejman, Managing Director of FCM360, a managed service provider focusing on e-commerce and managed cloud hosting services, notes that 18 months ago the size of the so-called distributed denial of service (DDoS) attacks, in which a target system is flooded with traffic until it can no longer serve legitimate users, was in the region of just 40-80 gigabits per second. This then grew to about 300 Gbps, and now attacks are as big as 500 Gbps or more.

Software can only do so much and FX firms, like many others, find that they need to stay ahead of the game, anticipating the increasing sophistication of the cyber attackers themselves.

The urgency is summed up by Paul Smith, Managing Director of Mobile Trading Partners: “It is not a question of will attacks occur, but only when and where they will take place.”

Paul Smith


INCREASING VULNERABILITY

Although foreign exchange may not be any more prone to cyber attacks than other capital markets, the use of so much online trading does leave it more exposed. Smith sees these attacks coming in many forms – theft of customer credentials; theft of customer information; fraudulent transfer of funds; fraudulent balance-affecting actions through bonuses or deposits; impersonation of account holders leading to identity theft; denial of service blocking access to essential business functions; vandalism of a website or trading portal; or the diversion of funds from the real trading system to an imposter. And then, of course, there are the highly prevalent DDoS attacks that completely swamp a server and take it offline.

On top of this, Smith points out: “All or any of these may be subject to a demand for a ransom from the wrong actor for removal of the threat.”

FCM360’s Pejman points to a case where, having lost several million dollars in an FX deal with a broker, an Asian trader turned around and threatened to launch an attack on the broker if he didn’t refund the lost money. The broker refused and got attacked.

“I know people who have gone out of business because of these problems,” Pejman said.

Mobile Trading’s Smith likens these attacks to the pre-internet era when “the most effective form of attack would be what is called the “rubber hose attack” - this is when the person who has access to the information is kidnapped and beaten (with the rubber hose) until he or she gives up the keys, files or passwords. The Internet allows more insidious versions of these attacks to take place remotely, and (in the worst cases), invisibly; it also adds quite a few more dimensions of threat, as can be seen on a daily basis in every industry. No business that ignores these risks will be serving its clients or shareholders well.”

Smith argues that just adding more layers of IT automation is not necessarily going to help.

These four goals connect your security strategy to business performance

He points to notes from the Financial Conduct Authority: “Automation may reduce a firm’s exposure to some ‘people risks’ (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependence on the reliability of its IT systems.”

Smith said that if one watches the progress of risk management and public security, taking a look at aviation safety, for example, one could be forgiven for thinking that most security precautions are aimed at blocking things that have happened before.

“In IT and information security, most professionals would say that they can anticipate and are not bound by history. The threats evolve as the defences improve. Of course, the depressing reality is that amongst the successful attacks that do occur, many could be avoided by taking very simple precautions. Others require more advanced forms of defence and are more costly to deal with. None can be ignored.”

Simple precautions are also highlighted by other industry experts. Phil Packman, security director at BT, points to the key role that employees play in this high stress environment when so much is at their fingertips. “People can be less cautious. For example, they become more susceptible to phishing as they are less likely to notice that key e-mail when they are so busy,” he says.

The Benefits of Threat Sharing

And as attackers find more sophisticated ways to get into an organization, the pressure on employees becomes that much greater, said Packman. So, who is most at risk?

FCM360’s Pejman reckons that it is not the big banks or the very large brokerages, the Tier 1 institutions, which are all well interconnected and use bank-to-bank connections.

Jubin Pejman


“It is the Tier 2 and smaller brokers most at risk as they are exposed to the internet to access servers and to connect with clients. No one in these organizations knows how to protect themselves. The larger companies and banks are paying staff to write software and analyse attacks. But the smaller companies need to buy these services in. They don’t have their own security officer on staff. Sure, they may have a high profit business if they can get the clients but without the security they may not be able to keep those clients.”

THREE KEYS ON HOW TO MITIGATE RISK OF ATTACK

According to Yousaf Hafeez, Business Development Manager at Radianz, BT’s global service that provides distribution and access for the financial services industry, the foreign exchange market is already highly integrated and so should not need “end-to-end processes and security controls.”

He argues that both local and international regulators go some way to address the problem but it can always improve. “The framework we have today is better than having none at all but I would like to see more coordinated effort between regulators and capital markets – more joining up.”

Smith at Mobile Trading suggests that although solutions to cyber attacks may not be FX specific, the risks are magnified by the sheer structure of the FX business.

“As a result the more widely applied solutions are all imperative for them,” he said, outlining three key areas that would help to mitigate the threat of attack: staff training, proper penetration testing and due diligence with suppliers.

Paul van Kessel, Advisory Global Cybersecurity Leader, EY.

The importance of Cyber Resilience

“Detecting cyber risks and protecting the company are important components of a cyber-security framework in capital markets. Since there are two types of financial institutions - the ones that have been hacked and the ones that don’t know it yet - we strongly emphasize a usually neglected component – ‘cyber resilience’ - which focuses on what needs to be done after a company experiences a hack. It is an emerging space in capital markets where investments are increasingly being made in crisis-management, incident response, communication plans & investigations as well as ensuring that the organization returns to a ‘business-as-usual’ mode quickly.”

EY’s Global Information Security Survey 2016-17‘s visual for Sense, Resist, React

“First and foremost, invest in staff training. Information security training is necessary for every employee and director, and it needs to take place regularly (once a quarter, together with compliance training). Topics should include matters such as password and credential management, how to spot and avoid phishing attacks, and the details of the company's security policy,” Smith said.

He suggested that operational policies should be clear and concise and deal with important matters such as who authorises payments and how. For example, a current high-risk attack is the receipt of an email purporting to come from senior management and requesting a funds transfer. The email is not sent from the executive’s genuine address but from one that merely resembles it, which the recipient will spot only by looking closely at the actual sender address rather than the display name; a policy that requires every transfer request to be confirmed through a separate channel, such as a call to a known number, removes the dependence on that moment of attention.
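As an added illustration of the sender check described above (this is not code from the article or from any of the firms quoted; the executive name, domain, allow-list and payment-word pattern are constructed), the following Python script parses an incoming message and flags the signs of a forged “CEO wire request”: a known display name on an unknown address, a look-alike domain, a mismatched Reply-To, and payment language on top of any of those.

```python
"""Recipient-side check for the "CEO asks for a wire" e-mail described
above. Added example with constructed headers; the allow-list, domain and
regex are assumptions, not any firm's real configuration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the only mailbox each executive really sends from.
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example-broker.com"}
COMPANY_DOMAIN = "example-broker.com"
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|urgent|invoice|funds)\b", re.I)


def looks_like_company_domain(domain: str) -> bool:
    """Cheap look-alike test: normalise common substitutions (0->o, 1->l,
    rn->m, vv->w) and see whether the result is the real domain."""
    norm = domain.lower().replace("rn", "m").replace("vv", "w")
    norm = norm.replace("0", "o").replace("1", "l")
    return norm == COMPANY_DOMAIN and domain.lower() != COMPANY_DOMAIN


def check_message(raw: str) -> list:
    """Return findings for one RFC 5322 message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    findings = []
    if display in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[display]:
        findings.append(f"display name '{display}' but From address is {addr}")
    if looks_like_company_domain(domain):
        findings.append(f"look-alike domain {domain}")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    if findings and PAYMENT_WORDS.search(text):
        findings.append("payment language present: confirm by phone before acting")
    return findings


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@example-br0ker.com>
To: treasury@example-broker.com
Subject: Urgent wire needed today

Please transfer USD 250,000 to the account below before 5pm.
"""

GENUINE = """From: Jane Doe <jane.doe@example-broker.com>
To: treasury@example-broker.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_message(raw) or ["clean"])
```

This is what a mailbox-side filter can do on its own; the stronger control is to enforce SPF, DKIM and DMARC at the mail gateway so that a message claiming the company’s own domain but not sent by it is rejected before anyone reads it, and to keep the out-of-band confirmation rule for transfers regardless.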

Secondly, Smith said, ensure that the obvious stuff is done first. “It’s surprising how many brokers have account management portals with open internet access, requiring only simple username and password. Instead, they should use two-factor authentication, limit access to specific IP addresses only, have proper penetration testing conducted to ensure that there are no backdoor entrances.”

To put it simply, Smith advises firms to take specific advice from experts and develop a substantive information security policy that is manageable, achievable and measurable, and then to make sure it is fully implemented across the business.
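The two controls Smith names for a back-office portal, a second factor and an IP allow-list, are small enough to show end to end. The Python below is an added example (not from the article, Mobile Trading Partners or any vendor portal): it gates a login on the source address, a salted PBKDF2 password hash and a TOTP code computed per RFC 6238. The networks, the user record and the password are constructed; the TOTP secret is the RFC’s own test secret so the output can be checked against the published vectors.

```python
"""Login gate for a broker back-office portal: source-IP allow-list,
PBKDF2 password check and a TOTP second factor (RFC 6238, HMAC-SHA1,
30-second steps). Added example with constructed users and networks."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time

# Constructed allow-list: office egress range and one VPN concentrator.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.10/32")]
# RFC 6238 test secret ("12345678901234567890" in base32) so the codes can be
# checked against the RFC's published values.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256; returns (salt, digest). The iteration count is
    kept modest so the example runs quickly."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift.
    A real server must also remember the last accepted step so one code
    cannot be reused within the window."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * 30), code)
               for d in range(-window, window + 1))


def ip_allowed(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


_salt, _hash = hash_password("correct horse battery staple")  # constructed user
USERS = {"ops1": {"salt": _salt, "hash": _hash, "totp_secret": RFC_SECRET}}


def login(username: str, password: str, code: str, src_ip: str, now: int) -> tuple:
    """Return (allowed, reason). The reason goes to the audit log; the
    client should only ever see one generic failure message."""
    if not ip_allowed(src_ip):
        return False, "source IP not on allow-list"
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    salt = user["salt"] if user else b"\0" * 16
    _, candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return False, "bad username or password"
    if not verify_totp(user["totp_secret"], code, now):
        return False, "bad or stale TOTP code"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    good = totp(RFC_SECRET, now)
    print(login("ops1", "correct horse battery staple", good, "203.0.113.7", now))
    print(login("ops1", "correct horse battery staple", good, "192.0.2.1", now))
```

The order of the checks matters: the allow-list test is cheap and runs first, so a scanner outside the permitted ranges never reaches the password hash or the TOTP logic, and the distinct reasons exist only for the audit trail. Rate limiting on failed attempts per account and per source is the obvious next layer.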

Attacks come in many forms as does protection

Finally, Smith pointed to the need for due diligence down the chain. “Do appropriate due diligence with your suppliers and make sure they have the experience needed to deliver solutions that embody information security best practice. Don’t try to treat security as a separate problem to the rest of your IT investment. The solutions that work are joined-up solutions, not assembled piecemeal.”

Again, this is where FCM360’s Pejman sees a problem with smaller brokers who do not have the expertise or the money to provide in-house security but are equally reluctant to buy in or outsource their protection as this would mean sharing information and giving up control. But, as Pejman said, you have to have one or the other.

“You need to have an entire framework about what is touching your server at your fingertips to provide adequate cyber protection. You need an audit trail of things that have happened on the server to track and analyse attacks. You need an archive of bad actors. And as this changes all the time you need to keep developing to ensure that you still have best practice. Do these brokers really think they will get a good product for nothing?”
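Pejman’s three requirements, knowing what touches the server, an audit trail to analyse, and an archive of bad actors, come together in the kind of routine a small broker can run over its own portal logs. The Python below is an added example (not FCM360’s tooling; the log format, addresses and bad-actor list are all constructed): it parses access-log lines, counts failed logins per source, separates a single-account brute force from password spraying across many accounts, and flags any source already in the archive, whatever it did.

```python
"""Audit-trail analysis over constructed portal access-log lines: count
failed logins per source, spot password spraying across accounts and flag
any source already in a bad-actor archive. Added example; the log format
and the addresses are assumptions."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<action>login|order|withdraw) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed bad-actor archive: sources seen in earlier attacks.
KNOWN_BAD = {"198.51.100.23"}

# Constructed log excerpt.
SAMPLE_LOG = """\
2017-03-01T09:00:01Z 203.0.113.5 login user=alice result=ok
2017-03-01T09:00:05Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:00:06Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:00:07Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:00:08Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:00:09Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:00:10Z 198.51.100.77 login user=alice result=fail
2017-03-01T09:01:00Z 192.0.2.9 login user=bob result=fail
2017-03-01T09:01:01Z 192.0.2.9 login user=carol result=fail
2017-03-01T09:01:02Z 192.0.2.9 login user=dave result=fail
2017-03-01T09:02:00Z 198.51.100.23 order user=erin result=ok
2017-03-01T09:03:00Z 203.0.113.5 order user=alice result=ok
this line is not in the expected format and is skipped
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(log_text: str, fail_threshold: int = 5, spray_threshold: int = 3) -> list:
    """Return sorted (ip, reason) alerts."""
    fails_per_ip = Counter()
    users_per_ip = defaultdict(set)
    known_bad_seen = set()
    for ev in parse(log_text.splitlines()):
        if ev["ip"] in KNOWN_BAD:
            known_bad_seen.add(ev["ip"])
        if ev["action"] == "login" and ev["result"] == "fail":
            fails_per_ip[ev["ip"]] += 1
            users_per_ip[ev["ip"]].add(ev["user"])
    alerts = []
    for ip, n in fails_per_ip.items():
        if n >= fail_threshold:
            alerts.append((ip, f"brute force: {n} failed logins"))
        elif len(users_per_ip[ip]) >= spray_threshold:
            alerts.append((ip, f"password spraying: {len(users_per_ip[ip])} accounts"))
    for ip in known_bad_seen:
        alerts.append((ip, "known bad actor touched the server"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG):
        print(ip, reason)
```

Two details carry the weight here: the known-bad check looks at every action, not only logins, because a listed source placing a successful order is exactly the event Pejman’s archive exists to catch; and the spraying rule is the one a per-account lockout misses, since each account sees only one failure.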

Yousaf Hafeez


MORE SHARING AND COLLABORATION NEEDED

Even with the best protection in the world most firms, not just those in FX, remain vulnerable to attack as the attackers themselves find new ways to break through defences. And if it is not one firm being hit then it is another. This is where sharing and collaboration become even more vital.

“No one wants to see a competitor attacked as it could happen to anyone,” BT’s Packman pointed out. “As the industry becomes more adept at fending off attacks, the attackers become more sophisticated,” he warned. “Everyone needs to be aware of this – like a neighbourhood watch.”

But, of course, there are problems with intelligence sharing. Who wants to admit that they have been attacked and broadcast that their integrity has been undermined? The obvious solution is some sort of forum where this information and intelligence can be shared anonymously. “There is room in the industry for a place for sharing information about attacks and suspected bad actors. Every attack vector that goes unmentioned is a potential surprise for another broker. I see that many dealers would be concerned about reputational risk here, but it would not be too hard to create a moderated and anonymous forum for that purpose,” argues Smith.

But, he also warns of the dangers of complacency through using forums. “I’d be very wary of any initiative that gave brokers the feeling they can just join some forum and then relax. Many small brokers have limited IT teams and few brokers of even a medium size budget for staff with in-depth information security experience. They rely on their suppliers for this kind of thing, which is all well and good. But security begins at home. It requires fundamentally intelligent business design. It is not something that can be affixed like a sticking plaster. It is often tough for brokers without those critical skills to do anything about this without external help, of course.”

Cyber Program Management (CPM) framework

Then there is the problem over what to tell clients. In many countries disclosure of an attack is a statutory requirement as it allows the affected individuals to protect their assets and information.

“This allows them to change passwords and take other steps to protect themselves,” BT’s Hafeez said, noting that customers generally want to be notified as quickly as possible.

Despite all this, industry experts admit that there is probably a lot more sharing of information taking place informally through one group or another even though it hasn’t been formally recognized.

And once again there is probably a difference between Tier 1 players and the rest of the FX market.

“There may be an ecosystem of sharing among Tier 1 banks but they are not going to want to help Tier 2 and Tier 3 players,” said FCM360’s Pejman. “The people that have the time for sharing and collaboration are with the large brokerages and banks; it is a matter of having the resources,” he added, noting that even arranging forums of collaboration with the banks, brokers and security agencies, both private and official, can prove to be an expensive undertaking.

NO SILVER BULLET FOR THE INDUSTRY

There are certainly already global guidelines for IT security under the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): ISO/IEC 27001 and 27002. ISO/IEC 27001 is the specification for an information security management system (ISMS), and organizations that meet it may be certified compliant by an independent and accredited certification body on successful completion of a formal audit; ISO/IEC 27002 is the accompanying code of practice for security controls, guidance against which a firm can be assessed but not certified.

There is also the Information Security Forum’s Standard of Good Practice for Information Security and, of course, the rulebook of the UK Financial Conduct Authority, which took over the regulatory role of the Financial Services Authority in 2013.

Even so, “I don’t think there is a silver bullet,” says BT’s Packman. “It often comes down to organizations that have the strategy to adapt to changing threats. Some companies are better at this than others. They understand where the threats are coming from.”

Smith says that “there is some room for establishing some foreign exchange industry ‘best standards’ amongst suppliers.” “But,” he added, “overall the FX industry would do well to follow existing rules first. There is a huge scope for FX technology vendors and brokers to improve their practices.”

FX firms need to stay ahead of the game anticipating the increasing sophistication of the cyber attackers themselves.

IS THE COST WORTH IT?

Spending on security against cyber attacks has spiralled over the last 3 or 4 years as more people have become aware of the risks both personally and professionally with many firms now having chief security officers where once there would have been none.

Smith is among those who recommend that at least 5% of a firm’s IT budget should be spent on security, but in reality that spend should be closer to 10%. “The essence of my thesis is that it is pointless spending lots of money on advanced solutions if one is going to ignore basic precautions that cost little. Security is a broad problem that requires a comprehensive approach. Attend to the small pieces, and budget adequately for the large pieces. Pay for the best possible advice and don’t forget that real security for your business is holistic - it’s about people as well as technology, business-wide processes as well as automated systems,” he says.

Packman also warns against overspending in the wrong areas. “At the same time that you can make yourself almost impenetrable (to attacks) you can also bankrupt yourself in the process because of the cost and because of the fact that you make yourself less nimble as a trader by encumbering your systems with too much security. There is a constant security balance – it is about risk,” he concludes.

Mobile FX Trading Apps - presenting new risks

Mobile trading apps may not be any more vulnerable to cyber attacks than a web-based application but they do add new dimensions for an attacker to go after and so may prove vulnerable in unexpected ways.

Paul Smith, managing director at Mobile Trading Partners, which designs and develops mobile apps, web widgets, charting and sales tools for FX, and provides cloud services to support FX brokers, explains why it is all down to the developers:

“Mobile apps run on a device that needs to be secure both in terms of the process and the data exchange with the trading system. In fact, there are several reasons why mobile should be a lot more secure than web-based applications but the developers and operations team need to take great care to ensure this as the workings are less ‘visible’ and so harder to test. Careless developers can very easily create an insecure app.”

Start with account credentials, which need to be highly protected.

Very few people know how easy it is to unpack and “decompile” an Android app.

“If they are stored in plain text in the app’s private directory, they will be vulnerable to theft if the user’s device backups are purloined, or if a bad actor gets access to the device. On Apple’s iOS, it’s possible to store credentials securely in the system keychain and for that to be secured using biometrics. Android has comparable features. There is no equivalent to this in a normal web browser, so a native mobile app can handle this much better than a web app,” Smith argued.

As mobile apps use web application programming interfaces (APIs) to communicate with the broker’s trading system and its customer relationship management and account management systems, those APIs need to be just as carefully crafted. The transport encryption Smith refers to below as SSL is today provided by its successor, TLS, and the app must verify the server’s certificate rather than accept whatever is presented, or the encryption protects nothing.

“These APIs must be designed very carefully to ensure that the information is encrypted (using secure socket layers or SSL) and that the connection is authenticated carefully. All the other safeguards applicable to creating a web API apply too: those risks are no different to any other web application. The advantage that a native mobile app has is that authentication can go further than a normal web browser. You can store an authentication certificate in the app and combine this with other information gained during a first login to your servers to ensure that the connection cannot be faked later on, even if credentials are stolen.”
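The binding Smith describes, where something issued at first login is combined with each later request so that a stolen username and password are not enough on their own, can be shown with both sides of the exchange. The Python below is an added, simplified example (not Mobile Trading Partners’ design; the header names, routes and order payload are assumptions): the server issues a per-device secret once at enrolment, the app keeps it in the platform keystore and signs every request with an HMAC over the method, path, body hash, timestamp and a fresh nonce, and the server rejects bad signatures, altered bodies, replays and stale requests. A per-device certificate used for client TLS authentication achieves the same binding with public keys.

```python
"""Device-bound API calls: at first login the server issues the app a
per-device secret (which the app keeps in the platform keystore); every
later request carries an HMAC over method, path, body hash, timestamp and
nonce, so stolen username/password alone cannot drive the trading API.
Added, simplified example; the header names and routes are assumptions."""
import hashlib
import hmac
import secrets


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """What both sides sign; the body hash means the body cannot be altered."""
    return "\n".join([method, path, hashlib.sha256(body).hexdigest(), str(ts), nonce]).encode()


class Server:
    def __init__(self):
        self.devices = {}         # device_id -> (user, secret)
        self.seen_nonces = set()  # in production: expire entries older than max_skew

    def enrol(self, user: str, password_ok: bool) -> tuple:
        """First login over TLS. The secret is returned exactly once."""
        if not password_ok:
            raise PermissionError("bad credentials")
        device_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.devices[device_id] = (user, secret)
        return device_id, secret

    def handle(self, method, path, body, headers, now, max_skew=60) -> tuple:
        dev = self.devices.get(headers.get("X-Device-Id"))
        if dev is None:
            return 401, "unknown device"
        user, secret = dev
        ts, nonce = int(headers.get("X-Timestamp", "0")), headers.get("X-Nonce", "")
        if abs(now - ts) > max_skew:
            return 401, "stale timestamp"
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, "bad signature"
        if nonce in self.seen_nonces:
            return 401, "replayed nonce"
        self.seen_nonces.add(nonce)
        return 200, f"{user} {method} {path}"


class App:
    def __init__(self, device_id: str, secret: bytes):
        self.device_id, self.secret = device_id, secret  # secret lives in the keystore

    def sign(self, method: str, path: str, body: bytes, now: int) -> dict:
        nonce = secrets.token_hex(16)
        sig = hmac.new(self.secret, canonical(method, path, body, now, nonce), hashlib.sha256).hexdigest()
        return {"X-Device-Id": self.device_id, "X-Timestamp": str(now),
                "X-Nonce": nonce, "X-Signature": sig}


def demo() -> list:
    """Run the genuine call and four attacks; returns (status, reason) per call."""
    srv = Server()
    dev_id, secret = srv.enrol("alice", password_ok=True)
    app = App(dev_id, secret)
    body = b'{"pair":"EURUSD","side":"buy","qty":100000}'
    h = app.sign("POST", "/orders", body, now=1000)
    results = [srv.handle("POST", "/orders", body, h, now=1000)]                # genuine
    results.append(srv.handle("POST", "/orders", body, h, now=1001))            # replayed as-is
    results.append(srv.handle("POST", "/orders", body.replace(b"100000", b"900000"), h, now=1001))  # altered body
    thief = App(dev_id, b"not the real secret")                                 # has the password, not the device
    results.append(srv.handle("POST", "/orders", body, thief.sign("POST", "/orders", body, 1002), now=1002))
    results.append(srv.handle("POST", "/orders", body, app.sign("POST", "/orders", body, 900), now=1003))  # stale
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The signature is checked before the nonce so that an attacker cannot use the replay cache as an oracle for which nonces the genuine app has already used, and the nonce set must be bounded to the skew window in a real service or it grows without limit.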

Smith’s final warning is about how easy it can be to unpack API keys, especially from Android apps.

“Very few people know how easy it is to unpack and “decompile” an Android app. This means the developer has to be aware how they package API keys and other private credentials used within their apps. For example, Amazon Web Services are an essential building block for many cloud based systems. If credentials are included in your apps, they need to be limited to access only the functions strictly needed for the app itself (i.e. to send a message or open a URL) and no more. You really don’t want some bad actor to steal your account credentials and create 100 Virtual Machines for Bitcoin mining!”
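The limiting Smith asks for, a credential that can send a message or fetch an asset and nothing else, is a matter of the policy attached to it. The Python below is an added example (not the article’s or any vendor’s code; both policy documents, the account ID and the ARNs are constructed): it places an over-broad AWS IAM policy beside a scoped one and lints both for the patterns that turn a key pulled out of an APK into a hundred mining instances, then asks directly whether each policy would allow ec2:RunInstances.

```python
"""Least-privilege check for credentials that ship inside an app: an
over-broad IAM policy beside a scoped one, plus a small linter for the
patterns that let a stolen key spin up compute. Added example; both policy
documents and the account ID/ARNs are constructed."""
import fnmatch
import json

BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["sns:Publish"],
    "Resource": "arn:aws:sns:eu-west-1:123456789012:app-alerts"},
   {"Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-app-assets/*"}]}
""")

# Actions a credential embedded in a mobile app must never be able to call.
DANGEROUS = ["ec2:RunInstances", "iam:CreateUser", "iam:CreateAccessKey",
             "lambda:CreateFunction", "sts:AssumeRole"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants(policy: dict, action: str) -> bool:
    """True if an Allow statement matches `action` using IAM-style wildcards.
    Deny statements and Condition blocks are out of scope for this example."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(st.get("Action", []))):
            return True
    return False


def lint(policy: dict) -> list:
    """Findings that should block shipping the credential inside an app."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a.endswith("*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' instead of specific ARNs")
    findings += [f"policy allows {a}" for a in DANGEROUS if grants(policy, a)]
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "ec2:RunInstances allowed:", grants(pol, "ec2:RunInstances"))
        for f in lint(pol):
            print("  ", f)
```

Even the scoped policy leaves a long-lived key inside a decompilable package; the better pattern is for the app to hold no static key at all and to obtain short-lived credentials for its user’s session from a token service, so that a key lifted from the APK expires instead of living on in someone else’s mining farm.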