We all know that hackers have had retail banks in their sights for ages and they have no limit to their wickedness. They have done, and are doing, nearly everything: stealing customer account info, phishing for PINs, creating bogus IDs in order to steal money, and even creating elaborate devices that withhold cash when a customer uses an ATM.
But now hackers have broadened the scope of their attack. They are looking at stock exchanges and the very foundation of modern capital markets.
In an indictment of Eastern European hackers last week, the New Jersey Attorney for the United States also charged Aleksander Kalinin with breaching the servers inside Nasdaq two years and vandalizing some data. While the young Russian computer programmer did not access and disrupt the servers that power the trading inside the market making firm, his brazenness and lack of detection for more than two years show that your neighborhood bank may be small fish in a very big pond for hackers.
As the New York Times reports:
While Mr. Kalinin never penetrated the main servers supporting Nasdaq's trading operations -- and appears to have caused limited damage at Nasdaq -- the attack raised the prospect that hackers could be getting closer to the infrastructure that supports billions of dollars of trades each hour.
"As today's allegations make clear, cybercriminals are determined to prey not only on individual bank accounts, but on the financial system itself," Preet Bharara, the top federal prosecutor in Manhattan, said in announcing the case.
It is a pivotal moment, just a week after a report from the World Federation of Exchanges and an international group of regulators warned about the vulnerability of exchanges to cybercrime. The report said that hackers were shifting their focus away from stealing money and toward more "destabilizing aims."
Unsurprisingly, the exchanges and their business representative bodies are downplaying the efficacy of tighter measures. Following the SEC's urging that the exchanges adopt stronger rules that were mere voluntary recommendations a few years ago, the major exchanges are complaining that any new guidelines would be expensive and ineffective. Here's what SIFMA, the financial lobbying group that never met a regulation it didn't like or try to delay, wrote about the new exchange proposals:
SIFMA believes the costs of the proposed rule are difficult to quantify given the vagueness of various provisions of the proposed rule. We are concerned that such costs are very likely to be significantly understated. Our analysis is currently ongoing and we plan to provide the Commission with additional comments about the estimated costs once the analysis is completed.
(Yes, after a quarter of record profits, the banks cannot be expected to spend money to protect themselves from an attack they know is coming.)
While some experts have described going after hackers as a never-ending game of whack-a-mole, exchanges must prepare for these cyber attacks. It's happening right now beyond Wall Street and in the halls of the US military, the State Department, and the Capitol. In this day and age of do-gooder lawbreakers -- think of leakers like Julian Assange, Bradley Manning and Edward Snowden -- a few geeks with dreams of bringing down capitalism may just be a click away.
Wall Street has been warned.