Assume breach: The cyber threat to traders
The hacker’s mindset
A round of beer arrives. Ozkaya smiles and pulls out the camera on his phone.
The beer he orders is brewed at a facility not far from his former high school in Germany.
Born and raised in Germany, but of Turkish descent, Ozkaya has advised Microsoft Corporation (MSFT) in Redmond, Wash., spearheaded security initiatives at casinos in Las Vegas and led IT security for his firm in Dubai. He is pursuing a PhD in IT Security at Charles Sturt University in Australia.
The bar is crowded for a Thursday night; every stool is filled as the post-work crowd watches the Chicago Cubs play the Milwaukee Brewers.
The next question on the table, borrowed from the research of Timothy Summers, an expert on cognitive hacking (see “How Hackers Think,” page 19), is simple: “When you look at this crowded bar, what vulnerabilities do you see?”
Bradley and Mr. Green begin to speak, but Ozkaya springs a finger into the air. “I’d like to answer that first,” he says. He turns to the front door, where a party of five is asking for a table. “When I look around, I notice there’s only one exit door to this building. If someone were to put up on a screen that there was a terror attack or a threat in this room, people would rush out of the bar — they might trample over each other.” He adds, “If someone posts on Twitter that a bomb threat or terrorist threat is imminent, that spreads across social media right away.”
It’s a terrifying introduction, but it is grounded in a real incident. Just two years ago, a hack of the Associated Press’s Twitter account claimed explosions at the White House. The Dow slumped more than 140 points within minutes, and every media channel ran with the story with little verification. It was the real-time information discovery company Dataminr that flagged the tweet as a hoax, by cross-checking it against tweets from other accounts in the vicinity of the White House.
The media eventually recognized the hoax.
The other men at the table nod in agreement: patrons in the bar likely didn’t look for the fire exit sign at the back of the bar when they walked in.
“Wow, that’s intense,” I say, shaking my head. “I thought you were just going to tell me that you could turn off the televisions without anyone noticing.”
A laugh follows. “Oh,” one of the four men says, nodding to the wall. “I can do that too.”
Behind the table, two of the three televisions previously airing the Cubs game have been shut off. The prankster smiles, awaiting the next question.
Traders on edge
In August, Australian authorities thwarted several Russian hackers who allegedly breached CommSec and E*Trade accounts and purchased shares without customers’ knowledge.
In an interview with the Australian Broadcasting Corporation (ABC), Greg Yanco, who oversees market supervision at the Australian Securities and Investments Commission (ASIC), said the hackers first sold the blue chip shares in each breached account. With the cash that raised, they bought stock that they already held in their own accounts, bidding the price up. Once a price hit the level they wanted, the hackers sold everything at market from their own trading accounts.
“This is a relatively sophisticated attack because the perpetrators have discovered customers with online broking accounts and they’ve used that to alter the share price to their own advantage,” Nigel Phair, internet safety director at the University of Canberra, told ABC.
Authorities recognized the unusual trading behavior before the positions were settled, and a judge froze more than $77,000 in illicit profits before the money could be moved out of the country. Because a share trade takes three days to settle before the proceeds can be withdrawn, authorities have a window in which to watch for unusual patterns. ASIC contacted the hackers to discuss their withdrawals, but received no reply.
Despite the freeze, Yanco conceded that ASIC’s success will not make online brokerages any harder to breach in the future. “Our first line of attack, I guess, defense, is to really hold that money and absolutely deter people from doing this again,” he told ABC.
At the table, the four hacking experts explain that attacks are going to grow only more complex and elaborate in the future. “[Traders] need to understand that the cyber world is different than the physical world,” says Bradley.
Money is no longer protected solely in vaults. It sits in digital accounts and moves across cloud networks, and the digitization of money has widened the attack surface accordingly.
“In the 1960s, if you wanted to break into a bank, criminals needed weapons, a getaway car and a strategy to get past other men with guns,” says Ozkaya. “Today, all you need is an Internet connection and a [hardware] device. It’s just a process of using the online [access] and exploiting systems and humans in order to achieve their grand heist.”
Following the Australian breaches, Nigel Phair offered antiquated advice on how traders can protect their accounts. “Good solid passphrases that contain numbers, letters and symbols [are] a good way to go,” he told ABC.
Solid passphrases? Letters and symbols?
When these are put to the group as a cyber security fix, Bradley tinkers with his phone as he explains why they are not enough.
How to hack an institution
Hollywood has created a projection of what it thinks hackers look like. The typical character is either a skinny 20-something with a streak of green in his hair, or a single geeky tech nerd full of paranoia and anti-government angst.
No one at this table resembles these stereotypes.
Bradley is soft-spoken and looks more suited to hosting a backyard barbecue than to hacking client networks from a back office. Then the mischievous smile of a man who is paid to misbehave appears.
After unlocking his phone, he taps a few buttons. Then he holds up a black screen with a flurry of multicolored lines that resemble a series of bell curves, each curve one access point plotted by channel and signal strength. The highest curve is pink and has the restaurant’s name floating beside it. Another, red, carries the word Xfinity, the name of a Comcast Wi-Fi hotspot. Several other curves are flatter. The screen doesn’t look impressive, but it’s a hacker’s treasure trove. “This is the strength of every Wi-Fi signal in this bar right now,” Bradley says.
The bar has its own Wi-Fi network for guests. There is no password and, because the network is open, no encryption: anyone within range can read the traffic on it. Patrons connect their computers or phones, check sports scores and sign into their e-mail.
“There are two options. I can either watch the data coming over the open network, or I could create an open network of my own through my phone or another device and allow users to sign on to my network.”
It sounds innocent. But Bradley explains a scenario that could be troubling for any financial company within the Chicago Loop.
“We’re just a few blocks away from the CBOT and the offices of trading companies. What do you think the odds are that someone who works in one of these companies or exchanges might be in this bar right now [or any bar in the area]? If they sign on to my network, I’m seeing and collecting their data. If they sign into their work e-mail or trading accounts, I can see everything,” he says.
On an open network that means anything sent in the clear: passwords and session cookies for any site or app that does not use HTTPS, plus, even for encrypted connections, the names of the webmail, VPN and trading hosts the device reaches for. One person checking work e-mail on an unsecured network lays out a welcome mat for a would-be attacker.
It only takes one person.
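As an added example, not code from the article or from the people it quotes, the script below shows what a passive listener on an open Wi-Fi network actually gets from each client's traffic: cleartext HTTP gives up logins outright, while a TLS connection hides its content but still carries the server name (SNI) in the ClientHello, which is enough to learn which webmail or trading hosts an employee talks to. The hostnames, account names, passwords and the hand-built ClientHello are all constructed for the example.

```python
"""Added example, not code from the article: what a passive listener on an
open Wi-Fi network can read from each client's traffic. Cleartext HTTP gives
up logins outright; TLS hides the content but the ClientHello still carries
the server name (SNI), which reveals which webmail or trading hosts the
employee talks to. Every hostname and credential below is constructed."""
import base64
from urllib.parse import parse_qsl


def http_request(payload):
    """Parse a cleartext HTTP request and pull out any login it carries."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if b" HTTP/" not in lines[0] or lines[0].count(b" ") < 2:
        return None
    method = lines[0].split(b" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    found = {"kind": "http", "host": headers.get(b"host", b"?").decode()}
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":
        # HTTP Basic auth is base64, not encryption: decode and split it.
        user, _, password = base64.b64decode(auth[6:]).partition(b":")
        found.update(kind="basic", user=user.decode(), password=password.decode())
    elif method == b"POST" and headers.get(b"content-type", b"").startswith(
            b"application/x-www-form-urlencoded"):
        for field, value in parse_qsl(body.decode()):
            key = field.lower()
            if "pass" in key:
                found["password"] = value
            elif key in ("user", "username", "email", "login"):
                found["user"] = value
        if "password" in found:
            found["kind"] = "form"
    return found


def tls_sni(payload):
    """Return the SNI hostname from a TLS ClientHello record, else None."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    hs = payload[5:]                      # strip the 5-byte record header
    try:
        if hs[0] != 0x01:                 # handshake type must be ClientHello
            return None
        pos = 4 + 2 + 32                  # handshake header, version, random
        pos += 1 + hs[pos]                # session id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher suites
        pos += 1 + hs[pos]                # compression methods
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            data = hs[pos + 4:pos + 4 + elen]
            if etype == 0 and len(data) >= 5:   # server_name extension
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii", "replace")
            pos += 4 + elen
    except IndexError:
        pass
    return None


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = hostname.encode()
    sni = b"\x00" + len(name).to_bytes(2, "big") + name
    sni = len(sni).to_bytes(2, "big") + sni
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, random, no session id
            + b"\x00\x04\xc0\x2f\xc0\x30"             # two cipher suites
            + b"\x01\x00"                             # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def triage(payloads):
    """Classify each captured payload: a login, a TLS server name, or opaque."""
    results = []
    for payload in payloads:
        sni = tls_sni(payload)
        if sni is not None:
            results.append({"kind": "tls", "sni": sni})
        else:
            results.append(http_request(payload) or {"kind": "opaque"})
    return results


# Constructed sample traffic, as a phone on the bar's open network might send it.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: webmail.example-trading.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=jdoe&password=Tr4der%21",
    b"GET /api/positions HTTP/1.1\r\nHost: api.example-trading.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"jdoe:Tr4der!") + b"\r\n\r\n",
    build_client_hello("owa.example-trading.test"),
    b"GET /scores HTTP/1.1\r\nHost: sports.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_PAYLOADS):
        print(item)
```

The split in the output is the practical caveat: the form login and the Basic-auth request hand over the account outright, the TLS connection yields only the hostname, and the innocuous sports lookup still names a server. The hostname alone tells an attacker which webmail or trading portal to phish or to probe next, which is why a VPN, or at least apps that refuse to talk without TLS, matters on any network you do not control.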
As Mr. Green explains, many companies don’t realize that their vulnerabilities are actually at the peak when employees leave the office. “Employees are ready to go home. Maybe they come to a bar, have a drink and their phones or devices connect to a network. Sometimes, their phones might connect without them knowing. That’s when a company is actually the most vulnerable.”
New generations of phones and networks make connecting effortless. A phone remembers a network by its name, so it may automatically connect to anything called Xfinity simply because its owner once signed into a hotspot of that name and casually tapped “Don’t Ask Again,” and it cannot tell a genuine hotspot from an impostor broadcasting the same name.
Or users simply connect to an open network bearing the name of a nearby restaurant or company without realizing that it could be a fake, set up to collect their data without their knowledge.
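The following added example (not code from the article) audits what an employee's phone would do in this bar, given the networks it remembers and the access points in range. It applies the point above: a device matches a remembered network by name, so any access point broadcasting a familiar open name, including an attacker's, gets the automatic connection. The saved profiles, network names and scan results are constructed; "LoopTap Guest" stands in for the bar's own network, which the article does not name.

```python
"""Added example, not code from the article: auditing what a phone would do
in this bar, given the networks it remembers and the access points in range.
A device matches a remembered network by name (SSID), so an attacker who
broadcasts a familiar open name gets the automatic connection. The saved
profiles and scan results below are constructed."""


def auto_join_exposures(saved, scan):
    """Remembered open networks that are in the air now and will be joined
    with no prompt; the device normally picks the strongest matching beacon."""
    by_ssid = {}
    for ap in scan:
        by_ssid.setdefault(ap["ssid"], []).append(ap)
    exposures = []
    for profile in saved:
        if not profile["auto_join"] or profile["security"] != "open":
            continue
        candidates = [ap for ap in by_ssid.get(profile["ssid"], [])
                      if ap["security"] == "open"]
        if candidates:
            strongest = max(candidates, key=lambda ap: ap["rssi"])
            exposures.append({"ssid": profile["ssid"],
                              "bssids": len(candidates),
                              "joins": strongest["bssid"]})
    return exposures


def impostor_candidates(saved, scan):
    """Names the phone remembers as secured that something nearby is
    broadcasting open. The phone will not auto-join an open network under a
    secured profile, but the familiar name is bait for a user to tap."""
    secured = {p["ssid"] for p in saved if p["security"] != "open"}
    return sorted({ap["ssid"] for ap in scan
                   if ap["ssid"] in secured and ap["security"] == "open"})


def harden(saved):
    """Switch off auto-join on every open profile; the 'Don't Ask Again'
    tap is what switched it on in the first place."""
    return [dict(p, auto_join=p["auto_join"] and p["security"] != "open")
            for p in saved]


SAVED_PROFILES = [  # constructed: what the employee's phone remembers
    {"ssid": "xfinitywifi", "security": "open", "auto_join": True},
    {"ssid": "LoopTap Guest", "security": "open", "auto_join": True},
    {"ssid": "TradeCo-Corp", "security": "wpa2-enterprise", "auto_join": True},
    {"ssid": "HomeNet", "security": "wpa2-psk", "auto_join": True},
]

SCAN = [  # constructed: beacons visible from the bar stool
    {"ssid": "LoopTap Guest", "bssid": "a4:11:00:00:00:01", "security": "open", "rssi": -45},
    {"ssid": "xfinitywifi", "bssid": "00:1b:00:00:00:02", "security": "open", "rssi": -60},
    {"ssid": "xfinitywifi", "bssid": "de:ad:be:ef:00:03", "security": "open", "rssi": -38},
    {"ssid": "TradeCo-Corp", "bssid": "de:ad:be:ef:00:04", "security": "open", "rssi": -40},
    {"ssid": "Neighbor5G", "bssid": "c0:ff:ee:00:00:05", "security": "wpa2-psk", "rssi": -70},
]

if __name__ == "__main__":
    print("would auto-join:", auto_join_exposures(SAVED_PROFILES, SCAN))
    print("familiar names broadcast open:", impostor_candidates(SAVED_PROFILES, SCAN))
    print("after hardening:", auto_join_exposures(harden(SAVED_PROFILES), SCAN))
```

Two "xfinitywifi" beacons are in the air and the phone will take the stronger one, whichever device is broadcasting it; the phone has no way to prefer the real hotspot. The "TradeCo-Corp" name broadcast without security is the second trick in the passage, a familiar name offered to a user who will tap it. Turning off auto-join for open profiles removes the silent connection; the tap-the-familiar-name problem is only fixed by the user.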
What good are strong passwords with letters and symbols if someone can obtain them by other means? Bradley explains that with the sign-in details for an employee’s work e-mail in hand, he can go on to exploit any configuration weakness in the company’s network to target the data of its executives, its software or trading applications, its finances, or any other place where security is weak.
“That’s just one way to do it,” Mr. Green says.
There are other ways to attack a company. Some are so simple that they invite paranoia.
“You could just park your car in front of the CFO’s house and break into his home network,” Bradley says.
Then, there’s the long-con.
“Or you can target the CFO’s secretary,” Mr. Green says, with a short laugh.
Bradley leans in and smiles. So does Mr. Orange.
Then Ozkaya grins. Turning the interview on the interviewee, he asks, “Are you on Facebook?”
Not after tonight.