An emphasis on speed and a lack of security makes automated trading in financial markets ripe for exploitation and fraud, a security researcher warned today.
Most stock trades in the U.S., and many around the world, are now made by data-crunching computers that buy and sell stocks in microseconds, something that used to take human traders minutes. With these algorithm-based, high-frequency trades, a fraction of a second can be worth millions of dollars to an investor. (See the CBS 60 Minutes report on this.)
In the push for greater speed and thus higher profits, security is sacrificed, James Arlen, principal at Push the Stack Consulting, told CNET in a preview of a presentation he will give at the Black Hat security conference in Las Vegas next week titled "Security When Nano Seconds Count."
Basically, traders are using automation to speed the analysis of information on stocks and do more trades faster.
"In this race toward faster we've gone from human time scale, trading decisions in hours or minutes, to milliseconds, or thousandths of a second...Now we're talking about microseconds, a millionth of a second, and nanoseconds, one-thousandth of a microsecond," he said. "We're compressing the markets, pulling them closer together, and putting in custom hardware that does things like skip the operating system. The application making the decisions is actually building an Ethernet frame in its own memory and then pushing that frame down into the wire side of the networking card."
The implementations are built for speed, not for security, because security checks slow functions down, according to Arlen. Traders are choosing the stripped-down, fast sports car over the sedan with air bags and other safety measures, he added. "We've left security behind. These implementations have no security at all," he said.
The potential for problems isn't purely theoretical: automated trading was found to have contributed to a market crash in the U.S. in May 2010 in which the Dow Jones dropped 600 points, the second-largest one-day point swing on record at the time.
What if someone were able to create an unfair market advantage by introducing some latency in a competitor's system? "Are you ever really going to notice?" Arlen wondered. "This can be a very nefarious, very small game."
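Arlen's question of whether anyone would notice a small amount of injected latency is, for a defender, a monitoring question. The following is an added example, not code from the article or from Arlen's presentation: it runs a robust shift detector over a constructed series of order-path round-trip latencies (microseconds per order) and flags a sustained rise that is far too small to see by eye. The sample data, the 20-sample baseline, the 10-sample window and the z-score threshold of 5 are all assumptions made for illustration.

```python
"""Flag a sustained shift in order-path latency using a robust baseline.

Added example (not from the article). Input is a list of
(sequence_number, round_trip_latency_us) pairs as a trading gateway
might log them; the data below is constructed for illustration.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed sample: the first 20 orders are a quiet baseline around
# 120 us with ~2 us of jitter; the last 10 sit ~40 us higher, the kind
# of change no human watching a dashboard would notice.
SAMPLES: List[Tuple[int, float]] = [
    (i, 120.0 + ((i * 7) % 5)) for i in range(20)
] + [
    (i, 160.0 + ((i * 7) % 5)) for i in range(20, 30)
]


def robust_scale(values: List[float]) -> Tuple[float, float]:
    """Return (median, scale) where scale is 1.4826 * MAD.

    Median/MAD are used instead of mean/stddev so that a handful of
    outlier orders in the baseline cannot mask a later shift.
    The scale is floored at 1 us to avoid dividing by zero on a
    perfectly flat baseline.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(1.4826 * mad, 1.0)


def detect_latency_shift(
    samples: List[Tuple[int, float]],
    baseline_n: int = 20,
    window: int = 10,
    threshold: float = 5.0,
) -> Dict[str, object]:
    """Compare the median of the most recent `window` latencies against
    a robust baseline built from the first `baseline_n` samples.

    Returns the baseline median, the window median, the shift in
    microseconds, the robust z-score of that shift and a flag.
    """
    if len(samples) < baseline_n + window:
        raise ValueError("need at least baseline_n + window samples")
    latencies = [lat for _, lat in samples]
    base_med, scale = robust_scale(latencies[:baseline_n])
    win_med = statistics.median(latencies[-window:])
    shift = win_med - base_med
    z = shift / scale
    return {
        "baseline_median_us": base_med,
        "window_median_us": win_med,
        "shift_us": shift,
        "z": z,
        "flagged": z > threshold,
    }


if __name__ == "__main__":
    result = detect_latency_shift(SAMPLES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The detector only answers "has the path got slower than it was"; attributing that shift to a competitor rather than to a congested switch or a firmware change requires correlating it with other telemetry, which is exactly the oversight gap Arlen describes.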
The complexity of the trades, often based on multiple consecutive transactions and leveraging the price differences on different markets with simultaneous trades, amplifies the potential for problems and makes oversight more difficult, he added.
"It's highly likely or statistically likely that someone is abusing a market somewhere in the world. Will they be caught at any time in the short term? Probably not," he said. "That level of complexity makes it really hard to point a finger. This is going to be hard to find in the real world."
Arlen said he doesn't have a solution. He just wants to get the industry talking about the problem so that something can be done before it causes real damage. His timing couldn't be better.
The so-called "Flash Crash" of May 2010 has spurred the U.S. Securities and Exchange Commission to action. It voted unanimously yesterday to adopt a rule requiring large traders such as banks and hedge funds to identify themselves and to maintain transaction records.
"May 6 dramatically demonstrated the need to enhance the SEC's ability to quickly and accurately analyze market events. The large trader reporting rule will significantly bolster our ability to oversee the U.S. securities markets in a time when trades can be transacted in milliseconds or faster," said SEC Chairman Mary L. Schapiro in a statement. "This new rule will enable us to promptly and efficiently identify significant market participants and collect data on their trading activity so that we can reconstruct market events, conduct investigations, and bring enforcement actions as appropriate."