For financial firms, availability too often trumps security

Researchers say startling weaknesses in key protocols such as FIX and an addiction to availability have left the financial services industry in need of a security wake-up call.

Financial services organisations are considered to be on the bleeding edge of information technology, but the market's widespread use of subpar security protocols for financial transactions could soon leave deep scars across the industry.

In a presentation at Black Hat 2007, researchers with Matasano Security lifted the shroud on some popular exchange protocols and found a shocking lack of security baked in. For many financial services firms, the overwhelming pressure to keep trading applications available, coupled with the fact that the majority of their communications run over private networks, has nudged security to the back of the development line.

"When you look at the priorities around trading protocols, performance and availability are the most important parts. The faster they can communicate, the better they can capitalise on situations," said Dave Goldsmith, president of New York-based Matasano and a founding member of vaunted consultancy @Stake.

"With automated trading, microseconds do count," he said. "Any kind of security that introduces latency is going to be frowned upon in these systems."

Security with many of these protocols relies on insider trust, familiar security mechanisms like firewalls, and segregating communication over private networks. And within the financial services realm, this makes sense.

"As a pen-tester, we're concerned with traditional systems about how we can get root [access]. When we found availability issues, we'd get their eye faster than when we found confidentiality issues," Goldsmith said. "The system must stay up and running. A bad trade will be caught, but if a server goes down, it costs them money."

Goldsmith and his partner, Matasano's Jeremy Rausch, dove into the Financial Information Exchange (FIX) protocol, one of the most transparent protocols used today -- FIX specifications are available online for anyone to review.

FIX runs over TCP and includes a messaging layer and an application layer. It specifies, for example, how transactions are to be conducted using Web services over HTTP or over other messaging transports, such as MQ or multicast UDP. Security, however, is never mentioned among the thousands of pages that make up the specification.
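The point that the specification contains no security is easier to see from the wire format itself. A FIX message is a run of tag=value pairs separated by the SOH byte (0x01); the only framing checks it carries are BodyLength (tag 9) and CheckSum (tag 10), and the checksum is a plain byte sum modulo 256. The example below, added here and not part of the original article or of any FIX implementation, frames a constructed NewOrderSingle message, verifies those two fields, and then shows that they detect transmission corruption only: a message whose fields were changed and re-framed verifies clean, which is why integrity and authentication have to come from the surrounding network controls the article describes rather than from the protocol.

```python
"""FIX tag=value framing: BodyLength (9) and CheckSum (10) are the only
integrity fields in the wire format, and neither is keyed.  Added example;
the message content below is constructed for illustration."""
from __future__ import annotations

SOH = "\x01"  # FIX field delimiter


def build_fix(begin_string: str, body: list[tuple[int, str]]) -> str:
    """Frame a message: prepend 8= and 9=, append 10= over the framed bytes."""
    body_str = "".join(f"{tag}={value}{SOH}" for tag, value in body)
    head = f"8={begin_string}{SOH}9={len(body_str.encode('ascii'))}{SOH}"
    msg = head + body_str
    # CheckSum is the byte sum of everything before "10=" modulo 256, 3 digits.
    return msg + f"10={sum(msg.encode('ascii')) % 256:03d}{SOH}"


def parse_fix(raw: str) -> dict[int, str]:
    """Split a raw message into {tag: value}; insertion order is preserved."""
    fields: dict[int, str] = {}
    for pair in raw.split(SOH):
        if pair:
            tag, _, value = pair.partition("=")
            fields[int(tag)] = value
    return fields


def verify_fix(raw: str) -> dict:
    """Check BodyLength and CheckSum; report which framing checks pass."""
    fields = parse_fix(raw)
    if 9 not in fields or 10 not in fields or f"{SOH}10=" not in raw:
        return {"body_length_ok": False, "checksum_ok": False, "fields": fields}
    # BodyLength counts bytes after the SOH that ends the 9= field, up to and
    # including the SOH that precedes 10=.
    start = raw.index(f"{SOH}9=") + 1
    start = raw.index(SOH, start) + 1
    end = raw.rindex(f"{SOH}10=") + 1
    body_length_ok = int(fields[9]) == len(raw[start:end].encode("ascii"))
    checksum_ok = int(fields[10]) == sum(raw[:end].encode("ascii")) % 256
    return {"body_length_ok": body_length_ok, "checksum_ok": checksum_ok,
            "fields": fields}


def reframe(raw: str, tag: int, new_value: str) -> str:
    """Change one field and rebuild 9= and 10=.  This is what makes the
    checksum a corruption check rather than an authentication check: anyone
    who can rewrite the bytes can also rewrite the checksum."""
    fields = parse_fix(raw)
    fields[tag] = new_value
    body = [(t, v) for t, v in fields.items() if t not in (8, 9, 10)]
    return build_fix(fields[8], body)


# Constructed NewOrderSingle (35=D): buy 100 shares, limit order.
SAMPLE = build_fix("FIX.4.2", [
    (35, "D"), (49, "BUYSIDE"), (56, "SELLSIDE"), (34, "1"),
    (52, "20070801-12:00:00"), (11, "ORD1"), (55, "ACME"),
    (54, "1"), (38, "100"), (40, "2"), (44, "10.50"),
])

if __name__ == "__main__":
    print("clean message:      ", verify_fix(SAMPLE))
    # A single flipped digit in transit is caught by the checksum ...
    print("corrupted in transit:", verify_fix(SAMPLE.replace("38=100", "38=101")))
    # ... but a modified and re-framed message passes both checks.
    print("modified, re-framed: ", verify_fix(reframe(SAMPLE, 38, "1000")))
```

Run as a script, the three lines show the checksum catching a one-byte corruption and then passing an altered message whose framing was recomputed. For a defender the practical consequence is the one the article draws: monitoring and integrity for FIX sessions must be applied at the transport or network layer (for example a TLS or IPsec tunnel between counterparties, with the session confined to the segment it is supposed to use), since the protocol's own checks cannot distinguish a modified message from a legitimate one.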

Compounding the problem is the fact that while transactions run on a dedicated line, once they're inside an internal network, there's nothing preventing them from traversing other network segments where a transaction could be exposed.

Worse still, increasing awareness regarding FIX's security shortcomings is a challenge because unless an IT professional happens to be intimate with FIX -- or other financial protocols like QIX, OUCH, OTTO, RASHport, DROP, CTCI or ITCH -- it's unlikely that he or she would find much information about it.

One thing working in the financial industry's favor is that exploits haven't been publicly reported, but as Goldsmith pointed out, successful attacks on financial systems likely wouldn't be publicised.

"There isn't a lot of public information about what people should do, and there's good reason for that," Goldsmith said. "This has generally been between people who have been trading together since before computers. It's challenging because as more and more people are developing FIX applications, more people run the risk of getting it wrong."
