Over the past month, computer hackers penetrated computer systems at the OMX.Nasdaq stock market and the European Union's system of registries that keep track of carbon offsets. Headlines around the world warned that the "market breaches" represented a "severe blow" to "investor confidence" in stocks and carbon offsets.
Those headlines, however, have proven to be horribly off-base.
The breaches were, on close inspection, completely avoidable and didn't impact the trade-matching function of either market. They were carried out not because sophisticated hackers managed to penetrate the financial world's most sophisticated defenses, but because the financial world failed to implement its most sophisticated defenses on certain parts of its terrain.
In the case of Nasdaq, hackers didn't get into order-routing or funds-transfer territory; they got into information territory.
Specifically, they hacked the exchange's Directors Desk service, which is a tool that boards of directors use to arrange and execute board meetings. That includes sharing confidential documents, which could have given hackers access to insider information. The hackers gained access because the heads of Directors Desk didn't see information as being worthy of the same level of security as stocks and bonds. Changing that perception will change the level of security.
In the case of the carbon credit breach, hackers gained access to the EU's carbon registries by going after the weakest links in a system that was in the midst of an upgrade.
And, like the Nasdaq breach, the hackers didn't get into the order-routing system – they got into the registry system. Registries don't match trades, and they haven't, until recently, seen themselves as being custodians of anything that anyone would want to steal. What they do is keep track of where credits originate, and who owns them in succession. The goal is to make sure that every credit represents a bona fide emission reduction, and to prevent companies from double-dipping by selling the same offset more than once. They were set up to guarantee environmental integrity – and early designers didn't see any reason someone would want to steal that. Furthermore, because every carbon credit has a serial number and a history, it can't be sold on an open market. It can only be transferred within the system, and has no value without it.
The hackers who broke into the EU system, however, never transferred the credits out of the system. Instead, they opened a dummy account on the Estonian registry, and then they hacked into the Czech registry and transferred a batch of offsets to the Estonian account. Then they sold the offsets to legitimate players in Germany, Luxembourg, and elsewhere. The credits never left the system, but the cash from the transaction did – at least until the thieves were caught a few days later.
Ironically, a key security upgrade was set to be implemented by the end of the week in which the breaches occurred. All that upgrade would have done is require that anyone accessing the system key in both a static password and a randomly generated password that is delivered by mobile phone on the spot. The hackers had gained the static passwords for non-commercial users, but would not have been able to get the randomly generated new ones.
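To make the control described above concrete, here is an added sketch (not code from any registry or from the article's author) of a login that requires the static password and then a random, short-lived, single-use code delivered out of band. The class, account name, phone number, time-to-live and retry limit are all assumptions, and SMS delivery is stubbed with a list.

```python
import hashlib, hmac, secrets

OTP_TTL = 120    # seconds a delivered code stays valid (assumed value)
MAX_TRIES = 3    # wrong guesses allowed per issued code (assumed value)

class RegistryLogin:
    """Hypothetical registry login: static password, then a code sent by phone."""
    def __init__(self, send_sms):
        self.send_sms = send_sms   # out-of-band delivery channel (stubbed in demo)
        self.users = {}            # name -> (salt, password hash, phone)
        self.pending = {}          # name -> [code, expiry time, tries left]

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, name, password, phone):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._hash(salt, password), phone)

    def start(self, name, password, now):
        """Step 1: check the static password, then send a fresh random code."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user[1], self._hash(user[0], password)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self.pending[name] = [code, now + OTP_TTL, MAX_TRIES]
        self.send_sms(user[2], code)
        return True

    def finish(self, name, code, now):
        """Step 2: accept the code once, before expiry, within the try limit."""
        entry = self.pending.get(name)
        if entry is None or now > entry[1]:
            self.pending.pop(name, None)           # expired codes are discarded
            return False
        if hmac.compare_digest(entry[0].encode(), code.encode()):
            del self.pending[name]                 # single use: a replay fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[name]                 # too many guesses burn the code
        return False

def demo():  # constructed scenario: the thief holds only the stolen static password
    inbox, n = [], "cz-account"                    # inbox stands in for the owner's phone
    reg = RegistryLogin(lambda phone, code: inbox.append(code))
    reg.enroll(n, "stolen-static-pw", "+000-constructed")
    reg.start(n, "stolen-static-pw", now=0)        # password step passes for the thief
    wrong = "000000" if inbox[0] != "000000" else "111111"
    return (reg.finish(n, wrong, 1), reg.finish(n, inbox[0], 2), reg.finish(n, inbox[0], 3))
```

`demo()` returns the outcome for the thief's guess, the phone holder's code, and a replay of that same code, in that order.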
Furthermore, the European system of registries itself is on its way out – due to be replaced by a single registry before the next phase of trading kicks in at the end of 2011. The current system, which requires an individual registry in each country, was created long before most people realized that carbon offsets would have value. Indeed, in the months leading up to the January breach, the European Commission had been warning the smaller exchanges that they were vulnerable to just this sort of attack.
None of this means that our modern electronic markets are foolproof or that we should cease being diligent in guarding our financial services transactions. Rather, it means that the technology needed to keep information safe exists – and it works where it's been deployed. The key is deploying it widely and efficiently enough to prevent these kinds of breaches from happening in the future. That's not a complex solution – but it may be an expensive one.