It probably went unnoticed by most of the security community, but yet another Twitter hack this week exposed more flaws in high-frequency trading systems. When someone took control of the Associated Press Twitter account and injected a fake news announcement that bombs had exploded in the White House, many people (unsurprisingly) believed the tweet without attempting to verify it. That 140-character message sent the stock market down in a “flash crash” – 140 points in a matter of minutes.
From CNN Money:
One scary – and false – tweet, and the Dow quickly plunged 140 points, or roughly 1%. Many are pointing fingers at high speed trading by computers for the swift decline. The Dow quickly bounced back. The sharp sell-off highlights just how disruptive computer-driven high-frequency trading can be. The S&P 500 lost $121 billion of its value within minutes. High-speed computer trading accounts for roughly 50% of all trading. That’s down slightly from a few years ago, but traders on the ground say it feels more dominant. And mini flash crashes have become an all too familiar daily occurrence.
Those of you who set limit orders on stocks at below-market prices have been the unintended beneficiaries of some briefly well-priced stocks. A simple compromise of an outdated identity management system was leveraged for social engineering, which in turn triggered a domino effect across automated trading systems, which moved the whole stock market twice – the drop and the rebound. The perpetrators have not been identified, so it is not clear whether it was just for the lulz, but they certainly had an impact. The BATS exchange spokesperson who called this a non-issue is way off the mark – it is clear that both Twitter’s identity management and trading bot logic need serious reworking.