
FIX applications open to attack - report

10 July 2007 | Security/Risk

Security vulnerabilities in the Financial Information Exchange (FIX) protocol have left many automated trading applications at banks open to hack attacks, according to New York-based Matasano Security.

Since its establishment in 1992 as a communications framework for equity trading between Fidelity Investments and Salomon Brothers, FIX has become the messaging standard for pre-trade and trade communication globally within the equity markets.

But in an article on security Web site Dark Reading, Matasano CEO David Goldsmith argues that the FIX standard wasn't built for security and that applications supporting the protocol can be affected by electronic eavesdropping as well as denial-of-service, session hijacking and man-in-the-middle attacks.

Goldsmith says FIX has no session-layer encryption built into it, which makes it difficult to encrypt sessions, so most companies use external devices like VPNs with an SSL overlay, or SSH tunnels over the Internet.

Goldsmith points out that many FIX-enabled financial systems don't use passwords because they were originally built for use internally rather than over the Internet, and that the applications are mostly written in C and C++ code that isn't always well audited. Furthermore, he argues, the protocol hasn't been well served by security tools and isn't generally supported by intrusion detection systems or vulnerability scanners.

Goldsmith says companies can help protect their systems with firewalls and external session-layer encryption.
