Security vulnerabilities in the Financial Information Exchange (FIX) protocol have left many automated trading applications at banks open to hack attacks, according to New York-based Matasano Security.
Since its establishment in 1992 as a communications framework for equity trading between Fidelity Investments and Salomon Brothers, FIX has become the messaging standard for pre-trade and trade communication globally within the equity markets.
But in an article on security Web site Dark Reading, Matasano CEO David Goldsmith argues that the FIX standard wasn't built for security and applications supporting the protocol can be affected by electronic eavesdropping as well as denial-of-service, session hijacking and man-in-the middle attacks.
Goldsmith says the FIX has no session-layer encryption built into it, which makes it difficult to encrypt sessions, so most companies use external devices like VPNs with an SSL overlay, or SSH tunnels over ther Internet.
Goldsmith points out that many FIX-enabled financial systems don't use passwords because they were originally built for use internally rather than over the Internet and the applications are mostly written in C and C++ code that isn't always well audited. Furthermore, he argues, the protocol hasn't been well served by security tools, and isn't generally supported by intrusion detection systems or vulnerability scanners
Goldsmith says companies can help protect their systems with firewalls and external session-layer encryption.