Full Disclosure mailing list archives
Re: Is Your Online Bank Vulnerable To Currency Rounding Attacks?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 10 Jan 2012 10:43:24 +1300
adam to Jeffrey Walton to Memory Vandal to Jeffrey Walton:
I believe the term is "arbitrage" (not rounding attacks).
Nope: https://en.wikipedia.org/wiki/Arbitrage
http://www.google.com/?q=currency+arbitrage. *sigh*.
Plus: https://www.google.com/?#q=arbitrage&tbs=dfn:1&fp=1

Now, it may be fashionable to bag ACROS here due to their initially over-zealous description of the likely magnitude of the "binary planting" "vulnerability", BUT did any of you _other than Memory Vandal_ actually read the ACROS blog _at all carefully_?

If so _and_ you really understand what arbitrage is, you would recognize that Memory Vandal is right -- this ain't arbitrage, at least not as classically understood.

Let's look at your own justifications of your incorrect positions...

To quote the first result in adam's search:

   The simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms in order to take advantage of differing prices for the same asset

To quote the first result from Jeffrey's search:

   A forex strategy in which a currency trader takes advantage of different spreads offered by brokers for a particular currency pair by making trades. Different spreads for a currency pair imply disparities between the bid and ask prices. Currency arbitrage involves buying and selling currency pairs from different brokers to take advantage of this disparity.

   For example, two different banks (Bank A and Bank B) offer quotes for the US/EUR currency pair. Bank A sets the rate at 3/2 dollars per euro, and Bank B sets its rate at 4/3 dollars per euro. In currency arbitrage, the trader would take one euro, convert that into dollars with Bank A and then back into euros with Bank B. The end result is that the trader who started with one euro now has 9/8 euro. The trader has made a 1/8 euro profit if trading fees are not taken into account.

So, we see that arbitrage involves playing a difference in cross-rates _between two [or more] markets_.

As the ACROS folk carefully and clearly point out, _if_ you actually bothered to read the whole article at all closely, the issue they are describing is purely possible due to _the customer_ executing trades at one level of mathematical precision (as provided by the bank) and _the bank_ rounding the payout to the customer to a lesser degree of precision. _If_ the customer is able to take advantage of this situation _at a small enough unit of currency_ the rounding "error" (it's not really an error, but it contributes to what the bank may consider an erroneous or undesirable outcome) will swamp the _loss_ that should be expected in the actual trade (ACROS went to some length to explain that the trade should actually make a loss -- that is, after all, how banks make a profit on currency trades -- _and_ explained the magnitude of this loss -- if you missed that, go read it again).

Also, notice that _if you already have USD_ (an entirely likely, even probable situation here) there is only one direction of trading necessary here, so clearly not arbitrage at all.

So, adam and Jeffrey, much as you may not be pre-disposed to accept what ACROS might say, you are wrong about this being simple arbitrage and ACROS is correct that it is all about rounding practices and banks trading currencies at different levels of precision from that at which they pay out transactions (the latter is typically due to the fact that historically currency is always tracked in whole units of the smallest denomination, or perhaps more accurately, in whole single units of the smallest denominational breakdown -- in NZ, my bank tracks my accounts to the cent, but as NZ's smallest legal tender coin is now 10c, if I cash out an account, they will round the payout to a 10c boundary).

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
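
The rounding effect described in the message above, worked through as an added example (not part of the original post or the ACROS article): it finds the conversion amounts on which a cent-rounded payout outweighs the bank's spread, and the amount above which that is impossible. The rates, the one-cent payout unit and all function names are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

UNIT = Decimal("0.01")      # payout precision: one cent (assumption)
QUOTED = Decimal("0.75")    # constructed rate the customer gets, EUR per USD
MID = Decimal("0.77")       # constructed fair (mid-market) rate, EUR per USD

def payout(amount, rate=QUOTED, rounding=ROUND_HALF_UP):
    """Destination-currency payout after the bank rounds to UNIT."""
    return (amount * rate).quantize(UNIT, rounding=rounding)

def customer_edge(amount, rounding=ROUND_HALF_UP):
    """Payout minus fair value of the amount paid; > 0 means the bank loses."""
    return payout(amount, QUOTED, rounding) - amount * MID

def safe_minimum(quoted=QUOTED, mid=MID, unit=UNIT):
    """Amounts >= this cannot profit: half-up rounding adds at most unit/2,
    while the spread costs the customer amount * (mid - quoted)."""
    return unit / (2 * (mid - quoted))

def losing_amounts(max_cents, rounding=ROUND_HALF_UP):
    """Every whole-cent amount up to max_cents on which the bank loses."""
    amounts = (Decimal(n) * UNIT for n in range(1, max_cents + 1))
    return [a for a in amounts if customer_edge(a, rounding) > 0]

if __name__ == "__main__":
    print("safe minimum:", safe_minimum())
    for a in losing_amounts(50):
        print(a, "->", payout(a), "edge", customer_edge(a))
    # Rounding the payout down (in the bank's favour) leaves no losing amount.
    print("round-down losers:", losing_amounts(50, ROUND_DOWN))
```

Either control closes the gap in this model: refuse conversions below `safe_minimum()`, or round payouts down instead of to the nearest unit.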