
Yep - I was actually hoping to see your talk on Starfighter last week, but work kept me in a different state. :)

My experience has been in finance for the past ten years at an ops/sysad level, and I can frankly say that security at these places may be a lot worse than you think. Much of it just seems to be out of laziness/not understanding best practice. Attacks would by no means be trivial, but they're certainly possible with (edit: relatively) low risk.

Keep in mind that the finance field is largely based on very, very old legacy systems that only upgrade as a last resort, including patching. Managing legacy systems on top of improper management of organizational complexity leads to some very, very poorly implemented security. It's pretty frightening.

Things I've seen in finance -

(edit: deleted long list that probably shouldn't stay within easy internet accessible reach)



Technical security at financials, especially in application code and especially in application code that is closer to infrastructure than to line-of-business or retail, is very bad.

But the business processes that are driven by that infrastructure tend to be surprisingly manual and/or reversible, and, for reasons having little to do with technical security, are heavily audited.

I think unless you're the online equivalent of the robbery crew from Heat, if you SQLI your way into a bank (or trading firm or exchange) and try to move large volumes of cash directly, what's really going to happen is you're going to end up in prison before you get a spendable dollar.

This is a better conversation over beer than on HN. There's definitely stuff you can do! But I don't think financial firms are low-hanging fruit.


Fair enough - I can definitely see how auditing on a non-technical level would "do the trick".

I'll definitely take you up on that beer ;). hubblefisher at gee mayl.

