Insecure Online Stock Trading Platforms Can Be Hacked
A cyber security researcher warns that a number of online stock trading platforms are vulnerable.
According to Alejandro Hernandez, a security consultant at IOActive, 40 major online trading platforms are not secure.
Most of the security testing was performed using demo accounts, with a few accounts holding real money. Alejandro analyzed 34 mobile apps, 30 websites and 16 desktop applications, including major trading platforms such as Robinhood, Yahoo! Finance, Binance, Bitfinex, Kraken, MetaTrader and more.
Devices used:
- Windows 7 (64-bit)
- Windows 10 Home Single (64-bit)
- iOS 10.3.3 (iPhone 6) [not Jailbroken]
- iOS 10.4 (iPhone 6) [not Jailbroken]
- Android 7.1.1 (Emulator) [rooted]
Unfortunately, the results proved to be much worse than those for applications in retail banking. For example, mobile apps for trading are less secure than the personal banking apps reviewed in 2013 and 2015.
In the research, unencrypted data transmission was observed in 9 desktop applications (64%) and in 2 mobile apps (6%). Most applications transmit most of their sensitive data encrypted; however, there were some cases where cleartext data could be seen in unencrypted requests.
Data Stored Unencrypted
Among the data seen unencrypted are passwords, balances, portfolio, personal information and other trading-related data. In most cases of unencrypted transmissions, HTTP in plaintext was seen, and in others, old proprietary protocols or other financial protocols such as FIX were used.
An attacker on the same public Wi-Fi network can easily perform a man-in-the-middle (MITM) attack and cause a user to buy or sell securities based on misleading information.
Some of the platforms support encryption, but Secure Sockets Layer (SSL) is not enabled by default. Non-technical users are unlikely to enable it on the login screen and will log in without encryption.
In some trading platform mobile apps and desktop applications, the user's password was stored unencrypted in a configuration file or written to log files. Local access to the computer or mobile device is required to extract it, though; this access could be either direct or through malware.
A denial-of-service (DoS) vulnerability was also found in an online trading platform: a configuration item allows the user to control the behavior of the TCP order server, such as the maximum number of orders sent per minute and the number of seconds to wait between orders to avoid bottlenecks.
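The password-in-log-files finding above is usually the result of a client logging raw request bodies or configuration dumps. One defensive pattern is to scrub credential fields from every log record before any handler writes it. The following is an added example (not code from the article or from any of the platforms it names): a redaction filter attached to a Python `logging` handler, run over a few constructed log lines. The field names in the regular expression and the sample values are assumptions for illustration.

```python
import io
import logging
import re

# Credential-bearing field names commonly seen in request bodies, JSON
# config dumps and key=value config files. Constructed for this example;
# extend the list with your own platform's field names.
_SECRET_FIELD = re.compile(
    r'(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\b'  # field name
    r'("?\s*[=:]\s*"?)'                                          # separator, optional quotes
    r'([^\s&"\',;]+)'                                            # the value to hide
)


def redact(text: str) -> str:
    """Replace the value of any credential field with a fixed mask."""
    return _SECRET_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub secrets from a record before a handler formats and writes it.

    The message is fully rendered first (so %-style arguments are included),
    then masked, and the args are cleared so the handler does not re-format.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "trading.client") -> tuple:
    """Return a logger writing to an in-memory buffer through the filter."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler: every record passing through is scrubbed
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return logger, buf


def demo() -> str:
    """Log constructed lines modelled on a careless client and return the output."""
    logger, buf = build_logger()
    logger.debug("POST /login body=user=alice&password=hunter2")           # constructed
    logger.info('order server config: {"api_key": "AKIA-EXAMPLE-123", "rate": 60}')  # constructed
    logger.debug("session token: %s for %s", "eyJhbGciOi.example", "alice")  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Putting the filter on the handler rather than on a single logger means records from every module that reaches that file are scrubbed; a filter on one logger would miss records propagated from child loggers it does not own.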
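The rate settings described above only protect the order server if they are enforced on the server side; a value the client can edit is a preference, not a control. The block below is an added example (not code from the article or from any platform it names) of a per-session throttle that enforces both a maximum number of orders per minute and a minimum spacing between orders, independently of anything the client sends. The limits, session identifiers and timestamps are constructed for the illustration, and the clock is injectable so the behaviour can be replayed deterministically.

```python
import collections
import time
from typing import Callable, Tuple


class OrderThrottle:
    """Server-side limit on order submissions, keyed by client session.

    Both limits live on the server. A client may send its own 'rate'
    preference, but allow() never consults it.
    """

    def __init__(self, max_per_minute: int = 60, min_interval: float = 0.5,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_per_minute = max_per_minute
        self.min_interval = min_interval
        self._clock = clock
        # session id -> timestamps of accepted orders in the last 60 s
        self._history = collections.defaultdict(collections.deque)

    def allow(self, session_id: str) -> Tuple[bool, str]:
        """Decide whether this session may submit an order right now."""
        now = self._clock()
        accepted = self._history[session_id]
        # Drop accepted orders that have aged out of the one-minute window.
        while accepted and now - accepted[0] >= 60.0:
            accepted.popleft()
        if accepted and now - accepted[-1] < self.min_interval:
            return False, "too fast"
        if len(accepted) >= self.max_per_minute:
            return False, "per-minute limit"
        accepted.append(now)
        return True, "ok"


def simulate():
    """Replay constructed submissions from one session through a strict throttle."""
    timeline = [0.0, 0.5, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 70.0]  # constructed arrival times
    current = {"t": 0.0}
    throttle = OrderThrottle(max_per_minute=5, min_interval=1.0, clock=lambda: current["t"])
    results = []
    for t in timeline:
        current["t"] = t
        # A client-supplied setting like {"max_orders_per_minute": 100000}
        # would be parsed and ignored here; the server's own limits decide.
        ok, reason = throttle.allow("session-A")
        results.append((t, ok, reason))
    return results


if __name__ == "__main__":
    for t, ok, reason in simulate():
        print(f"t={t:5.1f}s  {'ACCEPT' if ok else 'REJECT'}  ({reason})")
```

Rejected submissions are not recorded in the window, so a client that hammers the server does not lock itself out for longer than the window; the server simply refuses the excess. In a real deployment the per-session state would live in shared storage so that every order server instance sees the same counts.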
The most alarming finding is that the session is still valid after the user logs out. It is hard to imagine a more dangerous weakness.
An automatic logout feature adds security for the user: it protects the customer's private information against shoulder-surfing attacks. Two-factor authentication also increases account security.
Security Recommendations:
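A session that survives logout means the server only ever trusted the client to forget the token. The added example below (not code from the article or from any platform it names) shows a server-side session store in which logout deletes the session record, and an idle timeout implements the automatic logout the text recommends. The timeout value, user names and clock values are constructed assumptions; the token itself is generated with `secrets`, as a real store would.

```python
import secrets
import time
from typing import Callable, Optional


class SessionStore:
    """Server-side sessions: the server decides validity, not the client."""

    def __init__(self, idle_timeout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout   # seconds of inactivity before auto-logout
        self._clock = clock
        self._sessions = {}                # token -> {"user": ..., "last_seen": ...}

    def login(self, user: str) -> str:
        """Issue an unguessable token bound to the user (after authentication)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[token]      # idle too long: automatic logout
            return None
        session["last_seen"] = now         # activity keeps the session alive
        return session["user"]

    def logout(self, token: str) -> None:
        """Invalidate on the server; a replayed token must be rejected afterwards."""
        self._sessions.pop(token, None)


def scenario() -> dict:
    """Walk through logout and idle-timeout with a controllable clock."""
    current = {"t": 0.0}
    store = SessionStore(idle_timeout=600.0, clock=lambda: current["t"])
    out = {}

    # 1. Explicit logout: the token must be dead even if an attacker captured it.
    tok = store.login("alice")                     # constructed user
    out["before_logout"] = store.validate(tok)
    store.logout(tok)
    out["after_logout"] = store.validate(tok)

    # 2. Automatic logout: activity within the window extends it, silence ends it.
    tok2 = store.login("bob")                      # constructed user
    current["t"] = 500.0
    out["active_at_500s"] = store.validate(tok2)   # refreshes last_seen to 500
    current["t"] = 1000.0
    out["active_at_1000s"] = store.validate(tok2)  # 500 s idle, still inside 600
    current["t"] = 1700.0
    out["idle_at_1700s"] = store.validate(tok2)    # 700 s idle, expired
    return out


if __name__ == "__main__":
    for step, user in scenario().items():
        print(f"{step:16s} -> {user}")
```

The check that matters for the finding above is `after_logout`: once `logout` has run, presenting the same token again yields nothing, regardless of what the client did with its copy. The idle timeout is what an automatic logout feature looks like on the server; a client-side timer alone gives no such guarantee.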
- Trading platforms are less secure than the applications seen in retail banking.
- There’s still a long way to go to improve the maturity level of security in trading technologies.
- End users should enable all the security mechanisms their platforms offer, such as 2FA and/or biometric authentication and automatic lockout/logout. Also, it’s recommended not to trade while connected to public networks and not to use the same password for other financial services.
- Brokerage firms should perform regular internal audits to continuously improve the security of their trading platforms.
- Brokerage firms should also offer security guidance in their online education centers.
- Developers should analyze their current applications to determine if they suffer from the vulnerabilities described in this paper, and if so, fix them.
- Developers should design new, more secure financial software following secure coding practices.
- Regulators should encourage brokers to implement safeguards for a better trading environment. They could also create trading-specific guidelines to be followed by the brokerage firms and FinTech companies in charge of creating trading software.
- Rating organizations should include security in their reviews.