It’s never been easier to trade stocks; just a few taps or clicks will do the trick. But most of the platforms that millions of market participants rely on to move their money suffer from cybersecurity shortcomings, new research warns. As if stocks weren’t risky enough already.
A new report from Alejandro Hernández, a security consultant at IOActive, found that nearly all of the 40 major online trading platforms he investigated had at least some form of vulnerability. While they range widely in severity and scope, the overall picture is of an industry that has not taken security measures proportional to the sensitive information involved. Hernández will present his research at the Black Hat security conference in Las Vegas on Thursday.
Hernández analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.
Well over half of the desktop applications Hernández examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted. That leaves traders vulnerable to a potential attack from someone on the same Wi-Fi network, who could observe that information and potentially intercept and alter it using a fairly straightforward man-in-the-middle attack.
Also troubling: Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text. With access to the device, either physical or through malware, an attacker could steal that password, then use the newfound account access to, say, add a new bank account and transfer money to it. Two-factor authentication would prevent that scenario, but while most of the web platforms Hernández looked at offer it, they don’t enable it by default. That’s a shame, especially given how much sensitive information a desktop trading app, in particular, is privy to.
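One concrete mitigation for the plaintext-logging problem described above is to scrub credentials before a log record ever reaches a handler. The following is an added example, not code from IOActive or from any of the platforms in the report; the field names, the regular expression and the sample log events are all constructed for illustration.

```python
"""Keeping passwords out of application logs with a redacting log filter.

Added example, not code from IOActive or any trading platform. The list of
sensitive keys, the regex and the sample events are constructed here.
"""
import logging
import re

# Constructed set of keys whose values must never be written to a log sink.
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "session"}

# Matches 'password=<value>' style pairs in free-text messages; the value
# runs until whitespace or a common separator.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^\s&;,]+)"
)


def redact_text(msg):
    """Replace the value half of any sensitive key=value pair in a string."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", msg)


def redact_mapping(event):
    """Return a copy of a structured (dict) log event with sensitive values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in event.items()}


class RedactingFilter(logging.Filter):
    """Formats the record first, then scrubs it, so '%s' placeholders that
    would have been filled with a password are masked too."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()          # already merged into msg above
        return True               # keep the (now redacted) record


class _Collector(logging.Handler):
    """Tiny handler that keeps formatted lines in memory for inspection."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger():
    """Build a logger whose every record passes through RedactingFilter."""
    logger = logging.getLogger("trading.auth.example")   # constructed name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    collector = _Collector()
    logger.addHandler(collector)
    return logger, collector


def demo():
    """Log two constructed events of the kind the research found in plaintext
    and return what actually reached the sink."""
    logger, collector = make_logger()
    logger.info("login ok user=%s password=%s", "alice", "hunter2")
    logger.info("session=%s opened for user=%s", "abc123", "alice")
    return collector.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is attached to the logger rather than to a single handler, so a file handler, a console handler and a remote log shipper all receive the same redacted record; attaching it to one handler would leave the others leaking.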
Lack of robust encryption seems endemic to the industry, but narrower issues show up as well. Hernández found that on the web platforms of companies like Charles Schwab and E-Trade, logging out didn’t immediately end the session on the server side. If you think of authentication as a handshake, in other words, the site leaves its arm extended after you’ve already walked away. If someone steals your session token, they could get in.
“There are hundreds of ways that an attacker could intercept your communication,” Hernández says. “The attacker could trick you into clicking on a malicious link that allows a man-in-the-middle attack, for example. Imagine the attacker has your session ID. If the authentic user realizes he was compromised, the user would log out.” Ideally, the server would end the session at that point, too, overwriting the ID and stopping any unauthorized snooping. But if the session doesn't immediately end on the server side—and Hernández found that some sessions stayed active for as long as a few hours—then the attacker is free to continue as he pleases.
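The difference between a logout that only clears the browser's cookie and one that revokes the session on the server is easy to show in code. The following is an added example, not code from IOActive or from any of the platforms named in the report; the in-memory session store, the two logout handlers, the idle timeout and the sample user names are all constructed for illustration.

```python
"""Server-side session invalidation on logout: the weak pattern beside the fix.

Added example, not IOActive's or any platform's code. The session store,
the handlers and the timeout value are constructed for illustration.
"""
import secrets
import time

# Constructed in-memory session store: token -> {"user": ..., "last_seen": ...}
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (constructed)


def _now(now):
    return time.time() if now is None else now


def login(user, now=None):
    """Create a session and return an unguessable token (256 bits of entropy)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "last_seen": _now(now)}
    return token


def is_valid(token, now=None):
    """True if the token maps to a live, non-expired session; refreshes last_seen."""
    now = _now(now)
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        SESSIONS.pop(token, None)     # lazy expiry of idle sessions
        return False
    sess["last_seen"] = now
    return True


def logout_weak(token):
    """The pattern the research describes: the client is told to drop its
    cookie, but the server keeps the session record alive until it times
    out. Any copy of the token taken earlier keeps working."""
    return {"Set-Cookie": "session=; Max-Age=0"}


def logout_fixed(token):
    """Corrected pattern: revoke the server-side record first, then clear
    the cookie. A stolen copy of the token is useless from this point on."""
    SESSIONS.pop(token, None)
    return {"Set-Cookie": "session=; Max-Age=0"}


def demo():
    """Run both logouts against a token an attacker has already copied and
    report whether the copy still authenticates after each."""
    victim = login("alice")          # constructed user
    stolen = victim                  # attacker holds the identical string
    logout_weak(victim)
    still_works = is_valid(stolen)   # True: nothing was revoked
    logout_fixed(victim)
    works_after_fix = is_valid(stolen)   # False: record is gone
    return still_works, works_after_fix


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Real deployments keep the store in a database or cache rather than a module-level dict, but the invariant is the same: logout must delete (or mark revoked) the server-side record, and every request must consult that record, so that a token captured before logout cannot outlive it.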
Another vulnerability Hernández emphasizes is, as they say, a feature, not a bug. Several trading platforms let users create their own bots through proprietary programming languages. Those plugins get passed around in online trading forums, a network of get-rich-quick bots that a user can import on a whim. The problem? Those programming languages are themselves based on common ones like C++ and Pascal, making it relatively simple for a malicious coder to hide a backdoor or other malware in what looks like a friendly, automated options-trading assistant.
The research builds on a specific look at mobile app security in trading spaces that Hernández released last fall. If anything, the problems he found on the web and on desktop applications are even more alarming, both in severity and scope.
“Desktop applications are the entire package,” Hernández says. “They’re more susceptible to vulnerabilities, because they implement more features, and the attack surface is bigger.”
This is also the first time Hernández is naming names; he previously let companies remain anonymous to give them adequate time to fix the issues. That process appears to be ongoing.