Serious security flaws found in trading platforms
Written by Peter Walker
Serious security vulnerabilities have been discovered by IOActive in several leading mobile, desktop and web stock trading applications.
Alejandro Hernandez, senior security consultant at the cyber security firm, tested 16 desktop applications, 30 websites and 34 mobile applications, finding “major vulnerabilities” that can allow malicious actors to gain access to a user’s personal banking information, steal money and gain insights into net worth and investment strategies.
Those trading platforms identified by the report as needing to improve security include: Charles Schwab, Fidelity, Interactive Brokers, TradeStation, Plus500 and IQ Option.
Specifically, Charles Schwab was found to have partially unencrypted communications, trading-related data stored unencrypted and sessions that are left valid server-side after logout. Fidelity, meanwhile, had sessions valid server-side after logout, session cookies without proper attributes and a lack of some HTTP security headers.
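Two of the weaknesses listed above, session cookies without proper attributes and missing HTTP security headers, can be checked from a single captured response without any live interaction. The following is an added example written for this page, not IOActive's tooling or code from any of the named vendors. It parses raw HTTP response text, flags session cookies that lack Secure, HttpOnly or a Lax/Strict SameSite setting, and flags absent HSTS, CSP, X-Content-Type-Options and X-Frame-Options headers. The two sample responses, the cookie name and the header list are constructed for illustration; the server-side session invalidation finding is not covered here, since it can only be tested against a running service.

```python
"""Audit Set-Cookie attributes and common HTTP security headers in a raw response.

Added example for illustration; the sample responses below are constructed,
not captured from any real trading platform.
"""
from typing import List, Tuple

# Headers whose absence is reported, with the exposure each one mitigates.
# This list is an assumption for the example, not a complete policy.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: downgrade to plain HTTP possible",
    "content-security-policy": "Content-Security-Policy missing: no mitigation for injected script",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: clickjacking possible",
}


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (lowercased-name, value) headers.

    Multiple Set-Cookie headers are kept as separate entries, which a dict would lose.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_cookie(set_cookie: str) -> List[str]:
    """Return findings for one Set-Cookie value (e.g. 'SESSIONID=abc; Path=/; Secure')."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name}: missing HttpOnly (readable by script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {cookie_name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings


def audit_response(raw: str) -> List[str]:
    """Return all header and cookie findings for a raw HTTP response; empty list means clean."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample: a weak response of the kind the report describes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>portfolio</body></html>"
)

# Constructed sample: the same response with the attributes and headers in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>portfolio</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(raw) or ["no findings"]:
            print("  " + finding)
```

Run it against a response saved from a proxy or `curl -i`; the weak sample yields seven findings (four missing headers, three cookie attributes) and the hardened one none. The check is deliberately header-only: a cookie carrying Secure and HttpOnly still reflects the server-side session problem in the report if the server keeps accepting it after logout.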
Following up on similar research in 2017, Hernandez commented “it’s deeply concerning that some of the same vulnerabilities have still not been fixed”.
He found that usernames and passwords can easily be stolen from stock trading applications: the vulnerabilities include unencrypted authentication and communications, as well as remote denial-of-service (DoS) flaws that can leave an application unusable.
“Imagine a stock trader in a coffee shop, using public Wi-Fi – an attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted,” explained Hernandez. “For example, the attacker could see the username and password of the trader’s account and later login through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”
Jennifer Steffens, chief executive of IOActive, said the discovery of major flaws in stock trading technologies will hopefully be a wake-up call to the financial industry. “They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”
All of the vendors affected by these stock trading vulnerabilities have been notified, although IOActive cannot confirm whether or not the issues have been fixed yet.