A Q&A with security researcher Alejandro Hernández, who has unearthed a long list of vulnerabilities in leading online trading platforms that may expose their users to a host of security and privacy risks
Much ink has been spilled on how the COVID-19 pandemic has shut down or disrupted many aspects of our lives. To some extent, however, it has also given us a sneak peek into the future, opening up new avenues of opportunity and shifting numerous developments that were already well under way into a higher gear. One notable example is the accelerated adoption of various digital banking and payment services. Electronic trading platforms – which give practically everybody the opportunity to strike it rich or go broke (or everything in between) almost in a flash – have been no laggards, either.
Leaving other concerns aside, it’s only natural that the spike in the usage of trading apps should throw some spotlight on the cybersecurity side of things. Just as obviously, online traders face a slew of cyber-threats, including impostor apps, phishing attacks preying on their account credentials – and possibly even attacks exploiting vulnerabilities in their trading software of choice.
Trading platforms came under scrutiny in 2017 and 2018, when security consultant at IOActive Alejandro Hernández carried out extensive research into the security posture of 16 desktop applications, 34 mobile apps, and 30 websites offered by a total of 40 popular trading platforms. More than two years have passed, and we’ve reached out to Alejandro to glean insights into just how (in)secure your trading experience might ultimately be.
Welcome, Alejandro! Prior to digging into the security of trading apps, what were your research interests?
Thanks for having me!
Well, I’m very versatile when it comes to security research, and I’ve done various things, including code reviews, Open-source Intelligence (OSINT) and dissecting remote-control apps for cars. In recent years, I’ve been more focused on fintech technologies, particularly stock trading applications.That’s interesting. So what drew you towards e-trading apps?
It’s mainly because I’ve been trading in securities for a few years now, so I was curious to see how secure these technologies were. I assumed they were super-secure, but proved myself wrong. This is an assumption we normally have about the technology we use – until a security researcher tells you how insecure the technologies may in fact be.
That sounds disconcerting. Should people be worried that trading platforms are putting their money or data at risk of theft?
Not really, to be honest. Based on my observations, the platforms per se are not insecure in a way that an attacker can easily steal your money from your account. It’s really not as straightforward as in the movies.
On the other hand, many platforms aren’t as secure as, say, banking apps. For instance, around half of the trading apps I looked into store trading-related data unencrypted. This means that if an attacker has access to your laptop’s file system, for example via malware, that data could be extracted easily. When it comes to mobile apps, it’s true that modern mobile operating systems encrypt data by default, but if someone steals your phone and can access the unlocked phone, they can also steal the data. The same goes for computers or unencrypted backups.
You looked at 16 desktop applications, 34 mobile apps and 30 websites, including those from market leaders, and you tested them via a diversity of operating systems and devices. The scale of your testing was large, to say the least. Was this a gut instinct that you’d find the “mother lode” or just methodology?
Before I started dissecting the apps, I had this feeling that I’d find flaws in the apps of smaller brokers. I was somehow wrong though, since I also found “interesting stuff” in the apps of some of the biggest brokers. Nevertheless, having a strict checklist-based methodology helped me make sure I’d test all the controls on each app.
You asserted in your research that “desktop applications are the entire package…” having a larger attack surface because of the richer feature-set. Do you see any evidence of the risks balancing out because of people moving to mobile apps in such large numbers and/or increasingly rich feature sets in mobile apps? Maybe people are less cautious while trading from mobile platforms?
I have no evidence or figures regarding the number of users moving from desktop to mobile. However, the good news about it is that, in my opinion, modern mobile OS are pretty secure nowadays, and it’s harder to attack a mobile device than a typical computer running Windows. Mobile trading apps have significantly improved over the years, and I see updates from the brokerages in the apps store very often, including those that improved security.
On the other hand, I haven’t heard of any security-related issues in desktop platforms in recent years. Only availability problems, but this affects both desktop and mobile.
How did the brokerage firms respond to your findings? Have they since fixed the flaws? Would you say that trading platforms in general are more secure now than they were in 2017/2018?
The biggest brokerages replied very promptly to the security advisory we sent to them. I believe it’s because they’re more committed to protecting their customers and have bigger budgets for cybersecurity.
Two years after, I’ve seen more security controls implemented in trading platforms, including stronger password policies, two-factor authentication and a lot of opt-in notifications of operational things, such as valid/invalid login attempts, buy/sell orders, withdrawal/deposit of money, etc. So yes, trading platforms are more secure now than they were two years ago.
That sounds encouraging. Still, people shouldn’t take security lightly. What would be the typical attack vectors for criminals trying to access traders’ accounts?
Since most traders don’t enable two-factor authentication, even if this option is increasingly common, to perform important actions such as linking new bank accounts, attackers are able to guess or brute-force the passwords, sell the stocks and transfer the money into attacker-controlled bank accounts.
Recently, there were reports about some Robinhood accounts being looted. I think this was because the victims reused their passwords across multiple accounts and didn’t use two-factor authentication.
This actually brings us to another important point – what can the average trader do to stay safe?
Last year I gave a webinar that also included tips for secure trading. In short, people should:
- enable 2FA for critical operations, such as linking new bank accounts
- enable FaceID/TouchID in mobile apps for authentication
- avoid public Wi-Fi networks
- use a password that’s different from their passwords for email and banking apps – and make sure the password is a strong one
- enable automatic logout after a certain amount of idle time
- enable email/SMS notifications
Let’s look at secure coding practices now. It’s safe to say that no software is free of vulnerabilities, but how can developers slash the odds that their apps will be riddled with gaping security craters?
Interestingly, I found that trading applications developed by an unnamed financial institution are less secure than the banking applications developed by another group of developers within the same company. I think it’s because there’s a lack of communication between development teams and in my opinion, the cybersecurity people must bring those teams together to improve the security posture of all products they offer, including by sharing experience and secure coding tips, testing each other’s software, and so on.
Also, trading technologies are partially developed by people with strong financial backgrounds; however, there is a visible lack of training in secure programming.
What can other parties involved, such as the financial industry and regulators, do to reduce traders’ cybersecurity risks?
Definitely, regulators and rating organizations should also be involved.
There are popular websites among traders that often rate the apps and brokerages in terms of usability, fees, customer service, etc. But they do not consider security. They should.
Regulators should also give guidance to fintech companies on how to develop secure technologies and should also provide a checklist of the minimum requirements a trading platform must have prior massive deployment. In the long run, I think they should play a more active role in auditing the brokerages, like regulatory compliance, just like Payment Card Industry Data Security Standard (PCI DSS).
Thanks for the interview, guys. My pleasure.