Online Stock Trading Has Serious Security Holes

Author: Brian Barrett / Source: WIRED

An analysis of dozens of trading platforms reveals a range of cybersecurity concerns across mobile, desktop, and the web.

It’s never been easier to trade stocks; just a few taps or clicks will do the trick. But most of the platforms that millions of market participants rely on to move their money suffer from cybersecurity shortcomings, new research warns.

As if stocks weren’t risky enough already.

A new report from Alejandro Hernández, a security consultant at IOActive, found that nearly all of the 40 major online trading platforms he investigated had at least some form of vulnerability. While they range widely in severity and scope, the overall picture is of an industry that has not taken security measures proportional to the sensitive information involved. Hernández will present his research at the Black Hat security conference in Las Vegas on Thursday.

Hernández analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.

Well over half of the desktop applications Hernández examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted. That leaves traders vulnerable to a potential attack from someone on the same Wi-Fi network, who could observe that information and potentially intercept and alter it using a fairly straightforward man-in-the-middle attack.

Also troubling: Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text. With access to the device, either physical or through malware, an attacker could steal that password, then use the newfound account access to, say, add a new bank account and transfer money to it. Two-factor authentication would prevent that scenario, but while most of the web platforms Hernández looked at offer it, they don’t enable it by default. That’s a shame, especially given how much sensitive information a desktop trading app, in particular, is privy to.

Lack of robust encryption seems endemic to the industry, but narrower issues show up as well. Hernández found that on the web platforms of companies like Charles Schwab and E-Trade, logging out didn’t immediately end the session on the server side. If you think of authentication as a handshake, in other words, the site leaves its arm extended after you’ve already walked away. If someone steals your…
