22 October 2017
visit www.response.ncr.com

IOActive warns of vulnerabilities in 21 most popular mobile trading apps

26 September 2017  |  2815 views  |  0 Source: IOActive

IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications.

The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.

The test results, conducted by IOActive senior security consultant, Alejandro Hernandez, were outlined in a blog post published today. Key findings include:

• 19 percent of apps expose user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money
• 62 percent send sensitive data to log files and 67 percent store it unencrypted, allowing attackers with physical access to gain insight into a user’s net worth, investment strategy and balances
• Two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate - making it possible to perform man-in-the-middle attacks to eavesdrop and tamper with the app data via pub Wi-Fi hotspots
• Three quarters (76 percent) of apps support fingerprint-reading as a security measure, which means they can be used by anyone that has their fingerprint registered to the device e.g. children or a spouse

“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”

In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.

“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people using from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.

IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher risks vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.

Comments: (0)

Comment on this story (membership required)

Related blogs

Create a blog about this story (membership required)
visit www.niceactimize.comRegister now

Top topics

Most viewed Most shared
Mastercard to roll out blockchain APIMastercard to roll out blockchain API
14623 views comments | 17 tweets | 28 linkedin
HSBC partners Bud for open banking trialHSBC partners Bud for open banking trial
13136 views comments | 22 tweets | 28 linkedin
satelliteGates Foundation backs Ripple collaboratio...
9815 views comments | 13 tweets | 10 linkedin
Sibos 2017: API or the highwaySibos 2017: API or the highway
9728 views comments | 12 tweets | 23 linkedin
IBM uses blockchain to improve cross-border payments processingIBM uses blockchain to improve cross-borde...
8823 views comments | 9 tweets | 18 linkedin

Featured job

Competitive base, double ote, benefits
London, UK

Find your next job