Serious security flaws found in trading platforms

Serious security vulnerabilities have been discovered in several leading mobile, desktop and web stock trading applications by IOActive.

Alejandro Hernandez, senior security consultant at the cyber security firm, tested 16 desktop applications, 30 websites and 34 mobile applications, finding “major vulnerabilities” that can allow malicious actors to gain access to a user’s personal banking information, steal money and gain insights into net worth and investment strategies.

Those trading platforms identified by the report as needing to improve security include: Charles Schwab, Fidelity, Interactive Brokers, TradeStation, Plus500 and IQ Option.

Specifically, Charles Schwab was found to have partially unencrypted communications, trading-related data stored unencrypted and sessions that remained valid server-side after logout. Fidelity, meanwhile, had sessions valid server-side after logout, session cookies without proper attributes and a lack of some HTTP security headers.
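The Fidelity findings above (session cookies without proper attributes, missing HTTP security headers, sessions still valid server-side after logout) are each easy to check for. The following is an added example, not IOActive's tooling and not code from any vendor: it audits a constructed HTTP response for missing cookie attributes and security headers, and shows a minimal session store that actually invalidates a token on logout. The list of expected headers is an assumption; the article does not say which headers were missing.

```python
"""Checks for the web-application weaknesses named in the article.

Example code added for illustration; not IOActive's tooling. Every
response shown here is constructed, not captured from a real vendor.
"""
import secrets

# Headers a defender expects on an authenticated web application's
# responses. This list is an assumption; the article names no header.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}


def audit_set_cookie(header_value):
    """Return (cookie_name, missing_attributes) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "secure" not in attrs:            # cookie may be sent over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:          # cookie readable by page scripts
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")  # cross-site request exposure
    return name, missing


def audit_response(headers):
    """headers: list of (name, value) pairs exactly as the server sent them.

    Returns the expected security headers that are absent and, per cookie,
    the protective attributes it lacks.
    """
    present = {name.lower() for name, _ in headers}
    missing_headers = sorted(EXPECTED_HEADERS - present)
    cookie_findings = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, missing = audit_set_cookie(value)
            if missing:
                cookie_findings[cookie] = missing
    return {"missing_headers": missing_headers, "cookies": cookie_findings}


class SessionStore:
    """Server-side session table that forgets a token on logout.

    The finding "sessions valid server-side after logout" means the token
    still works after the client called logout; the fix is to delete it
    here, not merely to clear the cookie in the browser.
    """

    def __init__(self):
        self._active = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._active[token] = user
        return token

    def logout(self, token):
        self._active.pop(token, None)

    def is_valid(self, token):
        return token in self._active


# Constructed sample responses: one with the weaknesses, one hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def demo():
    """Run both audits and a logout check; returns the results."""
    store = SessionStore()
    token = store.login("trader")
    valid_before = store.is_valid(token)
    store.logout(token)
    valid_after = store.is_valid(token)
    return {
        "weak": audit_response(WEAK_RESPONSE),
        "hardened": audit_response(HARDENED_RESPONSE),
        "token_valid_after_logout": valid_after and valid_before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the weak response flagged for all four headers and both cookies, the hardened one passing cleanly, and the session token rejected once logout has removed it server-side. In a real review the header list would be fed from a captured response rather than the constructed samples.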

Following up on similar research in 2017, Hernandez commented “it’s deeply concerning that some of the same vulnerabilities have still not been fixed”.

He found that usernames and passwords can easily be stolen from stock trading networks, with vulnerabilities including unencrypted authentication and communications, and remote Denial of Service (DoS) conditions that can leave applications useless.

“Imagine a stock trader in a coffee shop, using public Wi-Fi – an attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted,” explained Hernandez. “For example, the attacker could see the username and password of the trader’s account and later log in through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”

Jennifer Steffens, chief executive of IOActive, said the discovery of major flaws in stock trading technologies will hopefully be a wake-up call to the financial industry. “They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”

All of the vendors impacted by these stock trading vulnerabilities have been notified, although IOActive cannot confirm whether or not they are fixed yet.
