A Seattle based Cyber Security Company named IOActive has disclosed that some of the world’s top stock trading apps are filled with security flaws triggering a mobile security alert. The lists of the apps which are riddled with security flaws include TD Ameritrade, Charles Schwab, E-Trade, and fidelity.
Alejandro Hernandez, the senior security consultant working at IOActive found that unlike banking systems where info is centralized into a single financial entity, the global exchange markets work in a distributed way where records are not secured in a central repository. This includes records of what is being purchased, owned, to whom and all such derivates. Thus, hackers are attacking such environments in a different way where their efforts are being rewarded to full scale.
Hernandez discovered that trading apps are being operated by millions of global users to process billions of dollars in transactions every year. But the vendors who are offering these apps are not at all serious when it comes to a security issue.
To prove this point, Alejandro tested 14 security controls on the world’s top trading apps and found that more than 19 of 21 apps exposed user passwords in clear texts and without encryption protections in place. So, this could easily allow hackers to access a user’s device and login to steal their money.
The security consultant disclosed that many of his tests carried out on apps reciprocated high failure rate. This includes privacy mode (95%), SSL certificate validation (62%), secure data storage (67%), root detection (95%), sensitive data in logging console (62%) and hard codes secrets in code (62%).
Coming to apps which hold insecure communication, Hernandez found that 2 apps were using unencrypted HTTP channels to transmit and receive all data, and 13 of 19 were using HTTPS which doesn’t check the authenticity of the remote endpoint by verifying an SSL certificate. Therefore, in such situations, hackers can perform Man in the Middle (MITM) cyber attacks to either tamper data or conduct espionage.
Finally, the security expert turned consultant wants to conclude that regulators must start doing more to encourage brokers to implement security strategies for a better trading environment. And if they choose to still neglect, then it can spell a doom for their business on a long run.
