Is it safer trade

Interview: How secure are trading apps?

An interview with security researcher Alejandro Hernández, about security gaps in online trading platforms and the associated security and data protection risks for their users.

Lately there has been a lot of coverage of how the corona pandemic has influenced and changed many areas of our lives. To a certain extent, it has also given us a glimpse into the future, opened up new opportunities and accelerated numerous developments. A notable example is the increased use of digital banking and payment services. Electronic trading platforms, where you can get rich or go bankrupt in no time at all, are no exception.

Leaving other possible concerns aside, the increased use of trading apps will certainly bring cybersecurity to the fore. It is obvious that online traders are exposed to a number of cyber threats, such as fake apps, phishing attacks or exploits against trading venues.

In 2017 and 2018, Alejandro Hernández, security consultant at IOActive, scrutinized such trading platforms. He examined the security of 16 desktop applications, 34 mobile apps and 30 websites from a total of 40 popular trading platforms. More than two years have passed since then, so we turned to Alejandro to talk about the current level of security of trading apps.

Interview with security researcher Alejandro Hernández

Welcome Alejandro! What were your research interests when you started looking at trading app security?

Thanks for the invitation! Well, I'm very versatile when it comes to security research. I've been into a variety of things so far, including code reviews, Open Source Intelligence (OSINT), and disassembling remote control apps for cars. In the past few years I've focused more on fintech technologies, especially trading apps for stock trading.

What made you interested in e-trading apps?

This is mainly because I have been trading securities for a number of years. So I was curious to see how secure these technologies are. I assumed they were super secure, but that soon turned out to be wrong. This is how we feel in general about many of the technologies that we use. We think they're secure until a security researcher tells us how insecure they actually are.

That sounds unsettling. Should users worry about trading platforms putting their money or data at risk of theft?

Not really, to be honest. In my observations, the platforms themselves are not so insecure that an attacker can easily steal money from users' accounts. It's really not as easy as in the movies.

On the other hand, many platforms are not as secure as banking apps. For example, I was able to access unencrypted trading data on roughly half of the trading apps. This means that if an attacker has access to your laptop's file system via malware, for example, they can easily read such data. When it comes to mobile apps, modern mobile operating systems encrypt data by default. However, if someone steals your phone and can access the unlocked phone, they can steal that data too. The same applies to computers or unencrypted backups.

You've looked at 16 desktop programs, 34 smartphone apps and 30 websites, including some from market leaders, and tested them on a variety of operating systems and devices. Your tests were very extensive. Did you have a gut feeling that you would come across a "gold mine"?

Before I started taking the apps apart, I felt I was more likely to find bugs in small apps. However, I was wrong, because I found "interesting things" in the apps of some of the largest brokers. Thanks to a strict, checklist-based approach, I was able to ensure that all controls in every app were tested.

In your study you mentioned that desktop applications offer a larger attack surface due to their extensive range of functions. Nowadays, however, more and more people are using mobile apps and the app functions are becoming more extensive. Do you think that this will mean that the risks will be more evenly distributed in the future? Are people perhaps less cautious about trading on mobile platforms?

I don't have any numbers regarding the number of users switching from desktop to mobile. The good news, however, is that, in my opinion, modern mobile operating systems are pretty secure these days. It is more difficult to attack a mobile device than a typical Windows computer. Mobile trading apps have improved a lot over the years. I see updates to e-trading apps in the app stores very often, including security updates.

On the other hand, I haven't heard of any security issues on desktop platforms in the past few years. Only availability issues, but those affect both desktop and mobile devices.

The results of your research were even more serious than those of a comprehensive review of mobile banking apps in 2015. To what extent?

Absolutely, the trading apps are much more insecure than banking apps. Nowadays, most banking apps recommend activating FaceID or TouchID and two-factor authentication as soon as you install and open the apps for the first time. That doesn't happen with trading apps. I'm pretty sure there are more banking apps behind the scenes that encrypt all communications than trading apps that only partially do it. The same applies to stored data.

Why do you think that is the case?

One of the main reasons I believe that banking apps are more secure is because they are mainstream and used by people of all ages. Therefore, they are extensively audited by many parties including internal auditors, external compliance auditors, and internal and external security auditors.

How did the trading platforms react to your results? Have they since fixed the shortcomings and would you say trading platforms are generally more secure now than they were in 2017/2018?

The largest trading platforms were very quick to respond to the security recommendations we sent them. I think that's because they are more committed to protecting their customers and have bigger budgets for cybersecurity.

Two years later, more security controls have been implemented on trading platforms, including stricter password policies, two-factor authentication and many opt-in notifications about operations in the apps, such as valid / invalid login attempts, buy or sell orders, withdrawals / deposits of money, etc. That means that trading platforms are more secure now than they were two years ago.

That sounds encouraging. Even so, people shouldn't take security lightly. What would be the typical attack methods for criminals trying to access trader accounts?

Since most traders do not activate two-factor authentication, even if this option is available, attackers can guess the passwords or crack them using a brute force attack. They can gain access to accounts, trade stocks and transfer money to bank accounts controlled by attackers.

Recently there have been reports of some Robinhood accounts being looted. I think that was because the victims were reusing their passwords across multiple accounts and not using two-factor authentication.

This actually brings us to another important point - what can the average trader do for their own security?

Last year I did a webinar that also included tips on how to trade securely. In short, this is what people should do:

  • Enable two-factor authentication (2FA) for critical operations such as linking new bank accounts
  • Enable FaceID / TouchID in mobile apps for authentication
  • Avoid public Wi-Fi networks
  • Use a different password than the one for email and banking apps. Make sure the password is strong
  • Enable automatic logout after a certain period of idle time
  • Enable email / SMS notifications

Let's look at best practices for secure programming. It is said that no software is free from security vulnerabilities. How can developers reduce the likelihood that their apps contain serious security vulnerabilities?

Interestingly, I've found that trading applications developed by renowned financial institutions are less secure than banking applications developed by developers within the same company. I think that's because there is a lack of communication between the development teams. In my opinion, cybersecurity staff need to bring these teams together to improve the security of the products. This includes exchanging experiences and tips for secure coding, testing each other's software, and so on.

In addition, trading technologies are in part developed by people with a strong financial background. However, there is a visible lack of training in secure coding.

What can other stakeholders, such as the financial industry and regulators, do to reduce traders' cybersecurity risks?

In any case, supervisory authorities and rating organizations should also be involved. There are websites popular among traders that rate apps and providers for ease of use, fees, customer service, etc. They should also consider the security of the apps.

Regulators should also give fintech companies guidance on how to develop secure technologies and define minimum requirements that trading platforms must meet. In the long term, I think they should play a more active role in examining the platforms' operations, e.g. when checking compliance with legal regulations, just as with PCI DSS (Payment Card Industry Data Security Standard).

Thank you for the interview, Alejandro.