
IOACTIVE WARNS OF VULNERABILITIES IN 21 MOST POPULAR MOBILE TRADING APPS: HACKERS ABLE TO TRADE USERS’ STOCKS, STEAL MONEY AND ACCESS DATA

IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications. The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.

The tests, conducted by IOActive senior security consultant Alejandro Hernandez, were outlined in a blog post published today. Key findings include:

  • 19 percent of apps expose user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money
  • 62 percent send sensitive data to log files and 67 percent store it unencrypted, allowing attackers with physical access to gain insight into a user’s net worth, investment strategy and balances
  • Two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate – making it possible to perform man-in-the-middle attacks to eavesdrop on and tamper with the app data via public Wi-Fi hotspots
  • Three quarters (76 percent) of apps support fingerprint-reading as a security measure, which means they can be used by anyone who has their fingerprint registered to the device, e.g. children or a spouse

“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it,” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”

In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.

“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.”

IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher-risk vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.