Lack of encryption and sessions that don’t end automatically leave user accounts exposed
Users of online stock-trading platforms may want to be careful: data related to their investment accounts may not be as secure as they think.
In a recent investigation of 40 major US-based online trading platforms, IOActive security consultant Alejandro Hernández has found that nearly all had at least some form of vulnerability, reported Wired. All in all, he looked at 16 desktop applications, 34 mobile apps, and 30 websites.
More than half of the desktop applications he examined transmitted at least some sensitive data such as account balances, portfolios, and personal information unencrypted. That means malicious actors using the same Wi-Fi network as a trader could intercept and alter that information with a “man in the middle” attack.
Password protection was a concern in several mobile apps and a handful of desktop applications, which were found to store passwords locally without encryption or to write them to logs in plain text. An attacker who gains physical or malware-mediated access to the device could steal the password; from there, transferring funds to the bank account of their choice wouldn’t be so difficult. Most of the web platforms Hernández studied offered two-factor authentication, but didn’t enable it by default.
He found a more specific problem on web platforms of companies like Charles Schwab: logging out of a session didn’t automatically end the session on the server side. That’s a concern for users who click on a malicious link while logged into their account, and try to log out upon realizing they’re compromised. If the session stays active on the server side — which Hernández found could last for a few hours in some cases — an attacker with the session ID could continue with his plans.
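To make the logout defect concrete, here is an added example (written for this article, not code from IOActive or any trading platform) that contrasts a client-only logout with a server-side invalidation, assuming a constructed in-memory session store and an injectable clock:

```python
import secrets
import time

# Constructed in-memory session store for illustration. A client-only logout
# (clearing the browser cookie) leaves the server-side entry alive, so a session
# ID captured earlier keeps working until the server-side TTL runs out.
SESSION_TTL_SECONDS = 3 * 60 * 60  # a few hours, the window the research describes


class SessionStore:
    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}  # session_id -> (user, expires_at)
        self._ttl = ttl
        self._clock = clock

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable ID, never derived from user data
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def is_valid(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        _user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]  # lazy expiry on next use
            return False
        return True

    def logout_client_only(self, sid):
        # Weak pattern: the browser drops its cookie, the server changes nothing.
        return None

    def logout(self, sid):
        # Correct pattern: destroy the server-side entry so the ID is dead immediately.
        self._sessions.pop(sid, None)


def session_valid_after(seconds_after_logout, client_only_logout):
    """Is a session ID captured before logout still accepted N seconds after it?"""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    captured = store.login("trader")  # ID as it existed while the user was logged in
    if client_only_logout:
        store.logout_client_only(captured)
    else:
        store.logout(captured)
    now[0] += seconds_after_logout
    return store.is_valid(captured)
```

With the client-only logout the captured ID is still accepted a minute later and only dies when the TTL expires; with server-side invalidation it is rejected immediately.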
Some trading platforms also allow users to create their own automated trading assistants through proprietary programming languages, which can then be passed around in online trading communities. But because the programming languages are based on common ones like C++ and Pascal, explained Wired, it would be fairly simple for a malicious programmer to create a backdoor or other piece of malware and pass it on to others, using a seemingly helpful trade plugin as a Trojan horse.
“Desktop applications are the entire package,” Hernández said. “They’re more susceptible to vulnerabilities, because they implement more features, and the attack surface is bigger.”