Trading apps vulnerable to hacking, report says

Stock trading platforms such as AvaTrade and IQOption are failing to secure sensitive data including passwords, according to a report exposing significant vulnerabilities in their software.

Cyber security company IOActive discovered that many desktop, web and mobile apps used to trade stocks were often far less secure than retail banking apps, opening the way for cyber criminals to intercept data and communications. IOActive examined 16 desktop applications, 34 mobile apps and 30 websites in the past year.

Alejandro Hernandez, senior security consultant at IOActive, plans to reveal the flaws in a presentation at the Black Hat cyber security conference in Las Vegas this week. He said the research has only uncovered the “tip of the iceberg” in terms of trading apps’ vulnerabilities.

“If this was in banking apps, it would be unacceptable,” he said, comparing the level of security to that found in retail banking apps six to eight years ago.

IOActive found that passwords were stored unencrypted in about a fifth of the desktop and mobile apps including AvaTrade, IQOption, and Markets.com. Once armed with a password, a hacker could do anything that an ordinary user would be able to.

In a quarter of all cases, users were not able to use the safeguard of a second factor authentication — such as a text message code.

Almost two-thirds of desktop apps, including those from Charles Schwab and Interactive Brokers, only partially encrypted communications. Interactive Brokers said an update of its software in May 2018 meant all sensitive information was encrypted by default. Customers have always had the opportunity to encrypt all traffic and encryption was enforced by default in markets where regulation required it, the company said.

Some 13 desktop and mobile apps stored trading-related data unencrypted, including TD Ameritrade’s app and its Thinkorswim platform and Robinhood’s mobile app, according to IOActive. TD Ameritrade said it had made progress in addressing the issues noted in the report, while Robinhood said it used “developer platform best practices” to store select trading-related data on mobile devices for faster load times.

Hackers could exploit these vulnerabilities to mount three kinds of attack: theft, including on some apps being able to transfer the balance into a new bank account, espionage, by stealing details about a trading strategy or a users’ net worth, and to cause chaos on a wider scale by tampering with the stock prices the app shows.

To intercept data, hackers would have to be on the same network, for example, within a company or on a public WiFi network. But they could first use malicious software to enter a network from afar.

The brokers said cyber security was a high priority. Avatrade said it would examine the report’s findings to ensure that customers were well protected, in addition to its regular security inspections and tests. Interactive Brokers said it was “one of the most advanced brokers on the technology front” in terms of security. IQOption said it complied with all cyber security standards. Markets.com did not comment.

Most of the large brokers had better security than smaller operations, IOActive found. TDAmeritrade, Charles Schwab and Robinhood were among the platforms the researchers found to be the most secure.

Charles Schwab said it viewed all feedback as “positive” and used it to review its security measures. “Our multi-layered applications are continuously tested and regularly updated to meet the demands of a constantly evolving security landscape — all in an effort to provide a secure experience for our clients,” it said.