Anyone can take part in trading on the financial markets: it is enough to visit a brokerage company's website or install an application on a phone. On investing.com one can find a list of more than 700 trading applications, that is, trading terminals that let you buy and sell stocks, bonds, futures, currencies, and other assets.
When choosing a trading platform, traders are guided primarily by the functionality that makes their work easier. For example, built-in market analysis tools and expert recommendations help them build their own trading strategy, while automated trading lets deals be opened and closed without the trader's direct involvement. Few people, however, think about the security of these applications. If an attacker gains access to any of these functions, say, by changing the parameters for automatic closing of deals, the trader will suffer losses. In addition, a lot of confidential information is stored in users' personal accounts: data about current and planned transactions, transaction history, and the funds available on the balance.
When working with a terminal, traders must be sure that their information is reliably protected, that they receive accurate information about the market situation, and that no one can interfere with the trading process. Do trading apps meet these requirements? To answer this question, experts from Positive Technologies analyzed the trading platforms of six vendors that are popular not only among private traders but also among banks, investment funds, and other organizations involved in exchange trading. Together, these platforms comprised 11 mobile applications (for Android and iOS), four web applications, and three desktop versions. The research covered the client side of the applications.
The conclusions drawn may not reflect the current state of security of information systems in other organizations. The analysis was conducted to draw the attention of information security specialists in the financial industry to the most pressing problems and to help them identify and eliminate vulnerabilities in a timely manner.
Existing threats
Vulnerabilities were found in every application studied, with 72% of applications containing at least one critical vulnerability. In every case, the security flaws made attacks on users possible.
The following threats pose the greatest danger to traders:
- performing transactions on behalf of a user;
- stealing credentials used to log in to the application;
- misleading the user (spoofing the prices displayed).
Thirty-three percent of the applications (in four of the six trading platforms examined) have vulnerabilities that allow financial transactions to be conducted on behalf of other users. Such attacks can move market prices in the attacker's favor.
Here is an example. Suppose an attacker has bought shares of a company, but their price is not rising, or is rising too slowly. He needs to create demand artificially: if other investors started actively buying the shares, the price would go up. Since waiting for such a moment can take a long time, the attacker places the buy orders himself, on behalf of other participants, and then sells his own shares at the inflated price. In the same way, an attacker can manipulate exchange rates if the attack affects large players or a large number of users.
In 61% of cases, an attacker can gain control over a user's personal account. Weaknesses in the mobile and desktop versions of the platforms allow an attacker to obtain someone else's credentials and log in to the application if two-factor authentication is not used. When attacking the web application, an attacker can hijack a user's session and gain access to their personal account.
Vulnerabilities that let an attacker spoof the prices displayed to the user affect 17% of applications. As a result, the trader makes decisions based on fake data and enters loss-making trades.
There are two common attack scenarios:
- The trader uses the same device for the trading terminal and for browsing the web. An attacker has placed malicious JavaScript on one of the sites the trader visits; without any further action from the user, the script attacks the terminal and buys or sells assets. Antivirus software will not react, because the attack requires neither dropping a file on the user's computer nor executing commands in the OS. In a corporate environment, the network segment where trading takes place should be isolated, but in practice this is often not the case and traders have Internet access; our experts regularly find such segmentation weaknesses during internal penetration tests.
- The attacker is on the same network as the trader, for example when the trader connects over Wi-Fi or through equipment the attacker controls. The attacker can then intercept and modify the user's traffic.
An attack is also possible if the communication channel is insufficiently secured and traffic is intercepted on the ISP side, as recently happened to MyEtherWallet users.
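One concrete way the first scenario plays out is a terminal that exposes a local HTTP API for its own user interface: a page on any site the trader happens to visit can POST to that loopback port, and the request arrives with the trader's own privileges, with no file dropped and no OS command run. The Python example below is added here for illustration and is not code from the original research or from any of the vendors studied. It shows a minimal vulnerable handler beside a hardened one that checks the browser-supplied Origin header and requires a per-launch secret token known only to the legitimate UI. The /order path, the trusted origin, the token header name and the order format are assumptions.

```python
import hmac
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical terminal state: orders the local API has accepted (demo only).
ORDERS = []
# Generated once per launch and handed only to the terminal's own UI (assumption).
SESSION_TOKEN = secrets.token_urlsafe(32)
# Origin of the legitimate web UI (hypothetical). Browsers attach Origin to
# cross-site POSTs and a page cannot forge or suppress it.
TRUSTED_ORIGINS = {"https://terminal.example"}


def is_trusted_request(headers, expected_token=None):
    """Hardened check: if a browser set Origin it must be on the allow-list,
    and every request must carry the per-launch token (constant-time compare).
    A native UI sends no Origin at all, so only the token is required of it."""
    if expected_token is None:
        expected_token = SESSION_TOKEN
    origin = headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False
    token = headers.get("X-Session-Token", "")
    try:
        return hmac.compare_digest(token, expected_token)
    except TypeError:  # non-ASCII header value: treat as untrusted, not as a crash
        return False


class VulnerableHandler(BaseHTTPRequestHandler):
    """Places whatever arrives on POST /order: a page on any site the trader
    visits can submit orders without any user interaction."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        order = json.loads(self.rfile.read(length))
        ORDERS.append(order)
        self._reply(200, {"status": "placed", "order": order})

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Same API, but refuses requests that fail is_trusted_request()."""

    def do_POST(self):
        if not is_trusted_request(self.headers):
            self._reply(403, {"status": "rejected"})
            return
        super().do_POST()


def post_order(port, headers, order):
    """Send one POST /order the way a malicious page (or the real UI) would."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/order", body=json.dumps(order), headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def demo():
    """Run both handlers on loopback and report the HTTP status each returns."""
    results = {}
    # text/plain keeps the cross-site POST a "simple request": no CORS preflight.
    evil = {"Origin": "https://evil.example", "Content-Type": "text/plain"}
    legit = {"Origin": "https://terminal.example", "X-Session-Token": SESSION_TOKEN}
    order = {"symbol": "ACME", "side": "sell", "qty": 1000}  # constructed order
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        results[name + "_cross_site"] = post_order(port, evil, order)
        results[name + "_legit_ui"] = post_order(port, legit, order)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # vulnerable_cross_site: 200, hardened_cross_site: 403
```

Binding the API to 127.0.0.1 is no defence here, because the browser making the request sits on the same host. The custom token header also forces browsers to send a CORS preflight that the local API never approves, but the server-side checks should not rely on that: the Origin allow-list and the token are what stop the cross-site POST even from a client that ignores CORS.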
Control over the trader's computer
Two of the analyzed applications contained dangerous vulnerabilities that allowed arbitrary commands to be executed on the user's computer. In this way an intruder could access sensitive information stored on the workstation and even take full control of it. One of these applications checks for updates at launch. The request to the server and the reply containing the update file are transmitted in clear text, so an attacker who can tamper with the server's reply can deliver malware instead of the new version.
Operations spoofing
By default, one of the applications transmits data in clear text, which an attacker on the same network as the victim can exploit. The attacker can intercept and modify the traffic: alter the trader's request and thereby execute an unwanted operation on the trader's behalf.
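Both the clear-text update channel and the clear-text trading traffic described above have the same root cause: the client either does not use TLS or uses it without verifying the server. The following Python example, added here and not taken from the research or from any vendor's code, shows the TLS client configuration a terminal should use next to the common anti-pattern that makes HTTPS equivalent to clear text, a download routine that refuses plain-HTTP URLs and downgrade redirects, and an integrity check that compares a downloaded update against a SHA-256 digest from a manifest fetched over the verified channel. The manifest layout, URLs and payload are constructed for the example; a production updater should additionally verify a code signature on the update rather than rely on the transport alone.

```python
import hashlib
import hmac
import ssl
import urllib.error
import urllib.request


def make_tls_context():
    """Context the terminal should use for every connection: CA-verified
    certificate, hostname check, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context():
    """The anti-pattern: any certificate, any name. Equivalent to clear text
    against an on-path attacker. Shown only for contrast; never ship this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """True only if certificates are verified, names are checked and TLS < 1.2 is refused."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows https -> http redirects by default; refuse the downgrade."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not newurl.lower().startswith("https://"):
            raise urllib.error.HTTPError(newurl, code, "downgrade redirect refused", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, ctx=None):
    """Download a resource over verified TLS only. urlopen silently ignores the
    SSL context for http:// URLs, so the scheme must be checked explicitly."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    opener = urllib.request.build_opener(
        HttpsOnlyRedirect, urllib.request.HTTPSHandler(context=ctx or make_tls_context()))
    with opener.open(url, timeout=30) as resp:
        return resp.read()


def verify_update(payload, manifest, version):
    """Accept the update only if its SHA-256 matches the manifest entry. The
    manifest must itself arrive over the verified channel (or be signed); a
    digest served next to the file in clear text proves nothing."""
    entry = manifest.get("releases", {}).get(version)
    if entry is None:
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), entry["sha256"])


def download_update(version, manifest, fetch_fn=fetch):
    """Fetch the update named in the manifest and refuse to hand it to the
    installer unless the digest matches."""
    entry = manifest["releases"][version]
    payload = fetch_fn(entry["url"])
    if not verify_update(payload, manifest, version):
        raise RuntimeError("update %s failed integrity check; not installing" % version)
    return payload


# Constructed sample data: a fake update blob and the manifest an updater would
# fetch (over verified TLS) before downloading it. Not a real release.
SAMPLE_PAYLOAD = b"constructed update payload, not a real installer"
SAMPLE_MANIFEST = {
    "releases": {
        "2.0.1": {
            "url": "https://updates.example/terminal-2.0.1.exe",  # hypothetical
            "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
        }
    }
}

if __name__ == "__main__":
    # Offline run: substitute a fetch function that returns the sample blob,
    # then one that returns a tampered blob, as an on-path attacker would.
    print(download_update("2.0.1", SAMPLE_MANIFEST, fetch_fn=lambda u: SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)
    try:
        download_update("2.0.1", SAMPLE_MANIFEST, fetch_fn=lambda u: SAMPLE_PAYLOAD + b"\x90")
    except RuntimeError as e:
        print(e)
```

The scheme check in fetch() matters because a single http:// URL in a config file, or a redirect to one, reintroduces the clear-text update channel described above without any TLS error being raised.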
Misrepresentation
The vulnerabilities found could have been used to change the prices shown in the terminal, forcing the trader to reconsider a decision to buy or sell certain assets.
During the research, our experts managed to fake a Japanese candlestick chart, an interval chart that shows how quotes changed over a period of time. The trader uses this chart to judge how the price is moving and to decide on further transactions. Price information comes from the broker's server and is written to a local database, and the application then draws the chart from those stored values. If the contents of the database are tampered with, the screen shows whatever candlesticks the attacker wants.
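The chart is only as trustworthy as the cache it is drawn from. One way to close the gap described above is to authenticate each candle when it is written from the broker feed and to verify it again before it is plotted, so that a row edited in the database file is detected instead of displayed. The Python example below is added here for illustration and is not the research team's or any vendor's code. It assumes an SQLite cache, a per-installation MAC key that the application keeps in the platform's secure storage rather than in the database (the key is passed in as a parameter; the storage mechanism is outside the example), and constructed sample candles. This raises the bar against tampering with the cache file; malware running with the application's own privileges can still misuse the key, so a detected mismatch should trigger a re-sync from the broker over TLS rather than be treated as the only line of defence.

```python
import hashlib
import hmac
import sqlite3
import struct
from typing import NamedTuple


class Candle(NamedTuple):
    symbol: str
    ts: int        # interval start, Unix seconds
    open: float
    high: float
    low: float
    close: float
    volume: float


class TamperedDataError(Exception):
    """Raised when a cached candle no longer matches its MAC."""


def candle_mac(key, c):
    """HMAC-SHA256 over a fixed-width encoding of the candle, so that no two
    distinct candles can produce the same message."""
    msg = c.symbol.encode() + b"\x00" + struct.pack("<q5d", c.ts, c.open, c.high, c.low, c.close, c.volume)
    return hmac.new(key, msg, hashlib.sha256).digest()


def init_db(conn):
    conn.execute("""CREATE TABLE IF NOT EXISTS candles (
        symbol TEXT NOT NULL, ts INTEGER NOT NULL,
        open REAL, high REAL, low REAL, close REAL, volume REAL,
        mac BLOB NOT NULL, PRIMARY KEY (symbol, ts))""")


def store_candle(conn, key, c):
    """Called as each quote arrives from the broker over the (TLS) feed."""
    conn.execute("INSERT OR REPLACE INTO candles VALUES (?,?,?,?,?,?,?,?)",
                 (*c, candle_mac(key, c)))


def load_verified(conn, key, symbol):
    """What the chart code should read: verified candles, or an exception that
    makes the application discard the cache and re-sync from the broker."""
    rows = conn.execute(
        "SELECT symbol, ts, open, high, low, close, volume, mac "
        "FROM candles WHERE symbol = ? ORDER BY ts", (symbol,)).fetchall()
    out = []
    for row in rows:
        c = Candle(*row[:7])
        if not hmac.compare_digest(candle_mac(key, c), row[7]):
            raise TamperedDataError("%s@%d does not match its MAC" % (c.symbol, c.ts))
        out.append(c)
    return out


def tamper(conn, symbol, ts, fake_close):
    """Simulates an attacker with access to the cache file editing one row."""
    conn.execute("UPDATE candles SET close = ? WHERE symbol = ? AND ts = ?", (fake_close, symbol, ts))


# Constructed sample candles for a hypothetical ticker; not real market data.
SAMPLE_CANDLES = [
    Candle("ACME", 1_700_000_000, 10.0, 10.5, 9.8, 10.2, 1200.0),
    Candle("ACME", 1_700_000_060, 10.2, 10.4, 10.0, 10.1, 900.0),
    Candle("ACME", 1_700_000_120, 10.1, 10.9, 10.1, 10.8, 2100.0),
]


def demo(key=b"constructed-demo-key"):
    """Store the samples, read them back verified, then tamper with the last
    close to paint a bullish candle and show the read is rejected."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    for c in SAMPLE_CANDLES:
        store_candle(conn, key, c)
    closes_before = [c.close for c in load_verified(conn, key, "ACME")]
    tamper(conn, "ACME", 1_700_000_120, 25.0)
    try:
        load_verified(conn, key, "ACME")
        detected = False
    except TamperedDataError:
        detected = True
    return closes_before, detected


if __name__ == "__main__":
    print(demo())  # ([10.2, 10.1, 10.8], True)
```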
Credential theft
One of the applications transmits credentials without encryption. An attacker able to intercept the user's traffic can gain access to the user's personal account.
Identified vulnerabilities
The vulnerabilities found in the applications include the lack of encryption of transmitted data and the ability to execute arbitrary commands. To protect against some attacks aimed at arbitrary code execution, DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) are used. DEP prevents code from being executed from memory regions that should hold only data, and ASLR randomizes where the stack, heap, and loaded modules are placed in the address space. Together they make it much harder to exploit memory-corruption vulnerabilities that may be present in the code. Two of the applications were built without the compiler and linker flags that enable DEP and ASLR.
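Whether a Windows binary opted in to these mitigations can be read directly from its headers: DEP and ASLR correspond to the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics in the PE optional header, set by the /NXCOMPAT and /DYNAMICBASE linker options. The Python parser below is added here as an illustration of that check and is not part of the original research; it reads only the DOS, COFF and optional headers and also reports the caveat that DYNAMIC_BASE is meaningless when the relocation table was stripped, and that 64-bit images additionally need HIGH_ENTROPY_VA. The sample images it builds are constructed header-only stubs, not real executables.

```python
import struct
import sys

# Bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification).
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be relocated, enabling ASLR
NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit ASLR with full entropy
# Bit in IMAGE_FILE_HEADER.Characteristics.
RELOCS_STRIPPED = 0x0001  # no .reloc data: the loader cannot move the image


def pe_mitigations(data):
    """Parse the headers of a PE image and report its mitigation flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symp, _nsym, _optsize, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    pe32plus = magic == 0x20B
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": pe32plus,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        "relocs_stripped": relocs_stripped,
        "aslr": aslr_flag and not relocs_stripped,  # flag alone is not enough
        "high_entropy_va": pe32plus and bool(dll_chars & HIGH_ENTROPY_VA),
    }


def missing_mitigations(data):
    """Human-readable list of what the image lacks; empty means all present."""
    m = pe_mitigations(data)
    missing = []
    if not m["dep"]:
        missing.append("DEP (/NXCOMPAT)")
    if m["aslr_flag"] and m["relocs_stripped"]:
        missing.append("ASLR (/DYNAMICBASE set but relocations stripped)")
    elif not m["aslr_flag"]:
        missing.append("ASLR (/DYNAMICBASE)")
    if m["pe32plus"] and not m["high_entropy_va"]:
        missing.append("64-bit high-entropy ASLR (/HIGHENTROPYVA)")
    return missing


def make_test_pe(dll_chars, file_chars=0, pe32plus=False):
    """Constructed minimal PE header (not a loadable binary) for exercising the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C   # AMD64 or I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py terminal.exe [more.dll ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            gaps = missing_mitigations(f.read())
        print(path, "OK" if not gaps else "MISSING: " + ", ".join(gaps))
```

The same information is shown by `dumpbin /headers` under "DLL characteristics"; for ELF binaries the equivalent checks are an e_type of ET_DYN for position-independent code and a PT_GNU_STACK segment without the execute flag, which `readelf -h` and `readelf -l` report.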
Mobile apps
The study covered six Android apps and five iOS apps. Users of these apps were exposed to the following threats:
- performing actions on behalf of the user;
- credential theft;
- spoofing of price information;
- brute-forcing the app's PIN code;
- phishing attacks.
The identified vulnerabilities can be exploited if one of the following conditions is met:
- the attacker is on the same network as the user and can intercept traffic;
- the attacker has gained physical access to the device;
- the user's device is infected with malware (especially if root or jailbreak privileges are available).
Conclusion
The results of the study show that popular trading terminals are not immune to cybercriminals. Cyber-attacks can affect a large number of users, from private traders to large organizations such as banks, international trading corporations, and financial and investment institutions; they can cause turmoil on exchanges and lead to financial losses.
When choosing a trading platform, traders should pay attention not only to its functionality but also to its security. Otherwise the trader risks discovering that unauthorized persons are making transactions on his behalf and that the real situation on the market does not match what he sees on the screen. Only current versions of applications should be used, and vendor updates should be installed promptly.
Private traders who use trading platforms on their personal devices need first of all to protect those devices: use antivirus tools and do not download applications from untrusted sources. Mobile versions of the applications should not be installed on rooted or jailbroken devices. To prevent unauthorized access to your personal account, use two-factor authentication if the application supports it. When working with the trading terminal, do not connect to unsecured networks such as public Wi-Fi access points, because data transmitted over them can be intercepted by an attacker. It is also important to keep social engineering in mind: do not follow links to suspicious resources, be wary of sites with invalid certificates, enter credentials for personal accounts on web resources with care, and check all attachments received by email.
In corporate systems, a separate network segment should be allocated for the trading terminals and protected accordingly. However, effective protection is possible only if a high level of infrastructure security is maintained overall, so that an intruder who penetrates the user segment of the network one way or another cannot develop the attack and reach critical resources. This requires following the basic recommendations for an acceptable level of corporate information security, and in particular training employees in information security rules. Effective antivirus tools should be used to protect endpoints, along with technical solutions for the timely detection of suspicious activity in the network (SIEM systems). Regular external and internal penetration tests are important to identify potential attack vectors and to evaluate the effectiveness of the protective measures in place.
Developers need to take a more thorough approach to information security to protect personal data and their customers' money. Regular security testing of applications is recommended; the most effective method is white-box testing, that is, analysis of the source code. Implementing a secure software development lifecycle (SSDL) avoids many errors already at the design stage, and analyzing code as it is written helps detect and eliminate vulnerabilities much faster. For web versions of trading platforms, it is additionally recommended to use preventive measures such as a web application firewall (WAF), which detects and blocks known attacks on web applications and can detect exploitation of zero-day vulnerabilities.