Online Stock Trading Has Serious Security Holes

An analysis of dozens of trading platforms reveals a range of cybersecurity concerns across mobile, desktop, and the web.

It’s never been easier to trade stocks; just a few taps or clicks will do the trick. But most of the platforms that millions of market participants rely on to move their money suffer from cybersecurity shortcomings, new research warns. As if stocks weren’t risky enough already.

A new report from Alejandro Hernández, a security consultant at IOActive, found that nearly all of the 40 major online trading platforms he investigated had at least some form of vulnerability. While they range widely in severity and scope, the overall picture is of an industry that has not taken security measures proportional to the sensitive information involved. Hernández will present his research at the Black Hat security conference in Las Vegas on Thursday.

Hernández analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.

Well over half of the desktop applications Hernández examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted. That leaves traders vulnerable to a potential attack from someone on the same Wi-Fi network, who could observe that information and potentially intercept and alter it using a fairly straightforward man-in-the-middle attack.

Also troubling: Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text. With access to the device, either physical or through malware, an attacker could steal that password, then use the newfound account access to, say, add a new bank account and transfer money to it. Two-factor authentication would prevent that scenario, but while most of the web platforms Hernández looked at offer it, they don’t enable it by default. That’s a shame, especially given how much sensitive information a desktop trading app, in particular, is privy to.

Lack of robust encryption seems endemic to the industry, but narrower issues show up as well. Hernández found that on the web platforms of companies like Charles Schwab and E-Trade, logging out didn’t immediately end the session on the server side. If you think of authentication as a handshake, in other words, the site leaves its arm extended after you’ve already walked away. If someone steals your session token, they could get in.

“There are hundreds of ways that an attacker could intercept your communication,” Hernández says. “The attacker could trick you to click on a malicious link that allows a man-in-the-middle attack, for example. Imagine the attacker has your session ID. If the authentic user realizes he was compromised, the user would log out.” Ideally, the server would end the session at that point, too, overwriting the ID and stopping any unauthorized snooping. But if the session doesn't immediately end on the server side—and Hernández found that some sessions stayed active for as long as a few hours—then the attacker is free to continue as he pleases.
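The logout gap described above, as an added sketch that is not from Hernández's report or any broker's code: a server-side session table in which one logout path only tells the browser to drop its cookie, while the other deletes the server's record. The class, the function names and the 15-minute timeout are assumptions made for illustration.

```python
import secrets
import time

ABSOLUTE_TIMEOUT = 15 * 60  # assumed policy: a session lives at most 15 minutes


class SessionStore:
    """Server-side session table: token -> (user, issued_at)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[token] = (user, self._clock())
        return token

    def authenticate(self, token):
        """Return the user for a live token, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if self._clock() - issued_at > ABSOLUTE_TIMEOUT:
            del self._sessions[token]  # expired: purge the server-side record
            return None
        return user

    def logout_client_only(self, token):
        """Weak pattern: expire the cookie in the browser, keep server state."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, token):
        """Hardened: delete the server record so the token is dead everywhere."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def replay_after_logout(hardened):
    """Present a copy of the session ID after the real user has logged out."""
    store = SessionStore()
    token = store.login("trader1")  # constructed sample user
    copied = token  # constructed scenario: a second party holds the same ID
    (store.logout if hardened else store.logout_client_only)(token)
    return store.authenticate(copied)
```

With the client-only logout the copied ID still authenticates as the user; with server-side deletion it does not, and the absolute timeout bounds how long any ID stays valid if the user never logs out.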

Another vulnerability Hernández emphasizes is, as they say, a feature, not a bug. Several trading platforms let users create their own bots through proprietary programming languages. Those plugins get passed around in online trading forums, a network of get-rich-quick bots that a user can import on a whim. The problem? Those programming languages are themselves based on common ones like C++ and Pascal, making it relatively simple for a malicious coder to hide a backdoor or other malware in what looks like a friendly, automated options-trading assistant.

The research builds on a specific look at mobile app security in trading spaces that Hernández released last fall. If anything, the problems he found on the web and on desktop applications are even more alarming, both in severity and scope.

“Desktop applications are the entire package,” Hernández says. “They’re more susceptible to vulnerabilities, because they implement more features, and the attack surface is bigger.”

This is also the first time Hernández is naming names; he previously let companies remain anonymous to give them adequate time to fix the issues. That process appears to be ongoing.

“Given that our approach to security is risk-based, findings that are truly impactful or relatively easy to exploit are fixed in an expedited fashion, while those with only minor impact or low exploitability factor are not as important to address right away, and some are of such low risk that in the interest of achieving the right balance between security, usability, and performance, we consciously decide not to address,” says Boris Kogan, chief information security officer at Interactive Brokers, which the IOActive report cites for issues across its web, desktop, and mobile offerings. Interactive Brokers did not disclose which specific issues it had fixed, citing security concerns, but did say that “all high-risk issues have been resolved.”

Other responses to WIRED were more cavalier. An inquiry via a web form at IQ Option, which Hernández found storing passwords unencrypted, yielded this response from support staff: “Rest assured your data is securely kept, and no misuse may happen.” Inquiries to several other trading platforms, large and small, went unanswered altogether.

That speaks to an issue Hernández encountered repeatedly. “Many brokers do not have a main point of contact to receive vulnerabilities in their products in general,” he says. “We used to send the vulnerabilities to a generic support@broker.com email address. In some cases they replied, but there were many contacts where we didn’t receive any answer.”

To that end, Hernández recommends sticking with large companies—the ones that have resources to invest in cybersecurity and respond to issues like the ones he found—to help minimize your vulnerability risks. He ranks TD Ameritrade, Charles Schwab, Merrill Edge, and Robinhood as especially adept, if not entirely free of issues.

“We view all feedback as positive and use it to review the measures we have in place to ensure our clients and their data remain secure,” Schwab spokesperson Peter Greenley says. “Our multilayered applications are continuously tested and regularly updated to meet the demands of a constantly evolving security landscape.”

Otherwise, safety tips for online trading apps look a lot like they do on every other corner of the web. Enable two-factor. Don’t reuse passwords. And for the love of Gordon Gekko, don’t buy a put on public Wi-Fi networks.

