Mobile trading apps and web platforms are much less secure than banking apps, according to a report from U.S. cybersecurity firm IOActive Inc., which found a variety of vulnerabilities in a series of recent tests.
Overall, the firm reports that its tests of the security of a variety of brokerage firms’ trading apps, carried out from mid-2017 to mid-2018, found brokers’ security measures to be much weaker than those of comparable banking apps. Among other things, it found weaknesses in encryption, in resistance to denial of service, and in authentication.
In particular, it found desktop and mobile apps that transmitted some data unencrypted, including passwords and certain personal information. It also found apps that stored passwords unencrypted on the device, where anyone with access to the file system, or to the app’s logs, could read them.
“In a hypothetical attack scenario,” the report says, “a malicious user could extract a password from the file system or the logging functionality without any in-depth know-how (it’s relatively easy), log in through the web-based trading platform from the brokerage firm, and perform unauthorized actions. They could sell stocks, transfer the money to a newly added bank account, and delete this bank account after the transfer is complete.”
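The scenario above is the standard local-storage check a tester runs against a mobile or desktop client: log in with a known password, then search everything the app wrote to disk for that value. The following is an added example, not IOActive’s code or any broker’s app; it models a naive client that logs the login payload and caches credentials in plaintext, beside a hardened client that redacts secrets from its log, persists only a session token in a mode-0600 file, and refuses a non-TLS endpoint. The data-directory layout, file names, the endpoint `https://trade.example.com` and the sample credential are all constructed for illustration.

```python
"""Reproduce the plaintext-credential leak described in the report and the
check a tester would run for it. Added example; app layout and names are
assumed for illustration, not taken from any real trading app."""
import json
import logging
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# Keys that should never appear beside an unredacted value in app output.
SECRET_KEY = re.compile(r'"?(password|passwd|pwd|secret)"?\s*[:=]', re.IGNORECASE)


def _issue_session_token() -> str:
    """Stand-in for the opaque token a broker's backend would return after login."""
    return secrets.token_hex(16)


class _RedactSecrets(logging.Filter):
    """Rewrites `password=...` / "password": "..." style values before they hit disk."""
    PATTERN = re.compile(r'(password|passwd|pwd|secret)(["\']?\s*[:=]\s*["\']?)([^"\'\s,}]+)',
                         re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()  # message is already formatted; prevent re-interpolation
        return True


class InsecureTradingClient:
    """Naive client: logs the raw login payload and caches the password on disk."""

    def __init__(self, data_dir: Path):
        self.data_dir = data_dir
        self.log = logging.getLogger(f"insecure.{id(self)}")
        self.log.setLevel(logging.DEBUG)
        self.log.addHandler(logging.FileHandler(data_dir / "app.log"))

    def login(self, username: str, password: str) -> str:
        payload = {"user": username, "password": password}
        self.log.debug("POST /login %s", json.dumps(payload))                  # leaks via log
        (self.data_dir / "credentials.json").write_text(json.dumps(payload))  # leaks via file system
        return _issue_session_token()


class HardenedTradingClient:
    """Redacts secrets from logs, never persists the password, keeps only a
    session token in an owner-only file, and requires a TLS endpoint."""

    def __init__(self, data_dir: Path, endpoint: str):
        if not endpoint.lower().startswith("https://"):
            raise ValueError(f"trading endpoint must use TLS: {endpoint!r}")
        self.endpoint = endpoint
        self.data_dir = data_dir
        self.log = logging.getLogger(f"hardened.{id(self)}")
        self.log.setLevel(logging.DEBUG)
        handler = logging.FileHandler(data_dir / "app.log")
        handler.addFilter(_RedactSecrets())
        self.log.addHandler(handler)

    def login(self, username: str, password: str) -> str:
        # Defence in depth: even a careless debug line is scrubbed by the filter.
        self.log.debug("POST %s/login user=%s password=%s", self.endpoint, username, password)
        token = _issue_session_token()
        token_file = self.data_dir / "session.token"
        token_file.write_text(token)
        os.chmod(token_file, stat.S_IRUSR | stat.S_IWUSR)  # 0600: no other local user can read it
        return token


def find_secret_leaks(data_dir: Path, secret: str) -> list:
    """The tester's check: grep every file the app wrote for the password value
    itself and for secret-looking keys that were not redacted."""
    hits = []
    for path in sorted(data_dir.rglob("*")):
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if secret in line:
                hits.append((path.name, lineno, "plaintext password"))
            elif SECRET_KEY.search(line) and "[REDACTED]" not in line:
                hits.append((path.name, lineno, "unredacted secret key"))
    return hits


def world_readable_files(data_dir: Path) -> list:
    """Files any other local user (or co-installed app on a rooted device) could read."""
    return [p.name for p in sorted(data_dir.rglob("*"))
            if p.is_file() and p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH)]


def demo() -> dict:
    """Run both clients in fresh temp dirs and return the scanner's findings per client."""
    password = "Tr4de-Pa$$w0rd!"  # constructed sample credential
    results = {}
    insecure_dir = Path(tempfile.mkdtemp(prefix="insecure-"))
    InsecureTradingClient(insecure_dir).login("alice", password)
    results["insecure"] = find_secret_leaks(insecure_dir, password)
    hardened_dir = Path(tempfile.mkdtemp(prefix="hardened-"))
    HardenedTradingClient(hardened_dir, "https://trade.example.com").login("alice", password)
    results["hardened"] = find_secret_leaks(hardened_dir, password)
    results["hardened_world_readable"] = world_readable_files(hardened_dir)
    return results


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

Against the insecure client the scanner reports the password twice, once in `app.log` and once in `credentials.json`; against the hardened client it reports nothing, and the only file left on disk is the token, readable by the app’s user alone. The same grep-after-login step, run against a real app’s sandbox and log output, is what turns the report’s hypothetical into a finding.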
The report concludes that there is “a long way to go” to improve the security of trading technologies. In the meantime, it recommends that investors enable any security mechanisms that their trading platforms offer, such as two-factor authentication, biometric authentication and automatic lockout/logout.
“Also, it’s recommended not to trade while connected to public networks and not to use the same password for other financial services.”
The firm also recommends that regulators “encourage brokers to implement safeguards for a better trading environment. They could also create trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software.”