With the advent of electronic trading platforms and networks, exchanging financial securities is now easier and faster than ever, but this comes with inherent risks. Nowadays it is not only the wealthy who can invest in the money markets: anyone with as little as $10 can start trading stocks from a mobile phone, a desktop application or a website.
The problem is that this area of the fintech industry has not been fully brought under the cybersecurity umbrella. We sometimes assume that a product is secure by its nature, for example technologies used to trade hundreds of billions per day, but security testing tells a different story.
In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leaves the applications useless; weak password policies; hardcoded secrets; poor session management; etc. Also, many of these applications lack countermeasures such as SSL certificate validation and root detection in mobile apps, a privacy mode to mask sensitive values, and anti-exploitation and anti-reversing mitigations.
Moreover, the risk of social trading will be discussed, as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard for non-tech-savvy traders to spot.
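One of the missing countermeasures named above, SSL certificate validation, is easy to check for on the client side. The following is an added example written for this page, not code from the talk or from any of the platforms analysed: it builds the weak TLS client configuration (verification switched off) beside the hardened one, and an `audit_context` helper (a hypothetical name) that reports which protections a given client context is missing. The check runs entirely offline on Python's standard `ssl` module, so it can be dropped into a client's test suite to catch a regression where someone disables verification to silence a certificate error.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern seen in many trading clients: accept any certificate.

    check_hostname has to be cleared before verify_mode can be set to CERT_NONE.
    A man-in-the-middle can present any certificate and this client accepts it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: verify the chain against the system trust
    store, verify the hostname, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a client context; empty means it passes.

    Hypothetical helper: the findings are plain strings so they can be asserted
    on in a test or logged by a build step.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions permitted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or ['OK']}")
```

The same audit applies to any client that wraps a socket or HTTP library around an `SSLContext`; the point is that the context, not the server, decides whether a forged certificate is rejected, so it is the context that needs to be under test.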
The analysis encompassed the following platforms, which are some of the most used ones:
- 16 Desktop applications
- 29 Websites (7 focused on cryptocurrencies)
- 34 Mobile apps
Finally, the gap between the security of online banking and that of trading technologies will be clearly observed. There is still a long way to go to improve the security of the trading ecosystem, but the wheel has already been invented and common security countermeasures could be applied.
Alejandro Hernandez is a security consultant who has been involved in the scene for over 15 years. Nowadays, he works for the company IOActive, where he has had the chance to work with companies in different countries including Mexico, South Africa, Germany, China, the Netherlands, the United States, South Korea and England. As a research enthusiast, he has had the chance to present twice at Black Hat Arsenal: in 2011, DotDotPwn (a directory traversal fuzzer), and in 2014, Melkor (an ELF file format fuzzer). He has also been a speaker at other conferences such as DEF CON (Village) and BruCON (Belgium). Recently, he has been bridging cybersecurity with another subject he is interested in: money markets. Self-taught initially, he later took stock trading courses at the Mexican Stock Exchange (BMV) to gain an understanding of how today's digitally-ruled financial markets work.