Abstract - IOActive

Abstract

The advent of electronic trading platforms and networks has made exchanging financial securities easier and faster than ever, but this comes with inherent risks. Investing in money markets is no longer limited to the rich. With as little as $10, anyone can start trading stocks from a mobile phone, desktop application, or website.

This paper demonstrates vulnerabilities that affect numerous traders. Among them are unencrypted authentication, communications, passwords, and trading data; remote DoS that leaves applications useless; trading programming languages that allow DLL imports; insecurely implemented chatbots; weak password policies; hardcoded secrets; and poor session management. In addition, many applications lack countermeasures such as SSL certificate validation and root detection in mobile apps, privacy mode to mask sensitive values, and anti-exploitation and anti-reversing mitigations.

The risks associated with the trading programming languages implemented in some applications are also covered, including how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard for non-tech-savvy traders to spot.

2018 IOActive, Inc.

Contents

Disclaimer  4
Introduction  5
Scope  7
Results  10
Common Vulnerabilities  14
    Unencrypted Communications  14
    Passwords Stored Unencrypted  24
    Trading and Account Information Stored Unencrypted  30
    Authentication  39
        Weak Password Policies  40
        Automatic Logout/Lockout for Idle Sessions  42
        Privacy Mode  42
    Hardcoded Secrets in Code and App Obfuscation  44
    No Cybersecurity Guidance on Online Trading Threats  48
Desktop-specific Vulnerabilities  50
    Denial of Service  50
    Trading Programming Languages with DLL Import Capabilities  55
    Authentication Token as a URL Parameter to the Browser  56
    Lack of Anti-exploitation Mitigations  59
    Other Weaknesses  60
Mobile-specific Vulnerabilities  61
    SSL Certificate Validation  61
    Root Detection  62
    Other Weaknesses  63
Web-specific Vulnerabilities  64
    Session Still Valid After Logout  64
    Session Cookies without Security Attributes  66
    Lack of HTTP Security Headers  66
    Other Weaknesses  67
Statistics  69
Responsible Disclosure  70
Regulators and Rating Organizations  72
Further Research  73
Conclusions and Recommendations  76
Side Note  77
References  78
Appendix A: Code  79
    MetaTrader 5 Backdoor Disguised as an Ichimoku Indicator  79
    Thinkorswim Order Pop-up Attack  82
    Generic Port Stressor  83

Disclaimer

Most of the testing was performed using paper money (demo accounts) provided online by the brokerage houses. Only a few accounts were funded with real money for testing purposes. In the case of commercial platforms, the free trials provided by the brokers were used.

Only end-user applications and their direct servers were analyzed. Other backend protocols and related technologies used in exchanges and financial institutions were not tested.

This research is not about High Frequency Trading (HFT), blockchain, or how to get rich overnight.

Introduction

The days of open outcry on the trading floors of the NYSE, NASDAQ, and other stock exchanges around the globe are gone. With the advent of electronic trading platforms and networks, the exchange of financial securities is now easier and faster than ever, but this comes with inherent risks.

From the beginning, bad actors have also joined Wall Street's party, developing clever models for fraudulent gains. Their efforts have included everything from fictitious brokerage firms that ended up being Ponzi schemes[1] to organized cells performing Pump-and-Dump scams[2] (Pump: buy cheap shares and inflate the price through sketchy financials and misleading statements to the marketplace via spam, social media, and other technological means; Dump: once the price is high, sell the shares and collect a profit).

When it comes to security, it is worth noting how banking systems are organized when compared to global exchange markets. In banking systems, the information is centralized into one single financial entity; there is one point of failure rather than many, which makes them more vulnerable to cyberattacks.[3] In contrast, global exchange markets are distributed; records of who owns what, who sold/bought what, and to whom, are not stored in a single place, but in many. Like matter and energy, stocks and other securities cannot be created from the void (e.g. a modified database record within a financial entity). Once issued, they can only be exchanged from one entity to another. That said, the valuable information as well as the attack surface and vectors in trading environments are slightly different from those in banking systems.

[Figure: picture taken from http://business.nasdaq.com/list/]

Over the years, I have used the desktop and web platforms offered by banks in my country with limited visibility of available trade instruments. Today, accessing global capital markets is as easy as opening a Facebook account through online brokerage firms. This is how I gained access to a wider financial market, including US-listed companies. Anyone can buy and sell a wide range of financial instruments on the secondary market (e.g. stocks, ETFs, etc.), derivatives market (e.g. options, binary options, contracts for difference, etc.), forex markets, or the avant-garde cryptocurrency markets.

Most banks with investment solutions and brokerage houses offer trading platforms to operate in the market. These applications allow you to do things including, but not limited to:

- Fund your account via bank transfers or credit card
- Keep track of your available equity and buying power (cash and margin balances)
- Monitor your positions (securities you own) and their performance (profit)
- Monitor instruments or indexes
- Give buy/sell orders
- Create alerts or triggers to be executed when certain thresholds are reached
- Receive real-time news or video broadcasts
- Stay in touch with the trading community through social media and chats

Needless to say, whether you're a speculator, a very active intra-day trader, or simply someone who likes to follow long-term buy-and-hold strategies, every single item on the previous list must be kept secret and only known by and shown to its owner.

Last year, while using my trading app, I asked myself, "with the huge amount of money transacted in the money market, how secure are these platforms?" So, there I was, one minute later, starting this research to expose cybersecurity and privacy weaknesses in some of these technologies.

Scope

My analysis started mid-2017 and concluded in July 2018. It encompassed the following platforms; many of them are among the most used and well-known trading platforms, and some allow cryptocurrency trading:

- 16 Desktop applications
- 34 Mobile apps
- 30 Websites

These platforms are part of the trading solutions provided by the following brokers, which are used by tens of millions of traders. Some brokers offer all three types of platform; in some cases, however, only one or two were reviewed due to certain limitations:

- Ally Financial
- AvaTrade
- Binance
- Bitfinex
- Bitso
- Bittrex
- Bloomberg
- Capital One
- Charles Schwab
- Coinbase
- easyMarkets
- eSignal
- ETNA
- eToro
- E-TRADE
- ETX Capital
- ExpertOption
- Fidelity
- Firstrade
- FxPro
- GBMhomebroker
- Grupo BMV
- IC Markets
- Interactive Brokers
- IQ Option
- Kraken
- Markets.com
- Merrill Edge
- MetaTrader
- Money.Net
- NinjaTrader
- OANDA
- Personal Capital
- Plus500
- Poloniex
- Robinhood
- Scottrade
- TD Ameritrade
- TradeStation
- Yahoo! Finance

Devices used:

- Windows 7 (64-bit)
- Windows 10 Home Single (64-bit)
- iOS 10.3.3 (iPhone 6) [not jailbroken]
- iOS 10.4 (iPhone 6) [not jailbroken]
- Android 7.1.1 (Emulator) [rooted]

The following security controls/features were reviewed; they represent just the tip of the iceberg when compared to more exhaustive lists of security checks per platform. It is very important to mention that some of these tests could not be performed on certain platforms due to limitations such as not being able to create demo or real accounts, not being able to install the Android app in the emulator, apps performing SSL validation, and platforms not implementing the feature to be tested.

Desktop

- Two-factor authentication
- Encrypted communication
- Automatic logout/lockout for idle sessions
- Privacy mode
- Sensitive data in log files
- Secure data storage
- Software vulnerabilities
- Hardcoded secrets in the application
- Anti-exploitation mitigations
- Anti-reverse engineering

Mobile

- Biometric authentication
- Automatic logout/lockout for idle sessions
- Privacy mode
- Encrypted communication
- SSL certificate validation
- Session management
- Client-side data validation
- Sensitive data in logging console
- Secure data storage
- Root detection
- App obfuscation
- Hardcoded secrets in code

Web

- Two-factor authentication
- Weak password policy
- Encrypted communication
- Automatic logout/lockout for idle sessions
- Security attributes in session cookies
- Session valid after logout
- Sensitive data in URL
- Insecure site redirect
- Cross-site Scripting (XSS) [GET]
- Cross-site Request Forgery (CSRF) [GET]
- Clickjacking
- Security headers
- Infrastructure vulnerabilities
- Cybersecurity guidance
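Two of the web checks listed above, "Security attributes in session cookies" and "Security headers" (which also covers the Clickjacking defence), can be automated against a captured HTTP response. The following is an added example written for this page, not code from the IOActive paper; it parses a raw response, flags a session cookie that lacks Secure, HttpOnly or a Lax/Strict SameSite value, and flags missing HSTS, X-Content-Type-Options and Content-Security-Policy as well as a page that can be framed. The two sample responses and the cookie name SESSIONID are constructed for the example and are not taken from any tested platform.

```python
# Added example: offline checker for session-cookie attributes and HTTP security
# headers. Everything here is constructed for illustration; nothing is taken from
# the platforms reviewed in the paper.

# Header name (lower-case) -> finding reported when the header is absent.
HEADER_CHECKS = {
    "strict-transport-security": "no Strict-Transport-Security: browser can be downgraded to HTTP",
    "x-content-type-options": "no X-Content-Type-Options: nosniff",
    "content-security-policy": "no Content-Security-Policy",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...]).

    Header names are lower-cased; the body after the blank line is ignored.
    Repeated headers (e.g. several Set-Cookie lines) are kept as separate tuples.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lower: attribute_value}) for one Set-Cookie value.
    Flag attributes such as Secure or HttpOnly map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers):
    """Findings for every cookie the response sets."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly (readable by XSS payloads)")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cookie}: SameSite not Lax/Strict (cross-site requests carry it)")
    return findings


def audit_headers(headers):
    """Findings for missing security headers, including the clickjacking defence."""
    present = {name: value for name, value in headers}
    findings = [problem for name, problem in HEADER_CHECKS.items() if name not in present]
    # Framing must be restricted by X-Frame-Options or a CSP frame-ancestors directive.
    xfo = present.get("x-frame-options", "").upper()
    csp = present.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing not restricted (no X-Frame-Options / frame-ancestors): clickjacking")
    return findings


def audit(raw):
    """Full audit of one raw response; returns a list of findings (empty means all checks passed)."""
    _, headers = parse_response(raw)
    return audit_cookies(headers) + audit_headers(headers)


# Constructed sample: a login response that sets a bare session cookie and no security headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=a1b2c3; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with the attributes and headers a hardened site sends.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no findings")
```

Against the weak sample the checker reports seven findings (three cookie attributes, three missing headers, and the framing issue); against the hardened one it reports none. In a real engagement the raw response would come from a proxy capture of the post-login page, since that is where the session cookie is issued.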

Results

Unfortunately, the results proved to be much worse than those for applications in retail banking. For example, mobile apps for trading are less secure than the personal banking apps
