Security vulnerabilities in stock trading apps could allow hackers to steal money, researchers have warned.
After testing 16 desktop applications, 30 websites, and 34 mobile apps, “major vulnerabilities” were identified which could give criminals opportunities to conduct financial espionage or take funds.
Alejandro Hernandez, from the cyber security company IOActive, found that hackers could “access a user’s personal banking information through desktop and web applications” as well as “steal money and gain insights into net worth and investment strategies”.
The warning, issued at hacking conference Black Hat, follows initial research which was published by Mr Hernandez.
He said: “It’s deeply concerning that some of the same vulnerabilities have still not been fixed.”
Major trading platforms operated by international financial organisations such as Bloomberg and Capital One are “the most secure”, the research suggests.
However, other platforms are so insecure that the researchers declined to name them for fear that criminals would immediately begin to target users.
Among the most significant issues was the apps’ failure to use encryption to protect their communications, leaving traffic exposed to anybody on the network path between the app and the back-end systems.
Mr Hernandez said: “Imagine a stock trader in a coffee shop, using public WiFi.
“An attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted.
“For example, the attacker could see the username and password of the trader’s account and later log in through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”
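The weakness behind the coffee-shop scenario is a client that sends traffic without encryption, or with TLS configured so that it no longer authenticates the server. The following Python is an added example, not code from the article or from IOActive: it audits a constructed set of endpoint settings (hypothetical hosts under `example-broker.test`) for exactly those two defects, and builds the hardened TLS context a client should use instead. The endpoint names, URLs and the `verify_tls` flag are assumptions made for the example.

```python
"""Added example (not from the article or IOActive): a transport-security audit
for the API endpoints a trading client is configured to use, plus the hardened
TLS context that a client should build before sending credentials or orders."""
import ssl
from urllib.parse import urlparse

# Constructed sample configuration, as a trading client might declare it.
# All hosts are hypothetical; "verify_tls" is an assumed per-endpoint option.
SAMPLE_ENDPOINTS = {
    "quotes": {"url": "http://quotes.example-broker.test/v1/stream", "verify_tls": True},
    "login":  {"url": "https://api.example-broker.test/auth", "verify_tls": False},
    "orders": {"url": "https://api.example-broker.test/orders", "verify_tls": True},
}


def audit_endpoint(name, cfg):
    """Return a list of findings for one endpoint; an empty list means it passes."""
    findings = []
    parsed = urlparse(cfg["url"])
    if parsed.scheme != "https":
        # Plaintext transport: anybody on the path can read or alter the traffic,
        # including the login credentials described in the article.
        findings.append(
            f"{name}: plaintext scheme '{parsed.scheme}' - credentials and orders "
            "are readable and modifiable on the network path"
        )
    elif not cfg.get("verify_tls", True):
        # TLS without certificate verification: an on-path host can present its
        # own certificate and the client will accept it, so encryption buys nothing.
        findings.append(
            f"{name}: TLS certificate verification disabled - server identity "
            "is not checked"
        )
    return findings


def audit_endpoints(endpoints):
    """Audit every configured endpoint and return all findings."""
    findings = []
    for name, cfg in endpoints.items():
        findings.extend(audit_endpoint(name, cfg))
    return findings


def enforce_https(url):
    """Refuse to proceed with any URL that is not HTTPS; returns the URL if OK."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing plaintext transport for {url}")
    return url


def make_hardened_context():
    """Build the TLS context a client should use: system trust store,
    hostname checking, certificate required, and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print("FINDING:", finding)
    print("orders endpoint usable:", enforce_https(SAMPLE_ENDPOINTS["orders"]["url"]))
```

Run against the constructed configuration, the audit reports the plaintext `quotes` stream and the `login` endpoint with verification disabled, and passes `orders`; `enforce_https` is the guard a client can place in front of every connection so a plaintext URL never reaches the network, and `make_hardened_context` is what the connection should then be opened with.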
Jennifer Steffens, the chief executive of IOActive, said: “Alejandro’s continued research and discovery of major flaws in stock trading technologies will hopefully be a wake-up call to the financial industry.
“They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”
IOActive stated that all of the vendors impacted by the stock trading vulnerabilities it discovered have been notified.
However, the company said it cannot confirm whether the flaws have been fixed yet.