Exposing Security Flaws in Trading Technologies - Alejandro Hernandez - AppSecUSA 2018
Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
With the advent of electronic trading platforms and networks, the exchange of financial securities is now easier and faster than ever; but this comes with inherent risks. Nowadays it is not only the wealthy who can invest in the money markets: anyone with as little as $10 can start trading stocks from a website, a desktop application or a mobile phone.
The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies that are used to trade hundreds of billions per day, but security testing tells us a different story.
In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS flaws that render the applications useless; weak password policies; hardcoded secrets; poor session management; etc. Also, many of these applications lack countermeasures such as SSL certificate validation and root detection in mobile apps, a privacy mode to mask sensitive values, and anti-exploitation and anti-reversing mitigations.
Moreover, the risks of social trading will also be discussed, as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.
The analysis encompassed the following platforms, which are some of the most used ones:
- 30 Websites (7 focused on cryptocurrencies)
- 17 Desktop applications
- 34 Mobile apps
Finally, the gap between the security of online banking and that of trading technologies will be clearly observed. There's still a long way to go to improve the security of the trading ecosystem, but the wheel has already been invented and common security countermeasures could be applied.
Speaker
Alejandro Hernandez
Sr. Consultant, IOActive
Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work with companies in different countries, including Mexico, South Africa, Germany, China, the Netherlands, the United States, South Korea and England.
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...