Forgery of charts, substitution of quotes and price manipulation: how to hack applications for trading on the stock exchange
Positive Technologies specialists analyzed the security of trading applications: trading terminals used to buy and sell stocks, bonds, futures, currencies and other assets. According to the study, 61% of the applications allow unauthorized access to personal accounts, 33% allow financial transactions to be conducted on behalf of other users without access to their personal account, and 17% allow the displayed quotes to be changed. Such attacks can shift market prices in the attacker's favour, provoke panic on the exchange and cause significant financial damage to users of vulnerable applications.
The most common trading application vulnerabilities
Experts studied trading platforms that are popular not only among private traders but are also widely used by banks, investment funds and other organizations involved in exchange trading. The study covered the client side of the platforms: desktop trading terminals as well as mobile (Android and iOS) and web-based trading applications.
In 61% of the applications, an attacker can take control of a user's personal account in the trading terminal. This lets the attacker trade the user's assets, see the funds available on the account, change automated trading parameters, and view the history of completed and planned operations. In desktop terminals, credentials can be intercepted when traffic is not encrypted; in mobile applications, interception is made easier by root privileges or a jailbreak on the device. In some web versions of the applications, access to the personal account can be gained by hijacking a user session.
What this means for traders
The vulnerabilities Positive Technologies experts found in every third application allow unauthorized persons to buy or sell shares on behalf of the user without access to the personal account. An attacker can drive up the value of securities of interest by mass-buying them from other people's accounts, or push the value of shares down by actively selling them. Currency rates can be manipulated in the same way if the attack affects major players or a large number of users. Buying and selling exchange assets in someone else's name is possible in desktop, mobile and web terminals alike.
Attacks on the web versions of trading terminals can be carried out at scale. An attacker could embed a script in the web application or place a malicious link on another popular site; an illegitimate operation would then be performed on behalf of any user who opens the application or follows the link. This allows attacks against a large number of market participants at once.
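The two web-side weaknesses described above (session hijacking, and operations triggered on a logged-in user's behalf by a script or link hosted elsewhere) are both addressed on the server. The following is an added example, not code from Positive Technologies or from any trading platform in the study: a minimal order-placement handler that issues a hardened session cookie and refuses cross-site requests by checking the Origin/Referer header and a per-session anti-CSRF token before it looks at the order at all. The origin, secret, account id and request dicts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed values for this example; nothing here comes from the study or a real broker.
TRUSTED_ORIGINS = {"https://terminal.example-broker.test"}
SERVER_SECRET = b"constructed-server-secret-replace-in-production"
VALID_SIDES = {"buy", "sell"}

# Session store: session id -> account id (a real backend would use a database).
SESSIONS: Dict[str, str] = {}


def create_session(account_id: str) -> Dict[str, str]:
    """Start a session and return the Set-Cookie value a hardened terminal would emit.

    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from injected
    scripts, and SameSite=Strict stops browsers attaching it to cross-site requests.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = account_id
    return {"sid": sid, "set_cookie": f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"}


def csrf_token_for(sid: str) -> str:
    """Derive the per-session anti-CSRF token (HMAC of the session id under the server secret)."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def _origin_of(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def place_order(request: dict) -> dict:
    """Validate a POST /order request and return a dict with 'status' and 'reason'.

    `request` is a plain dict with 'cookies', 'headers' and 'body' sub-dicts standing in
    for a framework request object (hypothetical shape, chosen for this example).
    """
    cookies = request.get("cookies", {})
    headers = request.get("headers", {})
    body = request.get("body", {})

    # 1. The request must carry a live session cookie.
    sid = cookies.get("sid")
    if not sid or sid not in SESSIONS:
        return {"status": 401, "reason": "no valid session"}

    # 2. Browsers send Origin on cross-site POSTs (Referer as a fallback), so a form or
    #    script hosted on another site fails here even if the cookie was attached.
    origin = _origin_of(headers.get("Origin")) or _origin_of(headers.get("Referer"))
    if origin not in TRUSTED_ORIGINS:
        return {"status": 403, "reason": f"untrusted origin: {origin}"}

    # 3. The token is bound to the session and never readable by a third-party page,
    #    so a forged request cannot supply it. Constant-time compare avoids timing leaks.
    token = headers.get("X-CSRF-Token") or body.get("csrf_token", "")
    if not isinstance(token, str) or not hmac.compare_digest(
        token.encode(), csrf_token_for(sid).encode()
    ):
        return {"status": 403, "reason": "missing or invalid CSRF token"}

    # 4. Only then validate the order itself.
    symbol, side, qty = body.get("symbol"), body.get("side"), body.get("qty")
    if not isinstance(symbol, str) or not symbol.isalnum():
        return {"status": 400, "reason": "bad symbol"}
    if side not in VALID_SIDES:
        return {"status": 400, "reason": "bad side"}
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        return {"status": 400, "reason": "bad quantity"}

    return {"status": 200, "reason": "order accepted",
            "account": SESSIONS[sid], "order": {"symbol": symbol, "side": side, "qty": qty}}


if __name__ == "__main__":
    session = create_session("acct-1001")  # constructed account id
    legit = {"cookies": {"sid": session["sid"]},
             "headers": {"Origin": "https://terminal.example-broker.test",
                         "X-CSRF-Token": csrf_token_for(session["sid"])},
             "body": {"symbol": "ABCD", "side": "buy", "qty": 10}}
    forged = {"cookies": {"sid": session["sid"]},
              "headers": {"Origin": "https://attacker.example.test"},
              "body": {"symbol": "ABCD", "side": "buy", "qty": 10}}
    print(place_order(legit)["status"], place_order(forged)["status"])  # 200 403
```

The ordering matters: authentication, then origin, then token, then business validation, so an attacker who can get a victim's browser to send the cookie still cannot get an order accepted, and a hijacked session id alone is far less useful when the cookie is Secure and HttpOnly. An application-level firewall in front of the terminal can enforce the origin check as well, but the token binding has to live in the application.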
A trader using a vulnerable application also risks the real state of the financial market not matching what is shown on the trading terminal's screen. Substitution of the displayed quotes is possible in 17% of the applications. For example, while analyzing desktop applications, the experts managed to forge a Japanese candlestick chart, an interval chart that shows how quotes change over set periods.
Some desktop applications allow an attacker to take control of the trader's computer, for example by replacing the update file with malware. As a rule, attacking desktop or mobile trading terminals requires special conditions, such as the ability to intercept traffic or physical access to the device. In a targeted attack on a major player, however, the attacker may be motivated enough to arrange such conditions. An example of such an incident: in February 2015, sell orders for $500 million (the result of a cyberattack or of a bank operator's error) were placed on the market, which sharply lowered the exchange rate of the US currency, allowed other market participants to buy dollars at a lower price and caused the bank huge losses.
How to protect yourself
Illegitimate access to trading applications threatens serious turmoil for the market and for users of vulnerable applications. When choosing a trading platform, traders should pay attention not only to its functionality but also to its security. Use the latest version of the application and install vendor updates promptly.
For private traders who use trading platforms on their personal devices, the experts recommend using anti-virus tools and not downloading applications from untrusted sources. Mobile versions of the applications should not be installed on rooted or jailbroken devices. When working with the terminal, avoid connecting to unsecured networks such as public Wi-Fi access points. To prevent unauthorized access to the account, use two-factor authentication if the application supports it.
In corporate systems, trading terminals should be placed in a separate network segment, and that segment should be protected. Basic guidelines for an acceptable level of security in corporate information systems should be followed, in particular training employees in information security rules.
Developers of trading terminals, for their part, should regularly test application security and implement a secure development lifecycle. To protect the web versions of trading platforms, the experts recommend preventive security measures such as an application-level firewall.
On Tuesday, October 16, at 14:00, in a free webinar, Jaroslav Babin, head of banking systems security research at Positive Technologies, will talk about the study and give advice on choosing a secure trading application.
To participate in the webinar, you must register.