Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies

Conference: BlackHat USA 2018



The talk discusses vulnerabilities in trading technologies and the need for improved cybersecurity measures.
  • Electronic trading platforms and networks have made trading easier and faster, but also come with inherent risks.
  • Many trading technologies lack proper cybersecurity measures, leaving traders vulnerable to attacks.
  • The analysis covered 16 desktop applications, 29 websites (including 7 focused on cryptocurrencies), and 34 mobile apps.
  • The talk also discusses the risks of social trading and the potential for malicious expert advisors and plugins.
  • Regulators and organizations should provide more guidance on cybersecurity measures for trading technologies.
  • Recommendations for end-users include enabling all security features offered by brokers and using strong passwords and biometric authentication.
The speaker shares that he comes from a computer science background and decided to bridge his interests in finance and technology. He found interesting results in his analysis of vulnerabilities in trading technologies.


With the advent of electronic trading platforms and networks, the exchange of financial securities is now easier and faster than ever, but this comes with inherent risks. Nowadays, not only rich people can invest in the money markets: anyone with as little as $10 can start trading stocks from a mobile phone, a desktop application or a website.

The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies used to trade hundreds of billions per day, but security testing tells us a different story.

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leaves the applications useless; weak password policies; hardcoded secrets; poor session management; etc. Also, many of these applications lack countermeasures such as SSL certificate validation and root detection in mobile apps, a privacy mode to mask sensitive values, and anti-exploitation and anti-reversing mitigations.

Moreover, the risk of social trading will be discussed, as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.

The analysis encompassed the following platforms, which are among the most used ones:
- 16 desktop applications
- 29 websites (7 focused on cryptocurrencies)
- 34 mobile apps

Finally, the gap between the security of online banking and that of trading technologies will be clearly observed. There is still a long way to go to improve the security of the trading ecosystem, but the wheel has already been invented and common security countermeasures could be applied.