Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies

Alejandro Hernandez
Senior Security Consultant at IOActive
Black Hat USA 2018
August 4 2019, Las Vegas, USA

About speaker

Alejandro Hernandez
Senior Security Consultant at IOActive

Alejandro Hernandez is a security consultant who has been involved in the scene for over 15 years. Nowadays he works for IOActive, where he has had the chance to work with companies in different countries including Mexico, South Africa, Germany, China, the Netherlands, the United States, South Korea and England. As a research enthusiast, he has presented twice at Black Hat Arsenal: in 2011, DotDotPwn (a directory traversal fuzzer), and in 2014, Melkor (an ELF file format fuzzer). He has also spoken at other conferences such as DEF CON (Village) and BruCON (Belgium). Recently, he has been bridging cybersecurity with another subject he is interested in: money markets. Initially self-taught, he later took some stock trading courses at the Mexican Stock Exchange (BMV) to gain an understanding of how today's digitally-ruled financial markets work.

About the talk

Topic: IT

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leaves the applications useless; weak password policies; hardcoded secrets; poor session management; etc.

02:33 What the New York Stock Exchange looks like now

04:05 The specifics of cyber attacks on stock exchanges

06:08 What the MetaTrader platform is for

Hi everyone, good morning. Thank you for being here. I'm super excited to be here. This is my very first briefing I do at Black Hat. Previously, I had a chance to present two tools at the Arsenal in 2011 and 2014, but this is my first time here. My name is Alejandro Hernandez. I'm from Chiapas, Mexico, which is in the southeast of the country, right over there. And I have been doing consulting and research for IOActive for almost six years now.

I come from a computer science background. I didn't study anything related to finance or economics. I was self-taught on these topics, and later on I took a couple of courses at the Mexican Stock Exchange in Mexico City and with a few other brokers. And in the end I decided to bridge both topics I'm interested in, right, and I found interesting results that I will share with you today.

This will be the agenda we'll be discussing today: a quick introduction; the core of my research, my analysis, the vulnerabilities; the responsible disclosure process, regulators, organizations; some other ideas I have in mind that either me or you could develop in the future after the talk; and in the end recommendations and conclusions. For starting up, a quick disclaimer.

All the testing was performed using paper money, which is demo accounts, fake money, right. I only tested applications for end users, mobile, websites and desktop applications, and the web servers that communicate with these applications. I didn't test anything else. Still, there are a lot of technologies behind this, there are a lot of protocols, there are a lot of other devices, for example phones with embedded software.

I didn't have access to this information. And finally, this talk is not about high frequency trading, nor blockchain, nor how to get rich overnight. If you find a talk about that, let me know. In other years... so this is how the stock markets looked. Those were the order books, where everything was hand made, all the people yelling, sending orders, etc. Then we adopted technology. This is in the 80s, 90s I guess. People, computers. This is the NYSE.

And now the NYSE looks like this. More computers, less people. The open outcry is gone and it was replaced by computers, by technologies, which are faster, cheaper and easier to use. Nevertheless there are some risks involved in this, and I will explain in a bit. Now, a quick introduction: whenever the companies want money to develop their projects or to grow, they can go either with private banks or with private investors.

Or they can go public. When they go public, they are recognized or distinguished by these symbols, right. We have Amazon, Apple, etc. And they flow through different network routers, different switches, like stock exchanges, right, that are in charge of communicating all this trading information. The most famous one in the US evidently is the New York Stock Exchange.

NASDAQ, and we have other important ones in Tokyo, in London, in Shanghai, etc. Now, what information, what securities flow in them? The common stocks, other instruments such as ETFs. In our particular industry, cyber security, we have two famous ETFs, and I love the tickers: HACK and CIBR. That's clever, that's cool.

And also we have derivatives markets, futures, options, contracts for difference that are getting famous nowadays, and other markets such as Forex and the crypto market, right. Now it's important to distinguish the relationship between the different peers. On the banking system we have only one entity, a financial entity, right, so the attackers come focused on hacking this entity so they can change information in the databases, in the records, etc.

On the other hand, on exchange markets the information is distributed on different ledgers. There are logs everywhere. You cannot suddenly steal 100 shares of Apple, because that won't work. You might steal it in one peer, in one point, but it wouldn't be the same in another peer in the network. That said, the valuable information and the attack surface...

...and the vectors are slightly different from those in retail banking, right, doesn't it make sense? The information is different and the attack surface is different. Now, the brokers offer trading platforms, and in these platforms you can do different things such as funding your account by credit card or through other banks; you can monitor your balances, cash balances, your net worth, your equity, your buying power, etc.

Your positions and their performance, right. You can create alerts, you can buy and sell securities, et cetera. Now, independently of whether you are a speculator, an intraday trader or a buy-and-hold investor, whatever kind of investor you are, this information should be known only by you and your broker, right. This is sensitive information. Now, how many users use these platforms? Let's see it by figures.

TD Ameritrade, 11,000,000 funded accounts. Charles Schwab, 10,000,000 accounts. MetaTrader is a very cool platform, a very complete platform; you can link your broker to their software and you can trade using your account. It's the most famous one we have there. Yahoo Finance: initially Yahoo Finance was only a market data provider; nowadays you can link your trading account, your broker account, on Yahoo Finance.

So you can keep track of your positions, etc. Robinhood, we have Coinbase, Markets.com, IQ Option, AvaTrade, which is famous in Spain and in Latin America, Plus500, Money.net, NinjaTrader, etc. Now, many of you recognize this show, right. It is Billions. And this is Bobby Axelrod's screens.

Very often, very often you see these screens, and they are easily recognizable because these keyboards are from the Bloomberg Terminal. Bloomberg Terminal is a costly software, a costly environment. I didn't have access to this platform because they are expensive. They are up to $2000 or more per month per terminal. Nevertheless, I checked on their website and I think they have top-notch security.

They have cutting-edge security on their platforms, etc. In another episode, I spotted what they actually wrote using this application and then I remembered, wait a minute, I think I have seen some of these labels before. I think Bobby uses TD Ameritrade. I don't know, probably. This one was included in my analysis; it's one of my favorite trading applications. Now.

What did I test? I tested 16 desktop applications, 34 mobile apps for Android and iOS, and 30 websites from 40 brokers, these ones: Ally Financial, AvaTrade, Bitso, which is the biggest cryptocurrency market in Mexico, Bloomberg for mobile phones (I didn't have access to that, but I did basic reverse engineering on it), Capital One, Charles Schwab, Coinbase, eSignal, eToro, E*Trade, Fidelity, Firstrade.

Grupo Bursátil Mexicano [inaudible], which is from the Mexican stock market, IQ Option, Merrill Edge, MetaTrader, OANDA foreign exchange, Plus500, Robinhood, Scottrade, TD Ameritrade, TradeStation and finally Yahoo Finance. And I did it using Windows 7, Windows 10, an iPhone 6 with two different versions of iOS, and the Android emulator. The iOS non-jailbroken, and the Android emulator rooted by default, of course.

Now, what did I check? I checked these security controls in here. For desktop I checked, for example: do they implement two-factor authentication? Do they encrypt communications? Privacy mode, is sensitive data stored in secure databases and in log files? Unrelated stuff like anti-exploitation mitigations or anti-reverse-engineering. Similar for mobile, including SSL certificate validation.

Root detection. And for the web portion, you know, the classic things we all know: the OWASP Top 10, cross-site scripting, cross-site request forgery, security headers, known vulnerabilities, weak password policies, automatic logout, lockout, etc. Take a look at this. This is a very basic checklist, right, it's like 10 items, 15 items. This is only the tip of the iceberg; for a more complete checklist, a real application should pass through much more, right.

The results, unfortunately. Compared with retail banking, these results are way worse than those shown in 2013 and 2015. A colleague of mine from IOActive, Ariel Sanchez, did this research, this analysis, for mobile banking back then, and these results nowadays, in 2018, are even worse than those ones for banks. I don't know why. I mean, banking is one area and trading is another area, and even if they are from the same financial entity, for some reason...

...they're not doing it... they're doing it good, but not as good as banking, right, as their cousins. Before I show you my results I would like to clarify that I don't want to transmit to you fear, uncertainty and doubt. It's not easy to hack or to steal money from stock applications, right. It is possible through different means.

It is possible through the following vulnerabilities that I will show you, if an attacker has access to this information. Of course it would be possible that any of the attackers could steal your money, but not with two or three clicks. The biggest problems: encryption in communication and in storage, of passwords, of trading data. Another problem is the DoS, and authentication and session management problems. Now.

Unencrypted communications. 64% of the desktop apps and 6% of the mobile apps sent information unencrypted, either partially or fully unencrypted. What is the problem with that? If you are in a coffee place, or wherever you are on a public network, and your information is unencrypted, evidently an attacker would be able to intercept your username and password, right, or alter the traffic. Say you send a quote for a particular stock.

And before the price comes back to you, to decide whether to buy or to sell, the attacker modifies the price. If the real price is $100, the attacker could tamper it to 95 bucks, so you think this is real information, but you would be trading based on misleading information, right. The attacker wouldn't gain... this is still possible, right. It could trick the users to buy stocks you wouldn't buy in normal circumstances.

Now, the traffic normally goes over HTTP, over FIX (I will explain this in a bit), and other proprietary protocols, binary protocols. See this, this is AvaTrade. This is the login page. Even when you see the username, the password is encrypted, but after you're logged in you can see, for example, this order: you're buying an instrument and you can see everything, your account number, the amount, the price, etc. This is another one.

Normally desktop applications use third-party service providers for charting, for market research, etc., and in this case, Autochartist for example, the trader is sending a token in clear text. All I had to do was copy this token and put it in my browser, and I could take over the session from Autochartist. Now here I am logged in as the broker, right. This is a paid service. So it's just a quick example. This is an interesting example.

This is eSignal. eSignal is a signal provider. You know, in trading, the people who have the information fastest, the guys who trade, get the most profit from it, right: the faster the information, the more the profit. So, in my understanding, Data Manager is a software, a bridge, so you can connect to the Internet, to the service you pay for; this is a paid service.

Once you are connected, you receive the real-time market data, and later on you can connect the rest of your software, your trading applications, to this signal provider, so you receive real-time market data. The problem is whenever you log in to the website your password is going in clear text, and then I saw the copyright message: 1999, Data Broadcasting Corporation.

I did a quick search and I found a document stating that this company was renamed to Interactive Data Corp, who are the owners of eSignal, so I think it is easy to see that this is an in-house development that has been carried into this new century, right. 20 years ago. We are still using these protocols. This is another example: in the login page, you see cleartext passwords.

Sorry, cleartext usernames, not the password, but still, you can enumerate users, for example. Now let's move on to financial-oriented protocols. This one, FIX, the Financial Information eXchange protocol. It was initially from '92. It is widely used by exchange traders. There are guidelines on how to implement it securely; however, I think not all the people implement it securely. As you can see, this is ASCII. Binary, ASCII.

And these are many of the users of this protocol, from the buy side, sell side: banks, regulators, brokers, hedge funds, etc. This is widely used in institutional trading between houses, not retail trading. However, I have found a couple of applications that support this protocol. And yeah, let's see, for example, this application, [inaudible] Pro. They have...

...their price server or their trade server, and a connection can be made in plain text using FIX. Now let's see a demonstration. This is Interactive Brokers. They use encryption for almost everything they communicate. Actually, however, this new feature they implemented, IBot, which is a voice or command assistant, sends the information unencrypted over FIX. Can you please enable the volume of my computer, please?

OK, in this second I sent a voice message, "price of Netflix", right, I got the price. One second. [technical difficulties] It's OK, no worries. It's only for this demo. I think so. Thank you. So I set up Wireshark. OK, it's not working OK; however, you say the voice message "price of Netflix". Then I say "buy 100 shares of Netflix at market price". And finally I submitted the order. The rest of the communication is encrypted.

The order went through. But in the end, you analyze it with Wireshark. Wireshark has a FIX protocol decoder, a basic one. And embedded there is a plain-text JSON message, so that if you follow the TCP stream you can see everything: somehow encrypted, partially encrypted, but the user input went unencrypted. You can see it there: "buy 100 shares of Netflix at market price". This is a basic example, right: the communication is implemented properly...

...except in a few parts of it. Thank you. Now you can see positions, how much stuff you have, you can see cleartext stuff, right. The attackers could gain insight into your portfolio. This one: your balances, your cash balances, are sent to log files. Right now, this one is interesting: in the login form they have an SSL button, which is disabled by default. We all understand what SSL stands for, right.

What about those traders that are not tech savvy and have no idea what SSL means? They would be like, well, if this comes by default and it's not enabled, I won't touch it because I have no idea what it is. And some of their communication would be unencrypted. Now, even with this button enabled, I noticed that in this particular application, Interactive Brokers, they were sending... sorry.

This is glitching, right. They were sending a diagnostic log to their servers in cleartext. The log that I showed you before, with balances, with information, etc., is being sent unencrypted as a zip file. This is Charles Schwab. You have your watchlist, to invest later, some symbols in there, and you can see them in plain text. I think this is a proprietary protocol, not sure. This is IQ Option.

This one is interesting: all the information goes through HTTPS, it's secure. However, I think one of the developers forgot a request that goes over HTTP, unencrypted, so one request was enough to intercept the session cookie, DSS ID, so it's easy to put it in your browser and hijack the session, because they're only using this token. This is another one: NinjaTrader. Telnet or netcat, socket, you connect, no authentication.

And you start receiving values, cash, etc., of the accounts. Now let's move on to denial of service problems. Many of these applications listen on TCP/IP ports so you can integrate other applications. You know, the information flows over TCP/IP; still, the programs are having the problems we had in the 90s, in 2000. If you do not limit the number of concurrent connections, evidently there will be a problem, right, or if you do not free...

...the resources upon termination, say the RAM memory, there will be a memory leak, memory exhaustion, right. Some of these services listen on the local interface port; however, there are ways to reach or to attack the local port, such as using this function in JavaScript, XMLHttpRequest, or this is the way it would be with financial-oriented malware, right. See this example.

This is TD Ameritrade thinkorswim, their TCP order server. Three problems. Two problems, well, three problems I would say: no limit for concurrent connections, no waiting time between the buy or sell orders, and finally there is no obfuscation on their final application, so I could reverse engineer their TCP software. So this is listening on the local port. If I connect to the local port and send random commands, I can see "syntax error". Then.

I went to the application. I reverse engineered the library, I found it. It took me a couple of hours to do the reverse engineering. I found the syntax error, I looked for where exactly they were throwing this error, and I found the parse command. With this I noticed... I followed, you know, I followed the rabbit basically, till I found the correct format: the order types, market types, limit orders, in the end.

This is the format accepted: order, the symbol, the amount, the type of the order, which could be limit or market order, right. And I wrote this small C code that basically sends orders every few seconds. Every time you send an order to the local port, everything you send as an order to the local port, there is a pop-up in the application that the trader must submit the order. However, every time the pop-up pops up...

...you can't do anything else until you close the window. As you can see, this is the order pop-up attack. There are a lot of pop-ups. The trader basically can't do anything on the application; it's rendered useless. This is a form of denial of service, right. Imagine a malware that doesn't allow you to do anything on your application. Plus, for some reason it triggers a null pointer dereference...

...in Java. And the third problem is, with this error, the null pointer dereference, you can send a troubleshooting report to the developers, which is a zip file containing a lot of information, including a screenshot. You can see here, view the report. If you see the zip file, which is the report, you can see a screenshot.

There could be a privacy issue in this, because in this screenshot you're disclosing to the developers your profit, loss, or anything you're showing in your main screen, like balances, cash balances, etc., could be disclosed to the developers. Is that necessary for the developers, to know how much money you have invested, or not? I don't know. What they could do is...

...mask this information to avoid disclosing sensitive information. They fixed these vulnerabilities. We have been working closely with these guys, and they fixed it quickly, TD Ameritrade, so feel free to use these features. Secondly, eSignal, the signal provider. This is a classic memory leak through JavaScript, listening on the local port. So this is a basic JavaScript, right. What am I doing here?

When it loads, it's an endless loop, and I'm sending a request to localhost through this. Now, imagine the investor clicks on a malicious link. [video playing] Do you really know what's going on while you're reading this? Four, almost 5000 users connected, until it breaks. Now, as I said before, there are different applications that connect to the service. Automatically they will be disconnected. This is another trading application.

This is a denial of service, right. So your signal providers are not providing you signals anymore. What should they do? What we did in 2000, in the 90s: limited number of connections, timeouts on idle connections, seconds between orders, you know, to control bottlenecks, etc. Like these guys from Interactive Brokers. They do not allow you to connect more than 51 times; they simply refuse you the connection. Now let's move on to another interesting...

...thing. This is not a bug, seriously, this is a feature: programming languages that allow DLL imports. Why would they do that? Because it's needed in order for their customers to develop sophisticated tools, sophisticated trading robots, advanced charting, charts, indicators, etc. They give this extra functionality so you create your own stuff, and these trading languages are based on other languages: C, C++ or Pascal.

Nevertheless, some of them allow DLL imports, some others warn you about that, and some others do not allow it at all. So the most used application, MetaTrader, supports DLL imports; however, they warn you, they tell you: are you sure you want to allow DLL imports? And this is a small tick box. Again, we all know what a DLL is, of course, and the risks involved. What about those non-tech-savvy traders out there?

If you go to the Internet, you will find many tutorials on how to download these indicators and just import them into your MetaTrader, and follow a step-by-step tutorial including this checkmark: just check this and you will be fine. And all the people, including me, want to get rich overnight, of course, so you follow this tutorial step by step, right.

However, there is a risk involved. In NinjaTrader, for example, they do not warn you; still, it supports DLL imports. This is an example of NinjaTrader. This is calc popping up. And we'll see a more realistic scenario. This is a backdoor. This is some Ichimoku indicator; Ichimoku clouds are famous technical analysis indicators. So this is MetaTrader, right, we are going to open the trading language editor; this is an indicator.

What I'm doing here, I mean, I'm importing the indicator library, the cloud library, which is shared32.dll, and I'm telling the user, here on init, I'm going to render, to draw your pretty Ichimoku cloud, and for this I'm going to download the cloud for Ichimoku clouds at all... which is something weird; in there is a base64 something. And I'm telling the trader: here I'm going to decode the cloud and I'm going to launch the cloud.

So the naive trader, if he doesn't have any idea of the risks involved, he would download it, import it, he would open a chart, in this case EUR/USD, and whenever he drags the chart, you can see all the... before that, the dependencies here: allow DLL imports, this is dangerous. Still, there are the clouds. Behind, this is another box. I do netcat to the remote port and I have access to the computer. And that's it.

So basically, the backdoor disguised as a technical analysis indicator. Thank you. OK, 15 minutes, I have a lot of stuff to show you, a lot of it. I'm going to speak faster and I'm going to go quicker. In here: passwords stored unencrypted. They send the password either to a config file or to the log files. And how could attackers extract this from your mobile or from your computer?

You have either local access, like physical access to the computer, or malware. Malware would be the easiest way to extract the information. If you know the path where the information is stored, you can go and exfiltrate this. See, this is a user, the password is encrypted... not here: qwerty, foobar. I changed that password: qwerty, foobar, more passwords. Base64 is not encryption, please. Moving forward, this is a very famous cryptocurrency app...

...I cannot name, because of responsible disclosure things. Still, I can show you a screenshot: the unlock PIN in cleartext in a SQLite database. These guys, IQ Option, I reported to them last year: cleartext password. I changed the password to 123456, and this year, yeah, they think that it is encrypted here; however, if you enable 2FA, the two-factor authentication password is 123656 in a different file, same problem.

There are others that are sending the password in cleartext to the log files and through... through a parameter in the URL. What is the problem with this? Even if it goes over HTTPS, if you put the password in a parameter, or any other sensitive information, this URL will be stored in the web server access logs or will be stored in the browser history, right, so it is not a good idea to transmit information over GET.

Interactive Brokers, even when they encrypt the password locally, are not encrypting third-party services' passwords, such as eSignal in here. Secret. Now, trading data stored unencrypted, the same problem. Order data... I don't know why developers love to disclose your balances, your orders, your positions, even personal information, into log files. I have been a developer.

I developed in different technologies, different languages, and I know how good the printfs are, right, or the debugging prints. However, in your final release you should, you must, remove this information; otherwise what's happening here will happen. Now, more than 50% of the applications send trading data unencrypted, the mobile apps as well. The attackers could gain insight into your strategy, into your net worth, etc.

Portfolio, balances, orders, watchlist. See, portfolio: this is Yahoo Finance. Whenever you link to the other brokers, these are my stocks, my positions, the amount of them, the cost basis, and they are all in cleartext, the symbols. They used to be; now we fixed it. We've been closely working with them as well. Another one. And another one. Personal information: names, addresses, credit card information.

Only the name, not the rest, when you are funding your trading account on Markets.com. Orders: these guys even draw a pretty neat ASCII art, like there, it's the same form, this is cool. Still, they're disclosing it: the order you sent, the server responses, portfolios, the symbols you look up, they're disclosed, the details of the symbols. Now, passwords. Some traders allow you to choose 1234...

...as a password. Others tell you: wait, wait a second, the password you entered is too long, hold on, choose a weaker one please. The maximum, 12 chars. There are others, such as IQ Option, Markets, that implement a password policy, but client-side in JavaScript; server-side it is not implemented. You can see here, the password 123 was accepted by the server. Now, authentication problems, 2FA. Most... this is interesting.

Most applications implement it, but not by default; the user has to go to the configuration and enable it, either by SMS or email. But most desktop applications do not implement it, even when they belong to the same broker, right. Of the mobile apps, one fourth of them do not implement fingerprint auth, even when they are installed on a phone with a biometric sensor; they do not implement this. Now, another interesting example.

37:46 Session tokens passed through the URL. When you're using your desktop application, you click on some button and they send you to the browser to see your account, your balances, etc. However, this token, which is the single sign-on token, could be stolen by an attacker. Imagine an infinite loop running on the process list, so you can steal it; it is a race on who wins the token, right. Like this one, IQ Option. This is a Linux box.

38:19 I can see the process here with the token, so I wrote a quick loop to see who wins the race, right. The first who sends this request takes over the session. We have a demo for this; I will skip it, I would like to talk to you about other things. Themoney.net implements their own web UI inside the application, which prevents this problem. Another problem: the session is still valid after logout.

38:52 On web platforms, you click on the logout button; your session is destroyed client side but not server side. I saw this on E*TRADE, Charles Schwab, Fidelity and recently Yahoo Finance. This is Yahoo Finance: I'm logged out. 5 hours later, I send this request I got before to the server, and I could still transact. E*TRADE the same, Charles Schwab the same. I'm not sure if they have fixed these bugs;

39:22 I haven't had time to test it. Another interesting thing: privacy mode, against shoulder surfing attacks. We can see here Thinkorswim desktop, before privacy mode and after privacy mode. Whenever you are trading in public spaces, right, and you wouldn't want people to see how much money you have invested, this is a good feature. Nevertheless, not all the applications implement this. This is for mobile.

39:50 This is Yahoo Finance; you can see the important information is masked. Now, hardcoded secrets. It is easy to reverse engineer applications. For example, Merrill Edge for Android: they obfuscate everything, so it makes it harder to reverse engineer. The rest of them love to disclose internal stuff: internal IP addresses, internal hostnames, private keys still,

40:18 or 3rd party service partner passwords. For example, this one: hostnames, a private key over here for encryption, hostnames, IP addresses. Now, exploitation mitigations: we all know ASLR, DEP, stack canaries. Most of the desktop apps do not have them implemented. Even the services that listen for TCP connections, which are more exposed, do not have these flags. For Linux,

40:47 they do not have the read-only relocation table, or position-independent code, or canaries as well, in the case of IQ Option, NinjaTrader and many more. Only 2 of 32 validate SSL certificates on mobile apps; only Charles Schwab warns you if there is an invalid certificate, the rest accept the bad certificate and allow you to continue. A similar thing happens with root detection: almost 80% of the apps do not detect it. Unlike banking apps: banking apps

41:21 detect it and normally they don't run on compromised environments. These applications allow you to do that. For example, TD Ameritrade only warns you about the rooted environment, but they allow you to trade on these environments. And then I found more vulnerabilities; I encourage you to go through the white paper and read them in detail: all kinds of issues, the classic cross-site scripting on web platforms. On the websites,

41:53 half of them, 1/2 of the applications, do not have the Secure or the HttpOnly flags on session cookies, and 70% of the applications do not implement the classic security headers we all know: the CSP policies, the Strict-Transport-Security, the anti-XSS, etc. I only checked their presence, but 70% do not implement them; this is a high-level thing I checked. They invite you

42:25 to their education center, but they educate you on trading, mostly, not on cyber security. Only Firstrade, for example, has a cyber security center; they help you, they give you some guidance on how to stay safe online, right. TD Ameritrade has a browser checker; they give you safety tips, etc. I think this is important, to educate users on cyber security, if I were a broker. There is more content,

43:00 so please check also the white paper that will be available on the web, in the Black Hat materials. Now, what happened with the reported brokers? We found another issue there: the brokers do not have a main point of contact to receive bugs in their products. We reported many of the vulnerabilities and many of the brokers didn't reply to us quickly.

43:31 The brokers who communicated and worked more closely with IOActive, with us, to fix their bugs are TD Ameritrade, Charles Schwab, Yahoo Finance and, more recently, Interactive Brokers. So there is a basic correlation here that I noticed: the biggest players, the guys who have more money, are the ones who invest more in cyber security. You can see it, you can feel it while you're testing their products,

44:00 when you're using their products, right; you have this sense of security while you are trading, right, so there is a correlation there. So invest more in cyber security if you're a broker. Now, some ideas for you on this research. I found many applications that implement social trading. Now there are things like copycat trading, like followers on Twitter: if a trader is earning a lot of money, or made a lot of money in the past months or weeks,

44:31 you can copy exactly the same trades the user did, etc. Right, there are many risks involved. Now everything is connected; now even the New York Stock Exchange or NASDAQ are posting Instagram stories, are involved with the people now, they invite you, they teach you what an ETF is, what an IPO is, etc. So social trading risk is an interesting topic. For example, sentiment analysis is a metric

45:02 on the acceptance or rejection of certain instruments by the people. For example, this one: this is TD Ameritrade, and in addition to the fundamental and technical analysis, there is a social signals tab. In this tab you can see indicators such as sentiment analysis. That means that 73% of the people are talking positively about Nintendo, talking about Pokémon Go, Mario, and there are some selected tweets. So I was thinking,

45:35 well, how easy or how hard would it be to bypass this filter? Who selects these tweets, a machine or a human? You know, things like that. I think it would be good to test this software. There are other risks, like fake news, you know, injecting fake data on Twitter, or confusion. Do you remember the PGP bug thing in the encryption software recently? Well, normally on social media you use the dollar sign to refer to a stock.

46:06 For some reason, the encryption software that had the problem caused a drop in the stock price of this company with the same symbol, PGP. It doesn't have anything to do with encryption software. Still, many people were like: hey, wait a sec, there's a problem with PGP. But no, this PGP is a different thing. It dropped

46:26 and then recovered. I wish I could have spotted that. Next time, you know what, I'm going to do a Python script to identify software and companies that do not belong to this, and when I see anything like this, I'm going to go short. Another interesting topic for research: protocols, back-office protocols in exchanges, in institutional trading. This is only retail trading;

46:56 this is only the surface of everything, I'm just scratching the applications, right, but behind there are way more things to cover, there are more protocols. Today I only talked about HTTP, FIX and a bit of binary protocols. What you can see here, taken from Wikipedia, is a lot of different protocols for routing, for orders, etc.; most of them are used by institutional trading, you know, between the institutions, in back offices, not on retail. So,

47:28 are these protocols being fuzzed, or are these protocols being, I don't know, secured, encrypted, etc.? I think it would be worth taking a look at this. What do regulators say? I went to the SEC, to the websites, to FINRA, to the Sigma, and I couldn't find anything related to fintech, any guidance from them. They only offer basic guidance on online threats: viruses, phishing, etc. Generic guidance. I think they should develop a basic guideline

48:01 for the fintechs who will develop a new trading software, right, like: hey, wait a second, are you going to implement this on mobile, on desktop? Please ensure you at least have these features, or test these features. I didn't find anything in them. Also, there are rating organizations that rate yearly the different brokers and give accolades: which is the best to the worst, etc., related to their commissions, their tools,

48:32 the research, the ease of use, but I don't see security up here. I think it should be here; at least they should check, I don't know, the password policy, 2-factor authentication, and if they go over HTTPS, at least. Finally, recommendations for end users: enable the security features your broker offers you, 2FA, use strong passwords, use biometric auth.

49:02 Do not reuse passwords; it is a common practice to use the same password for banking and your trading applications, don't do that. Try to avoid public hotspots, use a VPN. For developers and brokerage firms: test your applications against these basic checklists. While we were contacting the different brokerages, all of them were like: oh no, no, you're wrong, we are secure, we use military-grade encryption, we do this, we do that, we support... Well,

49:34 my tests, my results say a different story. So, audit your applications internally, but see your problems from outside of the box as well: hire 3rd party companies to test your applications as well. The takeaways: trading applications are less secure than banking applications nowadays. End users, please enable your security features. And finally, brokers: do not only improve your applications, also focus on your back end,

50:16 on your back end technologies, your protocols, your software. There's a lot behind these applications. I only had access to what any of you could have access to, right: applications from the Play Store, etc., on the Internet. But what about institutional trading, etc.? And that's it. Thank you very much. Do we have time for questions, any question? No. So if you have any questions, we can go to the next room. Thank you.
