A brief guide to fintech security

What do trading platform developers and operators need to keep in mind?

In 2019, the global stock market grew by $17 trillion, and despite world markets being battered — to put it mildly — by the pandemic, interest in investment has not gone away. Since the beginning of 2020, the number of trading app users has only risen.

On the downside, the assets and personal data of e-traders are attractive prey for cybercriminals, and in the event of an incident, it is trading platform operators that have to deal with the consequences. In this post, we talk about the main threats companies face and how to defeat them.

App vulnerabilities

Like any software, trading platforms have vulnerabilities. In 2018, cybersecurity expert Alejandro Hernandez found holes in 79 such apps including not using encryption to store or transmit data (anyone could see or change it) and not logging out users after a period of inactivity. Design-level flaws included permitting weak passwords.

A year later, analysts at ImmuniWeb carried out similar research and reached an equally negative conclusion: Out of the 100 fintech developments they tested, all were vulnerable to some extent. Issues were found in both Web and mobile apps, with many bugs inherited from third-party developments and tools used by the programmers. For some of the vulnerabilities, patches had long existed but hadn’t been applied. One such patch was released back in 2012, but the authors of the fintech app never got around to installing it.

As sure as night follows day, if a product has security issues, they will make themselves known, potentially harming companies’ reputations and scaring away customers. And if, as a result of a bug in an app, users suffer a data leak or financial loss, the developer could face a big fine or be forced to pay damages.

Sometimes, a platform’s creator is the only victim. For example, the authors of the Robinhood trading app failed to spot a bug that allowed premium users to borrow unlimited funds from the platform to trade securities — and one user borrowed a million dollars against a deposit of just $4,000. Traders dubbed it the “infinite money cheat code.”

To avoid losses associated with bugs and vulnerabilities, trading platform coders need to consider security in the development stage, thinking in advance about such things as automatic user logout, encryption, and a ban on weak passwords. They should also regularly review the code for errors and fix them promptly.

Supply-chain attacks

To save time and money, most companies not only write their own code, but also employ third-party developments, frameworks, and services. If a provider’s infrastructure is compromised, the companies that use it can also suffer.

That’s what happened to currency broker Pepperstone, for example. In August 2020, cybercriminals infected the computers of a company contractor, gaining access to its account in Pepperstone’s CRM system. Although the break-in was quickly neutralized, the attackers still managed to steal some client data. The broker says its financial and trading systems were not affected. All the same, recall that data leaks can be very costly for companies even if third-party code is to blame.

To avoid potential burns, always choose reliable, security-minded partners, and never rely on their protection mechanisms alone. Any company in the field of finance should adopt a stringent security policy.

Spear-phishing

The human factor is often the cause of cyberincidents. That’s why attackers use company employees to infiltrate corporate infrastructures.

In that context, in July of this year, cybersecurity researchers connected a series of attacks on fintech institutions in the EU, the UK, Canada, and Australia to the APT group Evilnum. The cybercriminals sent e-mails to company employees with a link to a ZIP archive hosted in a legitimate cloud service. The messages were disguised as business correspondence, and the archive contents as documents or images. Although the promised document or image appeared on the screen, opening it set the infection chain in motion.

Sometimes attackers break into corporate e-mail accounts, which makes their phishing even more convincing. In August of this year, such an attack hit trading company Virtu. According to company reps, cybercriminals got into the mailbox of a top manager and spent the next two weeks sending e-mails to the accounting department with instructions to transfer large sums of money to China. Blind trust cost the company close to $11 million.

To repel such attacks, cybersecurity staff needs proper training. Compile a list of phishing red flags in e-mails and use it to engineer a course of action in the event that a colleague, partner, or client asks you (or seems to be asking you) to send a couple of million — or even a bit less than that — to Jane Doe.

Client problems

Sometimes users lose money through no fault of your company or app — by downloading malware, entering passwords on phishing sites, or otherwise acting irresponsibly. Here too, alas, they may make claims against the trading platform. In some countries, companies are legally bound at least to figure out what happened, so it is worth warning traders from time to time about potential dangers and urging them to protect themselves (and, by extension, you).

It is also a good idea to periodically remind clients that any third-party software, especially if pirated or obtained from dubious sources, can pose a threat. For example, it might steal passwords, including ones for trading accounts.

Warn clients that cybercriminals might pose as your service to extract their credentials. Advise them to pay close attention to e-mails about problems with the service, and to carefully check the sender’s address and the message for typos and bad grammar. Recommend they manually enter the URL in a browser, open the app, or call client support in case of any doubt.

How to protect your money and reputation

Handling money comes with great responsibility, and neglecting security can cost fintech companies a lot. Therefore:

  • Monitor the security of your apps and programs. Scan them for vulnerabilities and show zero tolerance for bugs and errors.
  • Install a reliable security solution on work devices, ideally one that is cloud-based and managed through a single control panel.
  • Train employees in the fundamentals of cybersecurity, so they won’t make mistakes that cost you and your clients money and stress.
  • Use the strictest practicable security policy for employees and third-party suppliers.
  • Remind clients that their money’s security depends largely on them. Recommend they install a security solution on the device they use for trading, and keep it junk-free.
  • Implement security mechanisms in your developments from day 1. That means starting with a ban on weak passwords, encryption, and automatic logout of inactive users as a bare minimum.
Tips