Dozens of applications used for online trading by retail investors have cybersecurity vulnerabilities, some of which could lead to hackers siphoning funds from account holders, according to security consultant IOActive Inc.
Ten of the 80 applications tested over a one-year period store passwords of their subscribers without encryption, a flaw that could lead to funds being stolen, IOActive reported at the Black Hat cybersecurity conference Thursday in Las Vegas. Those included software by AvaTrade Ltd. and IQ Option, according to the report.
Software at
ETrade Financial Corp. and
TD Ameritrade Holding Corp. stores trading data without encryption, the report found.
The largest brokers offer the best security, yet still have weaknesses, said Alejandro Hernandez, a senior security consultant and author of the report. The biggest firms have been responsive to IOActive's findings and are fixing the issues, Mr. Hernandez said.
Rebecca Niiya, a TD Ameritrade spokeswoman, said the company investigates any reported vulnerabilities and has "already made progress in addressing the potential issues noted in the IOActive report."
Representatives for ETrade, AvaTrade and IQ Option didn't have any comment or didn't respond to emails seeking a response.
The analysis looked at desktop, mobile and website-based trading software and found the web platforms to be the most secure. Desktop applications were the least secure.
Using the same criteria, banking applications on all platforms are many times more secure than trading apps, Mr. Hernandez said. Retail investors could have a false sense of security because they probably equate their trading applications with their banking software, he said.
