Hernández (a security consultant) analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.
1. Apps transmitted some data in unencrypted form.
2. Mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text.
3. Multi-factor authentication not enabled by default.
4. Logging out didn't immediately end the server-side session.
5. Several trading platforms let users create their own bots, making it relatively simple for a malicious coder to hide a backdoor or other malware.
Details:
Well over half of the desktop applications he examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted.
(Here is the best part) Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text.
Two-factor authentication would prevent that scenario (an attacker logging in with a stolen password), but while most of the web platforms Hernández looked at offer it, they don't enable it by default.
He found that on the web platforms of companies like Charles Schwab and E-Trade, logging out didn't immediately end the session on the server side.
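The logout finding above comes down to whether logout only clears the browser cookie or also deletes the server's session record. The following is an added example (not code from the article or from any platform it names) using an assumed in-memory session store: it shows the weak pattern beside the fix, and a check that replays the old session id after logout to confirm the server rejects it.

```python
"""Session invalidation on logout: weak pattern vs. fix (added example)."""
import secrets
import time


class SessionStore:
    """Constructed in-memory session store keyed by a random session id."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # session_id -> {"user": str, "expires": float}
        self.ttl = ttl_seconds

    def login(self, user):
        # Unguessable id; the server-side record is what actually authorizes requests.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + self.ttl}
        return sid

    def is_valid(self, sid):
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(sid, None)
            return False
        return True

    def logout(self, sid, invalidate_server_side=True):
        # Weak pattern (invalidate_server_side=False): only tell the client to
        # drop its cookie. The record stays on the server, so anyone holding the
        # old id can keep using it until the TTL runs out.
        if invalidate_server_side:
            # Fix: delete the server-side record first, then clear the cookie.
            self._sessions.pop(sid, None)
        return {"set_cookie": "session=; Max-Age=0"}


def replay_after_logout(invalidate_server_side):
    """Log in, log out, then re-present the old session id.

    Returns True if the stale id is still accepted (the reported finding),
    False if the server correctly rejects it.
    """
    store = SessionStore()
    sid = store.login("constructed-user")
    store.logout(sid, invalidate_server_side=invalidate_server_side)
    return store.is_valid(sid)


if __name__ == "__main__":
    print("weak logout, old id still valid:", replay_after_logout(False))   # True
    print("fixed logout, old id still valid:", replay_after_logout(True))   # False
```

The same replay check works against a real platform: log out in one client, then reissue a request with the captured cookie from another, and treat any success as a finding.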
Several trading platforms let users create their own bots through proprietary programming languages, making it relatively simple for a malicious coder to hide a backdoor or other malware.
https://www.wired.com/story/online-stock-trading-serious-security-holes/