Redtail isn't the only firm with cybersecurity issues

Study of 30 mobile apps found vulnerabilities at 29 firms

May 28, 2019 @ 2:24 pm

By Ryan W. Neal

Redtail Technology is the latest firm dealing with the fallout of a cybersecurity issue, but it likely won't be the last.

In an email sent to advisers last week, Redtail blamed its leak on systems that inadvertently stored investors' personal information on a debug log file. These files record database operations, system processes, and errors for software developers in case they need to fix something. Redtail's debug file was publicly accessible to anyone with an internet connection.

But Redtail is hardly alone, said Alissa Knight, a senior analyst with Aite Group's cybersecurity practice. In a recent study of the security of 30 mobile apps from financial services firms in the U.S. and Europe, information stored inappropriately on a debug file that could be accessed publicly was identified as a common issue.

"Many of the apps I looked at were also mistakenly configured to log in debug mode, logging everything happening within the app, including sensitive data to log files," Ms.Knight said.

(More:State regulators release model cybersecurity rule)

While she wouldn't disclose the name of the firms she studied, they spanned banking, retail brokerage, financial technology vendors and auto insurance, she said.

Ms. Knight concluded that there is "a systemic problem" across both financial services firms and fintech: "a widespread absence of application security controls and secure coding."

Despite the amount of sensitive data these firms handle, many are still failing to apply adequate security to apps, she said.

Ms. Knight found vulnerabilities in 29 of the 30 apps analyzed. It took her less than nine minutes to identify the issue at many of them.

Especially concerning is the application programming interfaces (APIs) that companies use to integrate data with third-parties, she said. Financial services companies and fintech vendors have a habit of hard-writing credentials and API keys into the code. Anyone who knows where to look can gain access.

And hackers know where to look.

"Hackers are beginning to shift their focus to attacking organizations and end users via their mobile apps by finding vulnerabilities in the code due to a lack of code obfuscation being employed to secure apps," Ms. Knight wrote in her report.

The increase in the number of API codes that can be seen publicly on the internet is one reason hackers are increasingly focusing there, she said. Also, it's relatively easy to learn the company's API URLs by looking at the company's mobile app source code.

If security experts know this can be a problem, why is it happening? One reason might be companies outsourcing app development offshore to save costs.

(More: Fintech goes international to find top tech talent)

"I was talking to some of the fintech companies and asked this very thing," she said. "They tell me a lot of the time companies they outsource to will publish the code and the fintech or financial services companies aren't even involved in the process."


What do you think?

View comments

Most watched


Young professionals see lots of opportunity to reinvent the advice experience

Members of the 2019 InvestmentNews class of 40 Under 40 have strategies to overcome the challenges of being young in a mature industry.


Young advisers envision a radically different business in five years

Fintech and sustainable investing are two factors being watched closely by some of the 2019 class of InvestmentNews' 40 Under 40.

Latest news & opinion

New Jersey fiduciary rule: Pressure leads to public hearing, comment deadline extension

Industry push results in chance to air grievances on July 17 and another month to present objections.

InvestmentNews' 2019 class of 40 Under 40

Our 40 Under 40 project, now in its sixth year, highlights young talent in the financial advice industry. These individuals illustrate the tremendous potential of those coming up in the profession. These stories will surprise, entertain, educate and inspire.

Galvin to propose fiduciary rule for Massachusetts brokers

The secretary of the commonwealth is proposing a fiduciary standard in response to an SEC investment-advice rule he views as too weak.

Summer reading recommendations from financial advisers

Here are some books that will keep you informed and entertained during summer's downtime

4 strategies for Roth conversions

There's never been a better time to do a Roth conversion, and here are several ways to go about it.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print