I use this service a lot and this is purely to shine more light on the issue and get other users' opinions on it.
Recently I started worrying a little about my account security so I did some experiments in a separate account just for my peace of mind.
On this account I logged in from a different computer (replicating a scenario where my password is stolen).
Then I used the saved credit card to deposit more cash onto the account (I only tried with 10£ but I urge others to try with more).
Then I added a different card of a different person, issued in another country and currency just to top it off, and made a small deposit of 1£ so that the card was saved.
Lastly I did two withdrawals of 1£ to the “hacker” credit card and then “10£” to the “hacker” credit card again. (I have received the refunds in the account already)
This pretty much shows that someone can use trading212 to charge your card for 1000£s and withdraw it to their card and also sell your positions.
I have only tried with small amounts but I don’t see why this would change if I were using 10x the amount.
TL;DR
I was able to deposit more money into the account and withdraw it to a different person's credit card in barely 5 minutes.
I like this app and want to continue using it but I hope for some security fixes.
Thanks
If I am not wrong, withdrawals are possible only on cards belonging to the account holder (Name is checked if it matches). Did you use another credit card on your name?
Yeah, that’s what they say, but I just added a card with a different name but on the trading212 I used the account holder's name and it worked with no issue.
As I am concerned now, I might give a try depositing money from my sister’s account and try a withdrawal. However, I had one of my friends who had his deposit rejected and the card was not saved when deposited with his mother’s bank card, it was the first deposit.
The way it is supposed to work is that the money can only be withdrawn to the cards that deposited it. I don’t really understand how this happened. Did you set it up through Google Pay/Apple Pay etc.? Bit confusing so I’m sure people will be glad when 2-factor authentication comes about.
Regular debit cards. That statement is true the first time, that’s why I can only withdraw 1£, but after that the card is still selectable for bigger withdrawals.
The key point here is he used someone else’s account to deposit but changed the name on the deposit to make it look like it was coming from him. (and somehow that was accepted) Then you can withdraw to that account since it is “yours”
If that’s really the case, T212 should set up some sort of email/phone confirmation system when money is being moved and maybe add optional double auth on login…
Yes, I get it, I just want to understand why. The team really need to take a look at it and hopefully it was just a one-off case that slipped through somehow and they can patch up the bug.
Sure, I know what you mean. But I think it’s complicated. If two people have the same name, for instance, how do you distinguish between them to say it's not the same person depositing?
On a side note, a similar issue was brought up on Reddit here months ago.
I think it’s the same as other broker accounts. If you got my username/password for my last broker you could log in. Go to the linked account page. Change it to anything you want then withdraw the money.
The “security” is the username and password alone really.