How a hacker can drain your account and bank: step by step

Hello community,

I use this service a lot and this is purely to shine more light into the issue and get other users opinions on it.

Recently I started worrying a little about my account security so I did some experiments in a separate account just for my peace of mind.

On this account I logged in from a different computer (replicating a scenario where my password is stolen).
Then I used the saved credit card to deposit more cash into the account (I only tried with 10£, but I urge others to try with more).
Then I added a different card belonging to a different person, issued in another country and currency, just to top it off, and made a small deposit of 1£ so that the card was saved.

Lastly I did two withdrawals: 1£ to the "hacker" credit card and then 10£ to the "hacker" credit card again. (I have already received the refunds in the account.)

This pretty much shows that someone can use trading212 to charge your card for 1000£s, withdraw it to their own card, and also sell your positions.
I have only tried with small amounts, but I don't see why this would change if I were using 10x the amount.

TL;DR
I was able to deposit more money into the account and withdraw it to a different person's credit card in barely 5 minutes.

I like this app and want to continue using it, but I hope for some security fixes.
Thanks

15 Likes

This is extremely concerning. @Team212

4 Likes

If I am not wrong, withdrawals are possible only to cards belonging to the account holder (the name is checked to see if it matches). Did you use another credit card in your name?

Yeah, that's what they say, but I just added a card with a different name, and on trading212 I used the account holder's name, and it worked with no issue.

1 Like

Please give it a try and share what happened, so that it is not only my story.

With respect, I think you could have just emailed this; T212 should read this, investigate, and take the thread down ASAP.

4 Likes

All this is very, very concerning. Never tried it.
I imagine if your money disappears to a different card user, you can claim it easily with T212.

Why? If this is true it is very concerning, and all of us should know about it…

1 Like

I have tried several ways; nonetheless, this is not critical unless your password is exposed, so most users will be OK.

As I am concerned now, I might give it a try, depositing money from my sister's account and then attempting a withdrawal. However, I had a friend whose deposit was rejected, and the card was not saved, when he deposited with his mother's bank card; it was his first deposit.

The way it is supposed to work is that the money can only be withdrawn to the cards that deposited it. I don't really understand how this happened. Did you set it up through Google Pay/Apple Pay etc.? A bit confusing, so I'm sure people will be glad when two-factor authentication comes about.

1 Like

Regular debit cards. That statement is true the first time; that's why I could only withdraw 1£, but after that the card is still selectable for bigger withdrawals.
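The two posts above describe the gap precisely: the destination card is only validated once, at the moment it is first added, and after that it is selectable for withdrawals of any size. The model below is an added illustration, not Trading 212's code, of what a closed-loop withdrawal rule looks like next to the weak rule the thread describes. Everything in it is assumed: the `Card`/`Account` shapes, the `token` and `holder_name` fields (standing in for a processor-issued card token and the cardholder name the processor reports), and the two scenarios, which replay the original post and the "two people with the same name" objection with constructed data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical data model (assumption): a saved card is identified by a processor
# token, carries the cardholder name the processor reported (never a name typed
# into a form), and tracks how much it has net-funded the account.


@dataclass
class Card:
    token: str
    holder_name: str
    net_funded: float = 0.0  # deposits from this card minus withdrawals sent to it


@dataclass
class Account:
    holder_name: str
    balance: float = 0.0
    cards: Dict[str, Card] = field(default_factory=dict)


def deposit(acct: Account, card: Card, amount: float, name_on_form: str, strict: bool) -> bool:
    """Fund the account from `card` and save the card on first use.

    Weak mode (the behaviour the thread describes): the only check is that the
    name the user typed on the deposit form matches the account holder.
    Strict mode: the name must come from the processor's cardholder record.
    """
    if amount <= 0:
        return False
    name_to_check = card.holder_name if strict else name_on_form
    if name_to_check != acct.holder_name:
        return False
    saved = acct.cards.setdefault(card.token, card)
    saved.net_funded += amount
    acct.balance += amount
    return True


def withdraw(acct: Account, token: str, amount: float, strict: bool) -> bool:
    """Send `amount` to a previously saved card.

    Weak mode: any saved card is a valid destination, up to the balance.
    Strict mode (closed loop): the card must still belong to the account holder
    and can only receive what it itself put in, so funds deposited from card A
    can never leave via card B, even when both cards carry the same name.
    """
    card = acct.cards.get(token)
    if card is None or amount <= 0 or amount > acct.balance:
        return False
    if strict:
        if card.holder_name != acct.holder_name:
            return False
        if amount > card.net_funded:
            return False
        card.net_funded -= amount
    acct.balance -= amount
    return True


def replay_original_post(strict: bool) -> Tuple[List[bool], float]:
    """Constructed replay of the original post: 10 from the victim's saved card,
    1 from a stranger's card with the victim's name typed on the form, then
    withdrawals of 1 and 10 to the stranger's card."""
    acct = Account(holder_name="Alice Example")
    victim_card = Card(token="tok_victim", holder_name="Alice Example")
    attacker_card = Card(token="tok_attacker", holder_name="Bob Attacker")
    outcomes = [
        deposit(acct, victim_card, 10.0, "Alice Example", strict),
        deposit(acct, attacker_card, 1.0, "Alice Example", strict),
        withdraw(acct, "tok_attacker", 1.0, strict),
        withdraw(acct, "tok_attacker", 10.0, strict),
    ]
    return outcomes, acct.balance


def replay_same_name(strict: bool) -> Tuple[List[bool], float]:
    """Constructed variant of the same-name objection: the second card really
    does carry the account holder's name, so a name check alone cannot stop it."""
    acct = Account(holder_name="Alice Example")
    victim_card = Card(token="tok_victim", holder_name="Alice Example")
    namesake_card = Card(token="tok_namesake", holder_name="Alice Example")
    outcomes = [
        deposit(acct, victim_card, 10.0, "Alice Example", strict),
        deposit(acct, namesake_card, 1.0, "Alice Example", strict),
        withdraw(acct, "tok_namesake", 1.0, strict),
        withdraw(acct, "tok_namesake", 10.0, strict),
    ]
    return outcomes, acct.balance


if __name__ == "__main__":
    for label, fn in (("original post", replay_original_post), ("same name", replay_same_name)):
        for strict in (False, True):
            print(label, "strict" if strict else "weak", fn(strict))
```

Under the weak rule both replays end with the balance at zero and every step accepted, which is the outcome the first post reports. Under the strict rule the stranger's card is refused at deposit time, and the namesake card gets its own 1 back but cannot take the 10 that another card funded, because the cap is per card token, not per name.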

The key point here is that he used someone else's card to deposit but changed the name on the deposit to make it look like it was coming from him (and somehow that was accepted). Then you can withdraw to that card since it is "yours".

1 Like

If that's really the case, T212 should set up some sort of email/phone confirmation when money is being moved, and maybe add optional two-factor auth on login… :nerd_face:

3 Likes

Yes, I get it; I just want to understand why. The team really needs to take a look at it, and hopefully it was just a one-off case that slipped through somehow and they can patch the bug.

1 Like

I don't disagree, but having a thread with the title worded as it is doesn't make any part of the situation any better.

2 Likes

Sure, I know what you mean. But I think it's complicated. If two people have the same name, for instance, how do you distinguish between them to say it's not the same person depositing?

On a side note, a similar issue was brought up on reddit here months ago.

I agree, it's a little clickbait, but I didn't know what else to put.

It’s more the fact that if there are any security flaws, it’s a huge green light to any opportunistic hacker/thief, to try their luck.

I think it's the same as other broker accounts. If you got my username/password for my last broker, you could log in, go to the linked account page, change it to anything you want, then withdraw the money.

The “security” is the username and password alone really.