How a hacker can drain your account and bank: step by step

So, let’s see. Op makes claims, zero evidence, zero screenshot. Uses 1£/10£ example. Everyone joins the discussion.

Please @ OP can you do 100£/1000£ action, also please, provide screenshot before making such claims?

Have a nice weekend. :partying_face:

I believe they did it. Seems feasible. For me though the events and their probablity are like this:

  1. username and password stolen: extremely difficult - almost impossible
  2. login and pretend you are me: easy
  3. withdraw money using card trick: easy

So for me step 1 is enough security, only thing I can think of is losing a phone without a) a pin lock on the phone and b) without a pin lock on the app which again is very unlikely and user error which is just common sense to keep your phone secure.

And also more in depth checks are probably done on larger withdrawals which we don’t know about

This is what happens when customers demand automation. Anyhow, if you had withdrawn a higher amount, it would have never gone through I believe (it goes via a manual review - perhaps with threshold increasing with each successful withdrawal in the same payment method).

Secondly with SCA (Strong Customer Authentication) entering force, card verification will be more sophisticated and secure.

Lastly, T212 doesn’t ensure that the card name matches, hence the reason they make you tick the box that you are depositing from your own card, for their security. :slight_smile:

3 Likes

I once tried the same with a US broker, more than 10.000$ via bank transfers. All went through. Names didn’t match. :slight_smile:

Disclaimer I had permission and access to do it from the legal owner.

It may just fail with bigger amounts and I hope so. I may try tomorrow and see what happens

It may be feasible on 1£/10£, not on 1000£ example. Because it always goes towards source of funding, tried and tested.

But ofc click bait titles, none ever tried, joined bandwagon.

Each person here should rather be thinking. “Hmm if someone can break my password, they can break my phone, mobile banking, take all cash”

But yes 1£/10£ claims make headlines. :partying_face:

Hackers are know to drain 1£/10£ from accounts. They live frugal lives.

3 Likes

Step one may not be so impossible if you get phished with a link like https://trading212.pro or something where you type your password

Yes but that goes for any site you login to. I don’t see T212 being less secure with their username and password than any other sites.

Well in all honesty, getting phished is very common since decades. If someone on this forum harvests some emails and then start to phish, ~1-3% success rate can make them rich.

Or if one was to make another little service/app/plugin where T212 users enter their email, one can get tens of thousands of emails, and that could lead to 100s of accounts being compromised.

With 2FA and withdrawal password missing, T212 is in a bad position. So the OP does bring a valid concern in terms of security.

Another disclaimer: I’m a Information Security expert, worked for companies in Silicon Valley and EU.

3 Likes

From what I’ve read 2FA isn’t the magic bullet that solves all phishing security concerns. Sure it helps but many articles explaining dangers of 2FA and why it doesn’t solve all problems and actually let’s users think they are safer when they are not.

So IMO by implenting 2FA users won’t be 100% “safe” from hackers and phishing attacks.

Maybe the password on withdraw is a good idea which can help but if they hack the password they will know this anyway.

Edit… See article from today about Robinhood “hack”… users who were hacked had 2FA enabled and it didnt help them…

Bloomberg: Robinhood Users Say Accounts Looted, No One to Call.
https://www.bloomberg.com/news/articles/2020-10-09/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call

Security is only as strong as its weekest link.

I wanted to join the debate, but then decided to go to bed. More secured that way. :thinking:

2 Likes

Couldn’t agree more, Why post this on the forums. Email to Tech support and stop being a scare monger. No cool.

1 Like

Yup. T212 will setup 2FA to tick that box and keep people “safe” then they will continue to store their login details in notepad on their desktop, (with password123 password) click on dodgy emails and give out their details to cold callers.

Speaking of Robinhoob… We will soon be targets as well.

I just saw that too. And in the bloomberg article I was reading the users said they were using 2FA and unique password for the site and they were still compromised.

Robinhood is the best broker. I don’t believe it. They have never had problems. They will be the best when they come to UK. :crazy_face:

@ the OP,
I’m no techie but did you use the same PC when you did this test, I’m just wondering if that might be why it let you withdraw etc?

Sorry just re-read your first post, you used a different PC.

Col.

I wouldn’t even go that far as to need verification for each withdrawal. An email verification when a new card is added or removed would be good enough for me.

1 Like

I was just thinking, when I use PayPal to do any transaction I have set it to send a verification code to my phone to authenticate it, maybe if we could use PP for all the accounts might be a good idea.

Col.