How a hacker can drain your account and bank: step by step

So, let's see. OP makes claims, zero evidence, zero screenshot. Uses 1£/10£ example. Everyone joins the discussion.

Please @ OP, can you do a 100£/1000£ action, and also please provide a screenshot before making such claims?

Have a nice weekend. :partying_face:

I believe they did it. Seems feasible. For me though the events and their probability are like this:

  1. username and password stolen: extremely difficult - almost impossible
  2. login and pretend you are me: easy
  3. withdraw money using card trick: easy

So for me step 1 is enough security, only thing I can think of is losing a phone without a) a pin lock on the phone and b) without a pin lock on the app which again is very unlikely and user error which is just common sense to keep your phone secure.

And also more in-depth checks are probably done on larger withdrawals which we don't know about.

This is what happens when customers demand automation. Anyhow, if you had withdrawn a higher amount, it would have never gone through I believe (it goes via a manual review - perhaps with threshold increasing with each successful withdrawal in the same payment method).

Secondly with SCA (Strong Customer Authentication) entering force, card verification will be more sophisticated and secure.

Lastly, T212 doesn't ensure that the card name matches, hence the reason they make you tick the box that you are depositing from your own card, for their security. :slight_smile:

3 Likes

I once tried the same with a US broker, more than 10.000$ via bank transfers. All went through. Names didn't match. :slight_smile:

Disclaimer: I had permission and access to do it from the legal owner.

It may just fail with bigger amounts, and I hope so. I may try tomorrow and see what happens.

It may be feasible on the 1£/10£ example, not on 1000£. Because it always goes towards the source of funding, tried and tested.

But ofc click-bait titles, nobody ever tried, joined the bandwagon.

Each person here should rather be thinking: "Hmm, if someone can break my password, they can break my phone, mobile banking, take all cash."

But yes, 1£/10£ claims make headlines. :partying_face:

Hackers are known to drain 1£/10£ from accounts. They live frugal lives.

3 Likes

Step one may not be so impossible if you get phished with a link like https://trading212.pro or something where you type your password.

Yes, but that goes for any site you log in to. I don't see T212 being less secure with their username and password than any other site.

Well, in all honesty, getting phished has been very common for decades. If someone on this forum harvests some emails and then starts to phish, a ~1-3% success rate can make them rich.

Or if one were to make another little service/app/plugin where T212 users enter their email, one could get tens of thousands of emails, and that could lead to 100s of accounts being compromised.

With 2FA and withdrawal password missing, T212 is in a bad position. So the OP does bring a valid concern in terms of security.

Another disclaimer: I'm an Information Security expert, worked for companies in Silicon Valley and the EU.

3 Likes

From what I've read, 2FA isn't the magic bullet that solves all phishing security concerns. Sure it helps, but there are many articles explaining the dangers of 2FA and why it doesn't solve all problems and actually lets users think they are safer when they are not.

So IMO by implementing 2FA users won't be 100% "safe" from hackers and phishing attacks.

Maybe the password on withdrawal is a good idea which can help, but if they hack the password they will know this anyway.

Edit... See the article from today about the Robinhood "hack"... users who were hacked had 2FA enabled and it didn't help them...

Bloomberg: Robinhood Users Say Accounts Looted, No One to Call.
https://www.bloomberg.com/news/articles/2020-10-09/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call

Security is only as strong as its weakest link.

I wanted to join the debate, but then decided to go to bed. More secure that way. :thinking:

2 Likes

Couldn't agree more. Why post this on the forums? Email tech support and stop being a scaremonger. Not cool.

1 Like

Yup. T212 will set up 2FA to tick that box and keep people "safe", then they will continue to store their login details in Notepad on their desktop (with password123 as the password), click on dodgy emails and give out their details to cold callers.

Speaking of Robinhood... We will soon be targets as well.

I just saw that too. And in the Bloomberg article I was reading, the users said they were using 2FA and a unique password for the site and they were still compromised.

Robinhood is the best broker. I don't believe it. They have never had problems. They will be the best when they come to the UK. :crazy_face:

@ the OP,
I'm no techie, but did you use the same PC when you did this test? I'm just wondering if that might be why it let you withdraw etc.

Sorry just re-read your first post, you used a different PC.

Col.

I wouldn't even go so far as to need verification for each withdrawal. An email verification when a new card is added or removed would be good enough for me.

1 Like
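The controls discussed in this thread (withdrawals only back to the source of funding with a manual-review threshold that grows with each successful withdrawal on that method, and email confirmation when a new card is added) as an added toy policy model; this is example code written for this thread, not Trading 212's code, and all names, limits and amounts are constructed assumptions.

```python
# Added example, not from the thread: a toy withdrawal-policy check modelling the
# controls posters describe. All constants and names are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class PaymentMethod:
    method_id: str
    email_verified: bool = False   # True only after the owner confirms the add-card email
    total_deposited: float = 0.0
    successful_withdrawals: int = 0


@dataclass
class Account:
    methods: dict = field(default_factory=dict)


BASE_AUTO_LIMIT = 100.0  # constructed: auto-approve up to 100 on a method with no history
LIMIT_STEP = 100.0       # constructed: limit grows by 100 per successful withdrawal


def add_method(account, method_id):
    """Register a new card; it is unusable until the owner confirms by email."""
    account.methods[method_id] = PaymentMethod(method_id)
    return "email_verification_required"


def confirm_method(account, method_id):
    """Called when the owner clicks the confirmation link sent on card add/remove."""
    account.methods[method_id].email_verified = True


def record_deposit(account, method_id, amount):
    pm = account.methods[method_id]
    if not pm.email_verified:
        return "reject"
    pm.total_deposited += amount
    return "approve"


def auto_limit(pm):
    # Threshold rises with the method's own track record of successful withdrawals.
    return BASE_AUTO_LIMIT + LIMIT_STEP * pm.successful_withdrawals


def decide_withdrawal(account, method_id, amount):
    pm = account.methods.get(method_id)
    if pm is None or not pm.email_verified or pm.total_deposited <= 0:
        return "reject"         # money may only go back to a confirmed source of funding
    if amount > auto_limit(pm):
        return "manual_review"  # large relative to this method's history: human check
    pm.successful_withdrawals += 1
    return "approve"
```

A card that never deposited is rejected outright, so the 1£/10£ test in the thread would only ever succeed towards the funding card, and a 1000£ attempt on a fresh method lands in manual review.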

I was just thinking: when I use PayPal to do any transaction, I have it set to send a verification code to my phone to authenticate it. Maybe if we could use PP for all the accounts, that might be a good idea.

Col.