Please include Multi-Factor authentication as a security feature, I work in security and the app not having this is extremely worrying to me
I canāt overstate how important security is in an app like this, and how a single blunder that a normal user canāt prevent will undermine trust for the app.
Please add this, its terrifying to plan for the future without basic security features on it.
The previous reply from Freetrade seems to fundamentally miss the point. They mention that a user can enable 2FA on their email. This is essentially passing off the security of Freetrade user accounts to an unknown third party.
Itās fundamentally flawed, and I can only imagine itās near the top of the head of infosecs risk register. (And if itās not heās missed an issue)
Freetrade cannot know what security if any a user has on their email, or even if theyāre the only ones who have access to it, so they should be assuming that the email has on average very basic username and password security. And as worst, that itās shared or compromised.
The idea that a user should secure their email while good advice isnāt a solution for Freetrade. Itās just bad security practice.
So I do agree that better security is needed at least when logging into the app the first time. It seems to till be a simple email link? Which isnāt any form of secure login in my mind, never mind 2FA.
I totally agree, āmostā people need to be forced into security features too, itās not enough to just have it laying around buried in the settings, it could seriously damage the platform when and I mean when and not āifā a breach happens.
MFA at first login and logout if there is a significant location change, specially when logging in from a high risk country (risk factor authentication) is not just a āfeatureā that is good to have, it is a feature that is necessary if you want to keep freetrade as your main investing platform. How can you sleep knowing that your money is not as secure as you need it to be?
Yeah donāt get me wrong there is other protections around linked bank accounts etc. But the trend to using just an email link to login seems ill advised in the long run. Thereās more security for me to authenticate to Freetrade on my phone than there is to set it up on a strangers device
Agree that 2FA on login would be good, SMS with a one-time code for example.
For those concerned by the RH breach, its unlikely it could be exactly replicated here. As some others have noted, FT only allow you to withdraw to a linked bank account, which would limit an attackers options to buying and selling shares with your existing funds (appreciate also not ideal) or trying to social engineer the FT team to update the account details (in my experience they normally do additional validation at this point).
I donāt see the need for this for Freetrade, as previously stated the existing security measures would prevent the RH issue anyway.
Also while FT is an app it already requires access to the userās phone which should be enough security. I concede that a webapp may require an additional factor.
If people donāt have 2FA on their email then Iām not sure they can be helped anyway. Whatever measures you put in place will probably be undermined by password post-its and the like.
Itās not really about that. From Freetrades perspective it has zero insight into another unknown companies security. Every user could have 2FA on their email and Freetrade would never know. You canāt base security on a coin flip.
Itās not so much about access to the app on your phone, as you say Freetrade do think about the security of that. Itās that the first time login is based on an email for which Freetrade assumes on faith is secure, and for the most part of probably is, but Freetrade has no idea.
It would be the same as having zero security on the app and not bothering to check if the phone has any security enabled and just hoping it is.
Itās not a huge deal, but it is an issue, especially if thereās no other checks when making an initial login to the app on a new device.
As has been mentioned already, you can only make withdrawals from Freetrade to a linked bank account. We have a stringent set of rules in place for people that want to change their linked account. That would make the kind of attack described in the Bloomberg article very hard to carry out.
As to 2FA, I will be totally transparent and say that, while itās something that we do want to add, there are other app features and products that are much more in-demand from customers. We have to focus on those first. I do appreciate that this is frustrating but itās also worth remembering that our existing security procedures are still very stringent.
Thanks for the response. Could I suggest a possible alternative could be to add some information about securing your account somewhere, pin, faceid, and email security etc. This would ensure thereās somewhere people can go to know what the basics are that they need to do.
As you say withdrawing money still has its security checks in place, but what about the app being installed on other devices if someoneās email if compromised? (Correct me if Iām wrong and thereās something in place to stop this?) Information can be as important as the money in many cases.
With the recent RH news coming to fruition, it honestly should be a necessary requirement, particularly as Freetrade is dealing with money - it will just be a matter of time it will become targeted by malicious users.
Freetrade should really be taking security seriously - if you are to graduate among the ābig boysā.
It is a bit unfortunate that management is prioritising features/bells and whistles over core functionality (security).
Using airlines as an exampleā¦ you only need one crash/failure to tarnish your reputationā¦
Just to add my 2 penny stocks worth, security is not āa nice feature to haveā. It is a requirement.
I donāt think itās a valid argument to say that MFA is not needed because the same thing that happened to RH canāt happen here. Sure they canāt withdraw money, but they can sell all your holdings and cost you thousands.
Another point is that your FT account holds a lot of information regarding you, such as address, email as well as the amount you have in the account. This opens up multiple avenues in which an attacker can exploit and use for social engineering attacks.
So whilst I would love to see FT add more functionality and improve the UX (which they are doing well imo) security needs to be top of the list.
Again, security is not a nice to have feature, it is must have requirement.
Even if money canĀ“t be withdrawn, imagine the volume that can be moved on penny stocks to generate winnings somewhere else by taking over a few dozen accounts.
This is a serious security concern. At least for first login and risk country logins it needs to be addressed.
āMagic emailā logins and codes are security theatre: it doesnāt matter if your mail account logins are locked down like fort Knox, emails are fundamentally plaintext. It takes a single hop to a bad-actor mail server for the contents to be read, as there is no enforced end-to-end encryption (any in-flight encryption is purely by servers pinky-swearing not to peek).
With 2FA now in place even for bog standard online transactions, there is zero excuse for it not to be present for access to an account controlling potentially tens of thousands of pounds. Itās not just withdrawal theft that is a concern, having a pool of vulnerable users makes for a nice target for active stock manipulation attacks, for example. And even a basic attack like an unwanted buy or sell order will royally piss off an affected user.
I would agree with the points raised on this thread. As far as I can tell anyone who can access my email account has full control of my Freetrade portfolio (perhaps not withdrawing money but that is not inconceivable). Therefore FT is reliant on unknown email providers for the security of client accounts. Iām not sure this is acceptable for a financial services company. I canāt think of another finance app I have come across that does security this way, surely that rings alarm bells.
I use firebase authentication via a magic link for a game app, thereās no way I would rely on it for anything involving money.
I understand the point about having a linked bank account but regardless of whether money can be stolen, taking over an account would be disastrous for FT. The upcoming SIPP offering is great but one security problem in the media would wipe out all the hard work. In that situation I donāt think blaming it on someoneās poor email security will look very good.
IMO this is core app functionality / security, not a feature. Itās my biggest concern as an investor.
Thatās a very surprising reply. Itās always going to be, and is for every company that has 2FA on their app/website, a tiny minority of customers that ask for 2FA. (Enterprise customers aside.) Customer doesnāt always know best.
Offer it, even enforce it, and reap the reward when you donāt get bad press for not having it, or save the day by having it. Honestly, seeing as everyone else has it, I just assumed it was an FSA requirement; itās certainly the norm, and wouldnāt look good if something happened and some journalist realised 2FA was the obvious missing solution.