The previous reply from Freetrade seems to fundamentally miss the point. They mention that a user can enable 2FA on their email. This is essentially passing off the security of Freetrade user accounts to an unknown third party.
It’s fundamentally flawed, and I can only imagine it’s near the top of the head of infosecs risk register. (And if it’s not he’s missed an issue)
Freetrade cannot know what security if any a user has on their email, or even if they’re the only ones who have access to it, so they should be assuming that the email has on average very basic username and password security. And as worst, that it’s shared or compromised.
The idea that a user should secure their email while good advice isn’t a solution for Freetrade. It’s just bad security practice.
So I do agree that better security is needed at least when logging into the app the first time. It seems to till be a simple email link? Which isn’t any form of secure login in my mind, never mind 2FA.
I totally agree, “most” people need to be forced into security features too, it’s not enough to just have it laying around buried in the settings, it could seriously damage the platform when and I mean when and not “if” a breach happens.
MFA at first login and logout if there is a significant location change, specially when logging in from a high risk country (risk factor authentication) is not just a “feature” that is good to have, it is a feature that is necessary if you want to keep freetrade as your main investing platform. How can you sleep knowing that your money is not as secure as you need it to be?
Yeah don’t get me wrong there is other protections around linked bank accounts etc. But the trend to using just an email link to login seems ill advised in the long run. There’s more security for me to authenticate to Freetrade on my phone than there is to set it up on a strangers device
Agree that 2FA on login would be good, SMS with a one-time code for example.
For those concerned by the RH breach, its unlikely it could be exactly replicated here. As some others have noted, FT only allow you to withdraw to a linked bank account, which would limit an attackers options to buying and selling shares with your existing funds (appreciate also not ideal) or trying to social engineer the FT team to update the account details (in my experience they normally do additional validation at this point).
It’s not really about that. From Freetrades perspective it has zero insight into another unknown companies security. Every user could have 2FA on their email and Freetrade would never know. You can’t base security on a coin flip.
It’s not so much about access to the app on your phone, as you say Freetrade do think about the security of that. It’s that the first time login is based on an email for which Freetrade assumes on faith is secure, and for the most part of probably is, but Freetrade has no idea.
It would be the same as having zero security on the app and not bothering to check if the phone has any security enabled and just hoping it is.
It’s not a huge deal, but it is an issue, especially if there’s no other checks when making an initial login to the app on a new device.
As has been mentioned already, you can only make withdrawals from Freetrade to a linked bank account. We have a stringent set of rules in place for people that want to change their linked account. That would make the kind of attack described in the Bloomberg article very hard to carry out.
As to 2FA, I will be totally transparent and say that, while it’s something that we do want to add, there are other app features and products that are much more in-demand from customers. We have to focus on those first. I do appreciate that this is frustrating but it’s also worth remembering that our existing security procedures are still very stringent.
Thanks for the response. Could I suggest a possible alternative could be to add some information about securing your account somewhere, pin, faceid, and email security etc. This would ensure there’s somewhere people can go to know what the basics are that they need to do.
As you say withdrawing money still has its security checks in place, but what about the app being installed on other devices if someone’s email if compromised? (Correct me if I’m wrong and there’s something in place to stop this?) Information can be as important as the money in many cases.
With the recent RH news coming to fruition, it honestly should be a necessary requirement, particularly as Freetrade is dealing with money - it will just be a matter of time it will become targeted by malicious users.
Freetrade should really be taking security seriously - if you are to graduate among the “big boys”.
It is a bit unfortunate that management is prioritising features/bells and whistles over core functionality (security).
Using airlines as an example… you only need one crash/failure to tarnish your reputation…
Just to add my 2 penny stocks worth, security is not “a nice feature to have”. It is a requirement.
I don’t think it’s a valid argument to say that MFA is not needed because the same thing that happened to RH can’t happen here. Sure they can’t withdraw money, but they can sell all your holdings and cost you thousands.
Another point is that your FT account holds a lot of information regarding you, such as address, email as well as the amount you have in the account. This opens up multiple avenues in which an attacker can exploit and use for social engineering attacks.
So whilst I would love to see FT add more functionality and improve the UX (which they are doing well imo) security needs to be top of the list.
Again, security is not a nice to have feature, it is must have requirement.
‘Magic email’ logins and codes are security theatre: it doesn’t matter if your mail account logins are locked down like fort Knox, emails are fundamentally plaintext. It takes a single hop to a bad-actor mail server for the contents to be read, as there is no enforced end-to-end encryption (any in-flight encryption is purely by servers pinky-swearing not to peek).
With 2FA now in place even for bog standard online transactions, there is zero excuse for it not to be present for access to an account controlling potentially tens of thousands of pounds. It’s not just withdrawal theft that is a concern, having a pool of vulnerable users makes for a nice target for active stock manipulation attacks, for example. And even a basic attack like an unwanted buy or sell order will royally piss off an affected user.
I would agree with the points raised on this thread. As far as I can tell anyone who can access my email account has full control of my Freetrade portfolio (perhaps not withdrawing money but that is not inconceivable). Therefore FT is reliant on unknown email providers for the security of client accounts. I’m not sure this is acceptable for a financial services company. I can’t think of another finance app I have come across that does security this way, surely that rings alarm bells.
I use firebase authentication via a magic link for a game app, there’s no way I would rely on it for anything involving money.
I understand the point about having a linked bank account but regardless of whether money can be stolen, taking over an account would be disastrous for FT. The upcoming SIPP offering is great but one security problem in the media would wipe out all the hard work. In that situation I don’t think blaming it on someone’s poor email security will look very good.
IMO this is core app functionality / security, not a feature. It’s my biggest concern as an investor.
That’s a very surprising reply. It’s always going to be, and is for every company that has 2FA on their app/website, a tiny minority of customers that ask for 2FA. (Enterprise customers aside.) Customer doesn’t always know best.
Offer it, even enforce it, and reap the reward when you don’t get bad press for not having it, or save the day by having it. Honestly, seeing as everyone else has it, I just assumed it was an FSA requirement; it’s certainly the norm, and wouldn’t look good if something happened and some journalist realised 2FA was the obvious missing solution.