Security of account access

Hello. I’m still trying to get to grips with the Freetrade process, I’ve established that I’ve opened a BASIC ISA account and I’ve hacked my way through the ISA Transfer form having encountered a couple of “bugs”. The process so far has been flakey, not particularly well designed and quite frankly, has left me feeling a bit insecure. So I’m assuming my Fidelity ISA is now on its way into my Freetrade ISA, so far so good. But now I’ve moved on to being concerned about the security of my funds as follows.

1. Digital access control. To log into my account on my mobile phone all I have to do is enter 4 numeric digits, this feels weak and eminently hackable (so just 24 possible combinations) compared to every other mobile app I use (e.g., Interactive Investor, Fidelity, First Direct, Starling, Cynergy, etc, etc,) which requires email address and a strong shared secret password / passphrase as a minimum.
2. Identification and verification. The only credentials Freetrade requested from me when opening my account were my name, address and email address, they have not asked me to add a user ID, password or other shared secret information (mother’s maiden name, etc). Once I opened the account I didn’t receive a customer ID or anything. If they have (because I forgot that they asked) then I’m not aware because I don’t have an account opening confirmation email I could check. I guess Freetrade might scrape my NI number from my ISA transfer form and also they’ll have my mobile phone number I guess but this is very easy to obtain by the average fraudster (e.g., my mobile phone number is displayed on my company web site).

So…can anybody offer any assurances about access control and ID&V for the funds I have in my Freetrade account (the non-techy version, maybe by comparing / benchmarking Freetrade with the kind of competitor providers I’ve listed above)?

There’s a lot more combinations from 4 digits than 24!

Indeed. 10^4. So 10000.

To 1.
That’s indeed an issue with Freetrade. You got that right. However, the only thing someone that hacked your account can do would be buy/sell and withdraw to your linked bank account. Your money is never going to vanish.

Freetrade are FCA regulated with 1.3 million people managing over £1bn in assets. They’re okay

On 1.

There are 10,000 combinations for a 4 digit pin.

Now realistically this can usually be reduced if you have more information about the account owner as often they use familial numbers.

However (I’m not going to test it at the minute) you also get a set number of attempt I believe limiting how many you can attempt.

You also have to have the persons phone to require access to the app.

If your phone has no security on it then this is a failure on your part not freetrades. You need to secure your own phone.

Saying that freetrade should work on the assumption that your not securing your phone.

That does present some problems. Not because the pin isn’t secure. But because your entire digital life is insecure as anyone with access to your phone will have access to your email and subsequently access to every account you ever made online.

I’m no fan of how freetrade does their initial login on first install. They use your email to authenticate you. It’s rubbish and they shouldn’t use it. But the pin is generally fine.

Especially if your securing your phone… which your should be, and I hope you are.

Buy an iPhone. My app uses Face ID to unlock it. then if that fails my passcode

It also supports fingerprint id if you have that, Mine keeps failing because I keep ruining my fingerprints rock climbing

Regarding the ID verification they do go through the anti money laundering “Know you customer” stuff. It actually took a few days to do the verification when I first signed up

Hello. Thank you all for your responses. I’m flattered. Here are my reflections (please don’t be offended).

Digital security. Yep my bad, there are more combinations of any 4 numerics than 24, but the materiality of the point is still valid I think, a 4 numeric digit code is eminently hackable, but good point about limits on the number of access attempts to help prevent a successful brute force attack. Yep, Android also have good biometrics (actually like a lot of the android ecosystem where developers compete over who can offer the best apps, its probably too good, so good its easy to get lost in the complexity, I changed from IOS to Android just over a year ago and I sometimes miss the simple but often frustrating “one way of doing everything” approach with IOS). I use finger print rather than facial (wrt facial I worry about my mood / facial expression and whether or not I’m wearing my specs) but sometimes (at least every week with Interactive Investor) the provider fails to recognise the biometric login and requests a minimum of provider assigned customer ID and strong password (rather than a 4 digit code) to get back up and running again with biometric. wrt. just trusting Freetrade because they have a lot of money under management, I think its fair to say that much larger, established and august financial services organisations have had their systems cracked by hacks, so that doesn’t help me sleep at nights. I have a similar concern about the assurance that the only place my money can go is into my linked bank account, I guess if my account is hacked then those extremely clever hackers / fraudsters might also figure out how to change the linked bank account details to theirs. ps. I recently worked for an org. who have a lot of issues with overseas call centre agents hacking into customer accounts, so its not just externals I worry about. So I’m left with the dilemma of trading off worries about the security of my money with the temptation of free platform fees and trading. Well, its a very small % of my overall portfolio so I’ll take the risk and keep my buttocks clenched!

ID&V. Thanks for advising that Freetrade will have taken me through KYC. Assuming that they probably did (but I didn’t recall) I clicked on the little profile icon to the top right of my phone screen to see what credentials they recorded about me and how I might modify them … but I saw nothing other than name, postal address and email address and no option to modify them. Can anyone advise me how I can view (and modify) all the credentials Freetrade have about me? Please don’t tell me I can simply request a change using the “contact us” option in Help & Support…that would feel like a really big trojan horse!

That depends if they just do it without asking for further verification. I think they would want some evidence. Although whether they get that from you or use other sources (electoral register etc.) I’m not sure.

The PIN / biometric / faceID is the last line of defense. At this point your phone is unlocked and the attacker has control. This means they have access to your email, 2FA application if you have one, SMS 2FA, google 2FA. I think you will have bigger problems than your FT account.

Honestly, I am not sure the PIN matters at all. If someone has access to your email they can login on Freetrade on any device with the “magic link”.

By the way, this “magic link” only contains 8 digits. A link looks like http:[doubleslash]magic[dot]freetrade[dot]io[slash]?otp=XXXXXXXX … I am sure that otp only lasts a few minutes, but realistically if a malicious party just tried random combinations every second or so it would manage to log into an account in a matter of months

I’d argue that Freetrade’s best line of defense is that changing the bank account requires the user to go through a lengthy procedure and to receive emails about that, plus some security info (I got asked the last digits of my NIN, and some other stuff), so even if someone gets access to your account they can’t actually steal the money.

I too am slightly concerned about ease of access ( 4 digit pin) when compared to the Hargreaves’s app which requires username / password/ 6 digit pin/ DOB and generally feels much more secure.

I’ve just transferred my SIPP over to FT and am now using as my main/only brokerage with a significant amount in.

As a FT shareholder I also want all users to be happy. Could it be a feature request to offer additional security to those that want it; and retain the 4 digit pin option as the default standard to new customers?

As a Cyber Security Engineer (in training), I can tell you the PIN length does not matter. It is not like anyone can try more than a few attempts on any particular device before it gets locked and flagged within the FreeTrade system.

To illustrate, let’s assume the maximum number of failed attempts is 10 (I believe it’s less tho), then the chance of anyone guessing your PIN right is 0.1 % (this is already low enough). But then, they must have first broken your device PIN. Assuming the PINs are different and the device PIN is also a 4-digit number with a maximum of 3 failed attempts, then the chance of anyone breaking into your FreeTrade app is 0.00003 %. But If we are to be precise we need to add the chance of the phone being stolen in the first place (which is 31% based on this source). So the final chance of your account being compromised with a particular PIN is about 0.0000093 %. Cryptography is all about probabilities and this number would be extremely sufficient for me to ever approve such a security measure.

Overall, the approach FreeTrade went with is even more secure, however. FreeTrade PINs are local to a device (true to one single app installed on a particular device) and hardware-backed. (similar to Windows Hello PIN)

Anyone stealing your PIN can’t do anything with it unless they have your phone, and even then they won’t be able to get in with the few attempts they have, this is already assuming they broke your device PIN or lock pattern to get in in the first place. This is even ignoring the fact both your phone and even the app support biometric access.

The verdict: It is completely unfounded to be worried about this.

Now, this analysis is ignoring ALL the other security measures which are in place such as ML fraud detection, withdrawals limited to linked accounts and more, which would need to be considered if the question was "Can anyone steal my funds? instead of “Can anyone access my account?”.

Just a note (and this has been brought up before). Freetrade cannot make any positive assumption on device security (and you shouldn’t either as a security engineer) unless they can verify independently that the device is secure.

If they can’t, they have to go on assuming the weakest security position of the device which would be no pin or weak pin if they’re able to get a pin/no pin type info.

Also, your calculations on the pin aren’t quite right. You’ve not taken into consideration the human factor. Both from the user and attacker side.

Freetrade doesn’t limit what pin can be used (another weakness in the system). Want to make your pin 1234 you can go right ahead. This means that people are more likely to make a weak or memorable pins from known information. This issue can be compounded by the likelihood that someone trying to access their existing device (the only reason you’d even need to know the pin) is going to be someone they know, and they’ll know many key numbers in that person’s life to try.

(you get 3 attempts with a 10 minute lockout, there doesn’t seem to be any permanent lockout)

Freetrades login and security system is weak, but it’s not the worst in the world, its ok, but could be much better. On the other hand, your suggestion that the pin is impossible to break also isn’t really reality, the pins are relatively secure, and i agree there generally shouldn’t be too much to worry about with the use of a pin on the device, it’s just not as secure as you suggest and could be incredible weak for many users if they use weak pins (which isn’t prevented).

Worth another note as well @Ste1’s concern is around login, not the app pin. HL doesn’t use an app pin and requires full login details to login to the app (with an option after login for biometric login on supported devices)

The pin its self isn’t really the biggest problem, it’s the reliance on email and a single link for complete account access. Which again Freetrade can’t assume is secure, it’s not their system, they have zero visibility of it, and should if they’re doing their job right, they should assume its insecure.

Currently, the only thing you need to log into an account is access to the persons email or access to the login link that’s created. There’s no verification, it just lets you right in. Thats the real issue.

To add on to the issue with the magic link, Freetrade don’t expose any information on logins to the users. There’s no session information, there’s no alert to newly logged in devices. No letters sent on new devices or account changes, no emails, no in app notification. They don’t even prevent account logins from foreign locations. You’d have no idea if someone had access to your investment account.

As a sec engineer in training something to keep in mind is not to make positive assumptions around security measures where you don’t actually know if they’re implemented. If a security measure is options, then you have to work from the base that it’s not enabled.

As someone working within Cyber security - albeit very recently and not as an engineer or expert, what I’ve learned is that we should all be concerned about the security of anything we do online. It’s not completely unfounded to be worried, it’s a legitimate concern. Our personal details are often easily available via social media and a 4 or 6 digit code chosen by the user will often have some personal significance, which reduces the combination options.

If anyone wants to test their passwords/pin codes, pop them into here. It’ll tell you how long it could take to brute force and gain access to whatever it is protecting. (It’s telling me that a 4 digit pin can be hacked in 11.11 seconds - but that’s assuming an automated system of brute force software creating 1,000 guesses per second.) I would think that if a hacker is going to invest in that software, and go to the trouble of breaking into Freetrade somehow, it won’t be through one of our accounts, they’d go for the main FT system. I am choosing, at this point, to assume that as FT os FCA approved, that they have some pretty robust security behind our individual accounts.

We all need to be careful with our information, and be security aware.

This statement is wrong because they’re not going to have 1000 guesses/s.

I never said this. With due respect, this is just false and unfair from you. I’d also disagree with your objection on “positive assumptions”, if you read my analysis carefully I’m simply making a preliminary analysis and multiple times point out different numbers relevant to a question at hand. Of course, as in any engineering field, one must and will inevitably make informed evidence-backed assumptions, you can see it in all cyber systems around us. If it wasn’t the case it would take you 5 minutes to authenticate (because of all the measures in place) into every single service and account you use and not 10 seconds as it in fact does.

This is your claim, which is to suggest that its effectively not going to be broken. As you’re new to the field of security i was just making some observations that i hoped would be helpful. Statistics and data based on sterile environment rarely if ever reflect reality and it always misses the human factor, which is what you did, which is all i was pointing out.

There’s no permanent lockout that I’ve seen, so they would have 1000 guesses. But as mentioned the pin isn’t the problem, its relatively recure in many cases.

It is not a claim but an actual probabilistic analysis. That fact that you call it impossible is your claim.

This was meant to be guesses/s.