Security of account access

Hello. I’m still trying to get to grips with the Freetrade process. I’ve established that I’ve opened a BASIC ISA account and I’ve hacked my way through the ISA Transfer form having encountered a couple of “bugs”. The process so far has been flaky, not particularly well designed and, quite frankly, has left me feeling a bit insecure. So I’m assuming my Fidelity ISA is now on its way into my Freetrade ISA; so far so good. But now I’ve moved on to being concerned about the security of my funds, as follows.

  1. Digital access control. To log into my account on my mobile phone, all I have to do is enter 4 numeric digits. This feels weak and eminently hackable (so just 24 possible combinations) compared to every other mobile app I use (e.g., Interactive Investor, Fidelity, First Direct, Starling, Cynergy, etc.), which requires an email address and a strong shared secret password / passphrase as a minimum.
  2. Identification and verification. The only credentials Freetrade requested from me when opening my account were my name, address and email address; they have not asked me to add a user ID, password or other shared secret information (mother’s maiden name, etc.). Once I opened the account I didn’t receive a customer ID or anything. If they have (because I forgot that they asked) then I’m not aware, because I don’t have an account opening confirmation email I could check. I guess Freetrade might scrape my NI number from my ISA transfer form, and also they’ll have my mobile phone number I guess, but this is very easy to obtain by the average fraudster (e.g., my mobile phone number is displayed on my company web site).

So…can anybody offer any assurances about access control and ID&V for the funds I have in my Freetrade account (the non-techy version, maybe by comparing / benchmarking Freetrade with the kind of competitor providers I’ve listed above)?

There are a lot more combinations from 4 digits than 24!


Indeed. 10^4. So 10000.

To 1.
That’s indeed an issue with Freetrade. You got that right. However, the only thing someone who hacked your account could do would be to buy/sell and withdraw to your linked bank account. Your money is never going to vanish.


Freetrade are FCA regulated with 1.3 million people managing over £1bn in assets. They’re okay.

On 1.

There are 10,000 combinations for a 4 digit pin.

Now realistically this can usually be reduced if you have more information about the account owner as often they use familial numbers.

However (I’m not going to test it at the minute) you also get a set number of attempts, I believe, limiting how many you can attempt.

You also have to have the person’s phone to get access to the app.

If your phone has no security on it then this is a failure on your part, not Freetrade’s. You need to secure your own phone.

Saying that, Freetrade should work on the assumption that you’re not securing your phone.

That does present some problems. Not because the pin isn’t secure. But because your entire digital life is insecure as anyone with access to your phone will have access to your email and subsequently access to every account you ever made online.

I’m no fan of how freetrade does their initial login on first install. They use your email to authenticate you. It’s rubbish and they shouldn’t use it. But the pin is generally fine.

Especially if you’re securing your phone… which you should be, and I hope you are.

Buy an iPhone. My app uses Face ID to unlock it, then if that fails, my passcode.

It also supports fingerprint ID if you have that; mine keeps failing because I keep ruining my fingerprints rock climbing.

Regarding the ID verification, they do go through the anti-money-laundering “Know your customer” stuff. It actually took a few days to do the verification when I first signed up.


Hello. Thank you all for your responses. I’m flattered. Here are my reflections (please don’t be offended).

Digital security. Yep, my bad, there are more combinations of any 4 numerics than 24, but the materiality of the point is still valid I think: a 4 numeric digit code is eminently hackable, but good point about limits on the number of access attempts to help prevent a successful brute force attack. Yep, Android also has good biometrics (actually, like a lot of the Android ecosystem where developers compete over who can offer the best apps, it’s probably too good, so good it’s easy to get lost in the complexity; I changed from iOS to Android just over a year ago and I sometimes miss the simple but often frustrating “one way of doing everything” approach with iOS). I use fingerprint rather than facial (wrt facial I worry about my mood / facial expression and whether or not I’m wearing my specs), but sometimes (at least every week with Interactive Investor) the provider fails to recognise the biometric login and requests a minimum of provider-assigned customer ID and strong password (rather than a 4 digit code) to get back up and running again with biometric. Wrt just trusting Freetrade because they have a lot of money under management, I think it’s fair to say that much larger, established and august financial services organisations have had their systems cracked by hacks, so that doesn’t help me sleep at night. I have a similar concern about the assurance that the only place my money can go is into my linked bank account; I guess if my account is hacked then those extremely clever hackers / fraudsters might also figure out how to change the linked bank account details to theirs. P.S. I recently worked for an org. who have a lot of issues with overseas call centre agents hacking into customer accounts, so it’s not just externals I worry about. So I’m left with the dilemma of trading off worries about the security of my money with the temptation of free platform fees and trading.
Well, it’s a very small % of my overall portfolio so I’ll take the risk and keep my buttocks clenched!

ID&V. Thanks for advising that Freetrade will have taken me through KYC. Assuming that they probably did (but I didn’t recall), I clicked on the little profile icon to the top right of my phone screen to see what credentials they recorded about me and how I might modify them … but I saw nothing other than name, postal address and email address, and no option to modify them. Can anyone advise me how I can view (and modify) all the credentials Freetrade have about me? Please don’t tell me I can simply request a change using the “contact us” option in Help & Support… that would feel like a really big trojan horse!

That depends on whether they just do it without asking for further verification. I think they would want some evidence, although whether they get that from you or use other sources (electoral register etc.) I’m not sure.

The PIN / biometric / Face ID is the last line of defense. At this point your phone is unlocked and the attacker has control. This means they have access to your email, 2FA application if you have one, SMS 2FA, Google 2FA. I think you will have bigger problems than your FT account.


Honestly, I am not sure the PIN matters at all. If someone has access to your email they can log in to Freetrade on any device with the “magic link”.

By the way, this “magic link” only contains 8 digits. A link looks like http:[doubleslash]magic[dot]freetrade[dot]io[slash]?otp=XXXXXXXX … I am sure that otp only lasts a few minutes, but realistically, if a malicious party just tried random combinations every second or so, it would manage to log into an account in a matter of months.

I’d argue that Freetrade’s best line of defense is that changing the bank account requires the user to go through a lengthy procedure and to receive emails about that, plus some security info (I got asked the last digits of my NIN, and some other stuff), so even if someone gets access to your account they can’t actually steal the money.
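As an added example (not Freetrade's code, whose server side is not visible in this thread), the two controls that keep an emailed 8-digit one-time code from being guessed the way the post above describes: a short lifetime and a per-code attempt cap, with a constant-time comparison. The 8-digit length comes from the `?otp=XXXXXXXX` link format quoted above; the 300-second lifetime and 5-attempt budget are assumptions, and the account holder receives an email for every code issued, which is what makes guessing visible.

```python
import hmac
import secrets
import time

OTP_DIGITS = 8          # length of the ?otp= value in the magic link described above
OTP_TTL_SECONDS = 300   # "a few minutes": assumed lifetime, not a Freetrade figure
MAX_ATTEMPTS = 5        # assumed per-code guess budget, not a Freetrade figure


class OtpStore:
    """In-memory emailed one-time codes: single use, short expiry, attempt cap."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # email -> [code, issued_at, failed_attempts]

    def issue(self, email):
        # Uniform over all 10**OTP_DIGITS values, zero-padded so it is always 8 digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[email] = [code, self.clock(), 0]
        return code

    def verify(self, email, guess):
        entry = self.pending.get(email)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS:
            del self.pending[email]      # expired codes can never be redeemed
            return False
        ok = hmac.compare_digest(code, guess)   # constant-time comparison
        entry[2] = attempts + 1
        if ok or entry[2] >= MAX_ATTEMPTS:
            del self.pending[email]      # single use; burnt after too many failures
        return ok


def expected_codes_to_crack(digits=OTP_DIGITS, attempts=MAX_ATTEMPTS):
    """Expected number of codes an attacker must have issued before random
    guessing succeeds: each code is cracked with probability attempts/10**digits,
    and every issuance emails the account holder, so the attempt is visible."""
    return 10 ** digits / attempts
```

With the assumed cap, a guesser needs on average 2e7 separate codes, each one an email to the real account holder, rather than a few months of quiet guessing at one code.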