Investment Platform with 2 Factor Authentication

Comments

  • masonic
    masonic Posts: 27,166 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 1 December 2015 at 10:10PM
    jimjames wrote: »
    The Fidelity scheme doesn't need devices. Key stored locally and email with code if different machine used
    Presumably that means that it does not use two factor for any machine that has been previously verified using the email code? That is a rather diluted two factor implementation, which would be effective in the instance of a data breach, but not a great deal of good in the malicious acquaintance scenario of #16.

    Anyone who can gain physical access to (or remotely compromise) the machine previously used to log in could defeat this measure.

    Ideally, the second factor should be required (if the user opts in) prior to the first trade being placed during each login session (i.e. it should work rather like the systems in place for most current accounts).
  • Linton
    Linton Posts: 18,153 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Hung up my suit!
    EdGasket wrote: »
    Well you'd be pretty upset to log in one day and find all your investments sold and invested in some penny share about to go bust; or your funds eaten up by repeated trading by the hacker.

    I am sure there are a lot more serious risks in life than that. Why on earth should anyone go to all that effort to achieve something that only provides some malicious fun? Surely someone with those skills could find something a little more lucrative.
  • jimjames
    jimjames Posts: 18,636 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Linton wrote: »
    I am sure there are a lot more serious risks in life than that. Why on earth should anyone go to all that effort to achieve something that only provides some malicious fun? Surely someone with those skills could find something a little more lucrative.

    My thoughts exactly. If someone is going to the effort of hacking an account then they'd balance up the risks vs benefits. Even trying to move the price of a share to fix the market is unlikely to have any impact with the contents of an ISA.
    Remember the saying: if it looks too good to be true it almost certainly is.
  • EdGasket
    EdGasket Posts: 3,503 Forumite
    Linton wrote: »
    I am sure there are a lot more serious risks in life than that. Why on earth should anyone go to all that effort to achieve something that only provides some malicious fun? Surely someone with those skills could find something a little more lucrative.

    Why do you think people write computer viruses? For the most part they don't get anything out of it APART FROM malicious fun!
  • jimjames
    jimjames Posts: 18,636 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    EdGasket wrote: »
    Why do you think people write computer viruses? For the most part they don't get anything out of it APART FROM malicious fun!
    That may have been the case in the past but it's certainly not now. The vast majority of viruses now are created or spread by criminal networks to gain financial reward either by directly stealing bank details, by ransomware to extort money or by stealing details to sell on to others. The days of viruses being schoolboy fun are long gone.
    Remember the saying: if it looks too good to be true it almost certainly is.
  • EdGasket
    EdGasket Posts: 3,503 Forumite
    edited 2 December 2015 at 4:49PM
    Try telling that to someone whose account gets hacked and their investments trashed.

    Seems like it can and does happen:

    https://www.moneysmart.gov.au/scams/investment-scams/online-stockbroking-scams
  • Linton
    Linton Posts: 18,153 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Hung up my suit!
    EdGasket wrote: »
    Try telling that to someone whose account gets hacked and their investments trashed.

    Seems like it can and does happen:

    https://www.moneysmart.gov.au/scams/investment-scams/online-stockbroking-scams

    Looks like made-up examples:

    How do the scammers use "a separate account to benefit from these loss-making trades"? Telling the broker by phone to transfer large amounts of money to a foreign bank account I would have thought would be extremely unlikely to work these days and has nothing to do with online account login procedures - it could just as easily have been done by telephoning your banker.

    You can't get credit from the standard on-line brokers other than prepayment of tax or sales, so those events couldn't have happened, at least in the UK.
  • naedanger
    naedanger Posts: 3,105 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    masonic wrote: »
    Presumably that means that it does not use two factor for any machine that has been previously verified using the email code? That is a rather diluted two factor implementation, which would be effective in the instance of a data breach, but not a great deal of good in the malicious acquaintance scenario of #16.

    Anyone who can gain physical access to (or remotely compromise) the machine previously used to log in could defeat this measure.

    Ideally, the second factor should be required (if the user opts in) prior to the first trade being placed during each login session (i.e. it should work rather like the systems in place for most current accounts).

    The Fidelity scheme seems like the Gmail scheme (which I like).

    As you say it is not protecting you against the risk that you are hacked by someone with access to a device you normally use. (But nor will full 2FA protect you against some risks e.g. against someone with access to your phone if that is how the code is sent.)

    But, as an extra level of security, I like the Gmail implementation of 2FA because it has minimal inconvenience for me, while making it significantly harder for someone who does not know me to get access to my account. (Whereas if they sent the code every time I logged on then that would be annoying.)
  • masonic
    masonic Posts: 27,166 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    naedanger wrote: »
    The Fidelity scheme seems like the Gmail scheme (which I like).

    As you say it is not protecting you against the risk that you are hacked by someone with access to a device you normally use. (But nor will full 2FA protect you against some risks e.g. against someone with access to your phone if that is how the code is sent.)

    But, as an extra level of security, I like the Gmail implementation of 2FA because it has minimal inconvenience for me, while making it significantly harder for someone who does not know me to get access to my account. (Whereas if they sent the code every time I logged on then that would be annoying.)
    If the Fidelity scheme were just like the Gmail scheme, then that would be much better. The Gmail scheme allows the user to register specific computers not to require the second factor and also set up other computers to always require verification codes at sign in. If that's how the Fidelity system actually works, then that would fulfil the conditions I described above. One could set up their home PC, to which nobody else has access, to log in without the code, but their workplace PC, from which they may occasionally want to make a trade, to always require a code.
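
The two designs discussed in the posts above (per-device trust at login, and a second factor before the first trade of each session) can be written as one policy check. This is an added example, not part of the thread and not any platform's actual code; the class and function names are hypothetical, and `code_ok` stands in for whatever check validates the emailed or token code.

```python
from dataclasses import dataclass, field
from enum import Enum

class DevicePolicy(Enum):
    TRUSTED = "trusted"        # e.g. home PC: no code asked at login
    ALWAYS_VERIFY = "always"   # e.g. workplace PC: code at every login

@dataclass
class Account:
    devices: dict = field(default_factory=dict)  # device_id -> DevicePolicy
    step_up_for_trades: bool = False             # user opt-in

@dataclass
class Session:
    device_id: str
    second_factor_done: bool = False

def login_needs_code(account, device_id):
    """Unknown devices and ALWAYS_VERIFY devices need the code at login."""
    return account.devices.get(device_id) is not DevicePolicy.TRUSTED

def login(account, device_id, code_ok=False):
    """Return a Session, or None if a required code was not supplied."""
    if login_needs_code(account, device_id):
        if not code_ok:
            return None
        return Session(device_id, second_factor_done=True)
    return Session(device_id)

def trade_needs_code(account, session):
    """With opt-in, the first trade in a session needs the second factor
    even on a trusted device; once given, it covers the whole session."""
    return account.step_up_for_trades and not session.second_factor_done

def place_trade(account, session, code_ok=False):
    """code_ok is an assumed stand-in for real code verification."""
    if trade_needs_code(account, session):
        if not code_ok:
            return "second factor required"
        session.second_factor_done = True
    return "trade accepted"
```

With `step_up_for_trades` left off, a session opened on a trusted device can trade without any code, which is the gap the first post describes for anyone with access to that machine.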
  • kangoora
    kangoora Posts: 1,193 Forumite
    Eighth Anniversary 1,000 Posts Name Dropper
    edited 2 December 2015 at 8:12PM
    For a one-off cost of £10 and then included in the £10 monthly subscription a well-known online game offers RSA token only access. They can also be provided as phone apps.

    This stuff isn't hard or even particularly expensive once initially set up.

    Considering most %age based online traders are taking millions a year in platform fees, it's ridiculous this isn't even offered as an option.

    Edit: Already mentioned previously
This discussion has been closed.