Trading 212 Account Hacked

135

Comments

  • AmityNeon
    AmityNeon Posts: 1,077 Forumite
    edited 11 January at 2:05PM
    masonic said:
    masonic said:

    The issue of effective denial of service by maliciously submitting login requests is something most sites are vulnerable to. Obvious precaution is to use a hard to guess username. Some sites make this difficult by insisting on using your email address as your username, but in those instances a random email address can be set up specifically for important accounts and not used for anything else (it does make things difficult if you ever have to read it out over the phone though!)

    Is this a denial of service attack against 212 where people are trying to overload the platform with requests?

    Or is it that the poster's username exists on one or more databases of hacked sites like linkedin etc. and lots of amateur hackers around the world are giving it a go?

    It's the deliberate targeting of a specific individual using their email address (by someone who knows them and their email address). If you use the same email address for sensitive accounts and casual communication, then you are at risk. The email address you use to log in to sensitive accounts should really be kept as secret as your password for those accounts. Better still, sensitive sites should be using a separate username that is not linked to your contact information, and there should be a straightforward process to change your username if someone starts spamming the login page with the intention of locking your account.

    My oldest hotmail email account is still active but littered all over the dark web as a result of multiple data breaches from various websites. When I previously checked the sign-in activity for my Microsoft account, there were at least 30+ login attempts seemingly from all over the world, per day every day (at least once an hour), stretching back as far as the log history would show. As the password attempts were always unsuccessful, I never received any notifications whatsoever and 2FA was never triggered either.

    Fortunately, Microsoft allows the creation of aliases and crucially, disabling email addresses for login purposes while keeping them active for sending/receiving emails. I'm surprised this feature is not more commonly available as standard for any service where your login username is publicly visible by default, as it immediately stops malicious access attempts in their tracks.

  • gt94sss2
    gt94sss2 Posts: 5,997 Forumite
    I have not been able to access my Trading 212 account for ten days as a result of someone attempting to access it and trying to re-set my password.

    I have had no response from Trading 212 when I reported it to them by email. They have no phone or chat support that I have been able to find to date.

    Has anyone had a similar experience with this company or been able to get in touch with them to have a similar issue resolved? Thanks.
    Have you considered posting on their forum?

    https://community.trading212.com/

    Their staff actively engage on it.
  • gravel_2
    gravel_2 Posts: 618 Forumite
    m_c_s said:
    Trading 212 has a larger customer base than Hargreaves Lansdown (2.5m vs 1.9m). I have ISA, SIPP and GIA accounts spread across both and Trading 212 has been excellent both in terms of performance and customer service. HL has been struggling lately to process SIPP drawdowns but still customer service is ok.

    To be clear, from what I can see HL has something like 50x the assets under administration. It's not entirely useful to compare purely based on number of customers. T212 is undeniably targeting the smaller investor. By my reckoning the average user on T212 has around £1,000 invested on the platform. At HL it appears to be over £85k.

    T212 can afford to do this because it is a stripped-back/focussed service without traditional (call-centre) customer support. HL is a broader product offering which should, hypothetically, be in a better position to support its customers.
  • masonic
    masonic Posts: 26,349 Forumite
    edited 11 January at 3:14PM
    AmityNeon said:
    masonic said:
    masonic said:

    The issue of effective denial of service by maliciously submitting login requests is something most sites are vulnerable to. Obvious precaution is to use a hard to guess username. Some sites make this difficult by insisting on using your email address as your username, but in those instances a random email address can be set up specifically for important accounts and not used for anything else (it does make things difficult if you ever have to read it out over the phone though!)

    Is this a denial of service attack against 212 where people are trying to overload the platform with requests?

    Or is it that the poster's username exists on one or more databases of hacked sites like linkedin etc. and lots of amateur hackers around the world are giving it a go?

    It's the deliberate targeting of a specific individual using their email address (by someone who knows them and their email address). If you use the same email address for sensitive accounts and casual communication, then you are at risk. The email address you use to log in to sensitive accounts should really be kept as secret as your password for those accounts. Better still, sensitive sites should be using a separate username that is not linked to your contact information, and there should be a straightforward process to change your username if someone starts spamming the login page with the intention of locking your account.

    My oldest hotmail email account is still active but littered all over the dark web as a result of multiple data breaches from various websites. When I previously checked the sign-in activity for my Microsoft account, there were at least 30+ login attempts seemingly from all over the world, per day every day (at least once an hour), stretching back as far as the log history would show. As the password attempts were always unsuccessful, I never received any notifications whatsoever and 2FA was never triggered either.

    Fortunately, Microsoft allows the creation of aliases and crucially, disabling email addresses for login purposes while keeping them active for sending/receiving emails. I'm surprised this feature is not more commonly available as standard for any service where your login username is publicly visible by default, as it immediately stops malicious access attempts in their tracks.

    Yes, aliases are a good workaround, although those that use a '+' or similar suffix, like Gmail does, sometimes get rejected as valid email addresses when entering them into forms. The random string alternative, as provided by DuckDuckGo and I'm sure others, is a nice compromise, but I am wary of using a third party redirector service in case it one day goes dark.
    I'm curious about "disabling email addresses for login purposes". What do you mean by that? Surely Microsoft cannot prevent, say, Trading212 using a Microsoft email address as the username for an account? Do you just mean OAuth based logins (not usually used by financial services)?
    When I'm signing up to a financial service, I resent being forced to set my username as masonic@some.webmail.provider and would much rather use U=Q&X3f)6.uXBHL2Bi-W or similar. And I'd like to be able to change it if I start receiving spurious password reset emails or find my account is inexplicably locked for too many login attempts, requiring me to jump through some hoops to recover it.
  • wmb194
    wmb194 Posts: 4,583 Forumite
    wmb194 said:
    wmb194 said:
    wmb194 said:
    I like it but make sure you set up 2FA.

    If you just use their website (not the app) 2FA says it's sending a code to your browser but I never got the codes... webchat as useless as a chocolate watch. Unpleasant when you have an ISA in there that you cannot access. I appreciate many people have had a good experience. I was being a rate tart, the only reason I moved to them, I have now forfeited the higher interest rate for a proper bank.
    I use the website in a PC browser 99% of the time but have the 2FA setup on my phone with Google Authenticator and have had zero issues.
    Lucky you.

    My point is that even when you use a web browser most of the time you don't have to use a 2FA authenticator plugin on that browser, you can use the more reliable ones available on phones and tablets.

    Not everyone wants to bank on their phone or have to install apps to be able to participate and the point is that Trading 212 have got crap CS if you have a problem like I or the OP does.
    You shouldn't use these types of newer providers in that case as things always seem to go better with them when you're willing to use phone/tablet apps.
  • wmb194
    wmb194 Posts: 4,583 Forumite
    edited 11 January at 3:17PM
    m_c_s said:
    Trading 212 has a larger customer base than Hargreaves Lansdown (2.5m vs 1.9m). I have ISA, SIPP and GIA accounts spread across both and Trading 212 has been excellent both in terms of performance and customer service. HL has been struggling lately to process SIPP drawdowns but still customer service is ok.

    IIRC its latest YouTube advert says it has 3m+ customers. I suspect it could be reaching the point where it's becoming a victim of its own success. So far my interactions with its customer service have been same day responses and fine but it may depend on some combination of luck and the type of query/issue.
  • booneruk
    booneruk Posts: 648 Forumite
    edited 11 January at 4:33PM
    If I'm reading this right, the account hasn't been hacked, it's just been disabled due to frequent failed authentication attempts. Disabling the account in such situations is the right thing to do, and will happen with many banks, utilities etc (I've seen 'you have 2 login attempts left before your account is frozen' type messages across lots of my app and web based accounts).

    Even if someone did manage to successfully 'hack' and enter someone's account, the worst they could do would be to sell some stocks and withdraw money to the nominated linked bank account?

    The problem, which isn't security, seems to be one of support. As a relatively new firm in this country I hope they remedy this by adding more support methods.
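
The account lockout discussed in the posts above (an account disabled after repeated failed logins, and the point that someone who knows the username can trigger that on purpose), as an added example that is not part of the thread and not any provider's code. It compares a username-wide lockout with a throttle that keeps a separate counter for devices that have logged in before; the threshold, account name and device labels are constructed assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold, not any provider's real setting


class UsernameLockout:
    """Lock the username for everyone after MAX_FAILURES bad passwords."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, device, password_ok):
        if self.failures[username] >= MAX_FAILURES:
            return "locked"  # the real owner is refused too
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


class KnownDeviceThrottle:
    """Give devices that have logged in before their own failure counter."""

    def __init__(self):
        self.known = set()                # (username, device) pairs that succeeded
        self.failures = defaultdict(int)  # keyed by username or by known pair

    def attempt(self, username, device, password_ok):
        pair = (username, device)
        # Unknown devices all share the username's counter; known ones do not.
        key = pair if pair in self.known else username
        if self.failures[key] >= MAX_FAILURES:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            self.known.add(pair)
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(policy):
    user = "owner@example.test"                 # constructed account name
    policy.attempt(user, "owner-laptop", True)  # owner has logged in before
    # Constructed hostile traffic: 20 wrong guesses, each from a new device.
    guesses = [policy.attempt(user, f"unknown-{i}", False) for i in range(20)]
    owner = policy.attempt(user, "owner-laptop", True)
    return guesses.count("denied"), owner
```

In both runs the guesser gets five tries before being refused; only the second policy still admits the owner's laptop afterwards. The device label is only meaningful if it is a token the server issued after a successful login, and an owner on a new device is still throttled.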


  • booneruk
    booneruk Posts: 648 Forumite
    wmb194 said:
    IIRC its latest YouTube advert says it has 3m+ customers. I suspect it could be reaching the point where it's becoming a victim of its own success. So far my interactions with its customer service have been same day responses and fine but it may depend on some combination of luck and the type of query/issue.
    From what I gather T212 have been a thing in other countries for years now.
  • Alexland
    Alexland Posts: 10,183 Forumite
    edited 11 January at 6:18PM
    Love 212, highly recommend them. Never had a problem and will continue to recommend to all my friends.
    They are very highly rated and been around a long time.
    It's funny how people that would never have used them anyway suddenly say "that's another one to avoid" or similar.
    Bit of research and you will find they are a great company and have even been recommended on MSE for their high interest rates.
    If you have never had a problem then you can't really comment on the quality of their service when a problem does occur. The OP's experience in not even being able to contact them sounds entirely unsatisfactory. Be careful what you recommend. MSE have not recommended them. I have tried them alongside nearly every other UK retail platform and will not be staying. Frankly there are usually better choices worth paying a modest amount for.
  • wmb194 said:
    I like it but make sure you set up 2FA.
    Sorry, what's 2FA?

    I have a cash ISA with Trading 212 and haven't had any issues with it (though I haven't needed to contact them). I was planning on transferring my 2023-2024 ISA allowance that matures on 31/01/25 in the 1 year fixed term ISA it's currently in, but this post has made me nervous - never heard of 2FA - could you explain what it is please?