> The issue didn’t stem from a breach of Robinhood’s systems, the spokesman said.
I disagree.
The Robinhood system includes their disbursement process.
In this case, someone with access to a username and password managed to, without passing any of the other typical 2FA checks in finance (Calling the the account holder, snail-mail confirmation, actual 2FA tokens) managed to get Robinhood to wire them money.
This is absolutely a compromise of their disbursement system. If a bank gave all my money to some random asshat that showed up to a branch with my debit card, the blame for that lies on my bank.
I think it's important not to stop at simply offering security systems, but to require them when appropriate. Hey you've got $1000 in your account now, that's awesome! Let's set up 2FA to protect that money!
more than that. For Robinhood to even allow initial account setup without robust (reda: no SMS) 2FA is bordering on criminal negligence.
the only explanation to not doing that is feat that it would reduce their signup completion rate. Which fits Robinhood's prior behavior.
This should be a class action at minimum, companies cannot shovel this kind of risk onto the general public.
Sure, but those laws don't require 2FA (maybe they should) and Robinhood is far from the only institution that doesn't require it. A startling lot still think 'state your name, SSN/PIN/ or account number and birthday over the telephone' is sufficient.
The downside is that they don't mandate properly secure 2FA, so we have a mishmash of SMS, time-based tokens and whatever else passes for various banks under the regulations.[ß]
Not sure what you mean laws but there is certainly regulatory guidance that assessors will be using.
The agencies consider single-factor authentication, as the only control mechanism, to be
inadequate for high-risk transactions involving access to customer information or the
movement of funds to other parties. Financial institutions offering Internet-based products and
services to their customers should use effective methods to authenticate the identity of
customers using those products and services. The authentication techniques employed by the
financial institution should be appropriate to the risks associated with those products and
services. Account fraud and identity theft are frequently the result of single-factor (e.g.,
ID/password) authentication exploitation. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions should implement multifactor
authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Enabling 2FA by default is probably a good idea, but I do believe quite strongly that users should be able to turn it off. You don't know the user's situation—maybe they don't have consistent access to a single phone, for instance—and if they actually use a strong and unique password, that should be sufficient.
Additional factors are of course always safer, but everything is a trade-off between security and usability, and users should have control.
If someone shows up with your debit card and pin, which is similar to knowing someone's account credentials, wouldn't the bank give you that cash up to some amount (without further verification) because it's insured anyway?
For a singular transaction, a thief might limit themselves to something well under $10k. If a thief makes multiple withdrawals totaling $16k, which is over the FDIC insured amount, would a bank really just compensate you for that?
Wouldn't that be out of the graciousness of the bank (or PR)?
In the US, as long as you notify the bank within 60 days of receiving a statement that has fraudulent transactions, your maximum liability is $500, and that goes down substantially if you notify the bank promptly of a lost/stolen card, or if the card was not lost in the first place[0]. So yes, the bank really would[1] just compensate you for that, provided you notice the fraud within 2-3 months of it occurring (depending on how quickly you get a bank statement).
Edit: You may still be on the hook for overdraft fees from e.g. authorized payments, and it may take some time for the bank to indemnify you, which is why the conventional wisdom is that CCs are safer than debit cards from a fraud perspective.
At least in EU that would be a legal requirement (Payment Services Directive rules that limit liability for unauthorised transactions), not graciousness/PR of the bank.
FDIC insurance (and its equivalent in other countries) is something completely unrelated - it's for cases when the bank is unable to pay you because it goes bankrupt for some reason (which may include massive fraud done to the bank or by the bank), it's not for cases when your money gets lost in some other way.
The $10k thing is only necessary for AML compliance.
Since the bank is on the hook for giving out customer money to random con artists, their threshold for investigating suspicious account activity is much lower.
Came here to say that. If your system relies on an external system like someone's email, and that gets breached, your system has been breached. You don't get to brag that the successful attack was indirect; most of them are.
It seems to me that the damage is pretty limited for a cyber criminals with alleged ability to bypass 2FA. That low number of victims among millions of RobinHood customers is highly uncharacteristic for a critical security breach.
This headline is a bit hyperbolic, but the lack of a direct phone line to someone who can help is why I've moved on to other brokerages.
Robinhood worked well for bootstrapping my portfolio with free trades, but after a certain point it got big enough for me to worry about other factors like this.
Charles Schwab has native english speaker support just a phone call away (with no waiting in the handful of times I've used them, so far). And they were the first of the non-robinhood retail brokerages to break rank and offer 0-commission equity trades.
Example: I accidentally deposited a check into my IRA once. I called and explained I wasn't sure what to do because 1) the check was post-tax money and 2) if I tried to fix it myself, would it count as an early withdrawal?.
The guy picked up almost immediately, said yep lemme transfer you, the <something> department has a button for that. I got transferred, still to a native english speaker, who sorted me out. A couple days later it was all fixed in my account. 10/10.
I do all my banking with them and if they offered a 2% cashback credit card, I'd move that to them too.
Speaking of which, Citi (I have the doublecash) has been dreadful - my card # got stolen once, and they sent the new credit cards to my old address (that I still - for a bit longer - owned, thankfully) even after I specifically stressed, and confirmed multiple times, that I was 300 miles away from the address and if they sent them there, they'd sit in my porch for 1-2 weeks before I could get to them, and I would also not have a credit card to use.
They reassure me, even getting a bit snippy at the end of the call, that they're sending them to the address I gave them (my parents' house) on the call. And since I'm such an important customer, they're overnighting the cards.
Sure enough, the next day, I check my security camera and see a dang cardboard envelope that says CITICARDS all over it sitting on my old porch 300 miles away.
So I call them up, explain that they did exactly what I asked them not to do, and if they could cancel those cards and try sending them again, because I don't have a credit card right now, and I'm trying to furnish and move into a new house and need to put about $10k of appliances purchases through the cards ASAP. They explain that, sorry, they need to wait a week or two (I was incensed and don't remember clearly at this point) before they can do anything.
Luckily a week later when I rolled up to finish cleaning the old house, the cards were still there, albeit a bit damp.
In the meantime I'd applied for a Blue Cash Preferred (which gets 6% cashback on instacart!) and they had it to me overnight and dropped it on the doorstep of my new house which was a new construction and not even in some systems yet as a valid address. Their support as been good so far, too, though I haven't had to call them but once so far.
I was able to enable it myself through the web interface, no contacting customer support required.
>And to enter it, you ... append it to your password?
Are you implying this is wrong somehow? It's a fairly common way to do 2FA and there's nothing wrong with it. On the backend, all it's doing is taking the input, substringing the final 6 characters and inputting that as the code, and then uses the remaining characters as the password input. It's essentially just a shortcut that allows you to log in with one click rather than having to enter your password, click submit, enter a code, then click submit again.
Per the FAQ, if you for some reason don't want to append it to your password, it'll send you to a normal "Enter your 2FA code" form like you're probably used to.
The main issue for me is that the 2FA is locked to using the Symantec VIP 2FA app, which is disappointing from a usability standpoint.
On its own, there's nothing inherently wrong with it, aside from it being a very awkward user experience.
But here's where it can go wrong, using ETrade as a specific example. ETrade appends the 2FA token to your password, but also enforces a password character limit. Yep, that means turning on 2FA reduces your password character limit. From what I hear, it has some surprising behavior if your password is already at the character limit and you turn on 2FA.
(Aside: ETrade has some very sketchy security practices, like apparently letting you use the 2FA token on its own to reset your password (according to a coworker), but that's another discussion.)
FWIW, World of Warcraft has had a sublime 2FA solution for like a decade at this point. So when schwab has 1) weird UX around logging in and 2) you have to contact customer support to enable something that should be standard security functionality in 2020, then yeah, I'm going to hold off on endorsing their 2fa implementation.
For me, it sends me to a secondary login page that asks specifically for the Symantec VIP or hardware token. If they are appending it to the end of my password, it's not evident to me.
You can optionally input it at the end of your password. If you don't then they will prompt you for it. The option to append it to your password when logging in saves you from having to fill out two input boxes.
A lot of the alternatives aren't much better. Fidelity for example would allow you to input your password as the numerical equivalent (think phone keypad - A, B or C map to "1" and so on). Which basically requires modifying your password before hashing it (and dramatically reducing entropy in the process).
According to Fidelity's website [0] they still do so ("You'll be asked to enter your username and password using the keypad on your phone.").
I basically assume any financial institution that provides support for the old "telephone banking" methods via DTMF tones either stores your password in plaintext or a hashed version that reduces entropy. I'm honestly surprised hackers haven't gotten sophisticated enough to bruteforce these reduced entropy login passwords using a Twilio account.
I use a Verisign (Symantec?) VIP token on my account. Several years ago they actually mailed me the key fob, later they let me give them my mobile token's serial number (generated by python-vipaccess) so I could use that instead.
The only US brokerage that offers real 2fa is vanguard (last I checked), and even they mess it up by allowing sms fallback.
It still will allow you to avoid phishing if you never use the sms fallback, but it does make you vulnerable to sim attacks of the variety "convince phone store rep to replace 'your' lost sim card"
They offer a physical token if you call and ask for it. They also offer the option of using some Symantec app as a second factor but I've never tried that.
Can’t speak to their deposit account offerings (I use Chase, Schwab, and Fidelity for that), but my credit experiences with Citi were bad enough I switched to Amex exclusively for credit cards (Platinum and Gold charge cards, Schwab investor card, etc). Data point noted, many thanks.
i LOVE schwab recommend their checking account to anyone. I also have a TCF account from my childhood and the difference is so stark.
Schwab has a US based super super helpful call center. They will talk to visa on your behalf and fix any problems immediately. They will go out of there way to be very nice and helpful. they've waived wire fees for me when they had very little reason to. So amazing.
You can't even get a human on the phone at TCF and they even recently got rid of local branch phone numbers you can't find it - which is insane.
I can second this. I had some technical issues with Fidelity[0] and Vanguard[1] and both support groups were absolutely useless. I switched to Schwab and it has been a breeze. Everything so far has been really smooth and the little bit I've had to interact with support they were on the ball.
[0]Transfers kept failing for no clear reason.
[1]My account got into some sort of state where if I tried to login it said my account didn't exist, but when I tried to create a new one it said I already had an account.
Strongly agree on Citi. I had an identical situation: I repeated multiple times that I needed the new card sent to a different address than I had on file, the person repeatedly assured me they would, and then they sent it to the address on file.
Citi's internal system for these credit cards sucks. The main application used for account management will tell the worker one thing and do another. Workarounds must be employed by the workers for many routine actions (or things like this happen).
I am also a huge fan of Schwab and would recommend them to anyone that is looking for a brokerage (and checking account with no ATM fees). For such an old (and one would think, stuck in their old ways) institution, they keep up quite well technologically and consumer relations wise. Their website and apps are updated thoughtfully and regularly. The very few times I have had to deal with customer service, it couldn't have gotten smoother or quicker. One time, it was my fault (infringed SEC trade settlement rules and got put on probation required by law) and a knowledgeable man called to very politely explain what had happened and to clear up any confusion going forward. You're not going to get that from Robinhood.
I love Schwab and agree their support has always been great. The one thing I wish they had is an automatic money market sweep for cash in my brokerage account. Right now any uninvested cash I have in that account earns me essentially nothing, and my understanding is that Schwab makes a pretty good profit from it.
You are right that Schwab makes a pretty good profit from it. The way they do that is by lending "your" money to their margin customers and charging those people 7% or more while paying you pennies.
In a "margin" brokerage account, "your" money is merely a debt obligation of Schwab.
TD Ameritrade (and now I think Schwab) will sweep cash from your brokerage account into a real, genuine, bank account. But the interest rate is still almost nothing.
FYI, Charles Schwab was founded in the 1970s, and they were one of the first discount brokerages created after financial deregulation allowed for low-cost trades.
> For such an old (and one would think, stuck in their old ways) institution, they keep up quite well technologically and consumer relations wise.
Unfortunately, I have to disagree. While I never had any major problems with them, my company's 401k accounts used to be with them. At the time (this was about 5 years ago) you couldn't have a password longer than 8 characters and they didn't support 2 factor authentication. They had it, just not for your account. It was quite frustrating. Maybe they've finally wised up? But even so, that's hardly keeping up well with tech.
Speaking of support, one of the huge issues I had with Fidelity when I was with them was that after 2 PM Pacific (5 PM Eastern), there's literally nobody there who can actually do anything if something is messed up. This eventually lead to me moving my account to E*Trade, where my company's stock plan accounts are hosted. Thankfully, that process was completely seamless, and I've had 0 problems so far, but I do wonder what would happen if I somehow discovered an issue at 3 PM that needed a timely resolution.
It’s surprising with the level of scrutiny and regulation they're under that there isn’t a regulatory requirement for a minimal level of customer service.
If I understand public opinion logic correctly: its the customers fault until one of the customers kill themselves, then its the brokerage fault. But for now we can make fun of the customers having their email compromised, while being slightly confused why Robinhood doesn't offer greater verification.
> while being slightly confused why Robinhood doesn't offer greater verification.
It sounds like the bigger confusion is that Robinhood doesn't have a way to cancel withdrawals in flight. At least one of the customers caught the transaction with time to cancel, and couldn't reach a human in time to do that.
How different is this than getting your checking account number stolen? When that happened to me at Bank of America, I went physically into a branch where they just called support and we waited on hold for an hour. The person who eventually answered the phone screwed up the account closure and I had to visit 5 more times (each with the person in the bank just calling into support) to get half of their damage resolved.
I’m all for holding higher expectations for Robinhood—- they have an opportunity to make finance less scummy and are failing in many ways—- but it’s incredibly easy to get away with fraud at _any_ financial institution.
> Rao said he had previously set up two-factor authentication to access his account, and Bagheri said she’s certain her Robinhood password is unique from all others, including her email. Neither believed they had been duped by phishing scams or malware. Both said they use the same email for Robinhood and other accounts, and that only Robinhood has been affected.
Usually, these situations can be at least partially blamed on credential stuffing, but claims such as these warrant further investigation. Credential stuffing isn't supposed to work if 2FA is properly configured, and phishing shouldn't work if something like TOTP is implemented correctly--although it quite often isn't.
Typically this takes enough work that it has to be at least somewhat targeted but even some rando with just a few thousand dollars in their account would probably be a large enough target because it doesn't take super long
Depending on the method, it doesn't have to be targeted to the user, just to the platform. For a platform like Robin Hood, most accounts contain enough money that even one account could pay off for the effort.
TOTP gets a little tricky when it comes to phishing, but only because most phishing attacks that target casual users (rather than spear phishing attacks) aren't capable of logging in immediately. Naturally, that would change if enough people started using TOTP, but for now, TOTP is enough to avoid becoming low-hanging fruit.
Of course, if you're a high-value target or work for a company that's likely to be targeted by spear-phishing campaigns, you should be using FIDO2. (Don't target U2F, as there are newer, backward-compatible specifications.)
When properly implemented, TOTP codes are difficult to phish without tipping off the user because codes can't be reused. The spec requires that the service not allow code reuse within a given time window--although not all websites comply with that, unfortunately. Assuming the implementation is correct, that means the phishing page has to convince the user that it's acceptable to enter their TOTP code twice, and they have to log in very quickly. Most (non-spear-) phishing pages are basically just forms that email victims' credentials to the attacker; they aren't capable of logging into someone's account, let alone multiple accounts without tipping off someone on the security team.
If you get a message indicating your password was invalid, you're probably not going to pay a whole lot of attention to it--even with a password manager, it's a common message to receive on financial sites. Some go out of their way to impede password managers because they think that's a good security practice.
If you get a message indicating the 6-digit code you entered is invalid, that should be a lot more concerning to you, and you should immediately ensure that nobody has logged into your account. If you can hold out for however long the site will accept the code (usually 60 seconds, but some sites have a larger window), you're good.
Of course, none of these "ifs" exist with FIDO2 and U2F, which is what everyone should be using instead. If you're in charge of security for a website, please offer FIDO2 and/or U2F.
Your phish site says it has an important message and demands a TOTP code, then once entered it says "important: thanks for being our customer". User thinks this is dumb, closes tab. No need to enter code twice.
Most people who bother with TOTP are a little more security-conscious. If you’re attempting to phish random targets, rather than spear phishing, you’re probably not going to bother with all that.
>If you get a message indicating the 6-digit code you entered is invalid, that should be a lot more concerning to you
I could type the 6-digit code incorrectly just as well as I could type the password incorrectly.
Additionally, some sites might check both the password and the 2FA code simultaneously as a security mechanism to prevent attackers learning if the password is correct.
Additionally, the phishing page could simply redirect the user to the real site. The user is likely already logged in to the real site, so it will appear to the user as if the user just performed a successful login. If the user isn't logged in, it will seem like some type of site glitch, and I've experienced glitches like that myself.
Anything is possible, of course. However, having been on the other side of this situation I quickly learned that some people will tell reporters whatever they think the journalist wants to hear. The journalist’s goal is to make the story as sensational as possible, not to necessarily provide the most accurate representation of the facts.
Indeed. I'd take it with a grain of salt, but it warrants further investigation. If I were on the security team at Robinhood, I'd definitely be following up on that case.
It took Soraya Bagheri a day to learn that 450 shares of Moderna Inc. had been liquidated in her Robinhood account and that $10,000 in withdrawals were pending. But after alerting the online brokerage to what she believed was a theft in progress, she received a frustrating email.
The firm wrote it would investigate and respond within “a few weeks.” Now her money is gone.
Bagheri is among five Robinhood customers who recounted similar experiences to Bloomberg News, saying they’ve been left in limbo in recent weeks after someone sold their investments and withdrew funds. Because the wildly popular app has no emergency phone number, some said they tried in vain to intervene, only to watch helplessly as their money vanished.
“A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood,” a spokesman for the company said in an email. “We’re actively working with those impacted to secure their accounts.”
The issue didn’t stem from a breach of Robinhood’s systems, the spokesman said.
SEC, Finra
Bagheri, a Washington attorney, and three other Robinhood users said they also contacted authorities including the Securities and Exchange Commission and the Financial Industry Regulatory Authority. Two of those customers said they have heard back from an official at the SEC seeking more information.
Finra and the SEC declined to comment.
Robinhood, founded seven years ago and based in Menlo Park, California, has exploded in popularity this year as millions of Americans stuck at home -- including throngs of millennials -- look to make some money during a pandemic that has sent stock prices swinging. But the no-fee brokerage app has also attracted consumer complaints, with novice investors confused by the vagaries of stock options and margin loans.
Now, even though the firm said this year that it has more than doubled its customer-service team, clients complain they’re struggling to get quick help when their funds are disappearing.
“They don’t have a customer service line, which I’m quite shocked about,” Bagheri said.
‘Mental Stress’
Pruthvi Rao, a Chicago software engineer, said his account was hit on Oct. 6. His bet on Netflix Inc. was liquidated and $2,850 was soon withdrawn. He said he’s sent more than a dozen emails to Robinhood’s customer support address, and that he even tried messaging some of the brokerage’s executives on LinkedIn.
“I’m in tremendous mental stress right now because this is all of my savings,” said Rao, 36, whose account was frozen by Robinhood in response to the fraudulent activity. He said Robinhood contacted him on Friday and unlocked the account after sending several emails late Thursday asking for help.
Rao showed Bloomberg the same emailed response from Robinhood that Bagheri received. “We understand the sensitivity of your situation and will be escalating the matter to our fraud investigations team,” Robinhood customer service agents wrote them. “Please be aware that this process may take a few weeks, and the team working on your case won’t be able to provide constant updates.”
Rao said he had previously set up two-factor authentication to access his account, and Bagheri said she’s certain her Robinhood password is unique from all others, including her email. Neither believed they had been duped by phishing scams or malware. Both said they use the same email for Robinhood and other accounts, and that only Robinhood has been affected.
“Unfortunately, it’s a common occurrence that online accounts of monetary value are bought, sold and traded by cyber-criminals,” said Mark Arena, CEO of Intel 471, which monitors activities of digital criminals. “This shows the importance of people practicing common information-security hygiene such as not re-using the same password across multiple accounts and ...
can someone explain to me why you would use RH over something like Fidelity who has 24/7/365 support and no commission trades? honestly the first thing i do when it comes to a service (especially financial) is see if they have a way in getting in touch with someone 24/7/365. i would rather pay to know i can call and talk to a human then save money. seems like these people lost dollars tripping over pennies. even if a trade cost $5 a trade, i would still pay it just to know i can reach someone.
They might mean that they approve users for it more easily and quickly than other brokerages. Logs are definitely kept (and in more locations than just RH).
RH has the best user interface experience on mobile. Charges no commissions on options and you get automatic deposits. So it has the smallest barrier to entry. Very straightforward to use, it's very simple and clean. Buy and trade stocks and puts and calls, no problem. Yes if you try more complex option strategies then RH starts to fall apart. But for the majority of people that are just tagging along from wallstreetbets or something like that, RH is the simplest way to get you in the stock market.
Not surprised. I submitted a report and POC of an oauth2 vulnerability that they deemed as a low priority. Robinhood users are highly susceptible to phishing attacks. Even 2FA is vulnerable if the attacker is fast enough.
Assuming they're talking about TOTP, the 6-digit codes that are valid for 30 seconds:
If I'm fishing you and get you to type your password into fakegoogle.com, I'll try to use it with real google immediately. If they send me a 2FA error (and I've got a semi-sophisticated phishing operation) fakegoogle will show you a an input field for that 6 digit code (just like real google). Then I've got a few seconds to send that to $site as well. It's a tighter timing window, but it's likely at this point that I'm into your account.
This sort of attack isn't possible with a hardware key, since it only works on the original domain (which presumably I don't control).
Nope, no tunnel or anything. When you touch the yubikey, it does some math on-device and "types" out a long string that can be mathematically validated with the shared secret the site stored when you set it up.
It's become an alien concept to online users that companies can be forced to comply with financial laws. But they can.
Here's the FINRA complaint form.[1]
Also, here's some FINRA arbitration information.[2]
Online users are so used to being powerless, facing unreasonable EULAs, that most are unaware they can push back hard. FINRA has the authority to have brokerage employees fired and barred from the securities industry. So brokerages pay attention when a complaint comes in via FINRA.
As a reminder, despite having the word "authority" in its name, FINRA is a completely private organisation and does not directly answer to any legislative, judicial, or executive authority.
The SEC trusts them to regulate themselves with the understanding that they had better run a tight ship, or the heavy hand of government will come down.
Robinhood is playing a game it learned from banks.
If I walk into a bank with a gun and demand money, everyone agrees I am robbing the bank. But if I walk into your bank and claim to be you, suddenly I am not robbing the bank. I am committing "identity theft," and the bank will take no responsibility and do as little as legally possible to help resolve the situation.
It is a neat trick.
Pass all the expense of being a victim of a crime down to your customers.
Same with credit cards. The banks/issuers get the benefit of advertising "no liability" to consumers for fraudulent transactions, yet ensure they're able to contractually shift as much of the cost onto the merchants that were ripped off, rather than eat it themselves[1].
I used to be a bank teller and we were instructed under no uncertain terms to hand over whatever we had and enjoy a week of paid vacation to recover from any potential trauma suffered.
The bank I worked for had a corporate security team who wouldn’t even stop their lunch break to review one isolated robbery, instead they’d look for serial cases, or occasionally assess how likely it was that it had any “inside job” elements if the robbery didn’t fall within standard profiles.
The actual “vault” in most branches is barely bigger than a high school locker inside the room behind the big metal door. Most everything else kept behind that huge metal door is administrative or customer related documents (arguably worth more than the cash itself!).
Lastly, about once a week, I was tasked with filling the ATMs for a branch that was in a downtown office building lobby. The ATMs were in a wall and had a little secret door that I’d access to audit the machines and count the money I’d refill them with. Each machine could hold 200k or so and there were two of them but there was no real clear way to get the $400,000 from our secured vault to the machines without armed security or something. In order to avoid having to order an escort every time, we’d just load the cash into a printer paper box and stealthily walk it across the lobby like I was just carrying actual printer paper (insert your federal reserve jokes here).
It’d take 2-3 hours to audit and refill the machines, meaning I would have had a nice head start if I had the guts and gray morality to make a run for it.
I had family who worked in banking for a long time
The policies across the board are to just hand over money. As a result, there's essentially zero fatalities from bank robbery. Maybe a few every year, usually the criminal themselves.
However, bank robbers only get away with about 10% of cases. Clearance rates are super, super high now. And because they're usually serial, almost every single bank robber gets caught. There's a whole slew of tactics used.
That's not how insurance works. If you file claims against the insurance company, they pay the claim, but your rates go up to cover it. YOU wind up paying.
A friend of mine (now deceased) robbed a bank once. His side of the story was that he walked into the bank (unarmed, by the way) and simply demanded money; they gave it to him and he walked out. He said he was astonished at how smoothly the whole thing went. Upon exiting the bank he just continued to walk away, turned a couple of corners, and was never caught. His take was about 80 dollars.
Later on, he got clean and sober and told his sponsor about the episode. Part of recovery is that you're supposed to be willing to make amends for the damage you've done. His sponsor thought about that one, and said, "You know what? I think we're going to let that one pass." Probably a good decision.
I guarantee the average success rate of a person’s first bank robbery rubs up against 100% - it’s the unwillingness to stop while you’re ahead that gets people caught.
I’d guess my average teller drawer value was somewhere between 2-5k “unlocked” and maybe another 5k kept locked below my station. Not exactly “let’s leave the country and live like kings” money.
FWIW, I knew a guy, briefly, who committed over 70 bank robberies. He was a next door neighbor of a friend of mine who lived in subsidized housing for the elderly. The robber had a strict schedule in and out in two, maybe three minutes once the robbery started. However, he got caught on the last one - because he stayed too long.
As a side note, I met him as he was dying of cancer, and my friend would help take care of him. Id pitch in, but it was mostly my friend doing the day-to-day helping. Absolutely f*ing heartbreaking. There was no one else in his life - no friends, no family, nothing. He was bitter and alone. It was brutal watching him die over a few months.
That’s why I’ve never understood the utility of debit cards. When a debit card is abused fraudulently I am out the money. When a credit card is abused fraudulently the bank is out the money.
In both cases neither the bank nor I have done anything wrong. We’re both literally victims of a crime. And through the payments system and the justice system we’ll hopefully be made whole in the end. But the difference is the incentives. When I lose the money the bank has less of an incentive to rectify the situation.
Some people with particularly bad spending habits use debit cards as a way to enforce self-control, but there are probably much better ways of achieving that. Teenagers also use them when paying with their own money because you can't have a credit card until you're 18 unless it's an authorized user card on your parents' account. Costco used to make you pay with a debit card, if I remember correctly.
But those are pretty much edge cases. Credit builder and secured credit cards exist for people with poor or no credit.
I'm not sure I agree. How should anyone know that it might take six months for their bank to know whether a check is real or not? Does anyone who isn't actually a bank employee know that? (What percentage even of bank employees know that?)
It seems to me that a person ought to be able to reasonably rely on a bank acting like a check has cleared, at least after some clearly stated period of time.
Fair points, but not directly on the issue raised by the complaint. Its not about the legitimacy of the sending money off transaction, or about the funds availability policy. What the victim was complaining about---and what I was agreeing with---is the bank's failure to have any mechanism to communicate when a check actually cleared.
Fixing that wouldn't require a change to the funds availability policy, and wouldn't require it to dishonor any transactions. As the original complaint indicated, it would literally just be a UI tweak: the online banking system could highlight provisionally available funds differently from really really available funds, and in that way communicate to customers what is actually cleared and safe to spend. This isn't a big ask.
In addition to protecting account holders from a massive range of fake check scams, that would also protect them from a bunch of other crooked stuff.
For example: did you know an employer can reverse a direct deposit of a paycheck for some amount of time after it seems to go through?[1] Employees get screwed all the time when their employer randomly decides "oops, we paid you too much" after the money is already spent. Which is insane and unfair but---we wouldn't even have to change the system to protect many employees. Just have banks clearly indicate which direct deposits are final and which might still go poof if the employer unilaterally decides.
Checks actually “clear” quite quickly nowadays. As in, the money gets pulled from the check writer’s account and made available to the depositor within a day or two (notwithstanding whatever the depositor’s bank hold policy happens to be). The problem is, if the transaction proved to be fraudulent (as in the check was written by a fraudster on a random persons bank account) the real account owner can dispute the transaction weeks or months afterwards. This is normally going to be long after the check has nominally “cleared.”
Once the check is disputed, the money gets yanked back from the depositor’s account. That’s why personal checks are just a completely unreliable method of payment and should only be used between trusting parties.
That's not true of debit cards. If the card is used fraudulently you just dispute the charges the same as you would with a credit card. The bank reverses the charge and the vendor has the opportunity to sue you if you really did make the alleged charges.
With a credit card, transactions against the card will get declined after it maxes out (if the fraud checks don't kick in sooner). You report the theft. Everything solves itself quickly. A minor inconvenience at worst.
When your debit card gets stolen, that's YOUR money going out, then your rent check bounces, and it takes weeks to get the money back, and in the meantime, YOU HAVE NO MONEY.
Going through my bank statements at tax time, I noticed a weird check for $80 that was unaccounted for. Getting the check image, it was:
1. Not my name for the payer
2. An out-of-state address
3. Check was not on my bank's paper, they did the logo wrong, etc.
4. Signature was someone else's
Essentially, everything was wrong but the account number. The bank cashed the check, and blamed me. I got very angry about that, and basically sat in the manager's office until he agreed to refund my money.
A couple months later, I ran out of blank checks, and went to the bank to order more. They gave me a song-and-dance about the advanced "security paper" for the expensive check blanks they wanted to sell me. I literally laughed, and told them you guys don't check the name, the address, the signature, and certainly not the paper, and walked out and bought more checks from an online company.
Also, the image of the bad check was what got my money refunded. An electronic trail is simply not as good as a paper one when there's a dispute. A cancelled check is gold in a dispute.
Meh, using paper checks -- and being able to pull up the scanned image online at any time -- has saved my butt at least twice in the last two years (to the tune of a few thousand dollars).
There's only one thing I (typically) use them for nowadays but they do occasionally come in handy at times.
The rest of the world is doing fine without them and the associated levels of fraud that comes with a random slip of paper allowing you to transfer large quantities of money. I haven’t even seen a check in decades and even if they are technically legal in the UK for a few more years, nobody accepts them. Why would you?
The US has a ridiculous level of bank/payment fraud compared to Europe (~15x in some areas, according to the fed), who invested in chip+pin, SEPA, IBAN, etc etc. This all lets me pay for something with no overhead and maintain my own audit trail in a way that doesn’t involve a trust-based system from the 1800s.
That's side stepping the real problem very neatly though.
Speaking as a citizen of a country with "real" identification laws, how would you like the banks to identify you?
SSN? Absolutely not. That number is not meant to be used as formal identification, it's completely unprotected.
America has a particular weakness to identify fraud because you don't have an identity system.
My ID number is formally defined in law, protected and verified by various check sums built into the number (like so many tokens out there). Banks are required, by law, to ensure they have identified the right individual before transacting and they carry the full burden if they get it wrong.
The SSN in the US is sequential and I never fail to laugh at the idea of forcing your banks to verify you with such a flimsy structure. It's just gonna make the problem worse
Maybe we should be going back to local banks, personal relationships and a real-life web of trust? I remember long time ago when you could get a bank account without any identification at all. The bank tellers knew you by name from talking to you at the grocery store. The bank manager hunts with you. The owner of the bank has seen you on the local golf course.
These days, you're CUSTOMER #52219945 at SuperUltraMegaBank with such-and-such mother's maiden name. The local bank employees live 80 miles away where there are cheaper houses, and to them you're just one of thousands of customers in their corporate database. But, you never even see each other because almost all of the banking you do is via their web site, with the occasional telephone call that gets answered by a teller in southeast Asia. It's totally impersonal.
Those liquidated sums are so small that Robinhood will pay it from their coffee budget. The larger problem is friendly fraud or claimed "hacks" where the owner hacked himself. Easy policy will attract more of these, like insurance fraud.
> “A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood,”
I refused to set up online access or email on my brokerage account, because of hackers. I do trades via a phone call, and my broker knows my voice. (This works because I do very little trading, as I practice buy and hold hold hold hold.)
Robinhood (and other similar companies) is not a bank (not sure what it is registered as?).
By not being a bank it doesn't have to implement all kind of security and operational measures (e.g. access limitations by its own employees, active data-transfer analysis, communication "firewalls" between departments, liability based on the degree of the IT-security which is implemented, etc...) that banks HAve to implement/adhere to => that's really A LOT of in/direct effort (therefore $) for both the initial implementation and the ongoing operations => I imagine that platforms like Robinhood (and similar) shrank ALL costs to the minimum, therefore the kind of problems reported in the article are in my opinion not unexpected.
The most simple (to understand) IT-security guidelines worldwide (but still quite complicated to interpret, at least for me) are maybe the ones of the Monetary Authority of Singapore ("MAS"):
They're high-level (as they should be - details are for lawyers & tribunals), but in the end they all scream to you a lot of <embedded> stuff about security.
For example if you're (un/willingly) running an old version of Apache that has security bugs (and those bugs were fixed by some patch that you did not apply "timely") then you don't comply to the MAS guidelines therefore you'll be preemptively thrown out of their market, voilà. The adherence to these rules and the results of their controls must be confirmed yearly by a top-mgmt executive => if external audit discovers that that was false, and/or if later events discover that that was false then that/those executive/s will burn and/or you'll be thrown out of their market (all this is the result of the last ~20 years of regulations, which I personally think is generally more good than bad, but which is definitely painful for me to deliver hehe).
I don't think that this level of <liability/control/regulation> is in place for Robinhood & Co. - not saying that such companies are bad, they're probably interesting from a certain point of view, but customers should be made more aware of the embedded risks.
Be careful about making electronic payments. I once had the revenooers send me a dunning letter about non-payment of taxes. I sent them a copy of my cancelled check. Problem solved.
I also had an electronic payment made for $700 to the utility company. They said they never got it, but my account was debited. They said take it up with your bank, the bank said take it up with the utility company. After quite a bit of wrangling, I finally demanded to the bank manager that the debit be labelled as "fraudulent" and it be clawed back.
Wonder of wonders, this caused the utility company to magically find the money.
Now I send them paper checks. I also pay my credit card with paper checks, as one time they moved the decimal point over two places (!), and the cancelled check saved me a *
lot* of hassle.
A digitally-signed (by the bank) copy of the transaction would also suffice instead of a check.
Decimal places can't shift with electronic payments.
All B2C debits (SDD Core) have the right to be reversed within 55 days for specific reasons; this can be done online by the account holder and they are instantly refunded.
This is all across Europe, and has been for years now.
> Decimal places can't shift with electronic payments.
[...]
> This is all across Europe, and has been for years now.
Only after living in USA for some time do you realize that many corporations here actually use cheap labor to read electronically submitted information, and then type it back into a computer.
I've had my name misspelled on utility accounts where I signed up online, and damn sure did not misspell it like that.
In eastern Germany they skipped checks for cards and it catapulted their payment systems to transcend the first world payment systems within the decade.
Please correct me if I'm wrong.
I think great depressions in tech yield necessary solutions; necessity and invention...
172 comments
[ 3.0 ms ] story [ 128 ms ] threadI disagree.
The Robinhood system includes their disbursement process.
In this case, someone with access to a username and password managed to, without passing any of the other typical 2FA checks in finance (Calling the the account holder, snail-mail confirmation, actual 2FA tokens) managed to get Robinhood to wire them money.
This is absolutely a compromise of their disbursement system. If a bank gave all my money to some random asshat that showed up to a branch with my debit card, the blame for that lies on my bank.
This is typical liability laundering.
Funny that. The PSD2 regulations in Europe do.[0]
The downside is that they don't mandate properly secure 2FA, so we have a mishmash of SMS, time-based tokens and whatever else passes for various banks under the regulations.[ß]
0: https://www.bankinfosecurity.com/psd2-authentication-require...
ß: My UK bank requires locally generated, time-based reader/app tokens, and has done so as long as I've lived here. My Finnish bank uses SMS.
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
https://www.ffiec.gov/pdf/authentication_guidance.pdf
Additional factors are of course always safer, but everything is a trade-off between security and usability, and users should have control.
A bank would not let you empty an account with just a debit card and PIN, assuming there was some non-trivial amount of money in there.
I think that's a pretty important detail. With my bank they could only get up to $1000 without further verification.
2. They will return my money if I reported the theft in a timely fashion.
Robin hood seems to be doing neither.
Wouldn't that be out of the graciousness of the bank (or PR)?
Edit: You may still be on the hook for overdraft fees from e.g. authorized payments, and it may take some time for the bank to indemnify you, which is why the conventional wisdom is that CCs are safer than debit cards from a fraud perspective.
[0] https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-cr...
[1] and is in fact legally required to: https://www.federalreserve.gov/boarddocs/caletters/2008/0807...
FDIC insurance (and its equivalent in other countries) is something completely unrelated - it's for cases when the bank is unable to pay you because it goes bankrupt for some reason (which may include massive fraud done to the bank or by the bank), it's not for cases when your money gets lost in some other way.
Since the bank is on the hook for giving out customer money to random con artists, their threshold for investigating suspicious account activity is much lower.
Relevant Mitchell & Webb comedy sketch: https://www.youtube.com/watch?v=CS9ptA3Ya9E
Robinhood worked well for bootstrapping my portfolio with free trades, but after a certain point it got big enough for me to worry about other factors like this.
Example: I accidentally deposited a check into my IRA once. I called and explained I wasn't sure what to do because 1) the check was post-tax money and 2) if I tried to fix it myself, would it count as an early withdrawal?.
The guy picked up almost immediately, said yep lemme transfer you, the <something> department has a button for that. I got transferred, still to a native english speaker, who sorted me out. A couple days later it was all fixed in my account. 10/10.
I do all my banking with them and if they offered a 2% cashback credit card, I'd move that to them too.
Speaking of which, Citi (I have the doublecash) has been dreadful - my card # got stolen once, and they sent the new credit cards to my old address (that I still - for a bit longer - owned, thankfully) even after I specifically stressed, and confirmed multiple times, that I was 300 miles away from the address and if they sent them there, they'd sit in my porch for 1-2 weeks before I could get to them, and I would also not have a credit card to use.
They reassure me, even getting a bit snippy at the end of the call, that they're sending them to the address I gave them (my parents' house) on the call. And since I'm such an important customer, they're overnighting the cards.
Sure enough, the next day, I check my security camera and see a dang cardboard envelope that says CITICARDS all over it sitting on my old porch 300 miles away.
So I call them up, explain that they did exactly what I asked them not to do, and if they could cancel those cards and try sending them again, because I don't have a credit card right now, and I'm trying to furnish and move into a new house and need to put about $10k of appliances purchases through the cards ASAP. They explain that, sorry, they need to wait a week or two (I was incensed and don't remember clearly at this point) before they can do anything.
Luckily a week later when I rolled up to finish cleaning the old house, the cards were still there, albeit a bit damp.
In the meantime I'd applied for a Blue Cash Preferred (which gets 6% cashback on instacart!) and they had it to me overnight and dropped it on the doorstep of my new house which was a new construction and not even in some systems yet as a valid address. Their support as been good so far, too, though I haven't had to call them but once so far.
(Thanks for coming to my TED talk.)
Or is it not real 2FA somehow?
The email one has different problems (what if my email's hacked too?)
https://client.schwab.com/clientapps/access/securityCenter#/...
And to enter it, you ... append it to your password?
I'm personally going to hold off on giving them the greenlight here.
>And to enter it, you ... append it to your password?
Are you implying this is wrong somehow? It's a fairly common way to do 2FA and there's nothing wrong with it. On the backend, all it's doing is taking the input, substringing the final 6 characters and inputting that as the code, and then uses the remaining characters as the password input. It's essentially just a shortcut that allows you to log in with one click rather than having to enter your password, click submit, enter a code, then click submit again.
Per the FAQ, if you for some reason don't want to append it to your password, it'll send you to a normal "Enter your 2FA code" form like you're probably used to.
The main issue for me is that the 2FA is locked to using the Symantec VIP 2FA app, which is disappointing from a usability standpoint.
But here's where it can go wrong, using ETrade as a specific example. ETrade appends the 2FA token to your password, but also enforces a password character limit. Yep, that means turning on 2FA reduces your password character limit. From what I hear, it has some surprising behavior if your password is already at the character limit and you turn on 2FA.
(Aside: ETrade has some very sketchy security practices, like apparently letting you use the 2FA token on its own to reset your password (according to a coworker), but that's another discussion.)
FWIW I think 2) is the bigger sin here.
I'm not sure if they still do this.
http://mattstockton.com/2013/03/20/my-bank-password-is-sort-...
I think I recall Vanguard having had something similar but I can't find it in searching, so perhaps not.
I basically assume any financial institution that provides support for the old "telephone banking" methods via DTMF tones either stores your password in plaintext or a hashed version that reduces entropy. I'm honestly surprised hackers haven't gotten sophisticated enough to bruteforce these reduced entropy login passwords using a Twilio account.
[0] https://www.fidelity.com/customer-service/phone-numbers/over...
It still will allow you to avoid phishing if you never use the sms fallback, but it does make you vulnerable to sim attacks of the variety "convince phone store rep to replace 'your' lost sim card"
Any kind of otp/totp leaves you with too much risk
https://www.schwab.com/help/two-factor-authentication
Schwab has a US based super super helpful call center. They will talk to visa on your behalf and fix any problems immediately. They will go out of there way to be very nice and helpful. they've waived wire fees for me when they had very little reason to. So amazing.
You can't even get a human on the phone at TCF and they even recently got rid of local branch phone numbers you can't find it - which is insane.
[0]Transfers kept failing for no clear reason. [1]My account got into some sort of state where if I tried to login it said my account didn't exist, but when I tried to create a new one it said I already had an account.
You are right that Schwab makes a pretty good profit from it. The way they do that is by lending "your" money to their margin customers and charging those people 7% or more while paying you pennies.
In a "margin" brokerage account, "your" money is merely a debt obligation of Schwab.
TD Ameritrade (and now I think Schwab) will sweep cash from your brokerage account into a real, genuine, bank account. But the interest rate is still almost nothing.
https://www.sfgate.com/business/article/The-genesis-of-disco...
Unfortunately, I have to disagree. While I never had any major problems with them, my company's 401k accounts used to be with them. At the time (this was about 5 years ago) you couldn't have a password longer than 8 characters and they didn't support 2 factor authentication. They had it, just not for your account. It was quite frustrating. Maybe they've finally wised up? But even so, that's hardly keeping up well with tech.
It was even worse, if such a thing is possible. Passwords were case insensitive.
https://1password.community/discussion/60363/psa-schwab-now-...
There was an HN discussion about this, but the original article is now lost to the mists of time.
https://news.ycombinator.com/item?id=8783790
It sounds like the bigger confusion is that Robinhood doesn't have a way to cancel withdrawals in flight. At least one of the customers caught the transaction with time to cancel, and couldn't reach a human in time to do that.
I’m all for holding higher expectations for Robinhood—- they have an opportunity to make finance less scummy and are failing in many ways—- but it’s incredibly easy to get away with fraud at _any_ financial institution.
> Rao said he had previously set up two-factor authentication to access his account, and Bagheri said she’s certain her Robinhood password is unique from all others, including her email. Neither believed they had been duped by phishing scams or malware. Both said they use the same email for Robinhood and other accounts, and that only Robinhood has been affected.
Usually, these situations can be at least partially blamed on credential stuffing, but claims such as these warrant further investigation. Credential stuffing isn't supposed to work if 2FA is properly configured, and phishing shouldn't work if something like TOTP is implemented correctly--although it quite often isn't.
TOTP codes can be phished. Hardware-based 2FA is a different matter, but SMS and TOTP 2FA doesn't fully protect against phishing.
The complex attack you are probably thinking of is sim swapping which is a bit different than phising.
Of course, if you're a high-value target or work for a company that's likely to be targeted by spear-phishing campaigns, you should be using FIDO2. (Don't target U2F, as there are newer, backward-compatible specifications.)
https://github.com/kgretzky/evilginx2
If you get a message indicating your password was invalid, you're probably not going to pay a whole lot of attention to it--even with a password manager, it's a common message to receive on financial sites. Some go out of their way to impede password managers because they think that's a good security practice.
If you get a message indicating the 6-digit code you entered is invalid, that should be a lot more concerning to you, and you should immediately ensure that nobody has logged into your account. If you can hold out for however long the site will accept the code (usually 60 seconds, but some sites have a larger window), you're good.
Of course, none of these "ifs" exist with FIDO2 and U2F, which is what everyone should be using instead. If you're in charge of security for a website, please offer FIDO2 and/or U2F.
I could type the 6-digit code incorrectly just as well as I could type the password incorrectly.
Additionally, some sites might check both the password and the 2FA code simultaneously as a security mechanism to prevent attackers learning if the password is correct.
Additionally, the phishing page could simply redirect the user to the real site. The user is likely already logged in to the real site, so it will appear to the user as if the user just performed a successful login. If the user isn't logged in, it will seem like some type of site glitch, and I've experienced glitches like that myself.
It took Soraya Bagheri a day to learn that 450 shares of Moderna Inc. had been liquidated in her Robinhood account and that $10,000 in withdrawals were pending. But after alerting the online brokerage to what she believed was a theft in progress, she received a frustrating email.
The firm wrote it would investigate and respond within “a few weeks.” Now her money is gone.
Bagheri is among five Robinhood customers who recounted similar experiences to Bloomberg News, saying they’ve been left in limbo in recent weeks after someone sold their investments and withdrew funds. Because the wildly popular app has no emergency phone number, some said they tried in vain to intervene, only to watch helplessly as their money vanished.
“A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood,” a spokesman for the company said in an email. “We’re actively working with those impacted to secure their accounts.”
The issue didn’t stem from a breach of Robinhood’s systems, the spokesman said.
SEC, Finra
Bagheri, a Washington attorney, and three other Robinhood users said they also contacted authorities including the Securities and Exchange Commission and the Financial Industry Regulatory Authority. Two of those customers said they have heard back from an official at the SEC seeking more information.
Finra and the SEC declined to comment.
Robinhood, founded seven years ago and based in Menlo Park, California, has exploded in popularity this year as millions of Americans stuck at home -- including throngs of millennials -- look to make some money during a pandemic that has sent stock prices swinging. But the no-fee brokerage app has also attracted consumer complaints, with novice investors confused by the vagaries of stock options and margin loans.
Now, even though the firm said this year that it has more than doubled its customer-service team, clients complain they’re struggling to get quick help when their funds are disappearing.
“They don’t have a customer service line, which I’m quite shocked about,” Bagheri said.
‘Mental Stress’
Pruthvi Rao, a Chicago software engineer, said his account was hit on Oct. 6. His bet on Netflix Inc. was liquidated and $2,850 was soon withdrawn. He said he’s sent more than a dozen emails to Robinhood’s customer support address, and that he even tried messaging some of the brokerage’s executives on LinkedIn.
“I’m in tremendous mental stress right now because this is all of my savings,” said Rao, 36, whose account was frozen by Robinhood in response to the fraudulent activity. He said Robinhood contacted him on Friday and unlocked the account after sending several emails late Thursday asking for help.
Rao showed Bloomberg the same emailed response from Robinhood that Bagheri received. “We understand the sensitivity of your situation and will be escalating the matter to our fraud investigations team,” Robinhood customer service agents wrote them. “Please be aware that this process may take a few weeks, and the team working on your case won’t be able to provide constant updates.”
Rao said he had previously set up two-factor authentication to access his account, and Bagheri said she’s certain her Robinhood password is unique from all others, including her email. Neither believed they had been duped by phishing scams or malware. Both said they use the same email for Robinhood and other accounts, and that only Robinhood has been affected.
“Unfortunately, it’s a common occurrence that online accounts of monetary value are bought, sold and traded by cyber-criminals,” said Mark Arena, CEO of Intel 471, which monitors activities of digital criminals. “This shows the importance of people practicing common information-security hygiene such as not re-using the same password across multiple accounts and ...
If I'm fishing you and get you to type your password into fakegoogle.com, I'll try to use it with real google immediately. If they send me a 2FA error (and I've got a semi-sophisticated phishing operation) fakegoogle will show you a an input field for that 6 digit code (just like real google). Then I've got a few seconds to send that to $site as well. It's a tighter timing window, but it's likely at this point that I'm into your account.
This sort of attack isn't possible with a hardware key, since it only works on the original domain (which presumably I don't control).
Does that make sense?
It's an open standard, so you can read all about it: https://webauthn.guide/
Seems like good password manager hygiene (which checks the domain name before filling credentials) can help prevent this from happening.
Unless it doesn't auto-fill, but it looks right, so you paste it anyway.
Also, here's some FINRA arbitration information.[2]
Online users are so used to being powerless, facing unreasonable EULAs, that most are unaware they can push back hard. FINRA has the authority to have brokerage employees fired and barred from the securities industry. So brokerages pay attention when a complaint comes in via FINRA.
[1] https://www.finra.org/investors/have-problem/file-complaint/...
[2] https://www.finra.org/arbitration-mediation/resolution-and-r...
https://nclalegal.org/2019/07/finra-is-a-double-delegation-d...
This is patently false. The Securities and Exchange Commission accredits and oversees all national SROs.
If I walk into a bank with a gun and demand money, everyone agrees I am robbing the bank. But if I walk into your bank and claim to be you, suddenly I am not robbing the bank. I am committing "identity theft," and the bank will take no responsibility and do as little as legally possible to help resolve the situation.
It is a neat trick.
Pass all the expense of being a victim of a crime down to your customers.
[1] https://www.nerdwallet.com/article/credit-cards/merchants-vi...
I used to be a bank teller and we were instructed under no uncertain terms to hand over whatever we had and enjoy a week of paid vacation to recover from any potential trauma suffered.
The bank I worked for had a corporate security team who wouldn’t even stop their lunch break to review one isolated robbery, instead they’d look for serial cases, or occasionally assess how likely it was that it had any “inside job” elements if the robbery didn’t fall within standard profiles.
The actual “vault” in most branches is barely bigger than a high school locker inside the room behind the big metal door. Most everything else kept behind that huge metal door is administrative or customer related documents (arguably worth more than the cash itself!).
Lastly, about once a week, I was tasked with filling the ATMs for a branch that was in a downtown office building lobby. The ATMs were in a wall and had a little secret door that I’d access to audit the machines and count the money I’d refill them with. Each machine could hold 200k or so and there were two of them but there was no real clear way to get the $400,000 from our secured vault to the machines without armed security or something. In order to avoid having to order an escort every time, we’d just load the cash into a printer paper box and stealthily walk it across the lobby like I was just carrying actual printer paper (insert your federal reserve jokes here).
It’d take 2-3 hours to audit and refill the machines, meaning I would have had a nice head start if I had the guts and gray morality to make a run for it.
The policies across the board are to just hand over money. As a result, there's essentially zero fatalities from bank robbery. Maybe a few every year, usually the criminal themselves.
However, bank robbers only get away with about 10% of cases. Clearance rates are super, super high now. And because they're usually serial, almost every single bank robber gets caught. There's a whole slew of tactics used.
Makes perfect sense. They lose a few bucks, vs the $$$$ they'd have to pay in the lawsuit. Let the cops deal with the crooks.
I vaguely recall it's part of FDIC even.
That's not how insurance works. If you file claims against the insurance company, they pay the claim, but your rates go up to cover it. YOU wind up paying.
Later on, he got clean and sober and told his sponsor about the episode. Part of recovery is that you're supposed to be willing to make amends for the damage you've done. His sponsor thought about that one, and said, "You know what? I think we're going to let that one pass." Probably a good decision.
I’d guess my average teller drawer value was somewhere between 2-5k “unlocked” and maybe another 5k kept locked below my station. Not exactly “let’s leave the country and live like kings” money.
As a side note, I met him as he was dying of cancer, and my friend would help take care of him. Id pitch in, but it was mostly my friend doing the day-to-day helping. Absolutely f*ing heartbreaking. There was no one else in his life - no friends, no family, nothing. He was bitter and alone. It was brutal watching him die over a few months.
I guess it makes sense that he quit robbing banks once he got caught.
He got out from prison before he died?
How did he spend the days alone before he got cancer
In both cases neither the bank nor I have done anything wrong. We’re both literally victims of a crime. And through the payments system and the justice system we’ll hopefully be made whole in the end. But the difference is the incentives. When I lose the money the bank has less of an incentive to rectify the situation.
But those are pretty much edge cases. Credit builder and secured credit cards exist for people with poor or no credit.
Costco, gas stations, and some mom & pop shops really want to save on that credit card processing fee.
Personally, I consider missing out on the cash discount at a gas station a convenience & fraud protection fee.
They now have a deal with Visa, along with their own branded Visa card but will accept any bank's Visa card.
I wrote about the story here:
https://www.zainrizvi.io/blog/how-banks-help-scammers-with-t...
As cruel as it sounds, your sister performed a legitimate transaction.
It seems to me that a person ought to be able to reasonably rely on a bank acting like a check has cleared, at least after some clearly stated period of time.
There isn’t a dependency.
The legitimate account holder said “Send $x from my account to y” and the bank did.
There was no fraud in that transaction.
As for your second point - funds are required to be available before the check clears by federal law. Complain to your congresscritter, not the bank.
Not sure why I’m getting downvoted for stating simple facts...
Welcome to HN.
Fixing that wouldn't require a change to the funds availability policy, and wouldn't require it to dishonor any transactions. As the original complaint indicated, it would literally just be a UI tweak: the online banking system could highlight provisionally available funds differently from really really available funds, and in that way communicate to customers what is actually cleared and safe to spend. This isn't a big ask.
In addition to protecting account holders from a massive range of fake check scams, that would also protect them from a bunch of other crooked stuff.
For example: did you know an employer can reverse a direct deposit of a paycheck for some amount of time after it seems to go through?[1] Employees get screwed all the time when their employer randomly decides "oops, we paid you too much" after the money is already spent. Which is insane and unfair but---we wouldn't even have to change the system to protect many employees. Just have banks clearly indicate which direct deposits are final and which might still go poof if the employer unilaterally decides.
[1] old example https://www.nytimes.com/1997/03/23/business/turning-direct-d... --- but I know people to whom this has happened this year.
Once the check is disputed, the money gets yanked back from the depositor’s account. That’s why personal checks are just a completely unreliable method of payment and should only be used between trusting parties.
Your card gets stolen.
Scammer empties out the account.
With a credit card, transactions against the card will get declined after it maxes out (if the fraud checks don't kick in sooner). You report the theft. Everything solves itself quickly. A minor inconvenience at worst.
When your debit card gets stolen, that's YOUR money going out, then your rent check bounces, and it takes weeks to get the money back, and in the meantime, YOU HAVE NO MONEY.
1. Not my name for the payer
2. An out-of-state address
3. Check was not on my bank's paper, they did the logo wrong, etc.
4. Signature was someone else's
Essentially, everything was wrong but the account number. The bank cashed the check, and blamed me. I got very angry about that, and basically sat in the manager's office until he agreed to refund my money.
A couple months later, I ran out of blank checks, and went to the bank to order more. They gave me a song-and-dance about the advanced "security paper" for the expensive check blanks they wanted to sell me. I literally laughed, and told them you guys don't check the name, the address, the signature, and certainly not the paper, and walked out and bought more checks from an online company.
Also, the image of the bad check was what got my money refunded. An electronic trail is simply not as good as a paper one when there's a dispute. A cancelled check is gold in a dispute.
The fact “bad checks” can exist is the problem, which necessitates the use of a literal paper trail.
It is insane.
Maybe FedNow will change things?
The real answer is more prevalance of free ACH transfers. Some companies still like to charge the unneeded credit card fee for those too sadly.
There's only one thing I (typically) use them for nowadays but they do occasionally come in handy at times.
"why is this gate here, let's take it down!"
type comment?
Checks are extremely useful to individuals. You can pay for something, it has no overhead, and you have your own audit trail.
You can probably fake a fax machine or a certified letter too, but I think they are useful too.
The US has a ridiculous level of bank/payment fraud compared to Europe (~15x in some areas, according to the fed), who invested in chip+pin, SEPA, IBAN, etc etc. This all lets me pay for something with no overhead and maintain my own audit trail in a way that doesn’t involve a trust-based system from the 1800s.
The US also has strong consumer protection laws.
I remember a friend of mine had a father in mexico and someone misused his bank card and he was SOL.
In the US, there are laws protecting credit card holders. The most that can be lost is $50 (or $500 in cases of extreme negligence).
What is really happening is that with minimized repercussions a lot of things have almost been decriminalized.
Speaking as a citizen of a country with "real" identification laws, how would you like the banks to identify you?
SSN? Absolutely not. That number is not meant to be used as formal identification, it's completely unprotected.
America has a particular weakness to identify fraud because you don't have an identity system.
My ID number is formally defined in law, protected and verified by various check sums built into the number (like so many tokens out there). Banks are required, by law, to ensure they have identified the right individual before transacting and they carry the full burden if they get it wrong.
The SSN in the US is sequential and I never fail to laugh at the idea of forcing your banks to verify you with such a flimsy structure. It's just gonna make the problem worse
These days, you're CUSTOMER #52219945 at SuperUltraMegaBank with such-and-such mother's maiden name. The local bank employees live 80 miles away where there are cheaper houses, and to them you're just one of thousands of customers in their corporate database. But, you never even see each other because almost all of the banking you do is via their web site, with the occasional telephone call that gets answered by a teller in southeast Asia. It's totally impersonal.
I refused to set up online access or email on my brokerage account, because of hackers. I do trades via a phone call, and my broker knows my voice. (This works because I do very little trading, as I practice buy and hold hold hold hold.)
By not being a bank it doesn't have to implement all kind of security and operational measures (e.g. access limitations by its own employees, active data-transfer analysis, communication "firewalls" between departments, liability based on the degree of the IT-security which is implemented, etc...) that banks HAve to implement/adhere to => that's really A LOT of in/direct effort (therefore $) for both the initial implementation and the ongoing operations => I imagine that platforms like Robinhood (and similar) shrank ALL costs to the minimum, therefore the kind of problems reported in the article are in my opinion not unexpected.
The most simple (to understand) IT-security guidelines worldwide (but still quite complicated to interpret, at least for me) are maybe the ones of the Monetary Authority of Singapore ("MAS"):
https://www.mas.gov.sg/regulation/cyber-security
They're high-level (as they should be - details are for lawyers & tribunals), but in the end they all scream to you a lot of <embedded> stuff about security.
For example if you're (un/willingly) running an old version of Apache that has security bugs (and those bugs were fixed by some patch that you did not apply "timely") then you don't comply to the MAS guidelines therefore you'll be preemptively thrown out of their market, voilà. The adherence to these rules and the results of their controls must be confirmed yearly by a top-mgmt executive => if external audit discovers that that was false, and/or if later events discover that that was false then that/those executive/s will burn and/or you'll be thrown out of their market (all this is the result of the last ~20 years of regulations, which I personally think is generally more good than bad, but which is definitely painful for me to deliver hehe).
I don't think that this level of <liability/control/regulation> is in place for Robinhood & Co. - not saying that such companies are bad, they're probably interesting from a certain point of view, but customers should be made more aware of the embedded risks.
I also had an electronic payment made for $700 to the utility company. They said they never got it, but my account was debited. They said take it up with your bank, the bank said take it up with the utility company. After quite a bit of wrangling, I finally demanded to the bank manager that the debit be labelled as "fraudulent" and it be clawed back.
Wonder of wonders, this caused the utility company to magically find the money.
Now I send them paper checks. I also pay my credit card with paper checks, as one time they moved the decimal point over two places (!), and the cancelled check saved me a * lot* of hassle.
Decimal places can't shift with electronic payments.
All B2C debits (SDD Core) have the right to be reversed within 55 days for specific reasons; this can be done online by the account holder and they are instantly refunded.
This is all across Europe, and has been for years now.
Only after living in USA for some time do you realize that many corporations here actually use cheap labor to read electronically submitted information, and then type it back into a computer.
I've had my name misspelled on utility accounts where I signed up online, and damn sure did not misspell it like that.
Yes, USA is stuck in the 70s.
In eastern Germany they skipped checks for cards and it catapulted their payment systems to transcend the first world payment systems within the decade.
Please correct me if I'm wrong.
I think great depressions in tech yield necessary solutions; necessity and invention...
You'd think, right? But the utility company said they never got it, talk to the bank, the bank said they delivered it, talk to the utility company.
> Decimal places can't shift with electronic payments.
When they're OCR'd, yes they can and did. I had to present an image of the check before they would fix it.
There was a physical check? I wouldn't call that an electronic payment.
On a scale from 1-100. Support is a 0 for Robinhood. Ameritrade? I give them a 100+. They are amazing. And TOS trading platform is awesome.
Sure keep a few $$$s in RH and enjoy the confetti, but for larger accounts, I would NOT be using RH.