Yeah, this seems like an article about the blog post with not much extra, except a related reference to a similar Twitter social engineering attack (which, to be fair, I was unaware of). I don't think it adds much, though
Robin Hood gave to the poor, Robinhood takes from the poor. Robinhood sells the poor the constantly disproven dream that you can trade your way to riches.
"The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems."
Perhaps it is time to actually train customer service techs?
I do not understand this part: we (banking software) have trivial rules that completely stop this: I would hope bigger organizations have this too. But simply; support roles (all roles are limited: millions cannot happen; you need a big bug for that) cannot view over 100 customers a day: if they hit that 100 2 days in a row, their account is blocked and their manager (also access to 100 a day but can unblock support employees) has to check the reason and unblock. How does a support account actually give you access to all customer data? What is the point of that?
I actually signed a contract like that back in the late 90s when Y2K business was starting to build. To be fair, the training involved moving me 2000 miles from home for 3 months and my employer provided my housing and a per diem along with a reasonably intense "boot camp", so they actually spent money on my training. I think I had to stay a year. They kept me for 6 years, so it worked out for both of us.
"Fuck! We have to train them now?! Its bad enough that we have to PAY them!"
I was surprised to learn how poorly phone reps are paid. Even in America.
I work in healthcare, and when COVID hit, almost everyone in the company had to man the phones. We were all e-mailed PDFs from the customer service contractor with instructions about how to use the soft phone system on our computers.
Since it was a standard new hire packet, the contractor accidentally left in all of the other workplace policies. Some of which were terrible. For example, the phone reps were only allowed two bathroom breaks each day, and they could total no more than 11 minutes.
And this was an American company, with call centers in supposedly "liberal" western states.
I worked as phone rep for a major Canadian telecom provider and the pay was around 15 bucks an hour. That was 5 years ago so maybe they hiked the rate a bit. But overall 15$/hour is barely enough for anyone to start saving.
That's why I always laughed at those security "tests" and very strict software installation policies put up by licensed security people. I'm not saying that those are not useful, but frankly the worst leaks usually comes from some unexpected sources.
I enjoyed that in their blog post, instead of the cliché "we care about your security", they included a legal disclaimer about the same length as the initial alert. A nice change of pace.
This is why I love the email wildcard trick you can do with most providers [1]. Now I just update my email in Robinhood to a new wildcard, and then just block all emails to the old one since they will quickly just turn into spam emails 99% of the time. Makes email breaches way less annoying.
[1] If you have a service like Gmail or a service that supports wildcards you just do `name+[blahblah]@` or `name.[blahblahblah]@` to make the email specific to the service you are signing up for. So like `bluetidepro+robinhood@` and then if there is a breach you block all emails that go to that, and change your acct to be say `bluetidepro+rh@` or whatever new one so only legit emails go to the new one.
I don't know about Gmail (I have a different service), but they don't seem to. This trick has seemed to work for pretty much all breaches I've seen. Like the recent Peloton one, I started to get spam to `blah+peloton@` and then changed it, and haven't gotten any single spam since the change. They must not put that much effort into the way they check or send the emails. ¯\_(ツ)_/¯
The plus sign thing works with other email providers and servers. I used to use it with self-hosted postfix and I know it's possible with exim as well. I think exchange can do it as well. I would assume that any sophisticated spammer would try removing plus sign suffixes from harvested emails.
The reason spammers don't remove the + automatically, is because their goal isn't to deliver spam, it's to get the right people to read the spam.
The people who use the + trick are exactly the set of people who would never read spam email, and they're also likely to use the "report spam" feature and lower the deliverability of the rest of their spam.
It's also great when other people do this - because it's a dead canary when you start seeing people's emails with +website being collected and shared. I remember like 6 years ago when someone compiled and publicly shared a list of emails&passwords. By simply grep'ing the +websitename out of the email I found that there were easily 800+ unique websites that leaked their login emails and passwords after some validation. I made a comment on reddit about it and some articles that cited it got millions of hits, but people have seemingly forgot since then that finding name+website@gmail.com being shared in lists is a good canary in the coal mine for hacked websites.
That one gets tricky if you can’t keep track of which emails you used where. I’m paranoid that I’ll break my password manager somehow and then won’t even know the email I used for my account. For something financial, that could be devastating.
Seems like they don’t have MFA on this customer service tool? Device based security?
Don’t mean to pile on but this is not a hard problem to solve; it might cost money, require training etc. It’s scary that this could happen to a supposedly financial institution.
If a big techcorp writes something like "we don't know if your social security number was in the leaked data", assume that your social security number is compromised. Because it basically means the SSNs where in the reach of the hackers and they hope they didn't find it.
Last year I told Robinhood to "delete (not just close) my account and related data." I hadn't used the service in years and wanted to reduce their annoying "your account statement: still $0" emails as well as to reduce my online exposure to data breaches.
Now I get an email from them that not only did they not do what I asked, they did indeed serve my data to criminals.
Is there some legal mechanism to compel companies to delete your data rather than this "soft-delete" garbage? Registering an account with a new website these days feels more and more like a stain one will never be able to wash away.
Im not sure about your case but if you did any trading in that calendar year they might have been forced to keep your data until they sent out all the required tax forms to customers.
If that is not the case then yes its super annoying how hard it is to actually remove your data from websites.
I just looked into this, because I tried to delete my account yesterday as well. Normally you can use a CCPA request to nuke your data, but reading Robinhood's T&C it looks like they aren't obligated to delete much since they're a financial institution. Various regulations require them to keep records.
I don't even have an account with Robinhood. I've never done any business with them but somebody else set up an account with my email address. After taking way too long to have my email removed from that account, they now managed to give it to some criminals as well.
I get emails from legitimate companies (including Wells Fargo, a major U.S. bank) meant for others, because they never validated the email address their customers gave them.
Email Address Validation is not "yep, that looks like an email address", it's "let's send a confirmation email and have them click on a link".
Please do NOT trust users when it comes to email addresses!
They’re a bank. You can definitely close your account. I did it when I needed to graduate to a “big boy” brokerage. If they aren’t doing it, contact the CFPB for help & advice.
Why not contact a class action lawyer instead? I’m sure OP isn’t the only one who deleted his account, only to discover it wasn’t actually deleted and is now in the hands of criminals.
Because going through the CFPB is probably OP’s fastest course of action, vs potentially multiple years of litigation. Besides, the demand letter has to start from somewhere.
I consult with large companies, and right-to-be-forgotten generally just isn't a priority for them. It keeps getting moved down the backlog. Furthermore, accounts get deleted accidentally all the time, so managers are reluctant to hard-delete.
Then there are the peripherals - global db backups with x expiration date, random documents on various cloud providers, etc.
In short, I 100% agree that you should keep your main email (at the very least) off of anything possible.
> Is there some legal mechanism to compel companies to delete your data rather than this "soft-delete" garbage?
You could take a copy of the original e-mail and a copy of the notice and send them, with a cover letter, to your state securities regulator [1]. If you want to turn up the heat, submit a complaint to FINRA [2]. If you want to be peskier, and live in California, submit a CCPA complaint [3].
I don't think there is any rule or law requiring companies to hard delete customer data. I would bet that most companies never delete based on know your customer, anti-laundering, and other SEC regulations.
It may be very difficult to fully delete an account. Assuming there are various backups laying around. I assume most companies mark a "deleted" flag as that's the safest. Some maybe delete the record, but I doubt most if any purge you from backups.
A tightly regulated securities broker is not going to be able to comply with your request to just go ahead and delete your account and all related data.
Brokerages are required by law to retain a great deal of records about all of their clients and to keep it for a minimum of at least 5 years. You don't get to just tell a broker that you used to engage in tightly monitored financial transactions that you want all your info deleted as if you were dealing with some kind of social network.
I'm pretty sure it would be illegal for RobinHood to actually delete information about you after you are a customer. They are required to keep a history of your activity and transactions in case they get sued, audited or come under investigation. I do not know what the actual retention period would be but it's certainly longer than just a few years.
> Is there some legal mechanism to compel companies to delete your data rather than this "soft-delete" garbage?
Yes. GDPR (and other legislations basing themselves on this). The US has CCPA if you're in california for example.
Unfortunately, and this applies more or less worldwide, you can't count on this for anything financial. Expect financial institutions to have to legally keep your data for 7-10 years (sometimes even 20). This is one of those cases where soft delete might be the best they can do for you.
The repeated debacles of their trading systems going completely down for entire trading days already made me lose trust. I remember clearly their only communication through one of their most major outages was one tweet saying 'sorry' after the market had already closed. I discovered during this time they also had no customer support to call, only an email support system which was backlogged several days. Apparently they do have phone support now that have power to grant anyone access to customer data.
Robinhood reminded me of Theranos in that they are ran as tech companies that don't take the usual responsibilities of their respective industries seriously. And their outages make me think they don't take their tech seriously either.
I think the fundamental issue that we need so much personal information to open an account but there is no law protecting that piece of information. We have to take the fallout by ourselves. I can't really think of anyway to get out of this, except that to use as much tailored information (email and phone can be tailored to a specific financial service, and even address can be, but the most important ones, names and birthdays cannot sadly) as possible.
63 comments
[ 3.2 ms ] story [ 118 ms ] threadPoor: "I'm rich!"
Robinhood: narrows eyes - "You're what?"
Edit: Oh, this is markdown, isn't it?
Perhaps it is time to actually train customer service techs?
Get one smart dude to call in pretending to be a customer to "pen test".
Do that once a month, would take maybe an hour or two of the dude's time.
You'll offset the cost of training, and help with employee turnover at the SAME TIME! :D
/s in case it's necessary.
I was surprised to learn how poorly phone reps are paid. Even in America.
I work in healthcare, and when COVID hit, almost everyone in the company had to man the phones. We were all e-mailed PDFs from the customer service contractor with instructions about how to use the soft phone system on our computers.
Since it was a standard new hire packet, the contractor accidentally left in all of the other workplace policies. Some of which were terrible. For example, the phone reps were only allowed two bathroom breaks each day, and they could total no more than 11 minutes.
And this was an American company, with call centers in supposedly "liberal" western states.
Checkmate liberals
[1] If you have a service like Gmail or a service that supports wildcards you just do `name+[blahblah]@` or `name.[blahblahblah]@` to make the email specific to the service you are signing up for. So like `bluetidepro+robinhood@` and then if there is a breach you block all emails that go to that, and change your acct to be say `bluetidepro+rh@` or whatever new one so only legit emails go to the new one.
My understanding is that the use case for these hacks is typically not email spam.
One of my (non-wildcarded) emails has been included in many hacked email breaches, and I've yet to notice any associated spam.
The people who use the + trick are exactly the set of people who would never read spam email, and they're also likely to use the "report spam" feature and lower the deliverability of the rest of their spam.
you can also add extra periods in your name: so something like na.me.blah@gmail... will aso work.
Don’t mean to pile on but this is not a hard problem to solve; it might cost money, require training etc. It’s scary that this could happen to a supposedly financial institution.
Now I get an email from them that not only did they not do what I asked, they did indeed serve my data to criminals.
Is there some legal mechanism to compel companies to delete your data rather than this "soft-delete" garbage? Registering an account with a new website these days feels more and more like a stain one will never be able to wash away.
If that is not the case then yes its super annoying how hard it is to actually remove your data from websites.
So ... we're basically screwed with Robinhood.
Email Address Validation is not "yep, that looks like an email address", it's "let's send a confirmation email and have them click on a link".
Please do NOT trust users when it comes to email addresses!
Mint used to send me somebody else's statements. I don't understand how companies in sober industries can be this reckless.
Then there are the peripherals - global db backups with x expiration date, random documents on various cloud providers, etc.
In short, I 100% agree that you should keep your main email (at the very least) off of anything possible.
You could take a copy of the original e-mail and a copy of the notice and send them, with a cover letter, to your state securities regulator [1]. If you want to turn up the heat, submit a complaint to FINRA [2]. If you want to be peskier, and live in California, submit a CCPA complaint [3].
[1] https://www.nasaa.org/contact-your-regulator/
[2] https://www.finra.org/investors/need-help/file-a-complaint
[3] https://oag.ca.gov/contact/consumer-complaint-against-busine...
Yeah, GDPR and California's equivalent thing. Hacker News seems to really dislike it for some reason though.
I guess if you're building a business you don't see it from that perspective, just another hurdle stopping you from moving fast and leaking things
Brokerages are required by law to retain a great deal of records about all of their clients and to keep it for a minimum of at least 5 years. You don't get to just tell a broker that you used to engage in tightly monitored financial transactions that you want all your info deleted as if you were dealing with some kind of social network.
Yes. GDPR (and other legislations basing themselves on this). The US has CCPA if you're in california for example.
Unfortunately, and this applies more or less worldwide, you can't count on this for anything financial. Expect financial institutions to have to legally keep your data for 7-10 years (sometimes even 20). This is one of those cases where soft delete might be the best they can do for you.
Robinhood reminded me of Theranos in that they are ran as tech companies that don't take the usual responsibilities of their respective industries seriously. And their outages make me think they don't take their tech seriously either.
I thought the SEC would step in after the blatant fraud that they perpetrated on the behalf of their real customers during the GME debacle.
Now I find out they leaked my name and email after I deleted my account? Is there a class action being formed?