Robinhood Kicks Cybersecurity Month Off by Getting Hacked

Approximately 2,000 Robinhood accounts were accessed by hackers and looted during the week of October 5, according to Bloomberg. Victims told Bloomberg that their trading accounts were hacked in spite of already having set up account protection. A Robinhood spokesperson tells us, “A limited number of customers appear to have had their Robinhood account targeted by cybercriminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood. We’re actively working with those impacted to secure their accounts. This was not stemming from a breach of Robinhood’s systems.”

Quite a few Robinhood clients reported on Twitter that they awoke on October 16th to an email telling them to set up two-factor authorization. Because of an increase in cybercrime that has been observed across the financial industry during the pandemic, and in an effort to help customers protect their accounts, Robinhood has been advising customers via push notifications related to recommended account security actions, to set up two-factor authentication, verify their personal information, and use strong password practices.

Robinhood, with an estimated 13 million customers, does not have a telephone support system at present; customers have to go through an online reporting system to provide details of an intrusion into their accounts. The spokesperson says, “Whenever we are made aware of account issues we work directly with customers to resolve any issues as quickly as possible.” The Robinhood spokesperson states, “If we determine through our investigation that the customer has sustained losses because of unauthorized activity, we will compensate the customer fully for those losses.”

More seriously, Robinhood also lacks some of the security measures that are in place at most other brokers, such as verifying changes in bank account links. One of the reasons so many of the hacked accounts were drained involved hackers adding a new bank account to a funded account, and allowing funds to be transferred to the new account without additional verification.

Cybertheft is Not New

In the mid-2000s, there was a series of breaches at several online brokers due to the lack of encryption for login credentials. Once a client was logged in, data was properly encrypted, but user IDs and passwords were being sent unencrypted over wired and wireless Internet connections. Cybercriminals were able to capture that data and manipulate the accounts they invaded. This was before the majority of online brokers had enabled online transfers into and out of bank accounts. In one of the more clever hacks, several E*TRADE clients were targeted in 2006 by thieves who entered bogus buy orders for nearly worthless penny stocks that they held, forcing the targeted account to purchase stocks for considerably more than they were worth. Brokers quickly figured out how to encrypt network traffic prior to login, and this scheme was shut down.

One of the largest data breaches to affect online brokers happened at Scottrade at the end of 2013, but it wasn’t discovered and made public until 2015. Approximately 4.6 million customers had records in a database that was breached, containing Social Security numbers and email addresses, but law enforcement was not able to ascertain which records were stolen. The hackers appeared to target names and addresses. Scottrade said it had “no reason to believe” that any client funds were taken, and the firm subsequently tightened up its network security. Scottrade was acquired by TD Ameritrade in 2017.

Security Guarantees and Account Protection

In the last five years, several brokers have added security guarantees to their suite of services. Charles Schwab offers SchwabSafe, which is automatically provided to all clients. Under this guarantee, Schwab pledges to cover 100% of any losses in any of your Schwab accounts due to unauthorized activity. In exchange, clients must promise to safeguard account access information and report any unauthorized transactions as quickly as possible to a toll-free number set up for this purpose. Clients who share login information with anyone are considered to have authorized such activity.

Fidelity has a similar guarantee called the Fidelity Customer Protection Guarantee. Cash and securities held in most Fidelity accounts are eligible, but credit and debit card and check-writing transactions are not covered. Accounts held at Fidelity but managed elsewhere, such as a college savings 529 plan, are not covered. Like Schwab’s guarantee, customers are required to protect their login credentials and report any suspected breaches as soon as possible, but at least within 30 days of the event. 

Interactive Brokers has clients all over the globe and allows them to trade a wide variety of asset classes on 135 exchanges. This presents an incredibly complex security challenge. The firm has offered its Secure Login System, two-factor authentication using tokens since the early 2000s, which offers an extra layer of security. Recently IBKR made soft tokens available as well as hard tokens, and clients are strongly encouraged to use either a free physical security device or IBKR Mobile Authentication, its digital security application designed for smartphones. Clients who participate in the Secure Login System enjoy enhanced withdrawal capabilities, while clients who do not participate are subject to daily and weekly withdrawal restrictions.

What Can You Do?

Check over all of your financial accounts and make sure:

1. You are using a unique and hard-to-guess password for each account. Do not re-use passwords. Use a password organizer to generate and save unique passwords. Never write your password down and store it near your device (or on it with a post-it note).
2. Do not share your login credentials with anyone unless you trust that person to make changes to your account on your behalf.
3. You log into the institution’s secure website. The address should start with “https://” and there should be a small lock icon displayed.
4. Set up two-factor authentication. Robinhood clients should immediately follow the steps listed in this support post. Check your broker’s FAQ for instructions.
5. Use a firewall program to control the flow of cyber traffic to your computer. For additional protection, use a hardware firewall and virtual private network in addition. 
6. Use anti-virus and anti-spyware software that is always on.
7. Make sure your device’s operating system is up to date.
8. Do not access financial accounts from public computers.

Stay safe out there.