On Monday, stock trading app Robinhood emailed customers urging them to adopt two-factor authentication and strong passwords.
“As part of National Cybersecurity Awareness Month, we’re reaching out to let you know about the best ways to help protect your Robinhood account,” the email read.
Earlier in National Cybersecurity Awareness Month, on Oct. 15, Bloomberg reported that hackers had accessed around 2,000 Robinhood accounts and some customers had lost funds. Bloomberg also reported that customers had difficulty getting in touch with the company to deal with the matter.
Security has long been a key issue in the financial industry, especially with retail customers, and many companies have long implemented, and in many cases now require, two-factor authentication (2FA), which demands two different kinds of evidence before an account can be accessed (typically a password plus a code generated on or sent to a phone or a separate physical device), so that a stolen password alone is not enough. Across the industry, most major brokerage firms, including Schwab, TD Ameritrade, and Interactive Brokers, currently require two-factor authentication. E*Trade has long offered 2FA but doesn’t require it, and Fidelity has it automatically enabled for transactions.
It’s not clear whether the recent Robinhood incident is a result of a lack of two-factor authentication for affected accounts, or even whether it prompted the company’s push notification asking customers to sign up for the added protection. (The company didn’t really answer the question, but said the communications were “planned.”) A Robinhood spokesperson pointed out that it has other layers of security beyond 2FA and that new devices must be verified by a code.
Bloomberg reported that some of the victims had two-factor authentication enabled but were still impacted by the hack. Robinhood declined to comment on the matter, saying only that a “limited” number of customers were targeted and had the email accounts associated with their Robinhood accounts hacked. That detail matters: a verification code delivered to an inbox the attacker already controls provides no real second factor, which is one way a 2FA-enabled account can still be taken over, though whether that is what happened here has not been reported.
Two-factor authentication is a speed bump to the platform, which is good and bad
Though it’s being encouraged in ever-stronger terms at Robinhood, two-factor authentication is not required and exists on an opt-in basis. Customers who want their portfolios to have added security must actively seek it out.
“In an effort to help customers continue to protect their accounts, we have recently rolled out planned communications with customers via push notifications related to recommended account security actions, including setting up two-factor authentication, verifying their personal information, and encouraging strong password practices,” Robinhood told Yahoo Finance.
Robinhood is known for being very user-friendly. One of the reasons for that is the ease of logging in, which two-factor authentication complicates. Long, secure passwords and passphrases take longer to type and might result in more “forgot password” queries. For 2FA, the extra step of entering a code from an SMS, email, or authenticator app might be just enough of a speed bump to prevent or discourage access.
Robinhood’s security requirements appear to be more lax than the standard in the brokerage industry. Yahoo Finance polled a variety of financial institutions on their policies and found that mandatory two-factor authentication was almost universal.
Vanguard requires it for both its retail investors and customers who use the company’s 401(k) tools. TD Ameritrade told Yahoo Finance it “requires that all clients use some form of enhanced or multifactor authentication and offers several options, including SMS and push-based authentication.”
Interactive Brokers said its research found that it was “one of the first” to offer 2FA, and now requires a code via a phone or a separate physical device.
“If an internet hacker should somehow manage to obtain your Interactive Brokers username and password, they WILL NOT be able to access your account without physical possession of your Secure Login System security device or full access to your smartphone. If you do not have a smartphone, we offer an alternative 2FA device,” the company told Yahoo Finance.
Charles Schwab said it requires two-factor authentication, and noted that it “will cover losses in any Schwab account due to unauthorized activity.”
Still, like Robinhood, a few prominent brokerages don’t appear to have a mandatory policy. Fidelity’s NetBenefits platform for 401(k) participants defaults to 2FA for transactions but not for logins, and a client can opt out. E*Trade, which helped pioneer 2FA with a fob and code, does not appear to require it. (E*Trade did not respond to Yahoo Finance’s inquiry.)
Robinhood points out that it employs a wide array of security measures to sniff out fraudulent behavior, as do places like Fidelity. (E*Trade did not respond to a request for detail about its 2FA and other security policies.) But Bloomberg reported a key difference in the recent fiasco: customers couldn’t get in touch quickly. Even where one or two larger brokerages leave 2FA optional, they also offer a phone number you can call.
All of this is especially important given the recent boom in retail investing, largely led by Robinhood’s user-friendly experience and no-fee trades. With more users than ever, there are more — and perhaps softer — targets for bad actors.