Some Robinhood customers say their money was looted, suggesting online stock trading may be less secure than investors hoped.
By Charlie Wells, Annie Massa, and Sophie Alexander
It feels as easy as it does safe. With a few swipes of the thumb, investors anywhere can trade stocks straight from their mobile phones, identifying themselves with the unique biometric data stored in their fingerprints or faces.
But an expanding pool of consumer complaints suggests that online trading, which has soared in popularity during the Covid-19 pandemic, may be less secure than investors would hope. Bloomberg News reported last week on the experience of some users on Robinhood Markets Inc.’s brokerage app who say their money was stolen.
Robinhood says the issue didn’t stem from a breach of its systems. Yet the lack of an emergency phone number left customers feeling stranded with little avenue for help as their funds vanished, they said.
Cybersecurity experts say the boom in online stock trading has created a parallel opportunity for hackers. And even the most diligent traders can fall prey to the increasingly sophisticated tactics of today’s digital thieves.
“Cyber hacking has now become the biggest threat to investors’ financial well-being,” said Andrew Stoltmann, a Chicago-based lawyer and former president of the Public Investors Advocate Bar Association. “Unfortunately, brokerage firms haven’t invested the money needed in order to keep cyber hacking of brokerage accounts from happening.”
What are the new tricks?
Messages from alleged Nigerian princes writing about unmissable investment opportunities have been replaced by more believable “phishing” emails, said Jonathan Care, a research director who specializes in cybersecurity and fraud at Gartner.
Such missives might use personal information gathered from publicly visible social-media accounts. They may use the logos of financial institutions to look official to even the most discerning eye. The result? Unwitting investors may be baited into forking over their log-in information.
Other tactics take place in the background and make legitimate-seeming web activity risky. Some hackers set up WiFi networks in public places with monikers that sound credible — such as the name of a nearby business — which can in fact be used to take control of a system.
Malicious software installed on some machines can detect when users log into financial accounts and even make additional transactions they did not intend to authorize, Care said.
What can you do?
“Any of us could have our brokerage account hacked if we do not take precautions to protect ourselves,” said Mark McCreary, chair of the privacy and data-security practice group at Fox Rothschild, a law firm based in Philadelphia.
Digital traders should change their passwords frequently, experts say, and avoid unfamiliar WiFi networks. They should be sure to have two-factor authentication enabled, which requires a secondary code to sign in.
But more than anything else, even savvy users could benefit from simply paying more attention to the flurry of emails, texts and other messages that flood their devices.
“Frankly, none of us are completely immune to an effective phishing email, simply because we may be distracted,” McCreary wrote in an email.
Can you get your money back?
McCreary recommends that investors who think their accounts are compromised immediately notify their brokers, who may be able to track down where funds were wired and reverse the transfer.
“The bottom line is that unlike a credit card with federal law protections, and unlike a bank account where lack of authorization will restore funds (e.g., a forged check), a brokerage account has no such legal protections,” McCreary said.
The Securities Investor Protection Corp., which functions for brokerage accounts in a way similar to the FDIC for U.S. bank accounts, does not cover situations in which money and securities are stolen due to a hack.
There is no magic bullet for international investors seeking compensation, either. However, those in Europe may have an additional avenue to pursue in the General Data Protection Regulation, said Simon Shooter, a partner at law firm Bird & Bird in London who heads its cybersecurity group.
GDPR is a stringent regime governing how companies gather and use citizens’ information, giving consumers more control of their data. Investors may have a right to some compensation if a hacked firm failed to comply with GDPR requirements when it comes to the security and safety of data, said Shooter.
While regulators may not be able to get you your money back, brokerage firms have a strong incentive to compensate consumers for losses.
“With most of these firms, the judgments are really reputational,” said Adam Fee, a former federal prosecutor in the Southern District of New York who is now a partner at Milbank, a law firm. “When something bad happens, they are asking, ‘Do we want a bunch of articles about how people are out money because we messed up and didn’t react?’”
With that in mind, Fee said investors shouldn’t “sit on their rights.” They should make themselves aware of what they may be entitled to in their investor agreements.
After alerting their brokers, investors may also find it helpful to file a complaint with law enforcement. The most direct way to do that in the U.S. is with the FBI’s Internet Crime Complaint Center. Don’t expect agents to show up at your door, however. Fee said this step simply helps formalize the complaint.
What do the brokerages say?
A common industry practice is to promise to cover 100% of losses as a result of unauthorized activity in a brokerage account. The sticking point, of course, is whether the company will rule the breach was indeed unauthorized or lay the blame on you.
“If we determine through our investigation that the customer has sustained losses because of unauthorized activity, we will compensate the customer fully for those losses,” said Dan Mahoney, a spokesman for Robinhood. He also said the company works to “resolve any issues as quickly as possible.”
The company is hiring a Fraud Investigations Team Lead in Denver, according to its website.
Charles Schwab Corp. says on its website that it will cover all losses stemming from unauthorized activity in one of its brokerage accounts. Schwab says it employs more than 2,500 people in its service team and call centers alone, and over 1,300 others in client-facing roles at its branches.
Interactive Brokers has been hiring more client services staff, faced with big increases in client accounts and trading activity. It has live, chat and email support with centers around the world, and its phone service runs Sunday through Friday. Another tool called IBot uses artificial intelligence to answer some customer questions.