Two Factor Authentication at Corner Trader

I have an account at Corner Trader. I like their web trading interface (not that it matters, I’ve used it twice so far…). However, sometimes I worry that they are unprofessional, low-scale. If you want to contact support, you write an e-mail and then it’s always the same people responding.

Moreover, I have been begging them for two factor authentication for months. Nowadays a single password is just not enough, especially when it comes to your life savings! Finally, they have implemented this Symantec VIP Security app. You pair your CT account with the app credential, and each time you log in, you need to provide a code from the app on your smartphone.

The problem is, before you enter the code, you can just change the credential and authenticate yourself with another app. It makes me really anxious. CT is the cheapest Swiss broker and I would be happy to stick with them, but some evenings I have these thoughts that all my assets just evaporate and there will be no trace of them. Or someone breaks in and makes some harmful transactions and drives my portfolio to the ground. What are your thoughts on keeping 90% of your wealth in digital form?

I’ve just got the two factor authentication enabled and was thinking it was pretty good. I hadn’t noticed you could just sign up a different credential. If you can do that on any other phone then that’s terrible. Have you asked CT about it?

Maybe I’m being naive but I’m not that worried about someone hacking in and messing up my portfolio. The money can only be transferred out to your linked account so the worst they could do would be to make some bad trades, but why would they? If you’re going to bother to hack into someone’s banking, at least you’d want to profit from it in some way.

Of course if it’s true that you can bypass the security then they absolutely need to sort that out.

I have contacted Corner Trader multiple times about this issue. They have said that it is their top priority. But it has been the top priority for months. I have installed the app on my other phone and after logging in, just changed my credential to the new phone, provided the code and voila - I am logged in. This renders the two factor authentication completely useless.

My worry is that by making trades they can still send value to a different place, for example by bumping up the price of an illiquid asset. And I have never sent money back from CT to my account, so I don’t know how this works.

Hi Bojack
Even if useless, I would like to give this 2 factor implementation a try. How do you activate it? I have to admit, it is the only thing that is keeping me a little bit on edge with CT. I’ve been using it for 3 years and never had a problem, but a single password… meh. I try to use the most complicated and random password possible, that should help, but it is not very professional.
Sadly, for the moment I’m making 2 trades a year so IB is still more expensive.

I’ve been pestering my advisor and CT support with e-mails since the end of last year. They told me they would sign me up for testing. Then, finally, they sent me an e-mail saying that they activated it for me. Then after I logged in, I had to provide this Symantec VIP credential, which came from the smartphone app. So I am not aware of how you activate 2FA. Maybe it is still not out of the test phase 😣. I would write to your advisor or to the support by email that you would like to have it.

That being said, you can so easily bypass 2FA by changing the credential. It makes me so angry with CT 😡. My bank account is with PostFinance. I have this calculator thing and it all looks much more professional than at CT. Some moments, I think that maybe I should just pay these extra few francs per year for the peace of mind. And I would also have my bank and broker under one roof (yay simplicity & minimalism).

Thanks, I’ll give it a try and write them.

However, sometimes I worry that they are unprofessional, low-scale. If you want to contact support, you write an e-mail and then it’s always the same people responding.

If we ever meet at a meetup one day, I’ll tell you some about UBS’s professionalism. For the time being, let’s say that it is not only CornerTrader, but rather Swiss banking, I feel, that rests on its laurels.

Regarding CornerTrader, I have my password stored on my laptop and my username in a secure cloud. This isn’t perfect but diminishes the likelihood of stolen credentials to a level with which I’m fine. But thanks for being tough on them, they need to get this done. I’ll send my advisor an email to ask for a calculator like I have with UBS.

FYI, here’s my advisor’s reply, which might complement what you’ve been told by yours. No extra security for the login because:

  1. nobody can get cash out of the account by himself. The email isn’t 100% clear but what I understand is that if you want to do that, you have to either go by yourself to a CT location, or authenticate yourself further on the phone for instance.

  2. only transfers from/to bank accounts with your own name are accepted. No 3rd person can be involved.

This doesn’t solve the case where some hacker would make dumb moves with your assets. If you tell me the exact steps required to bypass the two-factor authentication, I can also forward that problem to the advisor. I’d do it myself but I don’t have a smartphone.

  1. Right after you log in, there comes a screen
  2. It reads: “Please enter the Security Code shown on your VIP Security Credential”
  3. Below it there is a link saying “Register new Credential ID”
  4. If you click it, you can change the authorisation device
  5. You come back to the first screen
  6. Now you just have to enter the code from the new app

It renders the whole two factor authentication useless.

@Bojack

Is there any update?

I’m considering CornerTrader as my broker as it seems to be the cheapest Swiss broker. However, PostFinance is 20 CHF/year more expensive for me and my gut feeling is that they have better security.

No updates. I didn’t ask them. They seem unprofessional to me. But PostFinance is really expensive, especially when compared to IB.

I visited the CT seminar about the web trader platform in January and they said that they have the trading platform from the Saxo bank (white label), so I guess they cannot influence its security by themselves.

Hi,
I have an account with CT and asked for 2FA… I tried to “bypass” it by asking for new credentials, and there was no problem registering a new device!!!
I cannot understand how a big bank (they say they are the 3rd in Switzerland) can have such a hole in their systems… Honestly.

I’ve been using and installing 2FA, i.e. the Google Auth, without any fail or error for websites, access, etc… and it is so simple to use the API to install it that I cannot understand how they are using the sh*** of Symantec…

It is unacceptable that a bank/trader can have such a big hole in the system… Considering changing the broker… I already have an account at IB but I wanted to have 2 brokers… I don’t know if it was a good idea opening one with CT…

3 Likes

Gotta love security theater.

At least it is more work than just skimming your username and pw and stuffing them in a form.

IB lets you change auth device with an SMS. Not much better really.

SMS still requires someone to have your phone number, which is a relatively high-effort attack. Definitely not great though.

About that: https://en.wikipedia.org/wiki/SIM_swap_scam

It’s quite common.

I am aware of those attacks. However SMS 2FA is still a lot more secure than no 2FA.

1 Like

That’s indeed very worrying! Have you asked them about this flaw? A reset should require either an SMS, email or phone call. Being able to just reset it without any of these voids 2FA completely.

1 Like
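The re-registration flaw described in the six steps earlier in the thread, and the fix suggested in the post just above (a reset must itself be verified), as a small model. This is an added example, not part of any post and not Corner Trader's or Symantec's code; `LoginFlow`, `otp` and the secrets are hypothetical, and a code from the currently registered credential stands in for the SMS, email or phone-call confirmation.

```python
import hashlib
import hmac

def otp(secret: bytes, step: int) -> str:
    """Toy 6-digit code standing in for the app's security code (assumption)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class LoginFlow:
    """One login attempt against an account with one registered credential."""

    def __init__(self, password: str, secret: bytes, require_step_up: bool):
        self.password, self.secret = password, secret
        self.require_step_up = require_step_up  # False models the flow in the thread
        self.password_ok = self.authenticated = False

    def submit_password(self, password: str) -> bool:
        self.password_ok = hmac.compare_digest(password.encode(), self.password.encode())
        return self.password_ok

    def register_new_credential(self, new_secret: bytes, step: int, current_code: str = "") -> bool:
        """Replace the second factor; the hardened flow first demands a valid
        code from the credential that is registered right now."""
        if not self.password_ok:
            return False
        if self.require_step_up and not hmac.compare_digest(
                current_code.encode(), otp(self.secret, step).encode()):
            return False
        self.secret = new_secret
        return True

    def submit_code(self, code: str, step: int) -> bool:
        if self.password_ok and hmac.compare_digest(code.encode(), otp(self.secret, step).encode()):
            self.authenticated = True
        return self.authenticated

OWNER, OTHER = b"owner-phone-secret", b"second-phone-secret"  # constructed values

def password_only_login(require_step_up: bool) -> bool:
    """Someone who knows only the password and has a freshly installed app."""
    flow = LoginFlow("constructed-password", OWNER, require_step_up)
    flow.submit_password("constructed-password")
    flow.register_new_credential(OTHER, step=1)
    return flow.submit_code(otp(OTHER, 1), step=1)

def owner_re_enrolment() -> bool:
    """The owner moves to a new phone by proving possession of the old one."""
    flow = LoginFlow("constructed-password", OWNER, require_step_up=True)
    flow.submit_password("constructed-password")
    ok = flow.register_new_credential(OTHER, step=1, current_code=otp(OWNER, 1))
    return ok and flow.submit_code(otp(OTHER, 1), step=1)
```

With `require_step_up=False` the password alone is enough to finish the login, which is the behaviour reported in the thread; with it set to `True` the swap is refused and only the owner's re-enrolment goes through.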

If I am not mistaken they accept to transfer money only to the registered bank account. I am not sure how one would change the registered bank account though.

By reading and participating in this forum, you confirm you have read and agree with the disclaimer presented on http://www.mustachianpost.com/