Two Factor Authentication at Corner Trader

#16

SMS still Requires someone to have your phonenumber wich is a relatively high effort attack. Definitely not Great though.

#17

About that: https://en.wikipedia.org/wiki/SIM_swap_scam

It’s quite common.

#18

I am aware of those attacks. However SMS 2FA is still a lot more secure than no 2FA.

1 Like
#19

that’s indeed very worrying! Have you asked them about this flaw? a reset should require either an SMS, email or phone call. Being able to just reset it without any of these voids 2FA completely

1 Like
#20

If I am not mistaken they accept to transfer money only to the registered bank account. I am not sure how one would change the registered bank account though.

#21

For 1M CHF, social-engineering someone’s mobile number is not a lot of work.

#22

Well… surprise, surprise. Not answer from CT but now, if I click in the [Register new Credential ID] the system don’t let me do it :slight_smile: Nice…

I don’t know the “procedure” in case I lose my phone or is destroyed but I’m sure that calling/emailing my advisor will solve the situation.

Case closed :wink:

Tino.

#23

You are right, from the interface you cannot change that…but…can you imagine the sh*** they can make into your account??? Imagine with a margin account…buying and selling contracts, forex, etc… without control!!! HAHAHA… Get a paper account and try … You can make more mess that just steeling the money :wink:

#24

What about Swissquote?

#25

It is still work and stops most automated attacks.

SMS 2FA is the worst one (I know of) but still better than no 2FA.

2FA as I see it is mostly to prevent the use of stolen or reused passwords, so not loosing those is a pretty big part of security too.

And if we are talking about a targeted attack stealing your phone or just a plain old rubber hose atack would not be that much more work.

With SMS 2FA you just prove you have access to the Phonenumber, like you prove access to a private key with Google authenticator or access to a particular smartcard with the physical solutions.

Not great, not terrible XD

#26

Not at all comparable. Phone number access can be gained remotely, authenticator harder, smartcard impossible without physical access.

If you can social engineer someone to enter their IB password and phone number into the wrong site - game over. If you can social engineer someone to enter their random other password and phone number into a site protected by smartcard/usb-key, they aren’t going to get very far.

1 Like
#27

Did I say something else?

In that case why not ask for a 2FA token while you are at it and directly log in when you get it?

My whole point is that SMS 2FA is a lot better than nothing but a lot worse than the private key based ones.

#28

What’s your point here? For smartcard/usb-key they can’t get a 2FA token because the smartcard/usb-key (at least the modern ones, not the ancient TOTP yubikeys) authenticates the website before generating a token.

And a one-time passcode hack isn’t anywhere near as bad as getting long-term control: first 2FA code lets you login, most website ask you for a second code to withdraw money. Whereas if they capture your SMS then they can keep authenticating repeatedly.

#29

Phishing site asks for usename and pw -> phishing initiates login on real site -> real site asks for 2FA/Sends request to app/sends SMS -> phishing site asks victim for 2FA code/ to confirm 2FA -> phishing site uses code to log in -> phishing site fucks up account -> phishing site comforts victim by by showing whatever they thought it would show.

Yeah would be nice if banks actually used the modern ones. Kinda funny how my github account is better protected than my money.

Fair enough but it’s still pretty bad.

You can’t withdraw money to an account that is not yours at IB so that would be an additional thing to circumvent to actually steal something.

I am honestly not quite sure why we are arguing here cause I am pretty sure we agree but I think I just love playing devils advocate too much.

#30

I just checked my mailbox to refresh my memory. I have my CT account since almost 3 years and I’ve been complaining about 2FA from the start. My Russian relationship manager was really making me roll my eyes with her excuses, like “but you can only withdraw money to your account, so what is your concern?” or “but we have clients which MUCH more money than you, so don’t be afraid”.

Around 2 years ago I got the 2FA (their IT guy activated it for me and was “grateful for any feedback”) and instantly I noticed the possibility to change your credential, which I did, just to test the system. So of course I complained about it, they said it’s their “top priority”. At some point I just gave up.

Then later on I was changing my phone and I noticed that I could not change my credential anymore. This was ironically a happy moment. I gave them a call, they didn’t really verify me properly, just asked for my user account and released my credential, so I could register a new one myself.

I guess, my point is, Corner Trader strikes me as very amateur and I would not trust a lot of money with them. But then again, Interactive Brokers also give me a feeling of “constant beta” and their telephone support is very unfriendly. I’m yet to see a broker where I would get the feeling that if anything bad happens, they got my back… Wonder how Schwab is, any experience?

3 Likes
#31

Swissquote has a good service and security.
IB is quite secured, but like you said the hotline is bad

#32

I don’t know how I should interpret statements like “good service” or “quite secured”. IB does not offer fraud protection, which is a bummer.

Here is an interesting article about some top brokers and their “unathorized activity” protection.

1 Like
#33

Just because we didn’t have enough fun:

#34

They use a Symantec VIP app… but to change it you have to login first (or I imagine you can call, but then they’ll ask you for more information such as AHV and addresses). Not as good as proper Yubikey, but still safer than some places.

1 Like
#35

How easy is to steal a phone number in switzerland? I’m not sure,but I believe you can’t do it on the phone…