Two Factor Authentication at Corner Trader

For 1M CHF, social-engineering someone’s mobile number is not a lot of work.

Well… surprise, surprise. Not answer from CT but now, if I click in the [Register new Credential ID] the system don’t let me do it :slight_smile: Nice…

I don’t know the “procedure” in case I lose my phone or is destroyed but I’m sure that calling/emailing my advisor will solve the situation.

Case closed :wink:

Tino.

You are right, from the interface you cannot change that…but…can you imagine the sh*** they can make into your account??? Imagine with a margin account…buying and selling contracts, forex, etc… without control!!! HAHAHA… Get a paper account and try … You can make more mess that just steeling the money :wink:

What about Swissquote?

It is still work and stops most automated attacks.

SMS 2FA is the worst one (I know of) but still better than no 2FA.

2FA as I see it is mostly to prevent the use of stolen or reused passwords, so not loosing those is a pretty big part of security too.

And if we are talking about a targeted attack stealing your phone or just a plain old rubber hose atack would not be that much more work.

With SMS 2FA you just prove you have access to the Phonenumber, like you prove access to a private key with Google authenticator or access to a particular smartcard with the physical solutions.

Not great, not terrible XD

Not at all comparable. Phone number access can be gained remotely, authenticator harder, smartcard impossible without physical access.

If you can social engineer someone to enter their IB password and phone number into the wrong site - game over. If you can social engineer someone to enter their random other password and phone number into a site protected by smartcard/usb-key, they aren’t going to get very far.

1 Like

Did I say something else?

In that case why not ask for a 2FA token while you are at it and directly log in when you get it?

My whole point is that SMS 2FA is a lot better than nothing but a lot worse than the private key based ones.

What’s your point here? For smartcard/usb-key they can’t get a 2FA token because the smartcard/usb-key (at least the modern ones, not the ancient TOTP yubikeys) authenticates the website before generating a token.

And a one-time passcode hack isn’t anywhere near as bad as getting long-term control: first 2FA code lets you login, most website ask you for a second code to withdraw money. Whereas if they capture your SMS then they can keep authenticating repeatedly.

Phishing site asks for usename and pw -> phishing initiates login on real site -> real site asks for 2FA/Sends request to app/sends SMS -> phishing site asks victim for 2FA code/ to confirm 2FA -> phishing site uses code to log in -> phishing site fucks up account -> phishing site comforts victim by by showing whatever they thought it would show.

Yeah would be nice if banks actually used the modern ones. Kinda funny how my github account is better protected than my money.

Fair enough but it’s still pretty bad.

You can’t withdraw money to an account that is not yours at IB so that would be an additional thing to circumvent to actually steal something.

I am honestly not quite sure why we are arguing here cause I am pretty sure we agree but I think I just love playing devils advocate too much.

I just checked my mailbox to refresh my memory. I have my CT account since almost 3 years and I’ve been complaining about 2FA from the start. My Russian relationship manager was really making me roll my eyes with her excuses, like “but you can only withdraw money to your account, so what is your concern?” or “but we have clients which MUCH more money than you, so don’t be afraid”.

Around 2 years ago I got the 2FA (their IT guy activated it for me and was “grateful for any feedback”) and instantly I noticed the possibility to change your credential, which I did, just to test the system. So of course I complained about it, they said it’s their “top priority”. At some point I just gave up.

Then later on I was changing my phone and I noticed that I could not change my credential anymore. This was ironically a happy moment. I gave them a call, they didn’t really verify me properly, just asked for my user account and released my credential, so I could register a new one myself.

I guess, my point is, Corner Trader strikes me as very amateur and I would not trust a lot of money with them. But then again, Interactive Brokers also give me a feeling of “constant beta” and their telephone support is very unfriendly. I’m yet to see a broker where I would get the feeling that if anything bad happens, they got my back… Wonder how Schwab is, any experience?

3 Likes

Swissquote has a good service and security.
IB is quite secured, but like you said the hotline is bad

I don’t know how I should interpret statements like “good service” or “quite secured”. IB does not offer fraud protection, which is a bummer.

Here is an interesting article about some top brokers and their “unathorized activity” protection.

1 Like

Just because we didn’t have enough fun:

They use a Symantec VIP app… but to change it you have to login first (or I imagine you can call, but then they’ll ask you for more information such as AHV and addresses). Not as good as proper Yubikey, but still safer than some places.

1 Like

How easy is to steal a phone number in switzerland? I’m not sure,but I believe you can’t do it on the phone…

There is a law that was introduced last year I think where they ID you before handing out a SIM card, even it it’s just sent by mail.

But there is always the risk of hacking: either getting your terminal hacked or just your line through SS7 attacks for example. Salt used to be vulnerable to these attacks: I saw a demo on TV where SMS could be eavesdropped as well as calls.

I want to emphasize again that as far as I understood, CornerTrader has almost NOTHING to do with Corner Bank. It’s a white label platform courtesy of Saxo Bank, which Corner Bank is apparently also crossfinancing in order to gain clients (I wonder how long it will take until they won’t want to pay Saxo the 0,12% pa custody fee anymore…).

1 Like

I cannot agree more with you…
Look, I’m having an account with them because I don’t want to have my investing money with one broker. I have an account in IB and even for the Swiss market, they are cheaper than CT!!! If I give 10 points to IB, CT will have 2 or 3 .

Said that, I had an account long time ago with Saxo when I was living in France. One night, I had a position opened and “mysteriously” and ONLY in their platform, the position went down… around… 80%!!! and, they closed the position because the margin call… And… I lost around 30KEur. Never, ever open an account with Saxo bank, never! They never accepted the fact that was a glitch in their system because I couldn’t find the falling price anywhere in other platforms. Was gas commodity, at 3 o’clock in the morning… no comments.

Was so frustrating that I wanted to open an account with Truewealth some months ago and I stop all the opening because if I wanted the documentation for the account in english, I had to open in SaxoBank…

I have a position opened now in CT and I took off the stop-lost for the night because I know how they “play” with the CFD, Forex, etc. when the real market doesn’t force them to follow the prices :wink:

And, be sure… at the first mistake, I close the account and open with Swissquote or other, but I “need” a Swiss broker because a “special” configuration in my investments…

what makes you believe they pay Saxo 0.12% pa? I know it’s that much on Saxo directly but why do you think this is part of their deal?

I personally asked.

Terms: https://www.cornertrader.ch/export/sites/cornertrader/.content/.galleries/downloads/website/Inglese_solo_Condizioni.pdf

For example points 23.1 and 26 where the outsourced character of Corner Trader is less than more clearly laid out; without mentionning Saxo by name, obviously.

And you can ask people here who they opened their account with, ie whether the account is actually with Corner Bank.

Make no mistake: everything is under Swiss regulation and you are actually dealing with a Swiss regulated bank. This is in contrast to IB and DeGiro for instance. But having an account with Corner Bank is not the same as having an account with Corner Trader.