Login credentials for customers of online brokerages are for sale on the dark web and have led to a spate of accounts being drained of funds. Affected customers of Robinhood complain that the company has been slow to react to complaints that unauthorized transactions are taking place and note that the company cannot be contacted by phone. The difficulty reaching the company has frustrated users who are attempting to regain control of their accounts.
According to one report, Robinhood also lacks some of the security measures that are in place at most other brokers. These include verifying changes in bank account links. Per the report, “One of the reasons so many of the hacked accounts were drained involved hackers adding a new bank account to a funded account, and allowing funds to be transferred to the new account without additional verification.”
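The missing control the report describes, sketched as an added example (not code from the report, Robinhood, or any broker): a withdrawal gate that treats a newly linked bank account as untrusted until it is verified. The 72-hour hold, the field names, the decision labels and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy value for this sketch; not taken from any broker.
NEW_LINK_HOLD = timedelta(hours=72)

@dataclass
class BankLink:
    link_id: str
    linked_at: datetime
    owner_verified: bool     # assumed check, e.g. micro-deposit confirmation
    step_up_confirmed: bool  # customer re-authenticated when adding the link

def weak_allow_withdrawal(link: BankLink, now: datetime) -> bool:
    """Behaviour described in the report: any linked account can receive funds."""
    return True

def hardened_withdrawal_decision(link: BankLink, now: datetime) -> tuple:
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    if not link.step_up_confirmed:
        return "deny", "link added without step-up authentication"
    if not link.owner_verified:
        return "deny", "ownership of destination account not verified"
    if now - link.linked_at < NEW_LINK_HOLD:
        return "hold", "destination linked recently; alert customer first"
    return "allow", "destination verified and past the hold period"

def evaluate(links, now):
    """Map link_id -> (weak result, hardened decision) for comparison."""
    return {
        l.link_id: (weak_allow_withdrawal(l, now),
                    hardened_withdrawal_decision(l, now)[0])
        for l in links
    }

# Constructed sample data, not real accounts.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINKS = [
    BankLink("long-standing", NOW - timedelta(days=400), True, True),
    BankLink("added-after-takeover", NOW - timedelta(minutes=10), False, False),
    BankLink("recent-but-verified", NOW - timedelta(hours=5), True, True),
]

if __name__ == "__main__":
    for link_id, (weak, hardened) in evaluate(SAMPLE_LINKS, NOW).items():
        print(f"{link_id}: weak={weak} hardened={hardened}")
```

With stolen credentials alone, the second link passes the weak check but is denied by the hardened one, and even a verified new destination is held long enough for the account owner to be alerted.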
Two primary issues of concern:
- Potential security flaws in the core product symptomatic of a company that has put growth above all else, including security;
- A poor initial response, which can exacerbate the potential financial damage.
Tech start-ups have long espoused the ‘move fast and break things’ ethos. This has meant not even incorporating ‘secure-by-design’ concepts into company vocabulary, let alone product design, which leads to fundamental flaws that only become apparent in the wake of a breach. Strong security architecture is particularly important for financial services companies, which are consistently a top target for hackers. If such flaws exist in Robinhood’s product, this incident will likely not be the last.
Robinhood has built its business on the back of a low-cost business model that eschews personal contact with the company’s staff (again evidence of prioritizing growth over all else). While this ‘tech heavy, low contact’ business model can be very profitable and staffing call centers can be costly, a deliberate choice by Robinhood to not provide that access vector even for customers experiencing severe problems may prove to be even more costly to the company and may not continue to be a viable strategy.
As we have previously discussed, customers are very sensitive to company operations being disrupted due to cyber attack, especially at financial services companies, and a large percentage of users report that they would switch service providers if a company’s website or operations are down for more than 24 hours. Indeed, more than half of respondents to a survey earlier this year said they would pay more for products from banking and securities providers that were believed to be more secure.
It is possible that the well-publicized difficulties customers are having getting Robinhood to react to their account problems have tarnished its reputation and will have a negative impact on customer activity and growth. This is problematic for the company’s very high VC valuation, which depends on continued rapid growth.
Therefore, Robinhood will likely have to increase investment in its cyber security and customer services to improve security and protect its users (and its own valuation). Building a new security architecture like this is a challenging task on what is, and needs to continue being, a fast-moving train.