Brokerage Fraud, Two-Factor Authentication, & Security “Guarantees”

Fraud attempts seem to be coming at us 24/7, and this story of a couple losing $180,000 from their brokerage account was very sad. However, what really caught my eye is that not only could they not track down the funds (where was it withdrawn to? shouldn’t they only let you withdraw to a linked bank account?), Tastytrade only agreed to reimburse half of the $180,000 stolen from their account. Their reasoning was that the customer did not sign up for two-factor authentication (2FA), even though it was available.

In an email exchange, Tastytrade confirmed that the “intrusion” took place, but said it wasn’t the company’s fault, because the couple failed to sign up for an optional two-factor authentication protection.

“We rolled out this additional security feature to mitigate the risk of this occurring to our customers,” the email from a fraud manager read.

“I know that this was an option, but it was never made mandatory,” Erez said.

I hadn’t heard of this as an excuse before, but it is definitely something worth noting. While I feel that 2FA with text codes is roughly the minimum level of security most people should maintain, I also feel that a broker needs to provide clear notice if declining it absolves them of liability. Either that, or simply require it.

I found another example of a $37,000 Tastytrade hack, this time from a customer who claims they did enable 2FA. This time Tastytrade denied all liability.

We see that your username and password was obtained by the nefarious party outside of the control of our Firm. Because of this, we will unfortunately be unable to extend any relief or concessions.

Many of the major brokerages offer security guarantees (although I could not find one for Tastytrade!), for example the Fidelity Customer Protection Guarantee and Vanguard security promise. I looked and Fidelity and Vanguard do not explicitly require you to use 2FA, but I’m also not sure if 2FA is already required of everyone. I would note that none of these “guarantees” or “promises” will apply (as far as I’ve seen across the major brokerages) if you got tricked into giving out your password:

Fidelity will reimburse you for losses from unauthorized activity in your Covered Accounts occurring through no fault of your own.

What are examples of when I won’t be covered?
If you grant access or authority to, or share your Fidelity account access credentials or information with, any persons or entities, their activity will be considered authorized by you and not covered by the Customer Protection Guarantee.

The problem is, how do they know how the hackers got the password? What if it was obtained from an inside job from a brokerage employee, or an undiscovered hack?

Photo by Dan Nelson on Unsplash

Comments

  1. So stay away from TastyTrade??

  2. Just changed mine from sms to authenticator 2fa! Do you have any money at tastytrade?

  3. After setting up authentication apps or fido2 keys be sure to disable your SMS Authentication. Otherwise the weaker fork can still be used.

  4. On a related note, I’ve been super frustrated with Vanguard log-in recently (4-5 months), enough to consider changing brokerages.
    The situation: I want to manage my account on the PC.
    - Go to personal investor website and enter username and password. Get error message saying “Your username or password is incorrect”. This is not true. I know my UN and PW because I have a PW manager.
    - Have to use QR code to log in.
    - QR code opens app on phone.
    - App opens browser on phone, which asks for UN and PW.
    - I enter the same UN and PW, but now I have to switch between apps to get it from my pw manager.
    - Phone browser logs in and asks for 2FA. Get text, enter code.
    - App logs in.
    - Go back to website on PC, and use QR code again.
    - App asks for verification.
    - Finally, can log in on PC.

    Can’t talk to customer service about this, all they can do is reset your account log-in, which is clearly not the problem. But the tech guy was nice enough to listen to me complain.
    No way to contact higher level tech support or customer service for issues like this.

    Thanks for coming to my TED talk

    • Daniel – It’s an easy fix for PC. All you need to do after your password manager fills UN/PW is click inside the username text box and then click on the “Log In” button. It should log you in. HTH.

      It’s how Vanguard implemented their login page on PC; it needs an explicit click event after the password manager fills in UN/PW. I am guessing they implemented it this way for security reasons, in case someone tries to brute force with a program. Clicking on the user name field ensures that it’s a human.

  5. Often attacks are done near the weekend which can make recovery more difficult. Some banks are notoriously less cooperative than others, and the bad guys know them. Bad guys will also quickly retransfer to other banks and/or offshore which makes recovery even more difficult. Every uncooperative bank is another challenge which increases the difficulty in recovering funds.

    In my experience, reimbursement decisions are usually made on a case-by-case basis. A variety of factors are considered but it mostly boils down to how much evidence we can gather attributing fault to the customer, how much responsibility we as the provider have, and impact to reputation. It’s usually just a risk management decision weighing the likelihood and impact of possible outcomes.

    There’s a variety of ways we can determine how hackers may have gotten your password. Or that you’ve given it out. We can tell when you’ve given up your password to a company like Intuit or any of the financial aggregators such as Stripe. We can check your email at haveibeenpwned.com to see if you’re part of a recent password breach. We can compare your password against commonly used passwords to see if you’ve selected a poor password. We can see if you’re using your email for MFA and see recent password resets that would indicate your email was compromised.
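The comment above lists ways a provider can tell whether a password was weak or already exposed. As an added illustration (not code from the blog post or from any brokerage), the block below implements the two checks that can be automated offline: a comparison against a common-password list, and a k-anonymity style breach lookup in which only the first five hex characters of the password's SHA-1 hash are sent to the lookup service and the matching suffix is found locally. The "range" responses here are constructed by hand so the example runs without network access; the `range_query` function and the common-password list are stand-ins, and the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) would be substituted in production.

```python
import hashlib

# A tiny stand-in for a common-password list (constructed; real lists are far larger).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})

# SHA-1 is what the Pwned Passwords range API keys on; computed here rather than hardcoded.
_SHA1_OF_PASSWORD = hashlib.sha1(b"password").hexdigest().upper()

# Constructed "range" responses keyed by 5-char hash prefix. A real response lists
# every SUFFIX:COUNT pair sharing that prefix; these lines are assembled for the demo.
CONSTRUCTED_RANGE_RESPONSES = {
    _SHA1_OF_PASSWORD[:5]: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        _SHA1_OF_PASSWORD[5:] + ":3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def range_query(prefix: str) -> str:
    """Stand-in for the HTTPS GET of the range endpoint; returns the raw response body."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def pwned_count(password: str, fetch=range_query) -> int:
    """Number of times the password appears in breach data, found via k-anonymity.

    Only the 5-character prefix of the hash leaves the process; the full suffix
    comparison happens locally, so the service never learns the candidate password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate_suffix, count = line.split(":", 1)
        if candidate_suffix == suffix:
            return int(count)
    return 0


def is_common_password(password: str) -> bool:
    """Case-insensitive membership test against the common-password list."""
    return password.lower() in COMMON_PASSWORDS


def assess_password(password: str) -> dict:
    """Combine both checks into the kind of evidence a reimbursement review might record."""
    breaches = pwned_count(password)
    common = is_common_password(password)
    if breaches or common:
        verdict = "weak-or-exposed"
    else:
        verdict = "no-evidence-of-exposure"
    return {"breach_count": breaches, "in_common_list": common, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-example-only"):
        print(pw, assess_password(pw))
```

Note that a "no-evidence-of-exposure" result proves nothing about how a password was actually stolen; it only rules out the two cheap explanations, which is the same limitation the post raises about inside jobs and undiscovered breaches.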

  6. “However, what really caught my eye is that not only could they not track down the funds (where was it withdrawn to? shouldn’t they only let you withdraw to a linked bank account?)”

    One of the comments in the reddit thread you linked explains how the attack works. The thieves can steal your money without ever withdrawing money from your account. They place losing trades on low volume options with another account they control at another brokerage being on the winning side of the trade:

    “Hackers, likely from asian countries, gained access to the Tastytrade account. They used illiquid options trades to transfer funds to another account, while carefully adhering to CBOE rules to avoid or minimize the chances of the trades being busted. (It’s worth noting that Tasty could have acted in the client’s interest to reverse the trades, but they chose not to.)”

    The reason it worked even with 2FA enabled is because it seems like previously Tastytrade did not require 2FA authentication at login. They only required the 2FA code when doing certain actions like updating account info or bank transactions. So the hackers were able to login and place trades without going through 2FA authentication. Even today, while Tastytrade has added the option to require 2FA at login, it’s turned off by default. So you not only need to turn 2FA on, but also turn on the option to require it at login.
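The comment above describes a 2FA design in which the second factor is only demanded for step-up actions (contact changes, bank transfers) and not at login, so a stolen password alone is enough to place trades; comment 3 makes the related point that a weaker factor left enabled as a fallback is still a way in. The following block is an added policy model, not Tastytrade's code or configuration, written to make both gaps concrete. The action names, the `require_mfa_at_login` flag and the method names (`totp`, `sms`) are hypothetical; the model computes which actions an attacker holding a given set of credentials can complete under each configuration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hypothetical action names for a brokerage session (not any real broker's API).
PLACE_TRADE = "place_trade"
UPDATE_CONTACT = "update_contact_info"
BANK_TRANSFER = "bank_transfer"
ACTIONS = (PLACE_TRADE, UPDATE_CONTACT, BANK_TRANSFER)


@dataclass(frozen=True)
class SecuritySettings:
    """Account-level 2FA configuration, modelled on the behaviour the comment describes."""
    mfa_methods: FrozenSet[str] = frozenset()     # e.g. {"totp", "sms"}; empty means 2FA is off
    require_mfa_at_login: bool = False             # the option that is off by default
    step_up_actions: FrozenSet[str] = frozenset({UPDATE_CONTACT, BANK_TRANSFER})


@dataclass(frozen=True)
class Credentials:
    """What a session holder can present: the password, plus any second factors."""
    has_password: bool = True
    second_factors: FrozenSet[str] = frozenset()   # e.g. {"sms"} if the phone number was taken over


def mfa_passes(settings: SecuritySettings, creds: Credentials) -> bool:
    # A 2FA prompt is satisfied by ANY enabled method, so leaving a weaker method
    # enabled as a fallback means the stronger one never has to be beaten.
    return bool(settings.mfa_methods & creds.second_factors)


def login_allowed(settings: SecuritySettings, creds: Credentials) -> bool:
    if not creds.has_password:
        return False
    if settings.mfa_methods and settings.require_mfa_at_login:
        return mfa_passes(settings, creds)
    return True  # 2FA off, or enabled but not enforced at login


def action_allowed(settings: SecuritySettings, creds: Credentials, action: str) -> bool:
    if not login_allowed(settings, creds):
        return False
    # Step-up: these actions re-prompt for a second factor whenever 2FA is on.
    if settings.mfa_methods and action in settings.step_up_actions:
        return mfa_passes(settings, creds)
    return True  # everything else, including trading, rides on the password alone


def reachable_actions(settings: SecuritySettings, creds: Credentials) -> FrozenSet[str]:
    """Every post-login action completable with these credentials under this configuration."""
    return frozenset(a for a in ACTIONS if action_allowed(settings, creds, a))


if __name__ == "__main__":
    stolen_password_only = Credentials()
    configs = {
        "2FA off": SecuritySettings(),
        "2FA on, step-up only (default)": SecuritySettings(mfa_methods=frozenset({"totp"})),
        "2FA on, required at login": SecuritySettings(mfa_methods=frozenset({"totp"}),
                                                      require_mfa_at_login=True),
    }
    for name, cfg in configs.items():
        print(f"{name}: {sorted(reachable_actions(cfg, stolen_password_only))}")
```

Running the three configurations with a password-only credential set shows the progression: with 2FA off every action is reachable, with the default step-up-only setting trading is still reachable while transfers and contact changes are blocked, and with 2FA enforced at login nothing is. Adding `"sms"` to both `mfa_methods` and `second_factors` shows the fallback problem: even with login enforcement on, a compromised SMS factor satisfies every prompt while an app-only configuration does not.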
