Robinhood: Is It Safe?

Robinhood offers stock, ETF, and crypto trading with no fees. Today, we’re going to investigate its safety and security.

By
&
Tom Blackstone
Gabe TurnerChief Editor
Last Updated on Jun 16, 2022
By Tom Blackstone & Gabe Turner on Jun 16, 2022
The content on this page is provided for informational purposes only. Security.org does not offer financial or investment advice, nor does it advise or encourage anyone to buy, sell, or trade cryptocurrency. It is advised that you conduct your own investigation as to the accuracy of any information contained herein as such information is provided “as is” for informational purposes only. Further, Security.org shall not be liable for any informational error or for any action taken in reliance on information contained herein.

If you’re interested in any type of investing, then you’ve probably heard of Robinhood. Robinhood changed the face of stock investing by offering commission-free stock trades through a web and mobile app. And recently, Robinhood has added crypto trading as an additional product.

But is Robinhood safe? How can we know that the cash, stock, or other assets held in Robinhood won’t be stolen by hackers and scammers?

We’ve investigated this question by looking over Robinhood’s security practices and by using its app. In this guide, we’ll go over what we discovered. We’ll explain how Robinhood works, the risks of using it, and how you can protect yourself if you decide to use it.

Pro Tip: Scammers often try to take advantage of new crypto investors. But when you’re armed with the knowledge of how crypto works, protecting your crypto becomes easy. We’ve published a complete guide to investing in crypto safely that explains it all.

Let’s give a brief answer to the question: Is Robinhood safe?

Robinhood Order Form
Robinhood Order Form

 

Is Robinhood Safe?

If you came for the TL;DR version, here it is: Robinhood is an extremely safe stock brokerage and crypto exchange.

Robinhood has never lost cash, stocks, or crypto through a cyberattack on the platform itself. And Robinhood has robust security protocols to make sure that it never is the victim of such an attack.

Here are some of the measures Robinhood takes to protect users’ assets:

  • Insurance – Robinhood sweeps cash balances into F.D.I.C. insured banks each day. This means that cash balances at Robinhood are insured up to $250,000 per user. In addition, all stocks and ETFs in the platform are insured up to $500,000 through the Security Investors Protection Corporation (SIPC). Robinhood’s crypto is not covered by these policies. But it does carry a separate policy that helps to protect it if a cyberattack is used to steal its crypto.
  • Penetration testing – Robinhood employs security experts to try to break into the platform and find vulnerabilities before bad actors do.
  • Password security – Robinhood hashes all passwords using the BCrypt hash function. This means that even if an attacker penetrates Robinhood’s defenses and steals your password hash, he or she will still need to crack the hash in order to get your password.
  • Sensitive information – Robinhood encrypts sensitive information like social security numbers, phone numbers, etc. before storing them. It also uses Transport Layer Security (TLS) to ensure that when you send sensitive info, it can’t be intercepted by an attacker.
  • Two Factor Authentication (2FA) – Robinhood allows you to set up 2FA on your account. If you choose to do this, you’ll be required to enter a code from your phone every time you log into the account from a new device. This helps to protect you in case an attacker gets control of your email and tries to reset your password.
  • Crypto withdrawals are disabled by default – A cryptocurrency exchange is inherently more risky to use than a stock brokerage—because unlike stocks, crypto can be withdrawn and sent to an anonymous, private wallet. For this reason, crypto withdrawals at Robinhood are turned off by default. Although this can create a hassle for some crypto users, it also enhances security by making it nearly impossible for an attacker to withdraw the user’s crypto.

Pro Tip: Cybercriminals may try to get your personal info (social security number, phone number, etc.) by hacking your stock brokerage or other financial apps that you use. This is called “identity theft.” One excellent way to protect yourself against this threat is to use an identity protection service. These services monitor the Internet and alert you if your personal information is found on it. They then suggest steps you can take to protect your credit and prevent fraud if this has happened.

All of this, however, does not mean Robinhood is 100 percent risk-free. In the next section, I’ll go over some risks of using it.

Risks of Using Robinhood

Robinhood is a highly secure stock, ETF, and crypto brokerage, but there are still risks to using it.

Insurance usually won’t cover negligence

If the Robinhood platform itself is hacked, the various types of insurance it provides should help to protect you. But if your personal account is hacked, the insurance may not cover your losses, especially if you are accused of practicing bad security habits that allowed the hack to happen.

So insurance isn’t helpful in every individual case.

2FA codes can be intercepted

Some hackers are very charismatic. They may be able to call up your phone company and trick it into transferring your phone service to a device the hackers control. In fact, this is a very common type of attack called a “SIM Swap Attack.”

If a hacker gets your phone service transferred to a device under his control, he can receive text messages intended for you, including your 2FA code. So 2FA isn’t a perfect solution to the problem of how to protect your Robinhood account.

Password hashes can be cracked

Even if your password is stored as a hash instead of plaintext, an attacker still may be able to crack the hash using Hashcat or some other cracking software. This is especially true if the password is weak.

Crypto Withdrawals Can Be Enabled Through the Robinhood Wallet

Robinhood is an especially secure exchange for crypto users, since it doesn’t allow crypto withdrawals by default. But some crypto users want to be able to withdraw their crypto into a wallet—because they want to use it to play video games, invest in DeFi apps, or make payments.

Robinhood Crypto Mobile App Dashboard
Robinhood Crypto Mobile App Dashboard

So even though Robinhood doesn’t allow withdrawals by default, an attacker can still withdraw your crypto from it if you end up needing to enable withdrawals.

FYI: Aside from disabling withdrawals, another great way to protect your crypto is to enable withdrawals, but transfer your crypto into a wallet. We’ve provided an analysis of the best crypto wallets to help you decide which one to use.

Robinhood Privacy

As with all U.S.-licensed stock brokerages, Robinhood Crypto requires you to verify your identity. That means you can’t use the service unless you enter your name, address, Social Security number, and phone number, and upload photos of your driver’s license or passport.

That creates a risk of your personal information being revealed through a hack. Many Robinhood users were the victims of exactly this kind of attack in 2021.

Robinhood Hack

In November 2021, Robinhood announced that it had been hacked, and the hacker had obtained 2 million names, 5 million email addresses, and several thousand phone numbers.1

Luckily, no Social Security numbers, bank account numbers, or debit card numbers were obtained, and no one suffered a financial loss from the breach.

The privacy of users was certainly violated, though, so it’s important to be aware of the risk, not only when using Robinhood, but also when using any licensed financial app.

Pro Tip: Some attackers may try to get access to your Robinhood account by infecting your PC with malware. You can help to protect yourself against this threat by using good antivirus software. We’ve got a list of the best antivirus to help you decide which one is best for you.

In the next section, we’ll explain how to mitigate some of these risks and stay safe while using Robinhood Crypto.

How to Stay Safe When Using Robinhood Crypto

Here are a few tips to keep your Robinhood account safe and secure.

  1. Use a strong password – Just in case an attacker ever gets your password hash, you may want to make your password as hard to crack as possible. You can do this by making the password especially long and by combining capital and lowercase letters with numbers and special characters. You can test how long your password hash might take to crack by using our How Secure is My Password tool.
  2. Use an authenticator app for 2FA – Use Google Authenticator or another authenticator app to receive your 2FA code. This way, the code will not be sent using your phone service, which means that an attacker won’t be able to get the code by convincing your phone company to transfer service to his own device. The attacker could still get the code by stealing your phone. But hopefully, she isn’t that bold.
  3. Check the url – Some attackers may try to send you to a fake Robinhood site in an attempt to record your login info. This is called “phishing.” They may do this by sending you an email that looks like it came from Robinhood. Inside the email is a link to the fake site. To help prevent this, each time you log into Robinhood, check the URL at the top of the screen. It should say Robinhood.com. If it says Robinhood@gmail.com, Robinh00d.com, or some other illegitimate domain, it’s most likely a scam phishing site.
  4. Watch out for malware – One easy way for an attacker to get your login credentials is to infect your computer with keystroke-logging malware. To do this, the attacker sends you an email posing as someone you want to talk to. Inside the email is a file attachment that looks like legitimate software. When you run the file, it infects your computer with malware and allows the attacker to spy on everything that you’re doing, including what you type on your keyboard. The attacker uses this software to record your login info on all of your financial apps, including Robinood. To help avoid this type of attack, make sure to do a virus scan on any attachments you receive through email.
  5. Don’t enable crypto withdrawals (or go ahead and withdraw it all) – If you’re buying crypto in the Robinhood app, consider leaving withdrawals disabled. If you must enable withdrawals (because you’re making payments with your crypto, for example), consider moving all of your crypto out of the app and into a private wallet, where keeping it secure should be easier.

Final Thoughts on Robinhood Safety

Robinhood is a great way to buy and sell stocks, ETFs, and cryptocurrencies, with zero fees. And for the most part, it’s safe. Robinhood also has great insurance protection, is registered with FinCEN to operate legally in the U.S., and employs cybersecurity experts for penetration testing.

Of course, it’s not 100 percent secure — no financial app is — so you should always be aware of the risks of using Robinhood and how to minimize them.

Ethereum in Robinhood Crypto Mobile Trading App
Ethereum in Robinhood Crypto Mobile Trading App

Robinhood is only one option for investing in stocks, ETFs, and crypto. For crypto in particular, you may want to check out Coinbase and Crypto.com as alternatives. Here is our review of Coinbase and our Crypto.com review.

Robinhood Safety FAQs

Here are answers to some frequently asked questions about Robinhood safety and security.

  • Is it safe to give Robinhood my bank account?

    Yes, it’s fairly safe to enter your bank account login info in the Robinhood app.

    Many people are alarmed that Robinhood asks for your bank login info when you attempt to link a bank account, and they wonder if it’s safe to give Robinhood this information. The information, however, is not being requested by Robinhood. It’s Plaid that is asking for it.

    Plaid is a company that helps financial apps connect to banks. It’s a solution that is trusted by nearly all financial institutions, and it’s safe to use. It’s not a good idea to enter your bank login details into weird web forms that pop up on websites, however, so it’s completely reasonable to ask this question.

  • Why does Robinhood need my bank password?

    Robinhood uses Plaid to allow its users to link their bank accounts to the app. Robinhood doesn’t get this information. It goes only to Plaid, which is a financial intermediary with a good reputation for security. It’s mostly safe to provide your bank password in this instance.

    This is admittedly a very weird way to link a bank account, however, so you’re right to ask the question.

  • Is Robinhood insured?

    Yes. Robinhood carries insurance of up to $500,000 for stocks for each user. Cash, on the other hand, is swept into U.S. bank accounts and is covered by up to $250,000 worth of F.D.I.C. insurance.

    Robinhood also carries cybercrime insurance on some of its own crypto. This is to help prevent it from becoming insolvent if it is ever the victim of a major crypto hack. However, this insurance does not directly protect users from loss of crypto.

  • Is it safe to enter my Social Security number in Robinhood?

    Yes. Anytime you give out your personal information to a third-party, there is always a risk that the information will be stolen or leaked. Robinhood has a good track record of protecting users’ Social Security numbers, though, so providing yours is as safe as giving it to most reputable financial apps.

    Unfortunately, U.S. FinCEN requires you to provide your Social Security number to your stock brokerage for identity-verification purposes. It is very difficult to avoid the requirement if you are a U.S. resident or citizen.

  • Does Robinhood affect my credit score?

    No. Under normal circumstances, Robinhood does not report to credit bureaus and does not affect your credit score. If you do margin trading, Robinhood’s terms of service states that it may obtain a credit report on you. That could affect your credit score as a “hard inquiry” on your report. If you don’t do margin trading, then Robinhood is unlikely to affect your credit score.

Citations
  1. Robinhood. (2021). Robinhood Announces Data Security Incident (Update).
    blog.robinhood.com/news/2021/11/8/data-security-incident