Potential breaches of fintech's client accounts have sparked a debate about the security of deposits held with trading firms.
2FA is often the only line of defense used by CFD brokers, and their security measures lag significantly behind those of the banking sector.
While two-factor authentication, for example, is mandatory at Plus500, Robinhood merely “encourages” users to enable it.
The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client's account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim's XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.
Mate Ivanszky, Founder & CEO of Matworks.
“2FA
isn't just recommended, it's a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they'll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client's historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Expert
Consensus:
Optional Security is No Longer Acceptable
Jon Bellard, Head of Product at Rootshell Security
Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it's not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn't the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB's
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don't implement significantly more security measures than XTB's original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it's a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.
Marijus Breidis, the CTO at NordVPN
“Security
cannot be a user's responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client's account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim's XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.
Mate Ivanszky, Founder & CEO of Matworks.
“2FA
isn't just recommended, it's a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they'll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client's historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Expert
Consensus:
Optional Security is No Longer Acceptable
Jon Bellard, Head of Product at Rootshell Security
Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it's not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn't the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB's
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don't implement significantly more security measures than XTB's original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it's a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.
Marijus Breidis, the CTO at NordVPN
“Security
cannot be a user's responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.
“Prop Isn’t Finished, but If You’re Coming into Prop Now, You Are,” FMLS:25 Takeaways
Exness expands its presence in Africa: Inside our interview with Paul Margarites in Cape Town
Exness expands its presence in Africa: Inside our interview with Paul Margarites in Cape Town
Finance Magnates met with Paul Margarites, Exness regional commercial director for Sub-Saharan Africa, during a visit to the firm’s office opening in Cape Town. In this talk, led by Andrea Badiola Mateos, Co-CEO at Finance Magnates, Paul shares views on the South African trading space, local user behavior, mobile trends, regulation, team growth, and how Exness plans to grow in more markets across the region. @Exness
Read the article at: https://www.financemagnates.com/thought-leadership/exness-expands-its-presence-in-africa-inside-our-interview-with-paul-margarites/
#exness #financemagnates #exnesstrading #CFDtrading #tradeonline #africanews #capetown
Finance Magnates met with Paul Margarites, Exness regional commercial director for Sub-Saharan Africa, during a visit to the firm’s office opening in Cape Town. In this talk, led by Andrea Badiola Mateos, Co-CEO at Finance Magnates, Paul shares views on the South African trading space, local user behavior, mobile trends, regulation, team growth, and how Exness plans to grow in more markets across the region. @Exness
Read the article at: https://www.financemagnates.com/thought-leadership/exness-expands-its-presence-in-africa-inside-our-interview-with-paul-margarites/
#exness #financemagnates #exnesstrading #CFDtrading #tradeonline #africanews #capetown
Interview with Jas Shah
Builder | Adviser | Fintech Writer | Product Strategist
In this episode, Jonathan Fine sat down with Jas Shah, one of the most thoughtful voices in global fintech. Known for his work across advisory, product, stablecoins, and his widely read writing, Jas brings a rare combination of industry insight and plain-spoken clarity.
We talk about his first impression of the Summit, the projects that keep him busy today, and how they connect to the stablecoin panel he joined. Jas shares his view on the link between fintech, wealthtech and retail brokers, especially as firms like Revolut, eToro and Trading212 blur long-standing lines in the market.
We also explore what stablecoin adoption might look like for retail investment platforms, including a few product and UX angles that are not obvious at first glance.
To close, Jas explains how he thinks about writing, and how he approaches “shipping” pieces that spark debate across the industry.
Interview with Jas Shah
Builder | Adviser | Fintech Writer | Product Strategist
In this episode, Jonathan Fine sat down with Jas Shah, one of the most thoughtful voices in global fintech. Known for his work across advisory, product, stablecoins, and his widely read writing, Jas brings a rare combination of industry insight and plain-spoken clarity.
We talk about his first impression of the Summit, the projects that keep him busy today, and how they connect to the stablecoin panel he joined. Jas shares his view on the link between fintech, wealthtech and retail brokers, especially as firms like Revolut, eToro and Trading212 blur long-standing lines in the market.
We also explore what stablecoin adoption might look like for retail investment platforms, including a few product and UX angles that are not obvious at first glance.
To close, Jas explains how he thinks about writing, and how he approaches “shipping” pieces that spark debate across the industry.
Vitalii Bulynin Talks About Versus Trade, New Pairs, and Big Plans
Vitalii Bulynin Talks About Versus Trade, New Pairs, and Big Plans
In this interview, Versus Trade Co-Founder Vitalii Bulynin explains how the company got its license fast, why its trading pairs are fresh and fun, and what the team will build next.
He also discusses the most active pairs, the IB and MIB plans, and hiring needs for new markets.
Watch the whole talk to learn more about how Versus Trade works and where it is heading.
#financemagnates #VersusTrade #TradingPairs #BTCvsGold #goldtrading #innovation
In this interview, Versus Trade Co-Founder Vitalii Bulynin explains how the company got its license fast, why its trading pairs are fresh and fun, and what the team will build next.
He also discusses the most active pairs, the IB and MIB plans, and hiring needs for new markets.
Watch the whole talk to learn more about how Versus Trade works and where it is heading.
#financemagnates #VersusTrade #TradingPairs #BTCvsGold #goldtrading #innovation
Marketing in 2026 Audiences, Costs, and Smarter AI
Marketing in 2026 Audiences, Costs, and Smarter AI
As brokers eye B2B business and compete with fintechs and crypto exchanges alike, marketers need to act wisely with often limited budgets. AI can offer scalable solutions, but only if used properly.
Join seasoned marketing executives and specialists as they discuss the main challenges they identify in financial services in 2026 and how they address them.
Attendees of this session will walk away with:
- A nuts-and-bolts account of acquisition costs across platforms and geos
- Analysis of today’s multi-layered audience segments and differences in behaviour
- First-hand account of how global brokers balance consistency and local flavour
- Notes from the field about intelligently using AI and automation in marketing
Speakers:
-Yam Yehoshua, Editor-In-Chief at Finance Magnates
-Federico Paderni, Managing Director for Growth Markets in Europe at X
-Jo Benton, Chief Marketing Officer, Consulting | Fractional CMO
-Itai Levitan, Head of Strategy at investingLive
-Roberto Napolitano, CMO at Innovate Finance
-Tony Cross, Director at Monk Communications
#fmls #fmls25 #fmevents #FintechMarketing #AI #DigitalStrategy #Fintech #Innovation
Connect with us at:
🔗 LinkedIn: / financemagnates-events
👍 Facebook: / financemagnatesevents
📸 Instagram: / fmevents_official
🐦 Twitter: / f_m_events
🎥 TikTok: / fmevents_official
As brokers eye B2B business and compete with fintechs and crypto exchanges alike, marketers need to act wisely with often limited budgets. AI can offer scalable solutions, but only if used properly.
Join seasoned marketing executives and specialists as they discuss the main challenges they identify in financial services in 2026 and how they address them.
Attendees of this session will walk away with:
- A nuts-and-bolts account of acquisition costs across platforms and geos
- Analysis of today’s multi-layered audience segments and differences in behaviour
- First-hand account of how global brokers balance consistency and local flavour
- Notes from the field about intelligently using AI and automation in marketing
Speakers:
-Yam Yehoshua, Editor-In-Chief at Finance Magnates
-Federico Paderni, Managing Director for Growth Markets in Europe at X
-Jo Benton, Chief Marketing Officer, Consulting | Fractional CMO
-Itai Levitan, Head of Strategy at investingLive
-Roberto Napolitano, CMO at Innovate Finance
-Tony Cross, Director at Monk Communications
#fmls #fmls25 #fmevents #FintechMarketing #AI #DigitalStrategy #Fintech #Innovation
Connect with us at:
🔗 LinkedIn: / financemagnates-events
👍 Facebook: / financemagnatesevents
📸 Instagram: / fmevents_official
🐦 Twitter: / f_m_events
🎥 TikTok: / fmevents_official
Fail Better Trading Tech to Tackle Industry Risks
Fail Better Trading Tech to Tackle Industry Risks
Much like their traders in the market, brokers must diversify to manage risk and stay resilient. But that can get costly, clunky, and lengthy.
This candid panel brings together builders across the trading infrastructure space to uncover the shifting dynamics behind tools, interfaces, and full-stack ambitions.
Attendees will hear:
-Why platform dependency has become one of the most overlooked risks in the trading business?
-Buy vs. build: What do hybrid models look like, and why are industry graveyards filled with failed ‘killer apps’?
-How AI is already changing execution, risk, and reporting—and what’s next?
-Which features, assets, and tools gain the most traction, and where brokers should look for tech-driven retention?
Speakers:
-Stephen Miles, Chief Revenue Officer at FYNXT
-John Morris, Co-Founder at FXBlue
-Matthew Smith, Group Chair & CEO at EC Markets
-Tom Higgins, Founder & CEO at Gold-i
-Gil Ben Hur, Founder at 5% Group
#fmls #fmls25 #fmevents #Brokers #Trading #Fintech #FintechInnovation #TradingTechnology #Innovation
Connect with us at:
🔗 LinkedIn: / financemagnates-events
👍 Facebook: / financemagnatesevents
📸 Instagram: / fmevents_official
🐦 Twitter: / f_m_events
🎥 TikTok: / fmevents_official
Much like their traders in the market, brokers must diversify to manage risk and stay resilient. But that can get costly, clunky, and lengthy.
This candid panel brings together builders across the trading infrastructure space to uncover the shifting dynamics behind tools, interfaces, and full-stack ambitions.
Attendees will hear:
-Why platform dependency has become one of the most overlooked risks in the trading business?
-Buy vs. build: What do hybrid models look like, and why are industry graveyards filled with failed ‘killer apps’?
-How AI is already changing execution, risk, and reporting—and what’s next?
-Which features, assets, and tools gain the most traction, and where brokers should look for tech-driven retention?
Speakers:
-Stephen Miles, Chief Revenue Officer at FYNXT
-John Morris, Co-Founder at FXBlue
-Matthew Smith, Group Chair & CEO at EC Markets
-Tom Higgins, Founder & CEO at Gold-i
-Gil Ben Hur, Founder at 5% Group
#fmls #fmls25 #fmevents #Brokers #Trading #Fintech #FintechInnovation #TradingTechnology #Innovation
Connect with us at:
🔗 LinkedIn: / financemagnates-events
👍 Facebook: / financemagnatesevents
📸 Instagram: / fmevents_official
🐦 Twitter: / f_m_events
🎥 TikTok: / fmevents_official
