Hello,
I found a bug in TR that allows any pin to easily be brute forced.
Accounts have no persistent level of attempts. If you want to withdraw funds/place order (whatever requires pin)
Simply write a script that executes your preferred action, and after 4 attempts it reloads the action, and it will give your more attempts.
You can brute pins easily. I tried on several test accounts.
Probably not big deal, they must have your account first, but it effectively makes PIN useless.
Messaged admins, they don't see a problem.
not this again