Fidelity 2-Factor authentication fail...

Topic Author
Z9yajAg
Posts: 38
Joined: Sun Jun 29, 2014 11:55 am

Fidelity 2-Factor authentication fail...

Post by Z9yajAg »

Fidelity uses Symantec VIP Access on a cell phone for 2-factor authentication, and I've got it turned on.

I replaced my phone last month and logging in failed, apparently because a new cell phone gets a new copy of the cellphone security app. So I called Fidelity on the phone. I got access to my account using only my account userid and password, no other challenge. I explained that I had a new cell phone. The CSR changed Fidelity's 2-factor info to match my new phone, and I was able to log in.

So much for Fidelity 2-factor authentication. At Fidelity, if you have username and password, but NOT the 2nd identity device, a Fidelity rep will be happy to reset the system to let you in. Is this really how 2-factor authentication is supposed to work? It took less than 5 minutes on the phone to bypass the 2-factor login failure.
Phineas J. Whoopee
Posts: 9675
Joined: Sun Dec 18, 2011 5:18 pm

Re: Fidelity 2-Factor authentication fail...

Post by Phineas J. Whoopee »

Not too good, but if I may say so, not too surprising, either. There's always a tradeoff between security and convenience. Many service providers compromise the first to facilitate the second.

Thanks for the report.

For the record, I have the Schwab VPN token, and their instructions say that if the token fails, or is lost, to phone them. I've not tried it, but no doubt they'll rely on what I know. One factor. I'm still happier to have the token than not. It makes me more time-consuming to attack, kind of like a door lock.

PJW
xenial
Posts: 2876
Joined: Tue Feb 27, 2007 12:36 am
Location: USA

Re: Fidelity 2-Factor authentication fail...

Post by xenial »

Z9yajAg wrote:Fidelity uses Symantec VIP Access on a cell phone for 2-factor authentication, and I've got it turned on.

I replaced my phone last month and logging in failed, apparently because a new cell phone gets a new copy of the cellphone security app. So I called Fidelity on the phone. I got access to my account using only my account userid and password, no other challenge. I explained that I had a new cell phone. The CSR changed Fidelity's 2-factor info to match my new phone, and I was able to log in.

So much for Fidelity 2-factor authentication. At Fidelity, if you have username and password, but NOT the 2nd identity device, a Fidelity rep will be happy to reset the system to let you in. Is this really how 2-factor authentication is supposed to work? It took less than 5 minutes on the phone to bypass the 2-factor login failure.
Interesting. I bet you actually provided the CSR authentication info other than your userid and password. When the rep answered the phone, did he/she really ask immediately for your web userid and password, but not your name, address, etc.? Also, the CSR can tell what phone number you're calling from. If it's the home phone in your records, that's a powerful piece of authentication info.
Archie Sinclair
Posts: 413
Joined: Sun Mar 06, 2011 1:03 am

Re: Fidelity 2-Factor authentication fail...

Post by Archie Sinclair »

I suspect that thieves who steal lots of electronic login information are not interested in calling Fidelity separately for each account and pretending to be that individual. If you're a Russian hacker, how many fake American voices can you mimic, and how soon would Fidelity catch on? Once you break into the account, what exactly can you do to steal money? Fidelity probably looks at its internal data on security breaches and knows that this is rare.
Phineas J. Whoopee
Posts: 9675
Joined: Sun Dec 18, 2011 5:18 pm

Re: Fidelity 2-Factor authentication fail...

Post by Phineas J. Whoopee »

Archie Sinclair wrote:... If you're a Russian hacker, how many fake American voices can you mimic, and how soon would Fidelity catch on? Once you break into the account, what exactly can you do to steal money? Fidelity probably looks at its internal data on security breaches and knows that this is rare.
Although I agree with your main point, I suspect "Russian hackers" are perfectly capable of recruiting willing native US English speakers if their business models favor paying money to do so. Their own accents are irrelevant to security.
PJW
bogleblitz
Posts: 506
Joined: Mon Oct 01, 2012 2:51 pm

Re: Fidelity 2-Factor authentication fail...

Post by bogleblitz »

I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.

So a hacker will not call Fidelity because the phone call will be traced back to the hacker's home address.
Phineas J. Whoopee
Posts: 9675
Joined: Sun Dec 18, 2011 5:18 pm

Re: Fidelity 2-Factor authentication fail...

Post by Phineas J. Whoopee »

bogleblitz wrote: I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.

So a hacker will not call Fidelity because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW
stlutz
Posts: 5585
Joined: Fri Jan 02, 2009 12:08 am

Re: Fidelity 2-Factor authentication fail...

Post by stlutz »

I'm curious what people *want* Fidelity to do in this case?

10 or 12 years ago I had lost my VG password and had to wait for them to snail me a new one. That is one approach.
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Fidelity 2-Factor authentication fail...

Post by Rob5TCP »

Phineas J. Whoopee wrote:
bogleblitz wrote: I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.

So a hacker will not call Fidelity because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW
Phone numbers should never be used as security. As PJW stated - it's now trivial, unfortunately.
I have not yet investigated how safe using voice as verification is, but Vanguard does use that.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Fidelity 2-Factor authentication fail...

Post by tuningfork »

Phineas J. Whoopee wrote:
bogleblitz wrote: I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.

So a hacker will not call Fidelity because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW
Indeed. If police could reliably trace a phone number to an address, "Rachel" and her credit card services scam would have been shut down years ago.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity 2-Factor authentication fail...

Post by Epsilon Delta »

Phineas J. Whoopee wrote:
bogleblitz wrote: I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.

So a hacker will not call Fidelity because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW
Are you talking ANI or Caller ID? I thought ANI was still secure, because the phone companies used it for billing and they don't want to lose money.

In any case, caller ID spoofing can be dealt with by hanging up and calling back, unless the whole phone system has been subverted. OTOH, a crook can just plug his phone into the network interface outside your house, but he can't do that from Russia.
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm

Re: Fidelity 2-Factor authentication fail...

Post by KyleAAA »

Yeah, that's how it's supposed to work. If you lose/change the physical device, they have to be able to tie it to a new device somehow. The Fidelity rep should have verified your identity using information other than just your username/password, though. Did they not at least ask for the last 4 digits of your social, your birthday, and some other form of security question before letting you in?
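A toy model of the device re-binding step KyleAAA describes, added here as an example; it is not code from the thread, from Fidelity or from Symantec. A stdlib-only HOTP/TOTP implementation (RFC 4226 / RFC 6238) stands in for the VIP Access credential: enrolling a new phone mints a fresh seed, so the old phone's codes stop working, and the support-desk reset is granted only on evidence the caller uniquely holds (here a one-time recovery code issued at enrollment, which goes a step beyond what the thread discusses), while password plus caller ID is refused. Class and function names, the evidence categories and the policy are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set, Tuple

# Added example: names, data model and policy are assumptions,
# not Fidelity's or Symantec's actual implementation.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password_hash = _sha256(password)      # toy; a real system uses a slow KDF
        self.device_secret: Optional[bytes] = None  # seed held by the enrolled authenticator
        self.recovery_codes: Set[str] = set()       # hashes of unused one-time recovery codes

    def enroll_device(self) -> bytes:
        """Bind a (new) authenticator by minting a fresh seed; any older seed is dead."""
        self.device_secret = secrets.token_bytes(20)
        return self.device_secret

    def issue_recovery_codes(self, n: int = 5) -> Set[str]:
        """One-time codes handed to the owner at enrollment for exactly this situation."""
        codes = {secrets.token_hex(5) for _ in range(n)}
        self.recovery_codes = {_sha256(c) for c in codes}
        return codes


def check_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(_sha256(password), account.password_hash)


def login(account: Account, password: str, code: str, at: Optional[float] = None) -> bool:
    """Normal login: password AND a current code from the enrolled seed."""
    if not check_password(account, password) or account.device_secret is None:
        return False
    return hmac.compare_digest(code, totp(account.device_secret, at))


# Evidence kinds a support desk might be offered when the device is gone (assumed list).
# Caller ID, SSN digits and birthdays are knowable or spoofable; they do not prove possession.
WEAK_EVIDENCE = {"caller_id", "ssn_last4", "date_of_birth"}


def rebind_device(account: Account, password: str, evidence: Tuple[str, str]) -> Optional[bytes]:
    """Support-desk reset path. Returns the new seed, or None if the request is refused."""
    if not check_password(account, password):
        return None
    kind, value = evidence
    if kind in WEAK_EVIDENCE:
        return None  # password + weak evidence is still only one real factor
    if kind == "recovery_code":
        digest = _sha256(value)
        if digest not in account.recovery_codes:
            return None
        account.recovery_codes.discard(digest)  # single use
        return account.enroll_device()
    return None  # unknown evidence kind


if __name__ == "__main__":
    acct = Account("alice", "correct horse")
    old_seed = acct.enroll_device()
    codes = acct.issue_recovery_codes()
    now = time.time()
    print("login with enrolled phone:", login(acct, "correct horse", totp(old_seed, now), now))
    print("reset with caller ID only:", rebind_device(acct, "correct horse", ("caller_id", "+1-555-0100")))
    new_seed = rebind_device(acct, "correct horse", ("recovery_code", next(iter(codes))))
    print("old phone still works after reset:", login(acct, "correct horse", totp(old_seed, now), now))
    print("new phone works after reset:", login(acct, "correct horse", totp(new_seed, now), now))
```

The point of the model is the last two prints: once a new seed is minted, the old phone is dead, so the reset path is the real gate on the account, and it has to demand something stronger than what the password already proved. The first two `hotp` values in the test are the published RFC 4226 vectors for the ASCII seed `12345678901234567890`.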
Topic Author
Z9yajAg
Posts: 38
Joined: Sun Jun 29, 2014 11:55 am

Re: Fidelity 2-Factor authentication fail...

Post by Z9yajAg »

KyleAAA wrote:Yeah, that's how it's supposed to work. If you lose/change the physical device, they have to be able to tie it to a new device somehow. The Fidelity rep should have verified your identity using information other than just your username/password, though. Did they not at least ask for the last 4 digits of your social, your birthday, and some other form of security question before letting you in?
OP here. Fidelity asked for only the account username and password. I was calling Fidelity's toll-free number from my home landline, so perhaps Fidelity matched my home phone using ANI? I guess that's enough to get validated, and once validated, to change the 2-factor device ID. It sure felt weird to get login access working again only a few minutes after realizing I had messed up the original 2-factor device.
lazyday
Posts: 3849
Joined: Wed Mar 14, 2007 10:27 pm

Re: Fidelity 2-Factor authentication fail...

Post by lazyday »

stlutz wrote:I'm curious what people *want* Fidelity to do in this case?

10 or 12 years ago I had lost my VG password and had to wait for them to snail me a new one. That is one approach.
I want options on the security vs easy scale.

I'd like to choose the option so that it is impossible to ever phone anyone about my account without using my password. If the password is lost, it can only be reset by mail with a Medallion signature guarantee from me.

Others might be happy with simple snail mail. That's what I'd probably pick for a 2FA device failure.

Default could be like what usually happens: phone call and verify address and SSN.