Brokerage accounts identity theft and life savings


Postby stedmakr » Wed Apr 03, 2013 12:53 pm

I'm starting to lose a little bit of sleep about the security of my life savings. I have a brokerage account that includes multiple funds. When I access the account via the internet to see the current value, I occasionally have a moment of anxiety after I put in the password and the account information hits the screen. The fear is that someone has hacked my account or my identity and the account has been drawn to zero. I'm not paranoid but it is something I think about. I have increased the strength of my password but don't know what else I can do.

Most of us have large investment accounts that can be accessed (and funds withdrawn) electronically. Are there other techniques besides a strong password that you employ to protect your funds?

Thanks,

Keith
stedmakr
 
Posts: 17
Joined: Mon Apr 21, 2008 3:37 pm

Re: Brokerage accounts identity theft and life savings

Postby WHL » Wed Apr 03, 2013 1:45 pm

Have to say, this is one thing I've never worried about. Maybe different age groups between us, but I grew up with computers, and am pretty comfortable with them.

With that said, if you're actually having issues because of it, call the brokerage and ask them to discontinue your online account. Start doing everything over the phone, through mail, or in person. Keep in mind, you may incur additional fees accessing your accounts this way.
WHL
 
Posts: 611
Joined: Mon Dec 10, 2012 3:22 pm

Re: Brokerage accounts identity theft and life savings

Postby hlfo718 » Wed Apr 03, 2013 3:28 pm

Not sure if your broker can accommodate but some will take your instruction not to send out any funds unless they have received a signed instruction from you and call you to confirm about the transfer. Call your firm to see what they can offer.
hlfo718
 
Posts: 649
Joined: Wed Dec 01, 2010 10:17 am
Location: NYC

Re: Brokerage accounts identity theft and life savings

Postby dickenjb » Wed Apr 03, 2013 4:09 pm

Perhaps counseling would help? Or a benzodiazepine?
Philly Chapter Coordinator
dickenjb
 
Posts: 2940
Joined: Tue Jan 05, 2010 2:11 pm
Location: Philadelphia PA

Re: Brokerage accounts identity theft and life savings

Postby AAA » Wed Apr 03, 2013 5:33 pm

I share your concern and there have been several posts about having "too much" in one financial institution.

My only hope is that if something like that actually occurred, the financial institution would be able to trace what happened and make it good.
AAA
 
Posts: 199
Joined: Sat Jan 12, 2008 9:56 am

Re: Brokerage accounts identity theft and life savings

Postby Default User BR » Wed Apr 03, 2013 6:40 pm

If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.


Brian
Default User BR
 
Posts: 7503
Joined: Mon Dec 17, 2007 8:32 pm

Re: Brokerage accounts identity theft and life savings

Postby Watty » Wed Apr 03, 2013 10:39 pm

Default User BR wrote:If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.


Brian



I would not be too complacent about that.

One way that I have heard of accounts being drained is that they can make large trades buying penny stocks that they are selling from some shell account.
Watty
 
Posts: 4675
Joined: Wed Oct 10, 2007 4:55 pm

Re: Brokerage accounts identity theft and life savings

Postby Epsilon Delta » Thu Apr 04, 2013 9:34 am

I grew up with computers, and am pretty comfortable with them, but ...

To err is human, to really screw up requires a computer.
Epsilon Delta
 
Posts: 3431
Joined: Thu Apr 28, 2011 8:00 pm

Re: Brokerage accounts identity theft and life savings

Postby Dulocracy » Thu Apr 04, 2013 6:13 pm

The number one way that a criminal gets your password is through a program called a "Keystroke Logger." Simply put, this lets someone know what keys you typed in. It would show them something like:

www dot bankname dot com (I changed this after looking at the preview to not actually link to a spam holding site).
:click:
MySignInName
:tab:
MyPassword1234
:enter:

One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order. The person may see something like this:
3
:click:
1
:click:
4
:click:
2
:click:
word
:click:
my
:click:
pass
:enter:

You get the idea. You have at least made it more difficult. By the way, never use 1234 or any such combination in a password.

At least that is the way to combat one method of online id theft.
I'm not a financial professional. Post is info only & not legal advice. No attorney-client relationship exists with reader. Scrutinize my ideas as if you spoke with a guy at a bar. I may be wrong.
Dulocracy
 
Posts: 761
Joined: Wed Feb 27, 2013 2:03 pm
Location: Atlanta, GA

Re: Brokerage accounts identity theft and life savings

Postby lostInFinance » Thu Apr 04, 2013 11:49 pm

I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.
lostInFinance
 
Posts: 218
Joined: Sun Mar 03, 2013 4:57 pm

Re: Brokerage accounts identity theft and life savings

Postby cheapskate » Fri Apr 05, 2013 12:55 am

lostInFinance wrote:I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.


This has happened. Here is one article I remember from a few years ago.

http://www.businessweek.com/stories/200 ... ck-hackers

Need to take sensible precautions:

1) Install up to date antivirus software and firewalls.
2) Never ever log in to a brokerage from anyplace but your home computer. I never log in from computers my kids might be using (viruses/trojan horses are common on kids' computers thanks to their visiting online games and such).
3) I don't log in from any mobile device either.
4) Schwab offers 2 factor authentication, which is handy (it adds yet another layer of protection that needs breaching).
5) Instruct the custodian that a wire xfer out of the account requires both a signature and a phone call verification. This of course does nothing for the penny stock scam another poster described :(
6) Diversify across more than one brokerage account.
cheapskate
 
Posts: 569
Joined: Thu Apr 26, 2007 2:05 pm

Re: Brokerage accounts identity theft and life savings

Postby MattS » Fri Apr 05, 2013 1:24 am

Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.

I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.

My brokerage (Wells Fargo) has a pretty tight looking 'Security Guarantee'-- 100% of funds are covered for both unauthorized transfers and trades: https://www.wellsfargo.com/privacy_security/online/guarantee

But if I was concerned about this, I would choose a brokerage that uses 2-factor authentication (ex: HSBC) and practice excellent computer hygiene.
MattS
 
Posts: 2
Joined: Mon Apr 01, 2013 6:41 pm

Re: Brokerage accounts identity theft and life savings

Postby Default User BR » Fri Apr 05, 2013 1:38 am

cheapskate wrote:This has happened. Here is one article I remember from a few years ago.

Did you notice the bit in there about the "satisfactory settlement" with the custodian?


Brian
Default User BR
 
Posts: 7503
Joined: Mon Dec 17, 2007 8:32 pm

Re: Brokerage accounts identity theft and life savings

Postby Dulocracy » Fri Apr 05, 2013 1:34 pm

MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.

I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.



It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
Dulocracy
 
Posts: 761
Joined: Wed Feb 27, 2013 2:03 pm
Location: Atlanta, GA

Re: Brokerage accounts identity theft and life savings

Postby Iorek » Fri Apr 05, 2013 2:01 pm

If this is a concern, you might look into using Schwab as your primary brokerage. As someone pointed out on another thread, they will give you a token that constantly generates new passwords that need to be entered in addition to your usual password, so that might be helpful for you.

http://www.schwab.com/public/schwab/nn/ ... ur_account
Iorek
 
Posts: 616
Joined: Fri Mar 08, 2013 10:38 am

Re: Brokerage accounts identity theft and life savings

Postby cheapskate » Fri Apr 05, 2013 2:33 pm

Default User BR wrote:
cheapskate wrote:This has happened. Here is one article I remember from a few years ago.

Did you notice the bit in there about the "satisfactory settlement" with the custodian?

Brian


Yes. I did. I am not unduly worried about this, but I take the precautions I outlined anyway.

I asked Schwab about this, and they said their policy is to reimburse clients who are victims of fraud.
cheapskate
 
Posts: 569
Joined: Thu Apr 26, 2007 2:05 pm

Re: Brokerage accounts identity theft and life savings

Postby prudent » Fri Apr 05, 2013 4:35 pm

If I could not be comfortable accessing my accounts online, I would not set up online accounts and then use the telephone to get information. No online account = account cannot be hacked with a computer. Honestly and with no slight intended, for some people that would be the best option.

Knock on wood, I am fairly savvy about how miscreants do their work so I remain vigilant. One of my best friends works in the online security group of a bank and there is no doubt some of the best brains in the world are being paid by organized crime to work full-time on stealing from online accounts. He recently shared with me how they are getting around two-factor authentication, although it takes a little help from a naive end user.
prudent
 
Posts: 1234
Joined: Fri May 20, 2011 3:50 pm

Re: Brokerage accounts identity theft and life savings

Postby Mudpuppy » Sat Apr 06, 2013 2:20 am

Dulocracy wrote:
MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.

I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.



It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)

It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.

It is much better to employ practices to avoid getting keyloggers in the first place.
Mudpuppy
 
Posts: 2657
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California
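
Added example, not part of any post in this thread: a small Python model of the two objections raised above, MattS's point that the form field holds the assembled password and Mudpuppy's permutation and lockout arithmetic. The caret positions, the capitalised tokens and all function names are assumptions made for the illustration; it replays a constructed list of typing events and captures no real input.

```python
from collections import Counter
from math import ceil, factorial

# Constructed typing events (caret_position, text) for the thread's example
# password "MyPassword1234", entered out of order as in Dulocracy's post.
EVENTS = [(0, "3"), (0, "1"), (2, "4"), (1, "2"),
          (0, "word"), (0, "My"), (2, "Pass")]


def replay(events):
    """Replay typing events into a simulated form field.

    Returns (keystroke_log, field_value): the token sequence a
    keystroke-only logger would record, and the value the form field
    holds when the page is submitted.
    """
    field, log = "", []
    for pos, text in events:
        field = field[:pos] + text + field[pos:]  # insert at the caret
        log.append(text)
    return log, field


def orderings(tokens):
    """Distinct orderings of the logged tokens (multiset permutations)."""
    count = factorial(len(tokens))
    for repeats in Counter(tokens).values():
        count //= factorial(repeats)
    return count


def days_to_exhaust(candidates, tries_per_lockout, lockout_minutes):
    """Worst-case days to try every ordering when each batch of wrong
    guesses costs one lockout window (the policy assumed in the post)."""
    windows = ceil(candidates / tries_per_lockout)
    return windows * lockout_minutes / (60 * 24)


if __name__ == "__main__":
    log, field = replay(EVENTS)
    n = orderings(log)
    print("keystroke log :", log)
    print("field at submit:", field)
    print("orderings      :", n)
    for tries, minutes in [(3, 60), (6, 60), (3, 30)]:
        print(f"{tries} tries per {minutes} min lockout:",
              days_to_exhaust(n, tries, minutes), "days")
```

The model reproduces the figures in the post (5040 orderings, 70 days at 3 tries per hour, 35 days under either relaxed policy) and shows that the field value at submit is the complete password no matter what order it was typed in.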

Re: Brokerage accounts identity theft and life savings

Postby Dulocracy » Mon Apr 08, 2013 11:26 am

Mudpuppy wrote:
Dulocracy wrote:
MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.

I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.



It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)

It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.

It is much better to employ practices to avoid getting keyloggers in the first place.



I agree that it is better to avoid keyloggers in the first place, and I agree that it is easier to decipher the permutations when there are fewer of them. It does not hurt, however, to add a step for the bad guys. Would you rather that they have to try the permutations or to simply have the password? Many sites shut down after three bad guesses. It is amazing how often friends and family members are the ones to blame for theft. At work, an employee uses a keylogger to gain info. At home, the son with a drug problem gets the password. The above method would make it much harder for them. Even with a stranger with all sorts of programs, the security feature of the website that shuts access after 3 tries makes the 5040 permutations a lot harder to work. Will a hacker with lots of passwords and lots of crime to do go through the extra steps or move to the next password? No system is perfect. The idea is to add as many steps as possible. Many hacker types will grab the low hanging fruit and move on.
Dulocracy
 
Posts: 761
Joined: Wed Feb 27, 2013 2:03 pm
Location: Atlanta, GA

