Brokerage accounts identity theft and life savings

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Topic Author
stedmakr
Posts: 24
Joined: Mon Apr 21, 2008 2:37 pm

Brokerage accounts identity theft and life savings

Post by stedmakr »

I'm starting to lose a little bit of sleep about the security of my life savings. I have a brokerage account that includes multiple funds. When I access the account via the internet to see the current value, I occasionally have a moment of anxiety after I put in the password and the account information hits the screen. The fear is that someone has hacked my account or my identity and the account has been drawn to zero. I'm not paranoid but it is something I think about. I have increased the strength of my password but don't know what else I can do.

Most of us have large investment accounts that can be accessed (and funds withdrawn) electronically. Are there other techniques besides a strong password that you employ to protect your funds?

Thanks,

Keith
WHL
Posts: 789
Joined: Mon Dec 10, 2012 1:22 pm

Re: Brokerage accounts identity theft and life savings

Post by WHL »

Have to say, this is one thing I've never worried about. Maybe different age groups between us, but I grew up with computers, and am pretty comfortable with them.

With that said, if you're actually having issues because of it, call the brokerage and ask them to discontinue your online account. Start doing everything over the phone, through mail, or in person. Keep in mind, you may incur additional fees accessing your accounts this way.
hlfo718
Posts: 808
Joined: Wed Dec 01, 2010 8:17 am
Location: NYC

Re: Brokerage accounts identity theft and life savings

Post by hlfo718 »

Not sure if your broker can accommodate but some will take your instruction not to send out any funds unless they have received a signed instruction from you and call you to confirm about the transfer. Call your firm to see what they can offer.
dickenjb
Posts: 2941
Joined: Tue Jan 05, 2010 12:11 pm
Location: Philadelphia PA

Re: Brokerage accounts identity theft and life savings

Post by dickenjb »

Perhaps counseling would help? Or a benzodiazepine?
AAA
Posts: 1885
Joined: Sat Jan 12, 2008 7:56 am

Re: Brokerage accounts identity theft and life savings

Post by AAA »

I share your concern and there have been several posts about having "too much" in one financial institution.

My only hope is that if something like that actually occurred, the financial institution would be able to trace what happened and make it good.
Default User BR
Posts: 7502
Joined: Mon Dec 17, 2007 6:32 pm

Re: Brokerage accounts identity theft and life savings

Post by Default User BR »

If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.


Brian
Watty
Posts: 28860
Joined: Wed Oct 10, 2007 3:55 pm

Re: Brokerage accounts identity theft and life savings

Post by Watty »

Default User BR wrote:If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.


Brian

I would not be too complacent about that.

One way that I have heard of accounts being drained is that they can make large trades buying penny stocks that they are selling from some shell account.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Brokerage accounts identity theft and life savings

Post by Epsilon Delta »

I grew up with computers, and am pretty comfortable with them, but ...

To err is human, to really screw up requires a computer.
Tamahome
Posts: 2325
Joined: Wed Feb 27, 2013 12:03 pm
Location: Atlanta, GA

Re: Brokerage accounts identity theft and life savings

Post by Tamahome »

The number one way that a criminal gets your password is through a program called a "Keystroke Logger." Simply put, this lets someone know what keys you typed in. It would show them something like:

www dot bankname dot com (I changed this after looking at the preview to not actually link to a spam holding site).
:click:
MySignInName
:tab:
MyPassword1234
:enter:

One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order. The person may see something like this:
3
:click:
1
:click:
4
:click:
2
:click:
word
:click:
my
:click:
pass
:enter:

You get the idea. You have at least made it more difficult. By the way, never use 1234 or any such combination in a password.

At least that is the way to combat one method of online id theft.
I'm not a financial professional. Post is info only & not legal advice. No attorney-client relationship exists with reader. Scrutinize my ideas as if you spoke with a guy at a bar. I may be wrong.
lostInFinance
Posts: 218
Joined: Sun Mar 03, 2013 2:57 pm

Re: Brokerage accounts identity theft and life savings

Post by lostInFinance »

I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.
cheapskate
Posts: 926
Joined: Thu Apr 26, 2007 1:05 pm

Re: Brokerage accounts identity theft and life savings

Post by cheapskate »

lostInFinance wrote:I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.
This has happened. Here is one article I remember from a few years ago.

http://www.businessweek.com/stories/200 ... ck-hackers

Need to take sensible precautions:

1) Install up to date antivirus software and firewalls.
2) Never ever login to a brokerage from anyplace but your home computer. I never login from computers my kids might be using (viruses/trojan horses are common on kids' computers thanks to their visiting online games and such).
3) I don't login from any mobile device either.
4) Schwab offers 2 factor authentication, which is handy (it adds yet another layer of protection that needs breaching).
5) Instruct the custodian that a wire xfer out of the account requires both a signature and a phone call verification. This of course does nothing for the penny stock scam another poster described :(
6) Diversify across more than one brokerage account.
MattS
Posts: 2
Joined: Mon Apr 01, 2013 5:41 pm

Re: Brokerage accounts identity theft and life savings

Post by MattS »

Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.

My brokerage (Wells Fargo) has a pretty tight looking 'Security Guarantee'-- 100% of funds are covered for both unauthorized transfers and trades: https://www.wellsfargo.com/privacy_secu ... /guarantee

But if I was concerned about this, I would choose a brokerage that uses 2-factor authentication (ex: HSBC) and practice excellent computer hygiene.
Default User BR
Posts: 7502
Joined: Mon Dec 17, 2007 6:32 pm

Re: Brokerage accounts identity theft and life savings

Post by Default User BR »

cheapskate wrote:This has happened. Here is one article I remember from a few years ago.
Did you notice the bit in there about the "satisfactory settlement" with the custodian?


Brian
Tamahome
Posts: 2325
Joined: Wed Feb 27, 2013 12:03 pm
Location: Atlanta, GA

Re: Brokerage accounts identity theft and life savings

Post by Tamahome »

MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
I'm not a financial professional. Post is info only & not legal advice. No attorney-client relationship exists with reader. Scrutinize my ideas as if you spoke with a guy at a bar. I may be wrong.
Iorek
Posts: 1569
Joined: Fri Mar 08, 2013 8:38 am

Re: Brokerage accounts identity theft and life savings

Post by Iorek »

If this is a concern, you might look into using Schwab as your primary brokerage. As someone pointed out on another thread, they will give you a token that constantly generates new passwords that need to be entered in addition to your usual password, so that might be helpful for you.

http://www.schwab.com/public/schwab/nn/ ... ur_account
cheapskate
Posts: 926
Joined: Thu Apr 26, 2007 1:05 pm

Re: Brokerage accounts identity theft and life savings

Post by cheapskate »

Default User BR wrote:
cheapskate wrote:This has happened. Here is one article I remember from a few years ago.
Did you notice the bit in there about the "satisfactory settlement" with the custodian?

Brian
Yes. I did. I am not unduly worried about this, but I take the precautions I outlined anyway.

I asked Schwab about this, and they said their policy is to reimburse clients who are victims of fraud.
prudent
Moderator
Posts: 9085
Joined: Fri May 20, 2011 2:50 pm

Re: Brokerage accounts identity theft and life savings

Post by prudent »

If I could not be comfortable accessing my accounts online, I would not set up online accounts and then use the telephone to get information. No online account = account cannot be hacked with a computer. Honestly and with no slight intended, for some people that would be the best option.

Knock on wood, I am fairly savvy about how miscreants do their work so I remain vigilant. One of my best friends works in the online security group of a bank and there is no doubt some of the best brains in the world are being paid by organized crime to work full-time on stealing from online accounts. He recently shared with me how they are getting around two-factor authentication, although it takes a little help from a naive end user.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Brokerage accounts identity theft and life savings

Post by Mudpuppy »

Dulocracy wrote:
MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.

It is much better to employ practices to avoid getting keyloggers in the first place.
Tamahome
Posts: 2325
Joined: Wed Feb 27, 2013 12:03 pm
Location: Atlanta, GA

Re: Brokerage accounts identity theft and life savings

Post by Tamahome »

Mudpuppy wrote:
Dulocracy wrote:
MattS wrote:
Dulocracy wrote:One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.

It is much better to employ practices to avoid getting keyloggers in the first place.

I agree that it is better to avoid keyloggers in the first place, and I agree that it is easier to decipher the permutations when there are fewer of them. It does not hurt, however, to add a step for the bad guys. Would you rather that they have to try the permutations or to simply have the password? Many sites shut down after three bad guesses. It is amazing how often friends and family members are the ones to blame for theft. At work, an employee uses a keylogger to gain info. At home, the son with a drug problem gets the password. The above method would make it much harder for them. Even with a stranger with all sorts of programs, the security feature of the website that shuts access after 3 tries makes the 5040 permutations a lot harder to work. Will a hacker with lots of passwords and lots of crime to do go through the extra steps or move to the next password? No system is perfect. The idea is to add as many steps as possible. Many hacker types will grab the low hanging fruit and move on.
I'm not a financial professional. Post is info only & not legal advice. No attorney-client relationship exists with reader. Scrutinize my ideas as if you spoke with a guy at a bar. I may be wrong.
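
Added example, not part of any post in this thread: the arithmetic exchanged in the last two posts, written out so a site's lockout policy can be compared against the 7-token reordering discussed above. It generalizes slightly by handling repeated tokens and by modelling a hard lock that needs a manual reset; the function names and that hard-lock model are assumptions of this sketch.

```python
from collections import Counter
from fractions import Fraction
from math import ceil, factorial

# Constructed from the out-of-order entry shown earlier in the thread.
LOGGED_TOKENS = ["3", "1", "4", "2", "word", "my", "pass"]


def distinct_orderings(tokens):
    """Upper bound on candidate passwords: n! divided by k! per repeated token."""
    total = factorial(len(tokens))
    for repeats in Counter(tokens).values():
        total //= factorial(repeats)
    return total


def worst_case_days(orderings, attempts_per_window, window_minutes):
    """Days needed to try every ordering when only `attempts_per_window`
    wrong guesses fit into each lockout window."""
    windows = ceil(orderings / attempts_per_window)
    return windows * window_minutes / (24 * 60)


def hard_lock_success(orderings, guesses_before_lock):
    """Chance that one of the guesses allowed before a lock that needs a
    manual reset is the right ordering (guesses are never repeated)."""
    return Fraction(min(guesses_before_lock, orderings), orderings)


if __name__ == "__main__":
    n = distinct_orderings(LOGGED_TOKENS)
    print("orderings:", n)
    print("3 per hour:", worst_case_days(n, 3, 60), "days")
    print("6 per hour:", worst_case_days(n, 6, 60), "days")
    print("3 per 30 minutes:", worst_case_days(n, 3, 30), "days")
    print("hard lock after 3:", hard_lock_success(n, 3))
```

The difference between the two posts comes down to the policy: a lock that resets on a timer only bounds how long the search takes, while a lock that stays in place until the owner resets it bounds the chance of success.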