Brokerage accounts identity theft and life savings
I'm starting to lose a little bit of sleep about the security of my life savings. I have a brokerage account that includes multiple funds. When I access the account via the internet to see the current value, I occasionally have a moment of anxiety after I put in the password and the account information hits the screen. The fear is that someone has hacked my account or my identity and the account has been drawn to zero. I'm not paranoid but it is something I think about. I have increased the strength of my password but don't know what else I can do.
Most of us have large investment accounts that can be accessed (and funds withdrawn) electronically. Are there other techniques besides a strong password that you employ to protect your funds?
Thanks,
Keith
Re: Brokerage accounts identity theft and life savings
Have to say, this is one thing I've never worried about. Maybe different age groups between us, but I grew up with computers, and am pretty comfortable with them.
With that said, if you're actually having issues because of it, call the brokerage and ask them to discontinue your online account. Start doing everything over the phone, through mail, or in person. Keep in mind, you may incur additional fees accessing your accounts this way.
Re: Brokerage accounts identity theft and life savings
Not sure if your broker can accommodate but some will take your instruction not to send out any funds unless they have received a signed instruction from you and call you to confirm about the transfer. Call your firm to see what they can offer.
Re: Brokerage accounts identity theft and life savings
Perhaps counseling would help? Or a benzodiazepine?
Re: Brokerage accounts identity theft and life savings
I share your concern and there have been several posts about having "too much" in one financial institution.
My only hope is that if something like that actually occurred, the financial institution would be able to trace what happened and make it good.
-
- Posts: 7502
- Joined: Mon Dec 17, 2007 6:32 pm
Re: Brokerage accounts identity theft and life savings
If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.
Brian
Re: Brokerage accounts identity theft and life savings
Default User BR wrote: If it really concerns you, take it up with the custodian. Find out what protections are in place and what if anything can be done to strengthen it. Most of the time, it's not all that easy to move money out of accounts.
Brian
I would not be too complacent about that.
One way that I have heard of accounts being drained is that they can make large trades buying penny stocks that they are selling from some shell account.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Brokerage accounts identity theft and life savings
I grew up with computers, and am pretty comfortable with them, but ...
To err is human, to really screw up requires a computer.
Re: Brokerage accounts identity theft and life savings
The number one way that a criminal gets your password is through a program called a "Keystroke Logger." Simply put, this lets someone know what keys you typed in. It would show them something like:
www dot bankname dot com (I changed this after looking at the preview to not actually link to a spam holding site).
:click:
MySignInName
:tab:
MyPassword1234
:enter:
One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order. The person may see something like this:
3
:click:
1
:click:
4
:click:
2
:click:
word
:click:
my
:click:
pass
:enter:
You get the idea. You have at least made it more difficult. By the way, never use 1234 or any such combination in a password.
At least that is the way to combat one method of online id theft.
I'm not a financial professional. Post is info only & not legal advice. No attorney-client relationship exists with reader. Scrutinize my ideas as if you spoke with a guy at a bar. I may be wrong.
-
- Posts: 218
- Joined: Sun Mar 03, 2013 2:57 pm
Re: Brokerage accounts identity theft and life savings
I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.
-
- Posts: 926
- Joined: Thu Apr 26, 2007 1:05 pm
Re: Brokerage accounts identity theft and life savings
lostInFinance wrote: I wouldn't lose any sleep over this. Can anyone point to a single example of where an individual investor lost money as a result of computer hacking? If your account gets hacked, Vanguard will eat the loss.
This has happened. Here is one article I remember from a few years ago.
http://www.businessweek.com/stories/200 ... ck-hackers
Need to take sensible precautions:
1) Install up to date antivirus software and firewalls.
2) Never ever login to a brokerage from anyplace but your home computer. I never login from computers my kids might be using (viruses/trojan horses are common on kids' computers thanks to their visiting online games and such).
3) I don't login from any mobile device either.
4) Schwab offers 2 factor authentication, which is handy (it adds yet another layer of protection that needs breaching).
5) Instruct the custodian that a wire xfer out of the account requires both a signature and a phone call verification. This of course does nothing for the penny stock scam another poster described.
6) Diversify across more than one brokerage account.
Re: Brokerage accounts identity theft and life savings
Dulocracy wrote: One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
My brokerage (Wells Fargo) has a pretty tight looking 'Security Guarantee'-- 100% of funds are covered for both unauthorized transfers and trades: https://www.wellsfargo.com/privacy_secu ... /guarantee
But if I was concerned about this, I would choose a brokerage that uses 2-factor authentication (ex: HSBC) and practice excellent computer hygiene.
-
- Posts: 7502
- Joined: Mon Dec 17, 2007 6:32 pm
Re: Brokerage accounts identity theft and life savings
cheapskate wrote: This has happened. Here is one article I remember from a few years ago.
Did you notice the bit in there about the "satisfactory settlement" with the custodian?
Brian
Re: Brokerage accounts identity theft and life savings
Dulocracy wrote: One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
MattS wrote: I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
Re: Brokerage accounts identity theft and life savings
If this is a concern, you might look into using Schwab as your primary brokerage. As someone pointed out on another thread, they will give you a token that constantly generates new passwords that need to be entered in addition to your usual password, so that might be helpful for you.
http://www.schwab.com/public/schwab/nn/ ... ur_account
-
- Posts: 926
- Joined: Thu Apr 26, 2007 1:05 pm
Re: Brokerage accounts identity theft and life savings
cheapskate wrote: This has happened. Here is one article I remember from a few years ago.
Default User BR wrote: Did you notice the bit in there about the "satisfactory settlement" with the custodian?
Brian
Yes. I did. I am not unduly worried about this, but I take the precautions I outlined anyway.
I asked Schwab about this, and they said their policy is to reimburse clients who are victims of fraud.
Re: Brokerage accounts identity theft and life savings
If I could not be comfortable accessing my accounts online, I would not set up online accounts and then use the telephone to get information. No online account = account cannot be hacked with a computer. Honestly and with no slight intended, for some people that would be the best option.
Knock on wood, I am fairly savvy about how miscreants do their work so I remain vigilant. One of my best friends works in the online security group of a bank and there is no doubt some of the best brains in the world are being paid by organized crime to work full-time on stealing from online accounts. He recently shared with me how they are getting around two-factor authentication, although it takes a little help from a naive end user.
Re: Brokerage accounts identity theft and life savings
Dulocracy wrote: One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
MattS wrote: I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
Dulocracy wrote: It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.
It is much better to employ practices to avoid getting keyloggers in the first place.
Re: Brokerage accounts identity theft and life savings
Dulocracy wrote: One way to fight this is to put your password in out of order. That is: My password is MyPassword1234. I would then put the numbers in out of order.
MattS wrote: I don't think this is effective: most spyware looks directly at the form fields on the page, so cutting and pasting does not help.
Dulocracy wrote: It is not effective against all malware/spyware programs. The most common (and most commonly used by people you know) is a keystroke logger. That is, the interception point is the striking of the key, not mining data from https sites. It is easier to hack an individual's computer than to hack in the process, and keystroke logging is one of the easiest ways. It is not effective if they have hacked the website (as the website does not have access to your keystrokes, but to the actual data). Again, it will not prevent all kinds of cybercrime, but it does deter one major type. (As an attorney, I learned a lot more about this than I thought I ever would because of cases wherein such tactics were implemented.)
Mudpuppy wrote: It is not effective against a keystroke logger either. The logger will record the set of characters used for the password. It's simply a matter of determining the permutation. In the example given, there are 7 tokens to rearrange in the correct order. That is 7!, or 5040, permutations. Assuming one can try 3 passwords per hour on a live website because the account gets locked out for an hour after 3 wrong passwords, then all of the 5040 permutations could be tried in 70 days. If the site's password attempt policy allowed 6 wrong passwords before locking out or only locked out for 30 minutes, then they could determine the password in a month. And the attacker could randomly luck out and land on the correct permutation much sooner than the maximum brute force time.
It is much better to employ practices to avoid getting keyloggers in the first place.
I agree that it is better to avoid keyloggers in the first place, and I agree that it is easier to decipher the permutations when there are fewer of them. It does not hurt, however, to add a step for the bad guys. Would you rather that they have to try the permutations or to simply have the password? Many sites shut down after three bad guesses. It is amazing how often friends and family members are the ones to blame for theft. At work, an employee uses a keylogger to gain info. At home, the son with a drug problem gets the password. The above method would make it much harder for them. Even with a stranger with all sorts of programs, the security feature of the website that shuts access after 3 tries makes the 5040 permutations a lot harder to work. Will a hacker with lots of passwords and lots of crime to do go through the extra steps or move to the next password? No system is perfect. The idea is to add as many steps as possible. Many hacker types will grab the low-hanging fruit and move on.