Evidence that retirement account ID theft is increasing

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Post Reply
User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Evidence that retirement account ID theft is increasing

Post by tadamsmar » Thu Feb 22, 2018 10:36 am

But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non card fraud. In 2017, that swelled to 7% — more the tripling in one year.
https://bobsullivan.net/cybercrime/reti ... -about-it/

User avatar
pokebowl
Posts: 216
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Evidence that retirement account ID theft is increasing

Post by pokebowl » Thu Feb 22, 2018 11:32 am

Unlike the author, I wouldn't call this retirement account hacking, more like social engineering the help desk support which is nothing new. If anything this illiterates the absurdity of having to use partial SSNs, addresses, etc as verification methods when phoning brokerages for account access. I believe custom PINs and challenge phrases are becoming more common, but I believe institutions can up their security offerings a little more. Security is usually the last thing a company wants to invest in, as it limits availability, profitability, ease of use, and causes more barriers for employees, but its a necessary evil in my opinion. Especially with financial institutions.
There is nothing more expensive than something offered for free.

bikechuck
Posts: 371
Joined: Sun Aug 16, 2015 9:22 pm

Re: Evidence that retirement account ID theft is increasing

Post by bikechuck » Thu Feb 22, 2018 11:42 am

This scares the BEJESUS out of me.

Call_Me_Op
Posts: 7045
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Evidence that retirement account ID theft is increasing

Post by Call_Me_Op » Thu Feb 22, 2018 1:29 pm

The question I have is have there been cases where the stolen funds have not been reimbursed?
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

User avatar
whodidntante
Posts: 4198
Joined: Thu Jan 21, 2016 11:11 pm

Re: Evidence that retirement account ID theft is increasing

Post by whodidntante » Thu Feb 22, 2018 2:07 pm

Call_Me_Op wrote:
Thu Feb 22, 2018 1:29 pm
The question I have is have there been cases where the stolen funds have not been reimbursed?
If the fraud was made possible because you were tricked into authorizing a transaction, gave your password to an attacker, etc., then you would have several options for retirement. Or rather flavors. Of Alpo.

User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by tadamsmar » Thu Feb 22, 2018 11:29 pm

Call_Me_Op wrote:
Thu Feb 22, 2018 1:29 pm
The question I have is have there been cases where the stolen funds have not been reimbursed?
The only ones I have heard of involved the Federal Thrift Savings Plan (TSP). I think they use to allow online withdrawals, but that is no longer possible.

As far as I know, the TSP still has a policy of not reimbursing if they are not at fault.

The same policy might apply to Federal Direct, but that is just speculation on my part. I think you have to have a physical key to log into Federal Direct.

I also once saw a vague reference on a discussion board to a retiree who lost money from a Merrill Lynch account, It think it was a few tens of thousands. But this was a case where the theft was discovered by relatives a long time after the loss, so there was nothing close to timely reporting of the theft. Not sure if they tried hard to get reimbursed.
Last edited by tadamsmar on Thu Feb 22, 2018 11:35 pm, edited 2 times in total.

User avatar
randomizer
Posts: 1539
Joined: Sun Jul 06, 2014 3:46 pm

Re: Evidence that retirement account ID theft is increasing

Post by randomizer » Thu Feb 22, 2018 11:31 pm

Time to panic.
87.5:12.5, EM tilt — HODL the course!

User avatar
Top99%
Posts: 334
Joined: Sat Apr 22, 2017 9:30 am
Location: Austin, TX

Re: Evidence that retirement account ID theft is increasing

Post by Top99% » Fri Feb 23, 2018 8:50 am

One thing that can help mitigate this is to use a dedicated email account for associating with your financial accounts. Use a strong password and multifactor authentication for that email account. Don't use this email account for anything else.

What I would really like and hopefully some brokers will start offering is more rigorous confirmation checks for one time withdrawals.
Basically they could offer the equivalent of a "credit freeze" for withdrawals.
Adapt or perish

User avatar
tractorguy
Posts: 632
Joined: Wed May 19, 2010 6:32 pm
Location: Chicago Suburb

Re: Evidence that retirement account ID theft is increasing

Post by tractorguy » Fri Feb 23, 2018 9:20 am

I read the original article and it strikes me as click bait with a goal of getting people to sign up for a newsletter and eventually buy books. I'm not sure where the 7% of non credit card fraud number comes from and I don't believe it. I think we'd be hearing a lot more about these kinds of fraud events if it was as high as this.

The retirement account fraud cases I have heard of through this forum and the news have in common a person who isn't watching their accounts. I remember reading about the Vanguard theft on this forum although I've been unable to find the discussion. If I remember right, it was an elderly person who never checked his account and somehow the thief managed to get access online, changed his linked bank account, and then pulled all of the money out. There are safeguards in place that would notify you by e-mail and paper mail for each of those steps. The elderly person didn't notice any of these notifications.

IMOP, this kind of fraud is fairly easy to guard against. The obvious steps are;
1) Set up and use the internet access that your financial institution makes available to you. Unfortunately, in many cases all you need for first time access is account information and a Social Security number, both of which are now easy to get. Once you set up your account access with a long password you keep in a password manager and 2 factor identification, it is much harder to gain internet access to your account.
2) Pay attention to any notices of changes to your account. I strongly prefer e-mail notices because I can get it when traveling but for people who are more home bound, paper is good too.
3) Check your balances at least once a month. I check them weekly with Quicken as part of my Monday morning bill paying routine.
4) Check your brokerage's stated policy on restitution and only uses a broker that will recompense you for fraud. Vanguard states that they will make good any losses that are caused by fraud so long as you follow their guidelines for keeping your account secure.

If you are not willing to do these 4 things, then you're leaving the keys in the lock.
Lorne

LeeMKE
Posts: 1767
Joined: Mon Oct 14, 2013 9:40 pm

Re: Evidence that retirement account ID theft is increasing

Post by LeeMKE » Fri Feb 23, 2018 6:21 pm

+1 Lorne
There are some things we must do to protect ourselves, since users are the weak link in the cases cited.

BUT some things we aren't so able to thwart, and those kinds of data breaches will become more prevalent. This article cites a survey of 80 experts, who expect a catastrophic data breach in the next 3 years:
http://www.nextgov.com/cybersecurity/20 ... 21/146143/

Here's what I do in anticipation:

Keep an account completely separate and at a different brokerage with enough money to get you through a 6 month period of being unable to use your main accounts due to a data breach. If you can wait for recovery of a data breach, you'll sleep easier at night and be able to wait patiently for the firm to recover/reconstruct accounts.

In our case, we keep all financial issues on one login. DH has no access to anything. So, if he accidentally gets scammed, a breach of his network/computer/smart phone can be ignored and just replace the device. This means I have to document where things are, and brief him annually, so in case of my demise, he knows where to start looking for assets. He'll have to make a trip to banks and probably Fidelity to get himself setup with access to our accounts, but that's easy compared to dealing with identity theft or infiltration of our accounts.

I'm the naturally paranoid one, from a background in cybersecurity, so I use a VPN and delete emails that "friends" send with links or photos for download. I can look over DH shoulder to see the precious kid's photos on his email if I get curious.
The mightiest Oak is just a nut who stayed the course.

RRAAYY3
Posts: 926
Joined: Thu Jan 17, 2013 12:32 pm

Re: Evidence that retirement account ID theft is increasing

Post by RRAAYY3 » Fri Feb 23, 2018 6:27 pm

So 93% of accounts are a non issue

I love people that actively seek out things to worry about. Happy Friday BH! See ya Monday.

JAFFX2
Posts: 12
Joined: Sun May 21, 2017 2:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by JAFFX2 » Fri Feb 23, 2018 10:21 pm

Multi-factor authentication on all your accounts

User avatar
Watty
Posts: 14397
Joined: Wed Oct 10, 2007 3:55 pm

Re: Evidence that retirement account ID theft is increasing

Post by Watty » Fri Feb 23, 2018 10:30 pm

tractorguy wrote:
Fri Feb 23, 2018 9:20 am
The elderly person didn't notice any of these notifications.

IMOP, this kind of fraud is fairly easy to guard against. The obvious steps are;

Things like this may not be easy for an elderly person even if they were computer literate in their younger days.

delamer
Posts: 6283
Joined: Tue Feb 08, 2011 6:13 pm

Re: Evidence that retirement account ID theft is increasing

Post by delamer » Fri Feb 23, 2018 10:41 pm

RRAAYY3 wrote:
Fri Feb 23, 2018 6:27 pm
So 93% of accounts are a non issue

I love people that actively seek out things to worry about. Happy Friday BH! See ya Monday.

Nope.

The percent of all non-card financial fraud that involved retirement accounts went from 2% to 7%. So if the only two types of fraud were hotel rewards fraud and retirement account, the portion involving hotel rewards was down and the portion involving retirement accounts was up. Could just be that there was an absolute decrease in hotel rewards fraud.

I bet that the percent of retirement accounts actually affected was way less.

Not that people shouldn’t take precautions, but I agree with that this is way, way down on my list of things to worry about.

But I do like the idea of having a finances-only e-mail address.

kagantx
Posts: 25
Joined: Sun Feb 04, 2018 1:39 am

Re: Evidence that retirement account ID theft is increasing

Post by kagantx » Sat Feb 24, 2018 11:57 am

It's true that the chance of theft may be low, but if theft happens it is completely devastating. 93% safety is nowhere near enough for such a catastrophic risk.

delamer
Posts: 6283
Joined: Tue Feb 08, 2011 6:13 pm

Re: Evidence that retirement account ID theft is increasing

Post by delamer » Sat Feb 24, 2018 12:47 pm

kagantx wrote:
Sat Feb 24, 2018 11:57 am
It's true that the chance of theft may be low, but if theft happens it is completely devastating. 93% safety is nowhere near enough for such a catastrophic risk.

It isn’t 93% safety. The 7% is the portion of non-card related financial fraud that involved retirement accounts.

It is NOT the percent of retirement accounts that were accessed fraudulently. I am sure that is much lower.

But agreed that it is devastating if you are the victim, and precautions are important.

Call_Me_Op
Posts: 7045
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Evidence that retirement account ID theft is increasing

Post by Call_Me_Op » Sat Feb 24, 2018 1:11 pm

RRAAYY3 wrote:
Fri Feb 23, 2018 6:27 pm
So 93% of accounts are a non issue

I love people that actively seek out things to worry about. Happy Friday BH! See ya Monday.
I don't agree with your math, but if the chance of having your retirement savings wiped-out is 1%, is that OK with you? It's not OK with me
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

RRAAYY3
Posts: 926
Joined: Thu Jan 17, 2013 12:32 pm

Re: Evidence that retirement account ID theft is increasing

Post by RRAAYY3 » Sat Feb 24, 2018 1:22 pm

Call_Me_Op wrote:
Sat Feb 24, 2018 1:11 pm
RRAAYY3 wrote:
Fri Feb 23, 2018 6:27 pm
So 93% of accounts are a non issue

I love people that actively seek out things to worry about. Happy Friday BH! See ya Monday.
I don't agree with your math, but if the chance of having your retirement savings wiped-out is 1%, is that OK with you? It's not OK with me
I prefer worrying about things I can actually control

User avatar
rustymutt
Posts: 3732
Joined: Sat Mar 07, 2009 12:03 pm
Location: Oklahoma

Re: Evidence that retirement account ID theft is increasing

Post by rustymutt » Sat Feb 24, 2018 1:40 pm

bikechuck wrote:
Thu Feb 22, 2018 11:42 am
This scares the BEJESUS out of me.

THEN YOU NEED THE ADDED SECURITY OF LIFEHACKED.

lol :moneybag
I'm amazed at the wealth of Knowledge others gather, and share over a lifetime of learning. The mind is truly unique. It's nice when we use it!

JBTX
Posts: 4107
Joined: Wed Jul 26, 2017 12:46 pm

Re: Evidence that retirement account ID theft is increasing

Post by JBTX » Sat Feb 24, 2018 1:57 pm

Not to minimize the issue, but when a site is quoting in detail an anonymous post from bogleheads as evidence that isn’t Pulitzer Prize winning journalism.

I do worry about some older people who don’t use online access. They may become easier targets as they have no online defenses set up.

If nothing else maybe some people will cease and desist with the “don’t peek” advice or not looking at your financial account info/statements, etc.

Also lots of people pride themselves of how they have abandoned quicken but for me it is an easy way to check everything that I have on a weekly basis and any sort of depletion like this would rapidly become apparent.

Finally I hope financial institutions will wake up to the social engineering threat. The best laid security precautions can’t prevent a gullible CSR allowing a friendly sounding fraudster to change a password. The challenge FI have is they still have many older people who conduct transactions via telephone and extra measures of security tend to come at the expense of ease of use and customer service.

User avatar
Index Fan
Posts: 2555
Joined: Wed Mar 07, 2007 12:13 pm
Location: The great Midwest

Re: Evidence that retirement account ID theft is increasing

Post by Index Fan » Sat Feb 24, 2018 2:30 pm

I check my financial-only email frequently because any kind of fraud will show up in my email box (changing addresses, changing passwords, new email, new bank account, withdraws etc.).

It's really not that hard.
"Optimum est pati quod emendare non possis." | -Seneca

LeeMKE
Posts: 1767
Joined: Mon Oct 14, 2013 9:40 pm

Re: Evidence that retirement account ID theft is increasing

Post by LeeMKE » Sat Feb 24, 2018 7:04 pm

Finally I hope financial institutions will wake up to the social engineering threat. The best laid security precautions can’t prevent a gullible CSR allowing a friendly sounding fraudster to change a password. The challenge FI have is they still have many older people who conduct transactions via telephone and extra measures of security tend to come at the expense of ease of use and customer service.
Actually, the challenge IMHO is that management knows they won't be awarded higher anything (marketshare, profits, customer loyalty) for instituting stronger protections. And NOTHING will happen to them if an attack takes them down, or their customer's data (i.e. Experian). So, the motivations are not in the right place to spend time/energy on cybersecurity.

A massive disruption will have to happen before this changes. In the meantime, we are on our own to protect ourselves.

AND the good news is, unless you are a celebrity target, you only have to be slightly better than your neighbor. Like putting on your running shoes when faced with a bear: you don't need to outrun the bear (futile), you just need to outrun your neighbor. Criminals will move on to the next target if they run into better than ordinary security/reluctance to click/failure to respond to a phone call from your "grandchild."

Ordinary people just need to know and be reminded of simple measures to keep themselves safer. There ain't no such thing as safe, so we just do "good enough" safety. Don't be scared, just be wary and slow to click.
The mightiest Oak is just a nut who stayed the course.

User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by tadamsmar » Sun Feb 25, 2018 4:08 pm

kagantx wrote:
Sat Feb 24, 2018 11:57 am
It's true that the chance of theft may be low, but if theft happens it is completely devastating. 93% safety is nowhere near enough for such a catastrophic risk.
Actually, the theft is not devastating if it is reimbursed by the brokerage or mutual fund company.

User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by tadamsmar » Sun Feb 25, 2018 6:40 pm

tractorguy wrote:
Fri Feb 23, 2018 9:20 am
I'm not sure where the 7% of non credit card fraud number comes from and I don't believe it. I think we'd be hearing a lot more about these kinds of fraud events if it was as high as this.
According to the article cited in the OP, 7% number comes from the annual Javelin Strategy survey:

https://www.javelinstrategy.com/press-r ... ew-javelin

Unfortunately, full access the the survey is not free of charge.

One reason that we might not be hearing more about these kinds of events is that they don't have to be disclosed to the public and the fraud is typically reimbursed after a non-disclosure agreement is signed by the client.

If there were lots of actual losses due to fraud (except maybe intra-family "fraud" losses due to password sharing) on brokerage clients, then I am sure we would be hearing a lot more about these kinds of fraud events.

User avatar
siamond
Posts: 4239
Joined: Mon May 28, 2012 5:50 am

Re: Evidence that retirement account ID theft is increasing

Post by siamond » Sun Feb 25, 2018 6:46 pm

Top99% wrote:
Fri Feb 23, 2018 8:50 am
One thing that can help mitigate this is to use a dedicated email account for associating with your financial accounts. Use a strong password and multifactor authentication for that email account. Don't use this email account for anything else.
Just curious. I've been hesitating to do that, but I'm not there yet. Could you please elaborate on practicalities? Do you check this e-mail account every day (or week)? Do you have some automatic forwarding rule towards your regular e-mail? It can be really important to act ASAP on alerts...

User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by tadamsmar » Sun Feb 25, 2018 6:51 pm

delamer wrote:
Fri Feb 23, 2018 10:41 pm
RRAAYY3 wrote:
Fri Feb 23, 2018 6:27 pm
So 93% of accounts are a non issue

I love people that actively seek out things to worry about. Happy Friday BH! See ya Monday.

Nope.

The percent of all non-card financial fraud that involved retirement accounts went from 2% to 7%. So if the only two types of fraud were hotel rewards fraud and retirement account, the portion involving hotel rewards was down and the portion involving retirement accounts was up. Could just be that there was an absolute decrease in hotel rewards fraud.
According to the cited report, non-card fraud increased and the percentage due to brokerage accounts also increased from 2% to 7%:
This increase was driven by growth in both existing non-card fraud and account takeover (ATO).
https://www.javelinstrategy.com/press-r ... ew-javelin

User avatar
siamond
Posts: 4239
Joined: Mon May 28, 2012 5:50 am

Re: Evidence that retirement account ID theft is increasing

Post by siamond » Sun Feb 25, 2018 6:52 pm

tadamsmar wrote:
Thu Feb 22, 2018 10:36 am
But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non card fraud. In 2017, that swelled to 7% — more the tripling in one year.
Better go to the source, the Javelin report itself, instead of some blogger 'summarizing' (and distorting) the content:
https://www.javelinstrategy.com/coverag ... complexity

One has to register (and likely pay) for the full content though...

JBTX
Posts: 4107
Joined: Wed Jul 26, 2017 12:46 pm

Re: Evidence that retirement account ID theft is increasing

Post by JBTX » Sun Feb 25, 2018 7:54 pm

siamond wrote:
Sun Feb 25, 2018 6:46 pm
Top99% wrote:
Fri Feb 23, 2018 8:50 am
One thing that can help mitigate this is to use a dedicated email account for associating with your financial accounts. Use a strong password and multifactor authentication for that email account. Don't use this email account for anything else.
Just curious. I've been hesitating to do that, but I'm not there yet. Could you please elaborate on practicalities? Do you check this e-mail account every day (or week)? Do you have some automatic forwarding rule towards your regular e-mail? It can be really important to act ASAP on alerts...
I guess the theory is if you have a separate email used only for Fin accts, it isn't as likely to be out there in the web stratosphere, and that is one less identifier for friendly fraudster to give to gullible CSR rep. Even moreso if the email is used for multi factor authentification.

Makes sense, kinda, but I haven't pulled the trigger yet, for the reasons you list. I check my regular email frequently - but I would have to condition myself to check this other one too. However, in whatever inbox you use, you can have this alternate email go into your main inbox, like Outlook. With iphone, I guess you'd have to select all inboxes to monitor it, unless could remember to check it separately.

lazyday
Posts: 3297
Joined: Wed Mar 14, 2007 10:27 pm

Re: Evidence that retirement account ID theft is increasing

Post by lazyday » Mon Feb 26, 2018 4:23 am

You could use three email addresses and only check one:

One public address that is used for friends, family, forums, businesses, etc. Even if this account is compromised so that others can read your mail, your assets are safe.

One address given only to banks and brokers. By limiting who knows this address, it may be more difficult to social engineer an attack on your assets.

One completely private address given to nobody other than your email provider. The other two addresses are set to forward to this one.

I don't use email on a smartphone, so may be unaware of some downsides.

User avatar
tadamsmar
Posts: 7828
Joined: Mon May 07, 2007 12:33 pm

Re: Evidence that retirement account ID theft is increasing

Post by tadamsmar » Mon Feb 26, 2018 8:28 am

siamond wrote:
Sun Feb 25, 2018 6:52 pm
tadamsmar wrote:
Thu Feb 22, 2018 10:36 am
But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non card fraud. In 2017, that swelled to 7% — more the tripling in one year.
Better go to the source, the Javelin report itself, instead of some blogger 'summarizing' (and distorting) the content:
https://www.javelinstrategy.com/coverag ... complexity

One has to register (and likely pay) for the full content though...
How was the content distorted?

User avatar
Top99%
Posts: 334
Joined: Sat Apr 22, 2017 9:30 am
Location: Austin, TX

Re: Evidence that retirement account ID theft is increasing

Post by Top99% » Mon Feb 26, 2018 11:03 am

siamond wrote:
Sun Feb 25, 2018 6:46 pm
Top99% wrote:
Fri Feb 23, 2018 8:50 am
One thing that can help mitigate this is to use a dedicated email account for associating with your financial accounts. Use a strong password and multifactor authentication for that email account. Don't use this email account for anything else.
Just curious. I've been hesitating to do that, but I'm not there yet. Could you please elaborate on practicalities? Do you check this e-mail account every day (or week)? Do you have some automatic forwarding rule towards your regular e-mail? It can be really important to act ASAP on alerts...
I just have it setup as a separate email account with its own "alert tone" so that when I get an email to that account it is easy to identify.
Basically I have 3 email accounts:
1) One Yahoo account I use for the numerous general sites that require email IDs when setting up accounts. For example, sites like Bogleheads. This is the email account I use for anything likely to generate lots of inbound spam. I only check this once / week or so mainly to clean out the spam.
2) One GMail account I use for more important stuff like utility accounts, credit card accounts etc. I also use this account for inbound email from friends and family.
3) One Gmail I use for finance only.
On most smart phones you can choose notification methods / tones so for 3) I pick something that will make it stand out.
Adapt or perish

User avatar
samsoes
Posts: 879
Joined: Tue Mar 05, 2013 9:12 am
Location: Northeast Rat Race

Re: Evidence that retirement account ID theft is increasing

Post by samsoes » Mon Feb 26, 2018 11:30 am

Top99% wrote:
Mon Feb 26, 2018 11:03 am

3) One Gmail I use for finance only.
On most smart phones you can choose notification methods / tones so for 3) I pick something that will make it stand out.
Hmmm...interesting idea. I think I'd go with a super secure email account like protonmail tho.

One thing gmail is not: secure.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)

Post Reply