ACATS Transfer thefts from Fidelity

chw
Posts: 1238
Joined: Thu May 24, 2012 4:22 pm

Re: ACATS Transfer thefts from Fidelity

Post by chw »

grok87 wrote: Sun Jul 03, 2022 12:19 pm
chw wrote: Sun Jul 03, 2022 11:06 am This ACATS transfer issue certainly is troubling. At a minimum Lockdown seems to be advised for all Fidelity based accounts. 2 factor authentication and text alerts also seem to be mandatory for all. I didn’t know about lockdown until today, and did activate it. A bit of a hassle to disable for the occasional transfer of cash out, but seems easy enough to turn off when doing a transfer. I thought I was well protected with 2FA, but the fraudsters seem to always have workarounds.

It would seem the financial regulators should do a better job working with financial institutions to stay ahead of KYC and institute other safeguards to protect the public. Sadly, I believe much of this is driven by ease of doing business on-line. I think instituting some old-school protocols may avoid some of the transfer issues.
can you please elaborate on the "bit of a hassle to disable for the occasional transfer of cash out" please?
I've used auto transfer for any dividend/capital gain distributions from my brokerage account to my external bank account. It's a nice feature to use to not have to "sweep" any accumulations of cash in the taxable brokerage account to my external bank manually. However, not a big deal for the additional peace of mind with security provided by the Lockdown feature. Just an extra step or two to initiate the transfer in addition to looking out for cash accumulations in my taxable account.
Hockey10
Posts: 1031
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: ACATS Transfer thefts from Fidelity

Post by Hockey10 »

JoMoney wrote: Sun Jul 03, 2022 10:34 am
Hockey10 wrote: Sun Jul 03, 2022 10:27 am
quietseas wrote: Sun Jul 03, 2022 9:37 am Does the Fidelity lockdown also stop ACH transfers out to existing linked bank accounts?
Yes, it prevents a transfer.

I make occasional transfers from my Fidelity brokerage account to an external bank checking account. First I turn off the lockdown in Fidelity. Then I make the transfer. Then I turn lockdown back on. Whenever lockdown is turned off or on, Fidelity sends me an alert.
I'm still waiting to see results for myself, but from how Fidelity tags transactions in my account, it appears that it DOES NOT stop an ACH transfer out if it's initiated from another bank (which it lists as "DIRECT DEBIT"), but does stop you from initiating the transfer as a 'push' from the Fidelity side to an outside account (which it lists as "ELECTRONIC FUNDS TRANSFER".)
I have only done the "push" transactions from Fidelity. Have never attempted a "pull" transaction from an external bank.
student
Posts: 7118
Joined: Fri Apr 03, 2015 6:58 am

Re: ACATS Transfer thefts from Fidelity

Post by student »

anon_investor wrote: Sun Jul 03, 2022 12:57 pm
student wrote: Sun Jul 03, 2022 12:55 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm
student wrote: Sun Jul 03, 2022 12:43 pm
RetiredAL wrote: Sun Jul 03, 2022 12:39 pm

Careful there!

When the thief has the real owner's name, address, account number, SS number, Customer Service is likely to accept the thief's phone call as the real owner and then to execute over-the-phone instructions.
I think etrade texts a number to your cellphone as part of the process.
If the bad guy created the etrade account, won't the etrade text go to the bad guy?
I already have an etrade account. Now that I know how to add an extra layer of security at Fidelity to protect my money at Fidelity, I wanted to know how to add an extra layer of security at etrade to protect my money at etrade too. (Luckywon said I can have a no funds out by calling.)
I wonder if Vanguard or Merrill Edge has anything similar.
I want to know too. My guess is if this becomes widespread, everyone will come up with something. Joke: Do we see medallion signature guarantee in the future?
marcopolo
Posts: 6470
Joined: Sat Dec 03, 2016 10:22 am

Re: ACATS Transfer thefts from Fidelity

Post by marcopolo »

Anyone know if the lockdown feature at Fidelity also stops dividends directed to another fidelity account?

We have separate Brokerage and CMA accounts. Use CMA for most financial transactions.
Brokerage dividends and cap gains distribution are automatically sent to CMA.

I am thinking about locking down the brokerage account, but not the CMA account, wondering if those re-directed dividends will be blocked.
Once in a while you get shown the light, in the strangest of places if you look at it right.
nyinvestor718
Posts: 161
Joined: Thu Mar 05, 2009 7:59 am
Location: New York City

Re: ACATS Transfer thefts from Fidelity

Post by nyinvestor718 »

student wrote: Sun Jul 03, 2022 1:18 pm
anon_investor wrote: Sun Jul 03, 2022 12:57 pm
student wrote: Sun Jul 03, 2022 12:55 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm
student wrote: Sun Jul 03, 2022 12:43 pm

I think etrade texts a number to your cellphone as part of the process.
If the bad guy created the etrade account, won't the etrade text go to the bad guy?
I already have an etrade account. Now that I know how to add an extra layer of security at Fidelity to protect my money at Fidelity, I wanted to know how to add an extra layer of security at etrade to protect my money at etrade too. (Luckywon said I can have a no funds out by calling.)
I wonder if Vanguard or Merrill Edge has anything similar.
I want to know too. My guess is if this becomes widespread, everyone will come up with something. Joke: Do we see medallion signature guarantee in the future?
I really hope this becomes common practice in light of what's happening.
Judge Learned Hand: "Any one may so arrange his affairs that his taxes shall be as low as possible; he is not bound to choose that pattern which will best pay the Treasury".
urban
Posts: 98
Joined: Wed Apr 14, 2021 12:36 am

Re: ACATS Transfer thefts from Fidelity

Post by urban »

anon_investor wrote: Sun Jul 03, 2022 12:45 pm If the bad guy created the etrade account, won't the etrade text go to the bad guy?
From my recent experience, ETrade takes very seriously the business of opening new brokerage accounts. For a joint account we have to provide both our gov issued IDs. I would not be surprised if they ran a background check on us, to make sure we are who we stated we are.
Last edited by urban on Sun Jul 03, 2022 1:25 pm, edited 3 times in total.
anon_investor
Posts: 12311
Joined: Mon Jun 03, 2019 1:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by anon_investor »

student wrote: Sun Jul 03, 2022 1:18 pm
anon_investor wrote: Sun Jul 03, 2022 12:57 pm
student wrote: Sun Jul 03, 2022 12:55 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm
student wrote: Sun Jul 03, 2022 12:43 pm

I think etrade texts a number to your cellphone as part of the process.
If the bad guy created the etrade account, won't the etrade text go to the bad guy?
I already have an etrade account. Now that I know how to add an extra layer of security at Fidelity to protect my money at Fidelity, I wanted to know how to add an extra layer of security at etrade to protect my money at etrade too. (Luckywon said I can have a no funds out by calling.)
I wonder if Vanguard or Merrill Edge has anything similar.
I want to know too. My guess is if this becomes widespread, everyone will come up with something. Joke: Do we see medallion signature guarantee in the future?
Who knew Treasury Direct was so cutting edge!
AQ
Posts: 719
Joined: Mon Feb 25, 2008 11:38 pm

Re: ACATS Transfer thefts from Fidelity

Post by AQ »

For those who have already done this, how easy is it at Fidelity to turn off 'lockdown mode'? Is it just simply going online and toggling the button on/off, and funds are immediately available to transfer out? Or does it involve many validation steps, checking ID, proving I am who I claim I am, etc., and then waiting for snail mail for 2 weeks, etc.?
drk
Posts: 3608
Joined: Mon Jul 24, 2017 10:33 pm
Location: Overlooking Elliott Bay

Re: ACATS Transfer thefts from Fidelity

Post by drk »

AQ wrote: Sun Jul 03, 2022 1:58 pm For those who have already done this, how easy is it at Fidelity to turn off 'lockdown mode'? Is it just simply going online and toggling the button on/off, and funds are immediately available to transfer out? Or does it involve many validation steps, checking ID, proving I am who I claim I am, etc., and then waiting for snail mail for 2 weeks, etc.?
Yes, it's that simple. I turned it on to see what would and wouldn't work, then turned it off.
beyou
Posts: 4720
Joined: Sat Feb 27, 2010 3:57 pm
Location: If you can make it there

Re: ACATS Transfer thefts from Fidelity

Post by beyou »

BernardShakey wrote: Sun Jul 03, 2022 11:05 am
beyou wrote: Sun Jul 03, 2022 5:59 am
catnapper wrote: Sat Jul 02, 2022 3:13 pm
frisco wrote: Sat Jul 02, 2022 3:10 pm
Does anyone know whether “Transfers between Fidelity accounts” affects 401(k) BrokerageLink contributions?
Not sure if this answers your question, but when I set up lockdown, it said:
"Note: Workplace savings accounts, such as 401(k) accounts, are not eligible for lockdown mode at this time."
Irrelevant. ACAT does not work for 401k accounts.
One must get cash by calling or online request to liquidate funds. Security behind the request may vary significantly from 401k provider to 401k provider, but a totally separate process.
Maybe a good reason to leave my money in my 401k when I retire :wink:
One of many reasons and tradeoffs.
rkhusky
Posts: 13087
Joined: Thu Aug 18, 2011 8:09 pm

Re: ACATS Transfer thefts from Fidelity

Post by rkhusky »

student wrote: Sun Jul 03, 2022 1:18 pm I want to know too. My guess is if this becomes widespread, everyone will come up with something. Joke: Do we see medallion signature guarantee in the future?
Or you will have to video chat with a teller and show your ID.
typical.investor
Posts: 3585
Joined: Mon Jun 11, 2018 3:17 am

Re: ACATS Transfer thefts from Fidelity

Post by typical.investor »

urban wrote: Sun Jul 03, 2022 1:21 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm If the bad guy created the etrade account, won't the etrade text go to the bad guy?
From my recent experience, ETrade takes very seriously the business of opening new brokerage accounts. For a joint account we have to provide both our gov issued IDs. I would not be surprised if they ran a background check on us, to make sure we are who we stated we are.
As they should. As a participant in ACATS they are required per FINRA regulation:
to execute the TIF Immobilization Program Agreement (Agreement), which specifies the rights, liabilities and remedies of all ACATS participants.

Under the Agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.
Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.

Honestly, do we really have any documented cases where there were customer losses?

I am a bit skeptical of claims that the brokerage industry or assets in the US are not safe. I think many people have a vested interest in people seeking out the 'alternatives' and that there are many false claims as to the safety and reliability of them.

So surely there is a documented figure on unreimbursed invalid ACAT transfers. FINRA would be tracking such a thing.

Yes, I believe ACAT fraud may be increasing, but I am not so certain on the actual effect to customers with a broker guarantee.

Anyway, here is the FINRA notice https://www.finra.org/rules-guidance/notices/21-18
JoMoney
Posts: 13902
Joined: Tue Jul 23, 2013 5:31 am

Re: ACATS Transfer thefts from Fidelity

Post by JoMoney »

Luckywon wrote: Sun Jul 03, 2022 11:16 am
JoMoney wrote: Sun Jul 03, 2022 11:07 am
Luckywon wrote: Sun Jul 03, 2022 10:44 am
student wrote: Sun Jul 03, 2022 9:34 am
Luckywon wrote: Sat Jul 02, 2022 11:15 am
Etrade has an even more robust option "no funds out". Schwab had no similar option the last time I asked, which in my opinion is one of their few weaknesses.
How do I enroll in "no funds out" option at Etrade?
Enrolling and temporarily lifting must be done on phone and they will verify identity with a text code and asking identity questions.

Unlike Fidelity's Account Lockdown, where checks, billpay debits are not blocked, Etrade's No Funds Out blocks funds going out in any form, so I think it is better.
FWIW, if you didn't want the checks, billpay, debit card, etc.. functionality on your Fidelity account you can not enable it and/or dis-enroll in it, and worth noting that you can't transfer or impact securities with those features either, only cash available for withdrawal in the account can be debited.
That's interesting, if you disable billpay do all your payees get wiped such that you have to set up anew?

How do I block/unblock check being cashed at Fidelity? I'd definitely have that blocked most of the time.
I don't know, I expect if you didn't enable Bill-pay or check writing on the account to begin with, that would be best if you're concerned about those features
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

whodidntante wrote: Sun Jul 03, 2022 12:54 pm
lws wrote: Sun Jul 03, 2022 12:51 pm
UpperNwGuy wrote: Sat Jul 02, 2022 3:29 pm People here keep posting the advice (bad advice in my opinion) that investors should only check their balances once or twice a year. Perhaps that advice helps with behavioral investing errors, but it's bad advice for account security. I check my balances daily for this reason. I don't want any funds to mysteriously disappear from my accounts.
Totally agree.
This is one stash you don't want to vanish.
Don't depend only on notifications.
You may not get them all.
I always thought that advice originates from people who have never been the victim of serious theft. I could be wrong.
At a minimum, you need to check every statement because the cutting of a statement starts a clock for reporting errors that first show up on the given statement.
Last edited by Northern Flicker on Sun Jul 03, 2022 4:57 pm, edited 1 time in total.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
marcopolo
Posts: 6470
Joined: Sat Dec 03, 2016 10:22 am

Re: ACATS Transfer thefts from Fidelity

Post by marcopolo »

typical.investor wrote: Sun Jul 03, 2022 2:28 pm
urban wrote: Sun Jul 03, 2022 1:21 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm If the bad guy created the etrade account, won't the etrade text go to the bad guy?
From my recent experience, ETrade takes very seriously the business of opening new brokerage accounts. For a joint account we have to provide both our gov issued IDs. I would not be surprised if they ran a background check on us, to make sure we are who we stated we are.
As they should. As a participant in ACATS they are required per FINRA regulation:
to execute the TIF Immobilization Program Agreement (Agreement), which specifies the rights, liabilities and remedies of all ACATS participants.

Under the Agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.
Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.

Honestly, do we really have any documented cases where there were customer losses?

I am a bit skeptical of claims that the brokerage industry or assets in the US are not safe. I think many people have a vested interest in people seeking out the 'alternatives' and that there are many false claims as to the safety and reliability of them.

So surely there is a documented figure on unreimbursed invalid ACAT transfers. FINRA would be tracking such a thing.

Yes, I believe ACAT fraud may be increasing, but I am not so certain on the actual effect to customers with a broker guarantee.

Anyway, here is the FINRA notice https://www.finra.org/rules-guidance/notices/21-18
I suspect you are right that these customers will be made whole eventually.

But, taking a few simple steps like locking down brokerage accounts seems like a prudent way to avoid possible days/weeks/months? of concern while the investigations are completed and the issues resolved.
Once in a while you get shown the light, in the strangest of places if you look at it right.
whodidntante
Posts: 11003
Joined: Thu Jan 21, 2016 11:11 pm
Location: outside the echo chamber

Re: ACATS Transfer thefts from Fidelity

Post by whodidntante »

typical.investor wrote: Sun Jul 03, 2022 2:28 pm Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.
I don't think Fidelity is at fault. I think E*TRADE is. They are the ones who allowed someone to create an account under false pretenses, transfer assets to it, liquidate those assets, and move the proceeds out of the country. All Fidelity did was to act on an ACATS request, which they are required to do.
mary1492
Posts: 664
Joined: Thu Oct 17, 2019 3:02 am

Re: ACATS Transfer thefts from Fidelity

Post by mary1492 »

typical.investor wrote: Sun Jul 03, 2022 2:28 pm
urban wrote: Sun Jul 03, 2022 1:21 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm If the bad guy created the etrade account, won't the etrade text go to the bad guy?
From my recent experience, ETrade takes very seriously the business of opening new brokerage accounts. For a joint account we have to provide both our gov issued IDs. I would not be surprised if they ran a background check on us, to make sure we are who we stated we are.
As they should. As a participant in ACATS they are required per FINRA regulation:
to execute the TIF Immobilization Program Agreement (Agreement), which specifies the rights, liabilities and remedies of all ACATS participants.

Under the Agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.
Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.

Honestly, do we really have any documented cases where there were customer losses?

I am a bit skeptical of claims that the brokerage industry or assets in the US are not safe. I think many people have a vested interest in people seeking out the 'alternatives' and that there are many false claims as to the safety and reliability of them.

So surely there is a documented figure on unreimbursed invalid ACAT transfers. FINRA would be tracking such a thing.

Yes, I believe ACAT fraud may be increasing, but I am not so certain on the actual effect to customers with a broker guarantee.

Anyway, here is the FINRA notice https://www.finra.org/rules-guidance/notices/21-18
So, given the choice of simply clicking the button to turn on the feature, or not doing it and potentially having your account emptied, your choice is to not click the button and assume the brokerage has you covered? Why wait to find out if they've got you covered or not? To be honest, I really don't see anything negative to this Fidelity feature. Seems less of a burden than 2FA, and most everyone understands why that is worthwhile...even if it doesn't provide 100% protection. My view is that you take advantage of the features offered to you to reduce the potential of something bad happening wherever possible. Why provide an opening when you can easily prevent it? Would Fidelity offer the feature if there were no value to it? Doubtful. I'm sure their software developers have plenty of other things they could be doing to generate revenue for the company.

Lastly, even if you are 100% correct and the brokerage will reimburse losses, you think it's something that will happen overnight? You call the main 800 number, tell them your account was emptied fraudulently and they automatically put back your $1MM+ immediately? I don't think so. It will be a long process.

An ounce of prevention ...
hoofaman
Posts: 474
Joined: Tue Jul 14, 2020 3:39 pm

Re: ACATS Transfer thefts from Fidelity

Post by hoofaman »

AQ wrote: Sun Jul 03, 2022 1:58 pm For those who have already done this, how easy is it at Fidelity to turn off 'lockdown mode'? Is it just simply going online and toggling the button on/off, and funds are immediately available to transfer out? Or does it involve many validation steps, checking ID, proving I am who I claim I am, etc., and then waiting for snail mail for 2 weeks, etc.?
It's easy to turn off, can be done on the website. Oh, and you can also call customer service and have them reset your 2FA authenticator. I was concerned with how easy it was, to be honest, with my own account, so I'm not sure how much confidence I would place in these measures, but at least the lockdown feature blocks external ACATS pulls; I didn't realize that.

It's too bad these financial institutions don't offer a time lock feature. Like, turn off outbound transfers and wait X days (chosen at lock time), so when you turn it on you're forced to wait for that configured time value.
Kruser64
Posts: 87
Joined: Wed Feb 20, 2019 6:41 pm

Re: ACATS Transfer thefts from Fidelity

Post by Kruser64 »

I wonder if having a Trusted Contact in place at the holding brokerage might slow down an ACATS transfer request? "Wait, you transferred out 7 figures and didn't bother to contact my on-file Trusted Contact?"

-Kruser64
mary1492
Posts: 664
Joined: Thu Oct 17, 2019 3:02 am

Re: ACATS Transfer thefts from Fidelity

Post by mary1492 »

Kruser64 wrote: Sun Jul 03, 2022 4:40 pm I wonder if having a Trusted Contact in place at the holding brokerage might slow down an ACATS transfer request? "Wait, you transferred out 7 figures and didn't bother to contact my on-file Trusted Contact?"

-Kruser64
That's not the purpose of a trusted contact.

https://www.fidelity.com/customer-servi ... ed-contact
A trusted contact is someone we can get in touch with in the event we're concerned about your:

Health,
Well-being, or
Welfare (due to exploitation, endangerment, or neglect)
Lastrun
Posts: 644
Joined: Wed May 03, 2017 6:46 pm

Re: ACATS Transfer thefts from Fidelity

Post by Lastrun »

outbackcountry wrote: Sat Jul 02, 2022 12:12 pm I turned on the Lockdown feature after reading that thread. Was wondering if there is anything similar at Vanguard or Schwab. Looks like there isn't. Not even a notification option when a transfer is initiated from outside. Scary!
I am confused by some of the posts here: When I go to the Vanguard Alerts page under profile I see this:

Asset transfer alerts

Initiated, in progress, and completed status messages for asset transfers

Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?

There are a couple of "no notification" and " shocking" posts on this thread and I think this needs clarification.

The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
urban
Posts: 98
Joined: Wed Apr 14, 2021 12:36 am

Re: ACATS Transfer thefts from Fidelity

Post by urban »

It seems that with all the alerts and restrictions placed on the existing brokerage account, the old-fashioned sure thing is to log in to that account every week or so, and quickly glance at the positions and transactions. Even if the account is already emptied, the money would be kept in the receiving brokerage for at least a couple of weeks or more, before those funds could be eligible to transfer outside, according to security protocols brokerages apply to transferred positions.
typical.investor
Posts: 3585
Joined: Mon Jun 11, 2018 3:17 am

Re: ACATS Transfer thefts from Fidelity

Post by typical.investor »

mary1492 wrote: Sun Jul 03, 2022 4:18 pm
typical.investor wrote: Sun Jul 03, 2022 2:28 pm
urban wrote: Sun Jul 03, 2022 1:21 pm
anon_investor wrote: Sun Jul 03, 2022 12:45 pm If the bad guy created the etrade account, won't the etrade text go to the bad guy?
From my recent experience, ETrade takes very seriously the business of opening new brokerage accounts. For a joint account we have to provide both our gov issued IDs. I would not be surprised if they ran a background check on us, to make sure we are who we stated we are.
As they should. As a participant in ACATS they are required per FINRA regulation:
to execute the TIF Immobilization Program Agreement (Agreement), which specifies the rights, liabilities and remedies of all ACATS participants.

Under the Agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.
Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.

Honestly, do we really have any documented cases where there were customer losses?

I am a bit skeptical of claims that the brokerage industry or assets in the US are not safe. I think many people have a vested interest in people seeking out the 'alternatives' and that there are many false claims as to the safety and reliability of them.

So surely there is a documented figure on unreimbursed invalid ACAT transfers. FINRA would be tracking such a thing.

Yes, I believe ACAT fraud may be increasing, but I am not so certain on the actual effect to customers with a broker guarantee.

Anyway, here is the FINRA notice https://www.finra.org/rules-guidance/notices/21-18
So, given the choice of simply clicking the button to turn on the feature, or not doing it and potentially having your account emptied, your choice is to not click the button and assume the brokerage has you covered? Why wait to find out if they've got you covered or not? To be honest, I really don't see anything negative to this Fidelity feature. Seems less of a burden than 2FA, and most everyone understands why that is worthwhile...even if it doesn't provide 100% protection. My view is that you take advantage of the features offered to you to reduce the potential of something bad happening wherever possible. Why provide an opening when you can easily prevent it? Would Fidelity offer the feature if there were no value to it? Doubtful. I'm sure their software developers have plenty of other things they could be doing to generate revenue for the company.

Lastly, even if you are 100% correct and the brokerage will reimburse losses, you think it's something that will happen overnight? You call the main 800 number, tell them your account was emptied fraudulently and they automatically put back your $1MM+ immediately? I don't think so. It will be a long process.

An ounce of prevention ...
I am using 2FA and Schwab mails me when assets are transferred out.

The Reddit thread the OP cites suggests there is no broker protection and that is cited in posts here as being an established fact. I am saying I disagree, not that precaution when possible isn't warranted.
urban
Posts: 98
Joined: Wed Apr 14, 2021 12:36 am

Re: ACATS Transfer thefts from Fidelity

Post by urban »

Lastrun wrote: Sun Jul 03, 2022 4:48 pm The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
My checking account, where I keep barely enough money to pay the next few bills, has more security alert settings than VG and ETrade.
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

anon_investor wrote: Sat Jul 02, 2022 4:36 pm With a combo of money transfer lockdown and 2FA using authenticator app only, Fidelity seems the most secure of my brokerage accounts (others are Vanguard and Merrill Edge).
Unlike the authentication used in the FIDO2 protocol with a Yubikey, the authenticator app does not protect against man-in-the-middle attacks, which, among other things, could turn off the account protection switch for instance.
Last edited by Northern Flicker on Sun Jul 03, 2022 5:22 pm, edited 1 time in total.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
sc9182
Posts: 1020
Joined: Wed Aug 17, 2016 7:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by sc9182 »

Think we may know how the OP reddit case ended (with good resolution):

The Reddit user persisted with Fidelity (and gave a serious heads-up to the destination brokerage) - but continued to persist with Fidelity - and with their fraud management team. Between Fidelity and the destination brokerage (fake account) — Fidelity brought back all the lots /identical/ including their original tax basis. All good, taken care of by Fidelity - took about 1.5 to 2 months - since the time the user first reported this fraudulent transaction to Fidelity.
Last edited by sc9182 on Sun Jul 03, 2022 6:30 pm, edited 1 time in total.
lazynovice
Posts: 2887
Joined: Mon Apr 16, 2012 10:48 pm

Re: ACATS Transfer thefts from Fidelity

Post by lazynovice »

whodidntante wrote: Sun Jul 03, 2022 4:11 pm
typical.investor wrote: Sun Jul 03, 2022 2:28 pm Are there really cases where Fidelity didn't reimburse per their guarantee? Fidelity wouldn't seem to be liable for losses so really they would have no reason not to.
I don't think Fidelity is at fault. I think E*TRADE is. They are the ones who allowed someone to create an account under false pretenses, transfer assets to it, liquidate those assets, and move the proceeds out of the country. All Fidelity did was to act on an ACATS request, which they are required to do.
This is a Reddit post. We don’t even know that it actually happened. When I go through the first few steps of an e-trade new account set up, I get to this warning:

“What this means for you:
When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also utilize a third-party information provider for verification purposes and/or ask for a copy of your driver's license or other identifying documents.”

Every account I have ever set up anywhere has asked for me to answer questions about which car I have owned, which address I have lived at, company I have been associated with etc. In the last few years, they’ve required an upload of my driver’s license. Is that all on the dark web? Maybe but most thieves aren’t working that hard. And getting a copy of my driver’s license would be pretty tough.

So did e-trade not follow its procedures or did this really happen the way the Reddit post states? We’ll know if the poster gets interviewed by a reputable news source.
Broken Man 1999
Posts: 7484
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: ACATS Transfer thefts from Fidelity

Post by Broken Man 1999 »

Lastrun wrote: Sun Jul 03, 2022 4:48 pm
outbackcountry wrote: Sat Jul 02, 2022 12:12 pm I turned on the Lockdown feature after reading that thread. Was wondering if there is anything similar at Vanguard or Schwab. Looks like there isn't. Not even a notification option when a transfer is initiated from outside. Scary!
I am confused by some of the posts here: When I go to the Vanguard Alerts page under profile I see this:

Asset transfer alerts

Initiated, in progress, and completed status messages for asset transfers

Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?

There are a couple of "no notification" and " shocking" posts on this thread and I think this needs clarification.

The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
Seems Vanguard offers plenty of alerts to me.

Account profile alerts
Add, edit, and delete linked bank accounts
Email alert Text alert
A password is changed, a security question and answer are changed, or my password is locked on the web or through an app.
Email alert Text alert
Transaction alerts
Buy, sell, and exchange Vanguard mutual funds
Email alert Text alert
Buy, sell, and exchange non-Vanguard mutual funds
Email alert Text alert
Brokerage trade execution notices
Email alert Text alert
Asset transfer alerts
Initiated, in progress, and completed status messages for asset transfers
Email alert


What else would one want?

Based on posts here, not everyone reads their emails from Vanguard. One complaint is they have to wade thru all the product/marketing emails. But that is on them, you can avoid those type emails. I don't get any product/marketing emails unless I have a product that has new/updated info.

If you practice good email hygiene you won't receive so much spam to wade thru in the first place.

The ability to protect your Vanguard accounts via alerts is clearly available. You do need to respond to the alerts, otherwise Vanguard sees no issue with the info they have sent to you.

So, if you haven't set up your alerts, do so, and chillax.

Broken Man 1999
Last edited by Broken Man 1999 on Sun Jul 03, 2022 5:25 pm, edited 1 time in total.
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
Marseille07
Posts: 10487
Joined: Fri Nov 06, 2020 1:41 pm

Re: ACATS Transfer thefts from Fidelity

Post by Marseille07 »

whodidntante wrote: Sun Jul 03, 2022 4:11 pm I don't think Fidelity is at fault. I think E*TRADE is. They are the ones who allowed someone to create an account under false pretenses, transfer assets to it, liquidate those assets, and move the proceeds out of the country. All Fidelity did was to act on an ACATS request, which they are required to do.
E*Trade is not really at fault because when someone's ID is completely compromised, there's little they can do to detect fraud; every piece of information presented to them is presumably accurate and correct.

Fidelity on the other hand had full control over the ACATS request - all they had to do was to call the customer on file, and that would have reached the legitimate account holder.

I know my broker calls me and I've actually suspended my own ACATS when I cut a deal to stay.
Last edited by Marseille07 on Sun Jul 03, 2022 5:27 pm, edited 1 time in total.
US & FM (5% seed) | 350K Cash
lazynovice
Posts: 2887
Joined: Mon Apr 16, 2012 10:48 pm

Re: ACATS Transfer thefts from Fidelity

Post by lazynovice »

sc9182 wrote: Sun Jul 03, 2022 5:07 pm Think we may know how the OP reddit case ended (with good resolution):

The Reddit user persisted with Fidelity (and gave a serious heads-up to the destination brokerage) - but continued to persist with Fidelity - and with their risk management team. Between Fidelity and the destination brokerage (fake account) - Fidelity brought back all the lots /identical/, including their original tax basis. All good, taken care of by Fidelity - took about 1.5 to 2 months from the time the user first reported this fraudulent transaction to Fidelity.
Maybe you are phrasing this weirdly but the Reddit poster posted Friday. The shares were transferred to e-trade, sold and the cash transferred to BOA. There is no indication that the outcome is what you state since Friday.
Kruser64
Posts: 87
Joined: Wed Feb 20, 2019 6:41 pm

Re: ACATS Transfer thefts from Fidelity

Post by Kruser64 »

mary1492 wrote: Sun Jul 03, 2022 4:45 pm
Kruser64 wrote: Sun Jul 03, 2022 4:40 pm I wonder if having a Trusted Contact in place at the holding brokerage might slow down an ACATS transfer request? "Wait, you transferred out 7 figures and didn't bother to contact my on-file Trusted Contact?"

-Kruser64
That's not the purpose of a trusted contact.

https://www.fidelity.com/customer-servi ... ed-contact
A trusted contact is someone we can get in touch with in the event we're concerned about your:

Health,
Well-being, or
Welfare (due to exploitation, endangerment, or neglect)
A large outgoing transfer request would seem to me to meet "concern" for a number of these conditions. It's not like the brokerage has my cognitive test results. Account patterns have to be part of it? Maybe what I'm getting at is the holding brokerage might not be so "not-liable" if there is a trusted contact in place.
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

Broken Man 1999 wrote: Sun Jul 03, 2022 5:14 pm
Lastrun wrote: Sun Jul 03, 2022 4:48 pm
outbackcountry wrote: Sat Jul 02, 2022 12:12 pm I turned on the Lockdown feature after reading that thread. Was wondering if there is anything similar at Vanguard or Schwab. Looks like there isn't. Not even a notification option when a transfer is initiated from outside. Scary!
I am confused by some of the posts here: When I go to the Vanguard Alerts page under profile I see this:

Asset transfer alerts

Initiated, in progress, and completed status messages for asset transfers

Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?

There are a couple of "no notification" and " shocking" posts on this thread and I think this needs clarification.

The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
Seems Vanguard offers plenty of alerts to me.

Account profile alerts
Add, edit, and delete linked bank accounts
Email alert Text alert
A password is changed, a security question and answer are changed, or my password is locked on the web or through an app.
Email alert Text alert
Transaction alerts
Buy, sell, and exchange Vanguard mutual funds
Email alert Text alert
Buy, sell, and exchange non-Vanguard mutual funds
Email alert Text alert
Brokerage trade execution notices
Email alert Text alert
Asset transfer alerts
Initiated, in progress, and completed status messages for asset transfers
Email alert


What else would one want?

Based on posts here, not everyone reads their emails from Vanguard. One complaint is they have to wade thru all the product/marketing emails. But that is on them, you can avoid those type emails. I don't get any product/marketing emails unless I have a product that has new/updated info.

If you practice good email hygiene you won't receive so much spam to wade thru in the first place.

The ability to protect your Vanguard accounts via alerts is clearly available. You do need to respond to the alerts, otherwise Vanguard sees no issue with the info they have sent to you.

So, if you haven't set up your alerts, do so, and chillax.

Broken Man 1999
For many security applications, an alert (detective control) is more effective than a lockdown (preventive control). If you have to disable the lock for various use cases, there is the risk of forgetting to re-enable it. Of course having both often is superior to either one alone.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
typical.investor
Posts: 3585
Joined: Mon Jun 11, 2018 3:17 am

Re: ACATS Transfer thefts from Fidelity

Post by typical.investor »

Marseille07 wrote: Sun Jul 03, 2022 5:16 pm
whodidntante wrote: Sun Jul 03, 2022 4:11 pm I don't think Fidelity is at fault. I think E*TRADE is. They are the ones who allowed someone to create an account under false pretenses, transfer assets to it, liquidate those assets, and move the proceeds out of the country. All Fidelity did was to act on an ACATS request, which they are required to do.
E*Trade is not really at fault because when someone's ID is completely compromised, there's little they can do to detect fraud; every piece of information presented to them is presumably accurate and correct.

Fidelity on the other hand had full control over the ACATS request - all they had to do was to call the customer on file, and that would have reached the legitimate account holder.

I know my broker calls me and I've actually suspended my own ACATS when I cut a deal to stay.
No, E*Trade is liable.

Under the ACATs agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.

That is per FINRA.
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

So this would suggest that the receiving firm can decide on how much friction they want to place on the transfer vs how much liability they are willing to take on to make it frictionless to bring in assets/business.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
mary1492
Posts: 664
Joined: Thu Oct 17, 2019 3:02 am

Re: ACATS Transfer thefts from Fidelity

Post by mary1492 »

Kruser64 wrote: Sun Jul 03, 2022 5:26 pm
mary1492 wrote: Sun Jul 03, 2022 4:45 pm
Kruser64 wrote: Sun Jul 03, 2022 4:40 pm I wonder if having a Trusted Contact in place at the holding brokerage might slow down an ACATS transfer request? "Wait, you transferred out 7 figures and didn't bother to contact my on-file Trusted Contact?"

-Kruser64
That's not the purpose of a trusted contact.

https://www.fidelity.com/customer-servi ... ed-contact
A trusted contact is someone we can get in touch with in the event we're concerned about your:

Health,
Well-being, or
Welfare (due to exploitation, endangerment, or neglect)
A large outgoing transfer request would seem to me to meet "concern" for a number of these conditions. It's not like the brokerage has my cognitive test results. Account patterns have to be part of it? Maybe what I'm getting at is the holding brokerage might not be so "not-liable" if there is a trusted contact in place.
Go to the linked page, and click on the link for "View some examples".

You are free to interpret it however you like. Set your trusted contact and when they don't do what meets your definitions, you can see how far you'll get with arbitration. (Hint - not very far)
Broken Man 1999
Posts: 7484
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: ACATS Transfer thefts from Fidelity

Post by Broken Man 1999 »

I have posted what alerts one can have for various activities at Vanguard, including ACATS account transfers.

When I signed into my Fidelity account, I found this:

Alerts
Alert Categories
Manage Email & Mobile Phone
Place Alerts on Hold

Account Balances & Trading Activity
Trade notifications, margin calls, account/position balances and tender offers.

Account Events & Services
Mutual fund/equity dividend and capital gain distributions.

Cash Management
Electronic fund transfers, deposits, check notifications and Transfer of Assets.

Fixed Income Holdings
Upgrades/Downgrades and other Events, Redemptions, Bid Wanted, and Auto Roll Alerts.

Now I did not see an alert for account transfer except under Cash Management. I don't know if an ACATS account transfer would trigger an alert like some of the other activities.

I had a Fidelity account for a bit, but closed it so I am not familiar with much on the website.

Perhaps a direct question to Fidelity asking "Will an ACATS transfer from Fidelity generate an alert to me?" might settle the issue.

I would think a lockdown would be a major PITA for many folks.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
anon_investor
Posts: 12311
Joined: Mon Jun 03, 2019 1:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by anon_investor »

Northern Flicker wrote: Sun Jul 03, 2022 5:04 pm
anon_investor wrote: Sat Jul 02, 2022 4:36 pm With a combo of money transfer lockdown and 2FA using authenticator app only, Fidelity seems the most secure of my brokerage accounts (others are Vanguard and Merrill Edge).
Unlike the authentication used in the Fido2 protocol with a Yubikey, the authenticator app does not protect against man-in-the-middle attacks, which could, among other things, turn off the account protection switch for instance.
How does a man-in-the-middle attack work with an authenticator app?
Marseille07
Posts: 10487
Joined: Fri Nov 06, 2020 1:41 pm

Re: ACATS Transfer thefts from Fidelity

Post by Marseille07 »

typical.investor wrote: Sun Jul 03, 2022 5:38 pm No, E*Trade is liable.

Under the ACATs agreement, each carrying firm agrees to recognize any electronic ACATS transmission initiated by any receiving firm as presumptive evidence of the receiving firm's authority to receive the account or assets in question. In exchange, the receiving firm agrees to indemnify and hold harmless the carrying firm for any claims or losses it incurs as a result of complying with what turns out to be an unauthorized or illegitimate TIF.

That is per FINRA.
I misspoke. I didn't mean to say E*Trade is fault free. I think the question here was which party is more liable than others.
US & FM (5% seed) | 350K Cash
Kruser64
Posts: 87
Joined: Wed Feb 20, 2019 6:41 pm

Re: ACATS Transfer thefts from Fidelity

Post by Kruser64 »

mary1492 wrote: Sun Jul 03, 2022 5:47 pm
Kruser64 wrote: Sun Jul 03, 2022 5:26 pm
mary1492 wrote: Sun Jul 03, 2022 4:45 pm
Kruser64 wrote: Sun Jul 03, 2022 4:40 pm I wonder if having a Trusted Contact in place at the holding brokerage might slow down an ACATS transfer request? "Wait, you transferred out 7 figures and didn't bother to contact my on-file Trusted Contact?"

-Kruser64
That's not the purpose of a trusted contact.

https://www.fidelity.com/customer-servi ... ed-contact
A trusted contact is someone we can get in touch with in the event we're concerned about your:

Health,
Well-being, or
Welfare (due to exploitation, endangerment, or neglect)
A large outgoing transfer request would seem to me to meet "concern" for a number of these conditions. It's not like the brokerage has my cognitive test results. Account patterns have to be part of it? Maybe what I'm getting at is the holding brokerage might not be so "not-liable" if there is a trusted contact in place.
Go to the linked page, and click on the link for "View some examples".

You are free to interpret it however you like. Set your trusted contact and when they don't do what meets your definitions, you can see how far you'll get with arbitration. (Hint - not very far)
Yeah, those Fidelity examples are condescending. At least Schwab says a trusted contact is someone who can "Discuss urgent, unusual account activity or other possible red flags". Vague, I know. Better than nothing? Maybe...

https://www.schwab.com/learn/story/why- ... d-contacts
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

anon_investor wrote: Sun Jul 03, 2022 6:08 pm
Northern Flicker wrote: Sun Jul 03, 2022 5:04 pm
anon_investor wrote: Sat Jul 02, 2022 4:36 pm With a combo of money transfer lockdown and 2FA using authenticator app only, Fidelity seems the most secure of my brokerage accounts (others are Vanguard and Merrill Edge).
Unlike the authentication used in the Fido2 protocol with a Yubikey, the authenticator app does not protect against man-in-the-middle attacks, which could, among other things, turn off the account protection switch for instance.
How does a man-in-the-middle attack work with an authenticator app?
To prevent MITM attacks you need end-to-end encryption with an a priori clean key exchange between service and client. If you are hit with a MITM attack the attacker in the middle can transmit your authenticator code to a service just as it can your password. The authenticator code defeats replay attacks where the MITM captures an authentication session and replays it later from a different client machine, but you may not notice small configuration changes while logged in. Hopefully, Fidelity sends an alert when the account lock is disabled.

SSL/TLS and trusted certificate authorities are the primary defense in use against MITM, but there have been examples of DNS queries hitting compromised or rogue DNS servers and examples of compromised or rogue certificate authorities.

One mitigating control you can do is to go through the list of default trusted certificate authorities in your browser, and eliminate ones hosted in countries with legal systems that you do not trust. It will break e-commerce to sites in those countries, but other sites you use should be fine.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
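An added illustration of the point made in the post above (not code from the thread or from any brokerage): a one-time authenticator code carries no record of where it was typed, so a relay in the middle can pass it on, while an origin-bound assertion of the FIDO2 kind fails when the page in front of the user is not the real service. The origins and password are constructed, and an HMAC stands in for the public-key signature a real FIDO2 authenticator produces.

```python
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://broker.example"          # constructed service origin
RELAY_ORIGIN = "https://broker-login.example"   # constructed lookalike origin


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the time-step counter,
    then RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def sign_assertion(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Stand-in for a FIDO2 assertion. The browser, not the page, supplies
    the origin, and the authenticator signs challenge + origin together."""
    return hmac.new(key, challenge + browser_origin.encode(),
                    hashlib.sha256).digest()


class Service:
    """Toy relying party that accepts either login method."""

    def __init__(self, origin, password, totp_secret, credential_key):
        self.origin = origin
        self._password = password
        self._totp_secret = totp_secret
        self._credential_key = credential_key
        self._pending = set()

    def login_totp(self, password: str, code: str, now: int) -> bool:
        # Nothing in (password, code) says which site the user typed it into.
        good_pw = hmac.compare_digest(password.encode(), self._password.encode())
        good_code = hmac.compare_digest(
            code.encode(), totp(self._totp_secret, now).encode())
        return good_pw and good_code

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self._pending.add(challenge)
        return challenge

    def login_bound(self, challenge: bytes, claimed_origin: str,
                    signature: bytes) -> bool:
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)          # each challenge is single use
        expected = sign_assertion(self._credential_key, challenge, self.origin)
        return (claimed_origin == self.origin
                and hmac.compare_digest(signature, expected))


def run_demo() -> dict:
    secret = b"12345678901234567890"              # RFC 6238 test secret
    key = os.urandom(32)
    svc = Service(REAL_ORIGIN, "correct horse", secret, key)
    now = 59
    results = {}

    # Authenticator app: the user types the code on the relay's page and the
    # relay forwards it within the same 30-second step.
    typed = totp(secret, now)
    results["totp_via_relay"] = svc.login_totp("correct horse", typed, now)
    # The same captured code replayed two minutes later no longer matches.
    results["totp_replayed_later"] = svc.login_totp("correct horse", typed, now + 120)

    # Origin-bound login with the user on the real site.
    ch = svc.new_challenge()
    results["bound_direct"] = svc.login_bound(
        ch, REAL_ORIGIN, sign_assertion(key, ch, REAL_ORIGIN))

    # Same login with a relay in the middle: the browser is on RELAY_ORIGIN,
    # so that is the origin that gets signed.
    ch = svc.new_challenge()
    sig = sign_assertion(key, ch, RELAY_ORIGIN)
    results["bound_via_relay"] = svc.login_bound(ch, RELAY_ORIGIN, sig)

    # Rewriting the claimed origin in transit does not help: the signature
    # still covers the origin the browser actually saw.
    ch = svc.new_challenge()
    sig = sign_assertion(key, ch, RELAY_ORIGIN)
    results["bound_via_relay_origin_rewritten"] = svc.login_bound(
        ch, REAL_ORIGIN, sig)
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
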
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
beyou
Posts: 4720
Joined: Sat Feb 27, 2010 3:57 pm
Location: If you can make it there

Re: ACATS Transfer thefts from Fidelity

Post by beyou »

Broken Man 1999 wrote: Sun Jul 03, 2022 5:14 pm
Lastrun wrote: Sun Jul 03, 2022 4:48 pm
outbackcountry wrote: Sat Jul 02, 2022 12:12 pm I turned on the Lockdown feature after reading that thread. Was wondering if there is anything similar at Vanguard or Schwab. Looks like there isn't. Not even a notification option when a transfer is initiated from outside. Scary!
I am confused by some of the posts here: When I go to the Vanguard Alerts page under profile I see this:

Asset transfer alerts

Initiated, in progress, and completed status messages for asset transfers

Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?

There are a couple of "no notification" and " shocking" posts on this thread and I think this needs clarification.

The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
Seems Vanguard offers plenty of alerts to me.

Account profile alerts
Add, edit, and delete linked bank accounts
Email alert Text alert
A password is changed, a security question and answer are changed, or my password is locked on the web or through an app.
Email alert Text alert
Transaction alerts
Buy, sell, and exchange Vanguard mutual funds
Email alert Text alert
Buy, sell, and exchange non-Vanguard mutual funds
Email alert Text alert
Brokerage trade execution notices
Email alert Text alert
Asset transfer alerts
Initiated, in progress, and completed status messages for asset transfers
Email alert


What else would one want?

Based on posts here, not everyone reads their emails from Vanguard. One complaint is they have to wade thru all the product/marketing emails. But that is on them, you can avoid those type emails. I don't get any product/marketing emails unless I have a product that has new/updated info.

If you practice good email hygiene you won't receive so much spam to wade thru in the first place.

The ability to protect your Vanguard accounts via alerts is clearly available. You do need to respond to the alerts, otherwise Vanguard sees no issue with the info they have sent to you.

So, if you haven't set up your alerts, do so, and chillax.

Broken Man 1999
Asset transfer alerts MAY be the relevant mitigation at Vanguard. I say MAY because it is not clear if this is for incoming or outgoing or both.
Last edited by beyou on Sun Jul 03, 2022 8:42 pm, edited 1 time in total.
Lastrun
Posts: 644
Joined: Wed May 03, 2017 6:46 pm

Re: ACATS Transfer thefts from Fidelity

Post by Lastrun »

beyou wrote: Sun Jul 03, 2022 6:31 pm
Lastrun wrote: Sun Jul 03, 2022 4:48 pm
Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?
Asset transfer alerts MAY be the relevant mitigation at Vanguard. I say MAY because it is not clear if this is for incoming or outgoing or both.
Agree, why I asked the question.
urban
Posts: 98
Joined: Wed Apr 14, 2021 12:36 am

Re: ACATS Transfer thefts from Fidelity

Post by urban »

Broken Man 1999 wrote: Sun Jul 03, 2022 5:14 pm Seems Vanguard offers plenty of alerts to me.

Account profile alerts
Add, edit, and delete linked bank accounts
Email alert Text alert
A password is changed, a security question and answer are changed, or my password is locked on the web or through an app.
Email alert Text alert
Transaction alerts
Buy, sell, and exchange Vanguard mutual funds
Email alert Text alert
Buy, sell, and exchange non-Vanguard mutual funds
Email alert Text alert
Brokerage trade execution notices
Email alert Text alert
Asset transfer alerts
Initiated, in progress, and completed status messages for asset transfers
Email alert


What else would one want?

Based on posts here, not everyone reads their emails from Vanguard. One complaint is they have to wade thru all the product/marketing emails. But that is on them, you can avoid those type emails. I don't get any product/marketing emails unless I have a product that has new/updated info.

If you practice good email hygiene you won't receive so much spam to wade thru in the first place.

The ability to protect your Vanguard accounts via alerts is clearly available. You do need to respond to the alerts, otherwise Vanguard sees no issue with the info they have sent to you.

So, if you haven't set up your alerts, do so, and chillax.

Broken Man 1999
Thank you for pointing it out. After you pointed it out, I finally found it under "Account activity and appointment alerts".
Interesting, the reason I did not see it before, even though I looked there previously, is because in my web browser (Opera) the Privacy Protection was set to "Tracker Blocker was turned on". It resulted in the blank pane. I had to set it to "Tracker Blocker is turned off for this site" in order for the alerts to be properly displayed.
anon_investor
Posts: 12311
Joined: Mon Jun 03, 2019 1:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by anon_investor »

Northern Flicker wrote: Sun Jul 03, 2022 6:23 pm
anon_investor wrote: Sun Jul 03, 2022 6:08 pm
Northern Flicker wrote: Sun Jul 03, 2022 5:04 pm
anon_investor wrote: Sat Jul 02, 2022 4:36 pm With a combo of money transfer lockdown and 2FA using authenticator app only, Fidelity seems the most secure of my brokerage accounts (others are Vanguard and Merrill Edge).
Unlike the authentication used in the Fido2 protocol with a Yubikey, the authenticator app does not protect against man-in-the-middle attacks, which could, among other things, turn off the account protection switch for instance.
How does a man-in-the-middle attack work with an authenticator app?
To prevent MITM attacks you need end-to-end encryption with an a priori clean key exchange between service and client. If you are hit with a MITM attack the attacker in the middle can transmit your authenticator code to a service just as it can your password. The authenticator code defeats replay attacks where the MITM captures an authentication session and replays it later from a different client machine, but you may not notice small configuration changes while logged in. Hopefully, Fidelity sends an alert when the account lock is disabled.

SSL/TLS and trusted certificate authorities are the primary defense in use against MITM, but there have been examples of DNS queries hitting compromised or rogue DNS servers and examples of compromised or rogue certificate authorities.

One mitigating control you can do is to go through the list of default trusted certificate authorities in your browser, and eliminate ones hosted in countries with legal systems that you do not trust. It will break e-commerce to sites in those countries, but other sites you use should be fine.
Does Vanguard have an equivalent feature to money transfer lockdown? Even Vanguard's Yubikey still requires a Google Voice number SMS 2FA to be "secure". Which could still be subject to man-in-the-middle attacks. So it seems that Fidelity might still be more secure because of their lockdown feature.
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

GV 2FA only admits MITM attacks if you choose to use it when logging in. Having it enabled at Vanguard to protect someone from using the app to try to break in does not defeat the Yubikey protection against MITM if you always use the Yubikey when authenticating.

The protection Vanguard has for unauthorized ACATS would be turning on alerts, which would enable a customer to contact Vanguard while the transfer still could be blocked or clawed back.

Authenticator apps are great for enterprise applications such as an employer facility to support VPN into an employer network. They don’t scale well for internet facing applications because you need a separate instance of an authenticator app for every service used. This can lead to lower utilization of the authenticator app.
Last edited by Northern Flicker on Sun Jul 03, 2022 7:42 pm, edited 1 time in total.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
anon_investor
Posts: 12311
Joined: Mon Jun 03, 2019 1:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by anon_investor »

Northern Flicker wrote: Sun Jul 03, 2022 7:16 pm GV only admits MITM attacks if you choose to use it when logging in. Having it enabled to protect someone from using the app to try to break in does not defeat the Yubikey protection against MITM if you always use the Yubikey when authenticating.

The protection Vanguard has for unauthorized ACATS would be turning on alerts, which would enable a customer to contact Vanguard while the transfer still could be blocked or clawed back.

Authenticator apps are great for enterprise applications such as an employer facility to support VPN into an employer network. They don’t scale well for internet facing applications because you need a separate instance of an authenticator app for every service used. This can lead to lower utilization of the authenticator app.
Seems like no brokerage has it all...
Northern Flicker
Posts: 11031
Joined: Fri Apr 10, 2015 12:29 am

Re: ACATS Transfer thefts from Fidelity

Post by Northern Flicker »

That’s correct. Some organizations do a better job than others, but it is unlikely there ever will be a single linear ordering of best to worst.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
anon_investor
Posts: 12311
Joined: Mon Jun 03, 2019 1:43 pm

Re: ACATS Transfer thefts from Fidelity

Post by anon_investor »

Northern Flicker wrote: Sun Jul 03, 2022 7:49 pm That’s correct. Some organizations do a better job than others, but it is unlikely there is ever going to be a single linear ordering of best to worst.
We plan to have a 6 figure amount in I Bonds when we enter retirement. At least that will be safe from ACATS theft.
grok87
Posts: 10056
Joined: Tue Feb 27, 2007 9:00 pm

Re: ACATS Transfer thefts from Fidelity

Post by grok87 »

Lastrun wrote: Sun Jul 03, 2022 4:48 pm
outbackcountry wrote: Sat Jul 02, 2022 12:12 pm I turned on the Lockdown feature after reading that thread. Was wondering if there is anything similar at Vanguard or Schwab. Looks like there isn't. Not even a notification option when a transfer is initiated from outside. Scary!
I am confused by some of the posts here: When I go to the Vanguard Alerts page under profile I see this:

Asset transfer alerts

Initiated, in progress, and completed status messages for asset transfers

Granted it will only allow email and not texts like some of the other alerts, but would an ACATS transfer out not trigger this?

There are a couple of "no notification" and " shocking" posts on this thread and I think this needs clarification.

The lack of a lockdown function is troubling, but the lack of an alert capability is shocking.
I thought those asset transfer alerts are only for when you are moving money/assets TO Vanguard?
RIP Mr. Bogle.