Did Schwab Fraud Protection Guarantee fail here?
Interesting video. Should Schwab with their Fraud Protection Guarantee cover this?
Fraud Protection Guarantee at Schwab
From Jack Brennan's "Straight Talk on Investing", page 23 "Living below your means is the ultimate financial strategy"
Re: Did Schwab Fraud Protection Guarantee fail here?
I would say no. I understand the victim got a phone call seemingly from Schwab, but that is not always what it seems. My opinion would be different if the bad guys somehow broke into Schwab's system and the victim got a push message within the Schwab app.
- typical.investor
Re: Did Schwab Fraud Protection Guarantee fail here?
BeachPerson wrote: ↑Wed Aug 28, 2024 12:54 pm
> Interesting video. Should Schwab with their Fraud Protection Guarantee cover this?
> Fraud Protection Guarantee at Schwab

I think you made up the phrase "Fraud Protection Guarantee" because Schwab certainly never uses it. Here is what they say:

> We offer you this simple guarantee:
> Schwab will cover losses in any of your Schwab accounts due to unauthorized activity.
> The highest levels of security are only possible when we work together. To ensure your protection under this guarantee, it is your responsibility to:
> Safeguard your account access information.
> Please do not share your account access information, including but not limited to your login ID, password, PIN and transaction codes, with anyone. If you share this information with anyone, we will consider their activities to have been authorized by you.
> Report any unauthorized transactions to us as quickly as possible.
> If you suspect you are a victim of fraud, please contact us immediately.
> There may be other individuals to whom you grant authority in your account. Their activities in your account will also be considered authorized.

After having actually read their stated guarantee, what do you think?
Also, if Schwab reimbursed people every time they give their password away and allow money to be stolen, how will Schwab protect itself from customers giving their password to accomplices who will 'steal' their money knowing that the customer will be reimbursed? It's a quick way to double your money or even increase it by 50% if you have to give the accomplice half. Do you think people wouldn't do that?
Re: Did Schwab Fraud Protection Guarantee fail here?
BeachPerson wrote: ↑Wed Aug 28, 2024 12:54 pm
> Interesting video. Should Schwab with their Fraud Protection Guarantee cover this?
> Fraud Protection Guarantee at Schwab

No. And even though the video agrees, I am not crazy about how the man in the video says their actions allow Schwab to deny the fraud claim. His phrasing is almost like Schwab was "weaseling" out of a proper claim. Schwab really did not have a choice. The family did exactly what Schwab said not to do. If Schwab decided to make them whole, it could open up all kinds of liability and subject them to fraud.
Re: Did Schwab Fraud Protection Guarantee fail here?
typical.investor wrote: ↑Wed Aug 28, 2024 1:28 pm
> After having actually read their stated guarantee, what do you think?
> Also, if Schwab reimbursed people every time they give their password away and allow money to be stolen, how will Schwab protect itself from customers giving their password to accomplices who will 'steal' their money knowing that the customer will be reimbursed? It's a quick way to double your money or even increase it by 50% if you have to give the accomplice half. Do you think people wouldn't do that?

I think Schwab may still be liable. The transactions were clearly unauthorized and Schwab purports to cover unauthorized transactions. The part about them 'considering' transactions to be authorized can be deconstructed to the customer's favor, IMO. First, the fact that they consider it to be authorized does not make it so. Second, it makes no distinction between inadvertent or unintentional sharing vs deliberately allowing a third party access to the account. Of course the latter would not be covered as unauthorized, but the problem is that Schwab would not be able to claim that is the case here. There doesn't seem to be any dispute that the customer did not purposefully share information with third parties or authorize the transactions.
In short, IMO Schwab should pay and then perhaps reconsider either their security practices or the wording of their guarantee...or both. Clearly convenience and cost is winning out over effectiveness in security practices when it comes to our financial accounts. The question is who pays when something goes wrong? If the customer is going to be paying, then the financial institutions should not be reassuring them with statements about fraud being covered or the various "we've got your back" verbiage that floats about.
Re: Did Schwab Fraud Protection Guarantee fail here?
If the video has complete info, it appears that the account holder supplied a login 2FA code but not a password to the attackers. If the password was changed by the attackers exploiting a weak password reset protocol, things get murkier.
Re: Did Schwab Fraud Protection Guarantee fail here?
The Schwab fraud guarantee protects you from an unauthorized outside party. It doesn't protect you from yourself. It seems to be the case here that the account owner willingly handed over the keys to the kingdom.
Government entities often have fraud insurance. I saw a lawsuit where a local city got "tricked" and checks for a major construction contract got diverted to a different address and then cashed. The insurance company didn't pay because the city did it to themselves: they updated the addresses and mailed out the checks. The fraudster didn't do it. If the fraudster had broken into their IT system and changed addresses and stolen money that way, then there would be coverage. If you, through your own lack of internal controls or stupidity, fall into one of the fraudsters' traps, then there isn't coverage. It depends on the policy language, but most of what I have seen only covers actions of third parties, and does not provide coverage for your own actions.
Re: Did Schwab Fraud Protection Guarantee fail here?
Sprucebark wrote: ↑Wed Aug 28, 2024 11:47 pm
> The Schwab fraud guarantee protects you from an unauthorized outside party. It doesn't protect you from yourself. It seems to be the case here that the account owner willingly handed over the keys to the kingdom.

How about "It seems to be the case here that the account owner unwittingly handed over the keys to the kingdom."
The language of an insurance contract will be complex and specific. Any conclusions you might reach on one specific contract don't apply generally to every other situation. If you know me and I knock on your door to ask you if I can borrow your car and you hand me the keys, the police might conclude that it wasn't stolen even if I don't bring it back. If I pose as a valet at a parking garage and you hand me the keys, they probably will call it stolen. It seems pretty clear here that the victim did not intend for their money to be stolen and were not specifically aware that they were allowing an unknown third party access to their account. It is easy to blame the victim as most of us are NOW aware of the danger, but if you don't know you don't know. You know, I know, Schwab knows, the victim knows now but apparently didn't before this.
I don't have a Schwab account so IDK what other information a scammer would need (user name, password, etc) but I have seen sites that will let you recover the username and then the password in two steps as long as you have the right e-mail. So if a scammer could start with nothing but readily available public information (your name and e-mail) and the only security feature in place is one OTP sent via text, then Schwab's system is pretty insecure.
Re: Did Schwab Fraud Protection Guarantee fail here?
Some services use 2FA to authenticate password resets, violating the independence between the two controls that prevents a failure of one of them from becoming a failure of the entire authentication control.
I assume that a court may have the final word on the scenario in the video.
- typical.investor
Re: Did Schwab Fraud Protection Guarantee fail here?
bd7 wrote: ↑Wed Aug 28, 2024 11:11 pm
> The question is who pays when something goes wrong? If the customer is going to be paying, then the financial institutions should not be reassuring them with statements about fraud being covered or the various "we've got your back" verbiage that floats about.

Schwab clearly states:

> Safeguard your account access information.
> Please do not share your account access information, including but not limited to your login ID, password, PIN and transaction codes, with anyone. If you share this information with anyone, we will consider their activities to have been authorized by you.

What verbiage could be more clear?
Re: Did Schwab Fraud Protection Guarantee fail here?
I'll voice an opposing view on this topic. The folks on this forum have a lot of knowledge of investing, and they have good awareness of basic security practices. I suggest, however, that we are not representative of the general population.
We all know people, young and old, who have not set up a passcode on their smartphones, use the same password on multiple websites, or download all sorts of junk software on their laptops. IMHO, the onus should fall on all financial and government entities to implement much better privacy and security solutions, particularly when it comes to moving money out of an account.
I do not know the specifics of the Schwab case in question, and I do not have a Schwab account. But as a general comment, many financial institutions still use txt messages for 2FA, which is the weakest form of 2FA security. The "fatigue attack" mentioned in the video is very real. That so many non-financial entities also use txt messages for 2FA probably lulls a lot of people into just disclosing the 2FA code when asked to.
“My opinions are just that - opinions.”
Re: Did Schwab Fraud Protection Guarantee fail here?
"Do not share this code with anyone."
"Oops, I shared the code, can I have my money back?"
On the other hand, I haven't tested the "forgot password?" link for Schwab yet, but do they bypass all their security and allow you to login with a PIN from a text message like many other sites? That would be unfortunate. Also, did this family have a trusted contact person identified? Did Schwab contact that person prior to wiring out the entire contents of the account? If not, what's the point?
Re: Did Schwab Fraud Protection Guarantee fail here?
Gaston wrote: ↑Thu Aug 29, 2024 9:31 am
> I'll voice an opposing view on this topic. The folks on this forum have a lot of knowledge of investing, and they have good awareness of basic security practices. I suggest, however, that we are not representative of the general population.
> We all know people, young and old, who have not set up a passcode on their smartphones, use the same password on multiple websites, or download all sorts of junk software on their laptops. IMHO, the onus should fall on all financial and government entities to implement much better privacy and security solutions, particularly when it comes to moving money out of an account.
> I do not know the specifics of the Schwab case in question, and I do not have a Schwab account. But as a general comment, many financial institutions still use txt messages for 2FA, which is the weakest form of 2FA security. The "fatigue attack" mentioned in the video is very real. That so many non-financial entities also use txt messages for 2FA probably lulls a lot of people into just disclosing the 2FA code when asked to.

We had a system that would protect most of your issues. But it requires you to physically take your bank book in to a physical branch, provide government ID, have your signature checked against a card, etc. Of course the cost will be much greater; you will need to hold physical certificates, so you better have a good safe.
TLDR…your solution is "Welcome Back to the Future" in 1974.
Re: Did Schwab Fraud Protection Guarantee fail here?
I can see how some people don't understand the meaning of this. After all, how does anyone use the code without sharing it with something or somebody?
- firebirdparts
Re: Did Schwab Fraud Protection Guarantee fail here?
So yeah, after some really slow talking there, they got a code by text and told somebody the code on the phone. That would be a really easy thing to do, and of course somebody trying to bypass 2 factor authentication and log into your account would do exactly that.
I can see myself falling for that. Understanding how those codes are used, we have to know that you can't tell somebody one. Eventually I guess scammers will think of something even better.
This time is the same
Re: Did Schwab Fraud Protection Guarantee fail here?
You created a false strawman. The message does not say don’t use this code by entering where needed. This is sharing with something. Which is certainly not precluded by the warning message. Unless you decided to personalize the computer into a person you are sharing with, I think folks do understand the warning.
My DM who is 86 and literally does no online banking from a phone or computer (she would not even get the code but if she did) would understand that message.
Re: Did Schwab Fraud Protection Guarantee fail here?
typical.investor wrote: ↑Thu Aug 29, 2024 3:56 am
> Schwab clearly states:
> > Safeguard your account access information.
> > Please do not share your account access information, including but not limited to your login ID, password, PIN and transaction codes, with anyone. If you share this information with anyone, we will consider their activities to have been authorized by you.
> What verbiage could be more clear?

If you call Schwab on the phone, do they sometimes send an SMS code to you and ask for it to authenticate the phone session?
Re: Did Schwab Fraud Protection Guarantee fail here?
Northern Flicker wrote: ↑Thu Aug 29, 2024 5:04 pm
> If you call Schwab on the phone, do they sometimes send an SMS code to you and ask for it to authenticate the phone session?

I do not recall that ever happening.
Re: Did Schwab Fraud Protection Guarantee fail here?
LotsaGray wrote: ↑Thu Aug 29, 2024 10:12 am
> We had a system that would protect most of your issues. But it requires you to physically take your bank book in to a physical branch, provide government ID, have your signature checked against a card, etc. Of course the cost will be much greater; you will need to hold physical certificates, so you better have a good safe.
> TLDR…your solution is "Welcome Back to the Future" in 1974.

We have much better solutions available today than what were used in 1974 and what often are used today. As one example, a PIN-protected YubiKey using challenge-response authentication does not have data leakage vulnerabilities.
- typical.investor
Re: Did Schwab Fraud Protection Guarantee fail here?
Northern Flicker wrote: ↑Thu Aug 29, 2024 5:04 pm
> If you call Schwab on the phone, do they sometimes send an SMS code to you and ask for it to authenticate the phone session?

Schwab never has.
Fidelity has done that but in the text message they send, it specifies whether to share it with a rep or not.

> Fidelity Investments: If anyone asks for this code, STOP. It's a SCAM. Our reps will NEVER ask for it. Only enter it online. Code is: XXXXXX

> Fidelity Investments msg: Your security code is:XXXXXX. Please enter online or provide it to the customer service associate. Thank You.

Again, I have never been asked by a rep for a code in 10+ years at Schwab. If they need to verify me on the phone, they have used other ways.
Re: Did Schwab Fraud Protection Guarantee fail here?
Northern Flicker wrote: ↑Thu Aug 29, 2024 5:09 pm
> We have much better solutions available today than what were used in 1974 and what often are used today. As one example, a PIN-protected YubiKey using challenge-response authentication does not have data leakage vulnerabilities.

Yes we have much better options now. But these will NOT protect people from themselves. People who do what Gaston was describing are not going to use something such as a YubiKey. The old fashioned in person process provided some protections against oneself (not complete, as that is not possible).
Particularly the statement that "the onus should fall on all financial and government entities to implement much better privacy and security solutions" is ridiculous. Because they HAVE implemented these better processes but people can defeat even the best systems if they don't follow the system.
Re: Did Schwab Fraud Protection Guarantee fail here?
Security is not only about front-end sign-on and authentication processes. It's also about back-end protocols. Countless financial firms, non-financial businesses and government entities have exposed (through hacking or otherwise) billions of records of personal data, placing all of us at greater risk. And in most cases, those same entities bear absolutely no accountability for the exposures. You might find it ridiculous to suggest they can do better, but I don't.
“My opinions are just that - opinions.”
Re: Did Schwab Fraud Protection Guarantee fail here?
LotsaGray wrote: ↑Fri Aug 30, 2024 11:51 am
> The old fashioned in person process provided some protections against oneself (not complete, as that is not possible).

Use of old-fashioned in-person procedures by the victim of the described scam would not have prevented the scam in question. They were not doing a transaction or trying to login when the attack happened.
Moreover, technology today can be used to defeat some old-fashioned protections, so that strategy may not be as protective as suggested.
Re: Did Schwab Fraud Protection Guarantee fail here?
LotsaGray wrote: ↑Fri Aug 30, 2024 11:51 am
> Particularly the statement that "the onus should fall on all financial and government entities to implement much better privacy and security solutions" is ridiculous. Because they HAVE implemented these better processes but people can defeat even the best systems if they don't follow the system.

I waited to respond to this because I was almost apoplectic at your claim that "they HAVE implemented these better process". They haven't, they're slobbering morons and don't understand the first thing about actual security. They also have chosen convenience and low cost over effectiveness.
Let's imagine that instead of a computer system, we have a person making decisions. So the person is given the following information: The (apparent) customer has attempted to log on from a previously unknown computer (new device) and has now reset their password using the OTP-to-text method. Now an hour later they are requesting to wire out their entire account. Should that arouse a bit of suspicion and perhaps warrant a phone call or some other investigation? Or should they just push the 'OK' button whilst drooling on their bib? You'd call a person a moron if they didn't recognize this as a dangerous situation. There are many ways a scammer could get that OTP, including stealing the phone or SIM fraud.
Now you might say that online systems aren't persons and the users have to use them properly. Perhaps wring your hands and say "but he gave them the code! What can we do?" Well, how hard is it to write a few lines of code to set an alarm and require intervention when there is a request to transfer out a large sum of money within a short time period (say a week) after a password is reset via OTP-to-text? There's a LOT more that Schwab could have done IMO and other people are doing some of it already.
As typical.investor pointed out above, there are instances where some companies (perhaps not Schwab) actually will have their rep ask for an OTP from your phone. DW actually had that happen and she declined and called the bank branch instead. The rep didn't complain too much about it either, but it was legit. So just generally, providing someone an OTP over the phone is really not indicative of extreme stupidity or lack of exposure to the modern world. It's a mistake, one mistake, and that one error should not be enough on its own to completely vitiate the entire system keeping your money secure. If it does, it isn't security at all.
Banks have been one step behind for decades and each time new security holes emerge, they start by claiming the breach is "impossible". Then when it becomes apparent that it is happening they blame the consumer and then (eventually, when the government or TV news gets involved) they fix or patch the problem.
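The "few lines of code" bd7 asks for above, written out as an added example (it also covers Northern Flicker's earlier point that a reset authenticated by the same SMS factor leaves no independent control). This is not code from the thread, from Schwab, or from any real fraud engine; the event model, the one-week lookback and the 10,000 / half-the-balance thresholds are assumptions, and both timelines are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One entry in an account's activity log (constructed model, not Schwab's)."""
    kind: str                      # "login", "password_reset" or "wire_request"
    at: datetime
    detail: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                    # "allow" or "hold_for_review"
    reasons: list


# Assumed policy knobs: the post only says "a large sum" and "say a week".
LOOKBACK = timedelta(days=7)
LARGE_AMOUNT = 10_000.0
LARGE_FRACTION = 0.5               # wiring out half or more of the balance


def recent_events(history, wire):
    """Events inside the lookback window that precede the wire request."""
    start = wire.at - LOOKBACK
    return [e for e in history if start <= e.at < wire.at]


def evaluate_wire(history, wire, balance):
    """Decide whether an outgoing wire can be auto-approved or must be held.

    The rules are the ones a human reviewer would apply: a password reset via
    SMS one-time code, or a never-seen device, shortly before a large wire is a
    pattern that warrants a call back rather than a click on the OK button.
    """
    amount = float(wire.detail["amount"])
    recent = recent_events(history, wire)

    sms_resets = [e for e in recent
                  if e.kind == "password_reset" and e.detail.get("method") == "sms_otp"]
    new_devices = {e.detail.get("device_id") for e in recent
                   if e.kind == "login" and e.detail.get("new_device")}
    from_new_device = wire.detail.get("device_id") in new_devices
    large = amount >= LARGE_AMOUNT or (balance > 0 and amount / balance >= LARGE_FRACTION)

    reasons = []
    if sms_resets and large:
        age = wire.at - sms_resets[-1].at
        reasons.append(f"large wire {age} after a password reset via SMS one-time code")
    if from_new_device and large:
        reasons.append("large wire initiated from a device first seen inside the lookback window")
    if sms_resets and from_new_device:
        # Both controls fell in one window: the SMS code that authenticated the
        # reset is the only thing that ever vouched for this device, so there is
        # no independent factor left to lean on.
        reasons.append("credential reset and new device in the same window; no independent factor left")

    return Decision("hold_for_review" if reasons else "allow", reasons)


def build_scenarios():
    """Two constructed timelines (sample data, not taken from the video)."""
    t0 = datetime(2024, 8, 26, 9, 0)
    # Scenario A: an unknown device logs in, resets the password by SMS code, and
    # an hour later asks to wire out nearly the whole balance.
    takeover = [
        Event("login", t0, {"device_id": "dev-unknown-1", "new_device": True}),
        Event("password_reset", t0 + timedelta(minutes=5), {"method": "sms_otp"}),
    ]
    takeover_wire = Event("wire_request", t0 + timedelta(hours=1),
                          {"amount": 48_000, "device_id": "dev-unknown-1"})
    # Scenario B: a young investor moving $10K from a long-trusted device, with the
    # last password reset two months ago. Large in absolute terms, nothing else.
    routine = [
        Event("password_reset", t0 - timedelta(days=60), {"method": "sms_otp"}),
        Event("login", t0, {"device_id": "dev-home", "new_device": False}),
    ]
    routine_wire = Event("wire_request", t0 + timedelta(hours=1),
                         {"amount": 10_000, "device_id": "dev-home"})
    return {
        "takeover": evaluate_wire(takeover, takeover_wire, balance=50_000),
        "routine": evaluate_wire(routine, routine_wire, balance=12_000),
    }


if __name__ == "__main__":
    for name, decision in build_scenarios().items():
        print(name, decision.action, *decision.reasons, sep="\n  ")
```

Scenario B is there to show the check keys on the reset-plus-wire pattern, not on the amount alone, so the $10K bounce between brokerages that a later post worries about passes untouched.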
Re: Did Schwab Fraud Protection Guarantee fail here?
I think there might be a tad more "checking code" than you allude to.
Example: I currently am not at home and just logged into Schwab. I instantly got a SMS challenge as this laptop is not set as "Trusted". In addition, Schwab immediately emailed me that an untrusted device logged on. As I remember, this checking has been the case for at least several years. I consider my travel laptop at a higher risk than my desktop at home, so I set it as untrusted just because I will get an SMS challenge.
Add to that, any ACH transfer, or the creation of a new ACH transfer point, results in both an SMS challenge and an email, trusted device or not.
I have no out-going wire experience at Schwab, so I won't comment on what it does for supplemental validation.
-
- Posts: 452
- Joined: Mon Aug 28, 2023 10:58 am
Re: Did Schwab Fraud Protection Guarantee fail here?
Just as folks have vastly varying knowledge of the law, there's still an objective standard of responsibility. It's not reasonable to ask Schwab to protect you from yourself.
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
We still don't know how the attackers got the password.
Re: Did Schwab Fraud Protection Guarantee fail here?
I don't disagree with you, but I wanted to quibble that this may not have been a large sum of money by brokerage standards. I think it was mentioned that these were young investors, so their "life savings" was in fact pretty small.
I'm not saying it wasn't important. But I wouldn't be surprised if it's fairly common for young investors to bounce $10K or so from their bank to Schwab to their bank to Vanguard to Robinhood, as they get their feet wet in investing. So this policy might annoy more people than it seems.
All the same--annoyance is better than loss. Again, not disagreeing with you.
(Now I'm going back to look at the video again to see if I'm misremembering.)
(Huh. I may be remembering a different video.)
-
- Posts: 2548
- Joined: Sat Apr 09, 2016 5:06 pm
- Location: NYC
Re: Did Schwab Fraud Protection Guarantee fail here?
Agree 100%. Not only is it true for log in security, but also for card transactions. Why, in 2024 don't we have PIN protected credit card transactions in the US? Or why don't we have forced 3DS for online security? Because the banks determined it is cheaper to deal with rampant fraud than make cards more secure.
Banks also think consumers are too ignorant or lazy to use more secure protocols such as app or hardware based 2FA (and they may be correct), so they use insecure SMS or e-mail based 2FA so they don't risk having a customer leave.
With respect to the whole 2FA code, Bank of America's texts always say something to the effect of "we will never ask you for this code" and "don't share this code with anyone." So some liability falls on the consumer if their bank does the same thing yet they still give that code to someone on the phone.
On the other hand, when I've dealt with Chase, customer service often sends a code via text and they ask for it over the phone or will send a link that you have to click. That seems like a very bad security protocol because it trains the customer to think that it's perfectly normal for someone to ask for a 2FA code over the phone.
Long story short, US financial institutions need to get it together and bring their security up into the 21st century. Because fraudsters are only getting more sophisticated with AI and social engineering so this can only get worse.
Re: Did Schwab Fraud Protection Guarantee fail here?
In the case of Chase, the rep will often send an OTP code to my phone as verification that I am who I am. Deviating from the topic a bit, one way to mitigate this is if someone from the firm ever called me to report a fraud. I would hang up and call the firm back just to ensure I am actually dealing with the real party. I have gotten a few Capital One fraud calls from weird-looking numbers that don't say Capital One. Instead of talking to the person, I called Capital One and asked for their fraud department. The call turned out to be real, but it could have been a fake. Scammers like to generate a sense of urgency to make you take shortcuts in security.
In this case, Schwab may try to make a claim that the user willingly gave out the code. However, what if your phone had been SIM swapped? In that case, the user would not have given out the code.
I agree with NyCaviator and bd7 that the financial industry really needs to update its security practices here. It's 2024 and the 2FA of most banks is phone 2FA, the weakest 2FA possible and the easiest to hack (most cellphone providers have terrible security). At least go to a TOTP or push notification (which would not help in this case).
Re: Did Schwab Fraud Protection Guarantee fail here?
In the case of Schwab, 2FA via Symantec VIP is available. https://www.schwab.com/help/two-factor-authentication
gavinsiu wrote: ↑Sat Aug 31, 2024 8:35 am
In the case of Chase, the rep will often send an OTP code to my phone as verification that I am who I am. Deviating from the topic a bit, one way to mitigate this is if someone from the firm ever called me to report a fraud. I would hang up and call the firm back just to ensure I am actually dealing with the real party. I have gotten a few Capital One fraud calls from weird-looking numbers that don't say Capital One. Instead of talking to the person, I called Capital One and asked for their fraud department. The call turned out to be real, but it could have been a fake. Scammers like to generate a sense of urgency to make you take shortcuts in security.
In this case, Schwab may try to make a claim that the user willingly gave out the code. However, what if your phone had been SIM swapped? In that case, the user would not have given out the code.
I agree with NyCaviator and bd7 that the financial industry really needs to update its security practices here. It's 2024 and the 2FA of most banks is phone 2FA, the weakest 2FA possible and the easiest to hack (most cellphone providers have terrible security). At least go to a TOTP or push notification (which would not help in this case).
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
The threshold for raising the alert should be a user-settable parameter.
Re: Did Schwab Fraud Protection Guarantee fail here?
Yes! An excellent idea. Like some credit cards do for purchases.
Northern Flicker wrote: ↑Sat Aug 31, 2024 2:11 pm
The threshold for raising the alert should be a user-settable parameter.
Re: Did Schwab Fraud Protection Guarantee fail here?
I don't know if this is a problem with their technically challenged parents, but my mom can't use the Symantec VIP. You have to press a button and type in a number; this is apparently one action too many. Even SMS is a bit difficult, she has difficulty figuring out what numbers to type in the SMS message. The most successful method appears to be the 2FA feature in a password manager that basically copies the TOTP to the clipboard. This allows her to just paste it when the input box appears.
student wrote: ↑Sat Aug 31, 2024 1:58 pm
In the case of Schwab, 2FA via Symantec VIP is available. https://www.schwab.com/help/two-factor-authentication
I am curious to know how Schwab fraud protection would apply if a hack occurred due to sim hijack.
- typical.investor
- Posts: 5450
- Joined: Mon Jun 11, 2018 3:17 am
Re: Did Schwab Fraud Protection Guarantee fail here?
If you press on the security code of the Symantec VIP app as it displays, it will copy to the clipboard. You can then paste that into Schwab's login page. There is no need to try to remember the code.
gavinsiu wrote: ↑Sat Aug 31, 2024 10:48 pm
I don't know if this is a problem with their technically challenged parents, but my mom can't use the Symantec VIP. You have to press a button and type in a number; this is apparently one action too many.
student wrote: ↑Sat Aug 31, 2024 1:58 pm
In the case of Schwab, 2FA via Symantec VIP is available. https://www.schwab.com/help/two-factor-authentication
Or what about using faceID? I have 2FA via Symantec VIP set up, but the iPhone app lets me use faceID to log in without the code.
Re: Did Schwab Fraud Protection Guarantee fail here?
Have you done a SIM lock?
gavinsiu wrote: ↑Sat Aug 31, 2024 10:48 pm
I don't know if this is a problem with their technically challenged parents, but my mom can't use the Symantec VIP. You have to press a button and type in a number; this is apparently one action too many. Even SMS is a bit difficult, she has difficulty figuring out what numbers to type in the SMS message. The most successful method appears to be the 2FA feature in a password manager that basically copies the TOTP to the clipboard. This allows her to just paste it when the input box appears.
student wrote: ↑Sat Aug 31, 2024 1:58 pm
In the case of Schwab, 2FA via Symantec VIP is available. https://www.schwab.com/help/two-factor-authentication
I am curious to know how Schwab fraud protection would apply if a hack occurred due to sim hijack.
Re: Did Schwab Fraud Protection Guarantee fail here?
My mom can't figure out how to switch between apps and has trouble figuring out that you have to press on the security code. She can, however, use biometrics, so she usually doesn't have issues if you set up the app first. She has also managed to figure out how to use Authy, but if you switch her to a different 2FA then she is lost. Basically she doesn't understand the concept but only procedures. I have a custom launcher set up on her Android phone to minimize change from updates.
typical.investor wrote: ↑Sun Sep 01, 2024 2:35 am
If you press on the security code of the Symantec VIP app as it displays, it will copy to the clipboard. You can then paste that into Schwab's login page. There is no need to try to remember the code.
Or what about using faceID? I have 2FA via Symantec VIP set up, but the iPhone app lets me use faceID to log in without the code.
Not every place has an app, so on websites I tried to set up her password manager to automatically put the 2FA code into the clipboard.
Re: Did Schwab Fraud Protection Guarantee fail here?
Yes, however there have been several cases of people who have gotten a SIM lock but the lock was bypassed by social engineering. Basically they call the carrier and make some excuse that sounds plausible and get the PIN removed. This would not be surprising since some of the carriers got hacked multiple times per year.
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
Well, the credit union we use for some of our banking services has had that in place for years. They did not develop their own online banking web application, and I'm personally aware of other credit unions and a bank that also use the same system, so I don't think it is an uncommon feature.
BirdFood wrote: ↑Sat Aug 31, 2024 3:04 pm
Yes! An excellent idea. Like some credit cards do for purchases.
Northern Flicker wrote: ↑Sat Aug 31, 2024 2:11 pm
The threshold for raising the alert should be a user-settable parameter.
Vanguard and Fidelity just alert for all withdrawals.
I don't think the institution should be in the business of deciding on a threshold of how much is an important amount for someone. A customer with a smaller amount of assets may be just as impacted or more so by losing a smaller amount than someone with more assets may be impacted by losing a larger amount.
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
I still would love to know how the attackers got the password. Did Schwab hand it to them through a weak password reset procedure? To me, that would be a more egregious issue if that is what happened, as it is something designed in, not an accidental mistake.
Re: Did Schwab Fraud Protection Guarantee fail here?
I am a bit confused. I think bd7 was talking about requiring intervention when there is a request to transfer out a large sum of money within a short time period after a password is reset via OTP-to-text. So your credit union has such a setting? If so, what is the required intervention?
Northern Flicker wrote: ↑Sun Sep 01, 2024 1:30 pm
Well, the credit union we use for some of our banking services has had that in place for years. They did not develop their own online banking web application, and I'm personally aware of other credit unions and a bank that also use the same system, so I don't think it is an uncommon feature.
BirdFood wrote: ↑Sat Aug 31, 2024 3:04 pm
Yes! An excellent idea. Like some credit cards do for purchases.
Northern Flicker wrote: ↑Sat Aug 31, 2024 2:11 pm
The threshold for raising the alert should be a user-settable parameter.
Vanguard and Fidelity just alert for all withdrawals.
I don't think the institution should be in the business of deciding on a threshold of how much is an important amount for someone. A customer with a smaller amount of assets may be just as impacted or more so by losing a smaller amount than someone with more assets may be impacted by losing a larger amount.
Re: Did Schwab Fraud Protection Guarantee fail here?
I would like to know, too. The most common way to get hacked is password reuse. People can have a hundred websites they just reuse the same password for. Let's say the Italian cooking forum gets hacked and exposes your password; the hacker then uses the same password to log into Schwab. I haven't. Schwab does have a password requirement.
Northern Flicker wrote: ↑Sun Sep 01, 2024 1:55 pm
I still would love to know how the attackers got the password. Did Schwab hand it to them through a weak password reset procedure? To me, that would be a more egregious issue if that is what happened, as it is something designed in, not an accidental mistake.
https://www.schwab.com/login/password-format
Re: Did Schwab Fraud Protection Guarantee fail here?
There are also services that will provide account verification of the target account for outgoing ACH or wire transactions. I was involved in implementing this at my employer prior to retirement. Target account is less than 90 days old? Fail. Target account is domiciled in Tunisia? Fail. Account registration name does not match between source and target accounts? Fail.
bd7 wrote: ↑Fri Aug 30, 2024 11:09 pm
Banks have been one step behind for decades and each time new security holes emerge, they start by claiming the breach is "impossible". Then when it becomes apparent that it is happening they blame the consumer and then (eventually--when the government or TV news gets involved) they fix or patch the problem.
Any new wire or ACH went through this verification. If the account could not be verified, we would offer to send a physical check to the (verified) address of record. Occasionally people would be upset by this limitation. But we deemed it necessary as we were seeing an increase in this type of fraud.
It cost money to implement and there was a transactional cost every time we did a validation but it helped to greatly reduce this type of fraud.
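The three checks listed in the post above (target account age, target domicile, registration-name match) and the fallback of mailing a check to the verified address of record form a small decision procedure. The following is an added illustration in Python, not the poster's employer's system or any vendor's verification service; the account records, the 90-day minimum and the blocked-jurisdiction set (seeded with the post's Tunisia example) are constructed parameters, and the name comparison uses a simple normalization rather than any real matching product.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccountInfo:
    registration_name: str
    opened_on: date
    country: str  # ISO 3166-1 alpha-2 code of the domicile (constructed field name)


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def normalize_name(name: str) -> str:
    """Casefold, drop punctuation and collapse whitespace so 'JOHN Q. PUBLIC'
    and 'john q public' compare equal; anything stricter would need a real
    matching service and is out of scope here."""
    stripped = re.sub(r"[^\w\s]", "", name)
    return " ".join(stripped.casefold().split())


def verify_target_account(source: AccountInfo, target: AccountInfo, today: date,
                          min_age_days: int = 90,
                          blocked_countries: frozenset = frozenset({"TN"})) -> Verdict:
    """Apply the checks in the order the post lists them; first failure wins."""
    age_days = (today - target.opened_on).days
    if age_days < min_age_days:
        return Verdict(False, f"target account is {age_days} days old (< {min_age_days})")
    if target.country.upper() in blocked_countries:
        return Verdict(False, f"target account domiciled in blocked jurisdiction {target.country}")
    if normalize_name(source.registration_name) != normalize_name(target.registration_name):
        return Verdict(False, "registration name mismatch between source and target")
    return Verdict(True, "target account verified")


def route_outgoing_transfer(source: AccountInfo, target: AccountInfo, today: date) -> str:
    """Electronic send only on a verified target; otherwise fall back to a paper
    check to the (already verified) address of record, as the post describes."""
    verdict = verify_target_account(source, target, today)
    if verdict.ok:
        return "send electronically"
    return f"offer physical check to address of record ({verdict.reason})"


if __name__ == "__main__":
    # Constructed sample accounts; no real customer data.
    today = date(2024, 9, 1)
    src = AccountInfo("John Q. Public", date(2015, 3, 2), "US")
    print(route_outgoing_transfer(src, AccountInfo("JOHN Q PUBLIC", date(2020, 1, 1), "US"), today))
    print(route_outgoing_transfer(src, AccountInfo("John Q. Public", date(2024, 8, 1), "US"), today))
    print(route_outgoing_transfer(src, AccountInfo("J. Smith", date(2018, 5, 5), "US"), today))
```

Ordering the checks cheapest-first (age and domicile are local lookups; the name match is the call that costs a transaction fee per validation, as the post notes) keeps the per-transfer cost down without changing the outcome.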
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
While one should never reuse passwords or use the same password for multiple services, if a password is strong, its use for multiple services would be a weakness, but not be nearly as big a weakness as most password reset protocols.
gavinsiu wrote: ↑Sun Sep 01, 2024 2:23 pm
I would like to know, too. The most common way to get hacked is password reuse. People can have a hundred websites they just reuse the same password for. Let's say the Italian cooking forum gets hacked and exposes your password; the hacker then uses the same password to log into Schwab. I haven't. Schwab does have a password requirement.
Northern Flicker wrote: ↑Sun Sep 01, 2024 1:55 pm
I still would love to know how the attackers got the password. Did Schwab hand it to them through a weak password reset procedure? To me, that would be a more egregious issue if that is what happened, as it is something designed in, not an accidental mistake.
https://www.schwab.com/login/password-format
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
They can act on the alert internally after a password reset if they choose to do so.
student wrote: ↑Sun Sep 01, 2024 2:06 pm
I am a bit confused. I think bd7 was talking about requiring intervention when there is a request to transfer out a large sum of money within a short time period after a password is reset via OTP-to-text. So your credit union has such a setting? If so, what is the required intervention?
Northern Flicker wrote: ↑Sun Sep 01, 2024 1:30 pm
Well, the credit union we use for some of our banking services has had that in place for years. They did not develop their own online banking web application, and I'm personally aware of other credit unions and a bank that also use the same system, so I don't think it is an uncommon feature.
BirdFood wrote: ↑Sat Aug 31, 2024 3:04 pm
Yes! An excellent idea. Like some credit cards do for purchases.
Northern Flicker wrote: ↑Sat Aug 31, 2024 2:11 pm
The threshold for raising the alert should be a user-settable parameter.
Vanguard and Fidelity just alert for all withdrawals.
I don't think the institution should be in the business of deciding on a threshold of how much is an important amount for someone. A customer with a smaller amount of assets may be just as impacted or more so by losing a smaller amount than someone with more assets may be impacted by losing a larger amount.
Re: Did Schwab Fraud Protection Guarantee fail here?
Maybe I misunderstood; I thought bd7 was talking about transfers not being able to take place until an intervention after a password reset. If we are just talking about alerts, doesn't Schwab already have alerts for a password change? In my settings, it says it will email, text and notify within the mobile app.
Northern Flicker wrote: ↑Sun Sep 01, 2024 3:00 pm
They can act on the alert internally after a password reset if they choose to do so.
student wrote: ↑Sun Sep 01, 2024 2:06 pm
I am a bit confused. I think bd7 was talking about requiring intervention when there is a request to transfer out a large sum of money within a short time period after a password is reset via OTP-to-text. So your credit union has such a setting? If so, what is the required intervention?
Northern Flicker wrote: ↑Sun Sep 01, 2024 1:30 pm
Well, the credit union we use for some of our banking services has had that in place for years. They did not develop their own online banking web application, and I'm personally aware of other credit unions and a bank that also use the same system, so I don't think it is an uncommon feature.
BirdFood wrote: ↑Sat Aug 31, 2024 3:04 pm
Yes! An excellent idea. Like some credit cards do for purchases.
Northern Flicker wrote: ↑Sat Aug 31, 2024 2:11 pm
The threshold for raising the alert should be a user-settable parameter.
Vanguard and Fidelity just alert for all withdrawals.
I don't think the institution should be in the business of deciding on a threshold of how much is an important amount for someone. A customer with a smaller amount of assets may be just as impacted or more so by losing a smaller amount than someone with more assets may be impacted by losing a larger amount.
If I understand you correctly, you think customers should have the ability to set to receive alerts on a certain amount like a credit card. That would be nice but I don't see real disadvantages of the current practice of sending all alerts for folks that don't trade often.
-
- Posts: 16421
- Joined: Fri Apr 10, 2015 12:29 am
Re: Did Schwab Fraud Protection Guarantee fail here?
I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institution's internal processes if the customer is taking on any of the liability.
My point is that setting thresholds already is in common usage even if not for the precise use case in question.
Re: Did Schwab Fraud Protection Guarantee fail here?
Does anyone know the name of the former CIA official mentioned in the video, or any details at all about that case?
Re: Did Schwab Fraud Protection Guarantee fail here?
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
Northern Flicker wrote: ↑Sun Sep 01, 2024 5:08 pm
I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institution's internal processes if the customer is taking on any of the liability.
My point is that setting thresholds already is in common usage even if not for the precise use case in question.
Re: Did Schwab Fraud Protection Guarantee fail here?
An alert likely wouldn't have because the money would probably already be gone, but if there were a structure that forbade outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped.
student wrote: ↑Sun Sep 01, 2024 5:12 pm
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
Northern Flicker wrote: ↑Sun Sep 01, 2024 5:08 pm
I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institution's internal processes if the customer is taking on any of the liability.
My point is that setting thresholds already is in common usage even if not for the precise use case in question.
As I recall, my credit union forbids most risky activities for a couple of weeks after a mailing address change. (There's an old-fashioned feel about this; not much business happens by mail any more. I hope they have similar safeguards for other sorts of changes.)
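Several posts in this thread describe the same control from different angles: bd7's "few lines of code" that hold a large outgoing transfer shortly after an OTP-to-text password reset, Northern Flicker's user-settable threshold, and the post above, which distinguishes a mere alert (money already gone) from a hold that requires enhanced confirmation, with the credit union's post-address-change cooldown as a working precedent. The following is an added example in Python that puts those ideas into one policy function; it is not Schwab's, the credit union's or any vendor's logic, and the event names, cooldown lengths, threshold and sample timeline are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # nothing unusual: process normally
    ALERT = "alert"              # process, but notify the customer out of band
    HOLD_STEP_UP = "hold"        # park it until a human / out-of-band confirmation succeeds


@dataclass(frozen=True)
class SensitiveEvent:
    kind: str            # constructed kinds: "password_reset", "address_change", "new_payee"
    at: datetime
    channel: str = ""    # e.g. "sms_otp"; recorded so reviewers can see how the reset was done


@dataclass
class CustomerPolicy:
    alert_threshold: float   # user-settable: the smallest amount that matters to this customer
    cooldowns: dict = field(default_factory=lambda: {
        "password_reset": timedelta(days=7),    # bd7's "say a week"
        "address_change": timedelta(days=14),   # the credit union's "couple of weeks"
        "new_payee": timedelta(days=3),         # constructed value
    })


def recent_sensitive_events(events, requested_at, policy):
    """Events whose cooldown window still covers the moment of the transfer request."""
    out = []
    for e in events:
        window = policy.cooldowns.get(e.kind, timedelta(0))
        age = requested_at - e.at
        if timedelta(0) <= age <= window:
            out.append(e)
    return out


def evaluate_transfer(amount: float, requested_at: datetime, events, policy: CustomerPolicy):
    """Return (Decision, reason). An address change blocks outgoing transfers outright
    during its cooldown; otherwise a large amount inside any other cooldown is held for
    step-up, a large amount outside one is merely alerted on, and small amounts pass."""
    recent = recent_sensitive_events(events, requested_at, policy)
    if any(e.kind == "address_change" for e in recent):
        return Decision.HOLD_STEP_UP, "outgoing transfer during address-change cooldown"
    if amount >= policy.alert_threshold:
        if recent:
            kinds = ", ".join(sorted({e.kind for e in recent}))
            return Decision.HOLD_STEP_UP, f"{amount:.2f} at or above threshold within cooldown after {kinds}"
        return Decision.ALERT, f"{amount:.2f} at or above the customer's alert threshold"
    return Decision.ALLOW, "below threshold and no recent sensitive change"


if __name__ == "__main__":
    # Constructed timeline: password reset by SMS OTP, then a large transfer 90 minutes later.
    policy = CustomerPolicy(alert_threshold=5000.0)
    reset = SensitiveEvent("password_reset", datetime(2024, 9, 1, 10, 0), channel="sms_otp")
    print(evaluate_transfer(9000.0, datetime(2024, 9, 1, 11, 30), [reset], policy))
    print(evaluate_transfer(9000.0, datetime(2024, 9, 20, 11, 30), [reset], policy))
```

Because the threshold lives in the customer's policy object rather than in the institution's code, the smaller-balance customer from the earlier discussion can set it low without forcing the same value on everyone, and the cooldown table is where a reviewer would look to see which credential or contact changes the institution treats as risky.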