Account security - Hackers gain access to mobile and then break havoc

lotusflower
Posts: 136
Joined: Thu Oct 24, 2013 12:32 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lotusflower » Thu Sep 21, 2017 1:15 pm

URSnshn wrote:
Thu Sep 21, 2017 12:12 pm
Being hacked is a risk, and you need to have a sense of risk.

Great question! What is the risk? This is pretty much the question I asked myself this morning - what is the risk? How to assess it?
I guess the easiest way to assess the risk is to look at what happened the last time nearly every adult American with a credit card had all of their SSN/DL/vital information breached. Well, since that never happened, I'm not sure how you can assess it. It's like assessing earthquake risk: wildly inaccurate and not terribly useful. At least once you know you live in a fault zone, no one can tell you how likely the next big one will be. You're either as ready as you can be, or you have some more work to do.

And financially we all just got dumped into the fault zone.
Last edited by lotusflower on Thu Sep 21, 2017 1:16 pm, edited 1 time in total.

btenny
Posts: 4418
Joined: Sun Oct 07, 2007 6:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by btenny » Thu Sep 21, 2017 3:21 pm

WOW. You people have convinced me it is pretty easy for hackers to clone my phone and find out my email address. Then with those two sets of data they can use that and the Equifax data (name, SSN number, DOB and maybe a credit card number as well) to revise my passwords for both those accounts. So then they will have total control over my email and my phone. And then with those things can they dig around in my email and find my banking and investment companies? I am guessing this is not that hard so far if they bought the Equifax data.

But they still do not have my brokerage account number or names or passwords. So they have to get someone at those institutions to tell them those accounts names and let them reset those passwords as well. Am I missing that this will still be hard?

Please advise.......

davebo
Posts: 785
Joined: Wed Dec 17, 2008 12:02 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by davebo » Thu Sep 21, 2017 3:44 pm

jalbert wrote:
Mon Sep 18, 2017 5:00 pm
Is your email address pretty much central to all of these hacks? If they can't access that, then are they out of luck? If so, changing the 2FA on Gmail to backup codes or authenticator would solve the problem?
That would only address email vulnerability on a phone if the phone email client app did a 2FA every time you accessed your email. Most or all do not do this. In fact they rarely re-authenticate at all.
Are you saying that phones don't go through any kind of 2-factor auth process when you set up email? I don't believe I've set up email on a phone that has had 2-factor auth, so I haven't done it recently. Or I might've disabled it temporarily and then set it up again after the email was established.

BlueEars
Posts: 3592
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: Account security - Hackers gain access to mobile and then break havoc

Post by BlueEars » Sat Sep 23, 2017 9:16 am

The OP mentioned using TMobile which is also my provider. T-Mobile now allows a complex password so it does not have to be associated with your SS number. The PW can be something like SILLY4563 and is for verbal ID only. Maybe this is all the OP would have needed to prevent the original hack.

Thoughts?

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 10:17 am

btenny wrote:
Thu Sep 21, 2017 3:21 pm
WOW. You people have convinced me it is pretty easy for hackers to clone my phone and find out my email address. Then with those two sets of data they can use that and the Equifax data (name, SSN number, DOB and maybe a credit card number as well) to revise my passwords for both those accounts. So then they will have total control over my email and my phone. And then with those things can they dig around in my email and find my banking and investment companies? I am guessing this is not that hard so far if they bought the Equifax data.

But they still do not have my brokerage account number or names or passwords. So they have to get someone at those institutions to tell them those accounts names and let them reset those passwords as well. Am I missing that this will still be hard?

Please advise.......
Will someone please answer this?

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......

BlueEars
Posts: 3592
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: Account security - Hackers gain access to mobile and then break havoc

Post by BlueEars » Sat Sep 23, 2017 10:48 am

2015 wrote:
Sat Sep 23, 2017 10:17 am
....

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......
From my experience with VG, the reps are meticulous at verifying ID's. As you mentioned there are several security settings that let us help the process along:
1) Voice ID
2) Strong passwords
3) 2FA required if logging in from a different device than normal
4) gibberish security question answers
5) phone in password (if somehow Voice ID were not operative)

Finally as a VG rep once pointed out, it is not easy to move money outside the VG accounts. There are various controls in place to make this secure.

For those of us who have taken some pretty modest security steps, I think the social engineering issue is not so worrisome.

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 11:15 am

BlueEars wrote:
Sat Sep 23, 2017 10:48 am
2015 wrote:
Sat Sep 23, 2017 10:17 am
....

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......
From my experience with VG, the reps are meticulous at verifying ID's. As you mentioned there are several security settings that let us help the process along:
1) Voice ID
2) Strong passwords
3) 2FA required if logging in from a different device than normal
4) gibberish security question answers
5) phone in password (if somehow Voice ID were not operative)

Finally as a VG rep once pointed out, it is not easy to move money outside the VG accounts. There are various controls in place to make this secure.

For those of us who have taken some pretty modest security steps, I think the social engineering issue is not so worrisome.
Thanks for the quick response! I have all of the above except for #5. I don't see anywhere on the VG website a phone in password option (as an alternative to Voice ID). Under the Security Profile, I see the Security Code, Key and Questions options but nothing about a phone in password. Am I missing something?

btenny
Posts: 4418
Joined: Sun Oct 07, 2007 6:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by btenny » Sat Sep 23, 2017 11:28 am

Many of us hold our investment stuff in other brokerages like Wells Fargo or Fidelity or Scottrade. So the rules are different. So I guess I will have to get mine on the phone and play twenty security questions that they will not want to answer. Fun.....

VictoriaF
Posts: 18107
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Account security - Hackers gain access to mobile and then break havoc

Post by VictoriaF » Sat Sep 23, 2017 12:07 pm

2015 wrote:
Sat Sep 23, 2017 11:15 am
BlueEars wrote:
Sat Sep 23, 2017 10:48 am
2015 wrote:
Sat Sep 23, 2017 10:17 am
....

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......
From my experience with VG, the reps are meticulous at verifying ID's. As you mentioned there are several security settings that let us help the process along:
1) Voice ID
2) Strong passwords
3) 2FA required if logging in from a different device than normal
4) gibberish security question answers
5) phone in password (if somehow Voice ID were not operative)

Finally as a VG rep once pointed out, it is not easy to move money outside the VG accounts. There are various controls in place to make this secure.

For those of us who have taken some pretty modest security steps, I think the social engineering issue is not so worrisome.
Thanks for the quick response! I have all of the above except for #5. I don't see anywhere on the VG website a phone in password option (as an alternative to Voice ID). Under the Security Profile, I see the Security Code, Key and Questions options but nothing about a phone in password. Am I missing something?
When I go away for more than a couple weeks, without electronic communications and access to my paper mail, I create a web lock at Vanguard. That ensures that no one, even I, can gain access to my account until I unlock it.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

BlueEars
Posts: 3592
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: Account security - Hackers gain access to mobile and then break havoc

Post by BlueEars » Sat Sep 23, 2017 12:10 pm

2015 wrote:
Sat Sep 23, 2017 11:15 am
BlueEars wrote:
Sat Sep 23, 2017 10:48 am
2015 wrote:
Sat Sep 23, 2017 10:17 am
....

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......
From my experience with VG, the reps are meticulous at verifying ID's. As you mentioned there are several security settings that let us help the process along:
1) Voice ID
2) Strong passwords
3) 2FA required if logging in from a different device than normal
4) gibberish security question answers
5) phone in password (if somehow Voice ID were not operative)

Finally as a VG rep once pointed out, it is not easy to move money outside the VG accounts. There are various controls in place to make this secure.

For those of us who have taken some pretty modest security steps, I think the social engineering issue is not so worrisome.
Thanks for the quick response! I have all of the above except for #5. I don't see anywhere on the VG website a phone in password option (as an alternative to Voice ID). Under the Security Profile, I see the Security Code, Key and Questions options but nothing about a phone in password. Am I missing something?
The phone in password was what I used when Voice ID was not available. Perhaps now it is redundant but I've kept it "just in case". You can set this by calling into a VG rep.

BlueEars
Posts: 3592
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: Account security - Hackers gain access to mobile and then break havoc

Post by BlueEars » Sat Sep 23, 2017 12:17 pm

VictoriaF wrote:
Sat Sep 23, 2017 12:07 pm
...
When I go away for more than a couple weeks, without electronic communications and access to my paper mail, I create a web lock at Vanguard. That ensures that no one, even I, can gain access to my account until I unlock it.

Victoria
Victoria, hadn't heard of this option. Do you set it via the web? Can you override the lock by calling in to VG to make a transaction? I am guessing to unset it you would have to call in to a rep?

We recently went away for a month but I had to make one transaction by phone which is the first time in decades I had to do this. Incidentally Voice ID worked very well from Europe and I could even call in via the VG 800 number.

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 12:41 pm

So is this the answer? If one uses Yubikey, has no phone number as a reset option on the dedicated financial accounts gmail, uses Authenticator (and Backup Codes from Google as backup), this will secure the dedicated financial accounts gmail, no?

https://techsolidarity.org/resources/se ... ey_faq.htm

Why do you say it's bad to have a phone number on my account?

Many sites encourage you to add your phone number to secure your account. But there are at least three reasons why you should avoid using text messages for two-factor authentication.

Your phone number can be easily hijacked by someone who calls the phone company and pretends to be you.
The text message can be viewed or redirected while en route to your phone.
Many phones are configured to display text messages on the lock screen.
If text messages are the only way to add two-factor authentication to your account, they are better than nothing. But if you can use an alternative method, like an authenticator app or a security key, use that instead.
I know this doesn't solve the VG required SMS backup, but using the steps in prior posts above (i.e., Voice Authentication, nonsensical security answers, etc.) this should come as close as possible to thwarting social engineering, no?


https://techsolidarity.org/resources/se ... gmail.htm
Why is a security key more secure than an authenticator app?

An authenticator app lives on your phone and generates a time-based numerical code. It is a better second factor than text messaging, but not as good as a security key. An attacker who tricks you into entering your password and an authenticator code into a website they control can get into your email account. This is not the case if you log in using a security key.

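The quoted FAQ says a phishing page can pass along a password plus an authenticator code but not a security-key login. The Python below is an added example, not part of this thread or the linked FAQ, showing why: a TOTP code is just six digits valid for a 30-second window, so an attacker who sees it can replay it to the real site, whereas a FIDO2/WebAuthn assertion is signed over client data in which the browser (not the phishing page) records the origin, and the relying party rejects any origin but its own. Assumptions of the example: the relying party `mail.example` and its origin are hypothetical, the seeds and timestamps are constructed, and an HMAC over the same bytes a real authenticator signs stands in for the authenticator's private-key signature.

```python
"""Added example: why a phishing relay works against TOTP but not a security key.
All names, keys, timestamps and the relying party are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp_server_accepts(secret: bytes, code: str, now: int) -> bool:
    """Server-side check: current window plus one on each side for clock drift."""
    return any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))


def phish_totp() -> bool:
    """Phishing page collects the code; attacker relays it to the real site."""
    shared_secret = b"constructed-totp-seed-0123456789"   # enrolled in the user's app
    now = 1_506_180_000                                    # constructed timestamp
    code_typed_into_phish_page = totp(shared_secret, now)
    # Five seconds later the attacker submits it to the real site: still valid.
    return totp_server_accepts(shared_secret, code_typed_into_phish_page, now + 5)


# ---------- Security key (WebAuthn assertion, simplified) ----------

RP_ORIGIN = "https://mail.example"   # hypothetical relying party
RP_ID = "mail.example"


def _auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (user-presence bit) || signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def authenticator_get(key: bytes, rp_id: str, browser_origin: str, challenge: str):
    """What browser + key produce. The browser writes origin into clientData;
    the page that triggered the request cannot choose it. HMAC stands in for ECDSA."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    auth_data = _auth_data(rp_id)
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return auth_data, client_data, sig


def rp_verify(key: bytes, expected_challenge: str, auth_data: bytes,
              client_data: bytes, sig: bytes) -> bool:
    """Relying-party checks, abridged from the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:          # fresh challenge, no replay
        return False
    if cd.get("origin") != RP_ORIGIN:                      # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def phish_security_key() -> dict:
    key = b"constructed-credential-private-key"
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(16)).decode()
    phish_origin = "https://mail-example-login.test"        # attacker's page, constructed

    # Legitimate login from the real origin: accepted.
    legit = rp_verify(key, challenge, *authenticator_get(key, RP_ID, RP_ORIGIN, challenge))

    # Relay: attacker fetches a real challenge, shows it on the phishing page, the victim
    # taps the key. (A real browser would refuse outright, since mail.example is not a
    # suffix of the phishing origin; even ignoring that, clientData carries the wrong origin.)
    auth_data, client_data, sig = authenticator_get(key, RP_ID, phish_origin, challenge)
    relayed = rp_verify(key, challenge, auth_data, client_data, sig)

    # Tampering: rewrite origin to the real one; the signature covers clientData, so it fails.
    forged = json.dumps({**json.loads(client_data), "origin": RP_ORIGIN}, sort_keys=True).encode()
    tampered = rp_verify(key, challenge, auth_data, forged, sig)

    return {"legitimate": legit, "relayed": relayed, "tampered": tampered}
```

The two halves differ in one thing the user never sees: the TOTP code carries no information about where it was typed, while the assertion is bound to the origin the browser observed and to a challenge the relying party issued once.
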
Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Mudpuppy » Sat Sep 23, 2017 12:50 pm

2015 wrote:
Sat Sep 23, 2017 10:17 am
Will someone please answer this?

I'm also failing to see how someone could social engineer information for a site like Vanguard if one has set up telephone voice identification authorization. Additionally, if one has set up gibberish security question answers, security phrases, etc., how would it be possible to socially engineer a CSR into providing vital information if the hacker doesn't know the answers but also does not have login/pw/pin number, etc. credentials?

Please advise.......
Folks aren't talking specifically about Vanguard. They're talking about accounts in general across a wide array of companies. Think of the account security of your local credit union or regional bank. It's probably nowhere near as robust as the security measures at Vanguard. For example, the main credit union in my area used to embed SSNs in their online banking URLs and didn't see how it was a problem when I contacted them about it, up until they changed software about half a decade back. These are not places used to having to employ sophisticated user verification methods and they're ripe for the picking by someone with a good deal of harvested information.

ThereAreNoGurus
Posts: 92
Joined: Fri Jan 24, 2014 11:41 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ThereAreNoGurus » Sat Sep 23, 2017 1:07 pm

I know this doesn't solve the VG required SMS backup, but using the steps in prior posts above (i.e., Voice Authentication, nonsensical security answers, etc.) this should come as close as possible to thwarting social engineering, no?
With respect to Vanguard, I would not worry about SMS as a backup if you have Voice Authentication and are using Yubikey.

I've been told you would have to pass Voice Authentication before they reset any options allowing one to use SMS codes as part of a login procedure.

ETA: And if you want to go really crazy you can restrict login to specific devices.

friareye
Posts: 15
Joined: Sun Feb 26, 2017 9:06 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by friareye » Sat Sep 23, 2017 1:10 pm

I read this thread when it started, and just now caught up, albeit quickly.

Is this too simple to work... or at least slow down... a hack?

1--Leave cell provider with whatever email you used.
2--Create new unique email.
3--Change all contact info for financials to new email, delete phone number (if possible).
4--Leave cell provider with same original address.

So if a hacker gets the cell number and then the email address, at least they cannot access the rest of the accounts... but thinking as I type this, you would have to delete your entire established history cache in your old email (otherwise account details could be mined).

So new plan... create 2 new emails: one for cell provider, another for financials.
That way new email attached to cell provider has no history content.
Thoughts?

ThereAreNoGurus
Posts: 92
Joined: Fri Jan 24, 2014 11:41 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ThereAreNoGurus » Sat Sep 23, 2017 1:19 pm

I read this thread when it started, and just now caught up, albeit quickly.

Is this too simple to work... or at least slow down... a hack?

1--Leave cell provider with whatever email you used.
2--Create new unique email.
3--Change all contact info for financials to new email, delete phone number (if possible).
4--Leave cell provider with same original address.

So if a hacker gets the cell number and then the email address, at least they cannot access the rest of the accounts... but thinking as I type this, you would have to delete your entire established history cache in your old email (otherwise account details could be mined).

So new plan... create 2 new emails: one for cell provider, another for financials.
That way new email attached to cell provider has no history content.
Thoughts?
That approach seems like a lot of trouble to me. I use gmail with Google Authenticator (Authy is another choice). It seems quite unlikely your account will be hacked with it, and I don't think Google is stupid enough to remove 2FA from your gmail when the rep sees 2FA is established. So even if your password were reset, hackers could not log in.

J G Bankerton
Posts: 41
Joined: Thu Sep 14, 2017 3:30 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by J G Bankerton » Sat Sep 23, 2017 1:32 pm

ThereAreNoGurus wrote:
Sat Sep 23, 2017 1:07 pm
And if you want to go really crazy you can restrict login to specific devices.
Don't sign up for Internet access; do it all by paper.

ThereAreNoGurus
Posts: 92
Joined: Fri Jan 24, 2014 11:41 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by ThereAreNoGurus » Sat Sep 23, 2017 1:35 pm

Haha... yes, one can do that.

But, then you should have your paper come to a PO Box in case your home mailbox is hacked. ;-)

VictoriaF
Posts: 18107
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Account security - Hackers gain access to mobile and then break havoc

Post by VictoriaF » Sat Sep 23, 2017 1:46 pm

BlueEars wrote:
Sat Sep 23, 2017 12:17 pm
VictoriaF wrote:
Sat Sep 23, 2017 12:07 pm
...
When I go away for more than a couple weeks, without electronic communications and access to my paper mail, I create a web lock at Vanguard. That ensures that no one, even I, can gain access to my account until I unlock it.

Victoria
Victoria, hadn't heard of this option. Do you set it via the web? Can you override the lock by calling in to VG to make a transaction? I am guessing to unset it you would have to call in to a rep?

We recently went away for a month but I had to make one transaction by phone which is the first time in decades I had to do this. Incidentally Voice ID worked very well from Europe and I could even call in via the VG 800 number.
BlueEars,

I call Vanguard to place a web lock and I call again to remove it. When I first went to the Camino I was concerned that in two months of my absence someone could empty my Vanguard account and upon return, I would just find several Vanguard warning letters. I called Vanguard and they advised me on several options. I think it's a good idea to do every time you leave for a long time.

I was not carrying any communications devices with me on the Camino. But even if I did, I would be reluctant to use public WiFi in Spanish albergues and bars to access my financial accounts.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

VictoriaF
Posts: 18107
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Account security - Hackers gain access to mobile and then break havoc

Post by VictoriaF » Sat Sep 23, 2017 1:51 pm

Mudpuppy wrote:
Sat Sep 23, 2017 12:50 pm
Folks aren't talking specifically about Vanguard. They're talking about accounts in general across a wide array of companies. Think of the account security of your local credit union or regional bank. It's probably nowhere near as robust as the security measures at Vanguard. For example, the main credit union in my area used to embed SSNs in their online banking URLs and didn't see how it was a problem when I contacted them about it, up until they changed software about half a decade back. These are not places used to having to employ sophisticated user verification methods and they're ripe for the picking by someone with a good deal of harvested information.
It's probably a good reason for keeping the bulk of one's money in more sophisticated financial institutions. A local or online credit union may offer slightly better rates, but the flip side is losing one's assets.

I am rethinking some of my financial activities. I don't enjoy opening accounts to get a $200 bonus, but I've done it a few times because otherwise I felt as if I were losing easy money. My new thinking is that I may lose the entire account to a breach. This helps me not to do what I do not want to do anyway.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

J G Bankerton
Posts: 41
Joined: Thu Sep 14, 2017 3:30 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by J G Bankerton » Sat Sep 23, 2017 1:54 pm

ThereAreNoGurus wrote:
Sat Sep 23, 2017 1:35 pm
Haha... yes, one can do that.

But, then you should have your paper come to a PO Box in case your home mailbox is hacked. ;-)
That would take longer than hitting the any key. Pushing a few buttons on a keyboard can transfer my entire life savings in the blink of an eye. The only ID hack I ever had was when someone printed a check with my name and account number and tried to cash it. The bank called me before they cashed it and the rest is on COPS.

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 2:24 pm

ThereAreNoGurus wrote:
Sat Sep 23, 2017 1:19 pm
I read this thread when it started, and just now caught up, albeit quickly.

Is this too simple to work... or at least slow down... a hack?

1--Leave cell provider with whatever email you used.
2--Create new unique email.
3--Change all contact info for financials to new email, delete phone number (if possible).
4--Leave cell provider with same original address.

So if a hacker gets the cell number and then the email address, at least they cannot access the rest of the accounts... but thinking as I type this, you would have to delete your entire established history cache in your old email (otherwise account details could be mined).

So new plan... create 2 new emails: one for cell provider, another for financials.
That way new email attached to cell provider has no history content.
Thoughts?
That approach seems like a lot of trouble to me. I use gmail with Google Authenticator (Authy is another choice). It seems quite unlikely your account will be hacked with it, and I don't think Google is stupid enough to remove 2FA from your gmail when the rep sees 2FA is established. So even if your password were reset, hackers could not log in.
This is why I made the post with the links above, as the suggestion is to use a combination of Yubikey, Authenticator, and Google Backup Codes to secure the dedicated financial gmail account. Per the link, after establishing Yubikey, Authenticator, and Google Backup Codes as 2FA, you go back and remove your phone number from your dedicated financial gmail account, which is your reset email account. Thus, hackers are unable to do financial account resets with this gmail set as the reset email account (versus a phone number). So even if they are able to somehow port your phone, they are unable to gain access to your reset email. It seems like a simple way to secure the dedicated financial account, which would also contain all of your alerts in the event someone did use social engineering to hack a less secure financial account.

Regarding cache history, as I've posted previously, I do all financial transactions, to include interactions with my phone carrier, in Avast's Banking Mode. It acts as a computer within a computer, and once all transactions are completed, you can clear browser history and once the Mode is closed, the entire session vanishes as if it never happened.

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 2:37 pm

VictoriaF wrote:
Sat Sep 23, 2017 1:51 pm
Mudpuppy wrote:
Sat Sep 23, 2017 12:50 pm
Folks aren't talking specifically about Vanguard. They're talking about accounts in general across a wide array of companies. Think of the account security of your local credit union or regional bank. It's probably nowhere near as robust as the security measures at Vanguard. For example, the main credit union in my area used to embed SSNs in their online banking URLs and didn't see how it was a problem when I contacted them about it, up until they changed software about half a decade back. These are not places used to having to employ sophisticated user verification methods and they're ripe for the picking by someone with a good deal of harvested information.
It's probably a good reason for keeping the bulk of one's money in more sophisticated financial institutions. A local or online credit union may offer slightly better rates, but the flip side is losing one's assets.

I am rethinking some of my financial activities. I don't enjoy opening accounts to get a $200 bonus, but I've done it a few times because otherwise I felt as I was losing easy money. My new thinking is that I may lose the entire account to a breach. This helps me not to do what I do not want to do anyway.

Victoria
Another argument for the simplicity of consolidating one's accounts?

I just called and asked an Ally Bank CSR what would happen if someone called in, had all of my personally identifying information via the Equifax breach, told a very sad story like my password manager with all my logins, passwords, gibberish security questions, pass code, secret phrase, and even my pin number were lost in the Houston flood, of which I was a victim who had lost everything and had no money. She told me if I had none of the account information she would have to pass me on to another department where they would verify I was calling from the telephone number they have listed. I then asked her what would happen if my phone number had been ported and it looked like I was calling from my own phone. She told me in truth I wouldn't be able to access my account. She said just this morning, someone had called in, posing as the mother of an individual who had lost all his information in a brief case on one of the islands during the latest hurricane and needed money. She told me, as heartless as it sounds, she told the mother she was unable to grant access to the account without speaking to the account owner. I am not sure that I am reassured.

btenny
Posts: 4418
Joined: Sun Oct 07, 2007 6:47 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by btenny » Sat Sep 23, 2017 3:35 pm

Actually this kind of stuff is exactly why you should have money in two completely different brokerages. That way if some hacker is able to break in one place you still have some money elsewhere. So you can still do banking while you sort out the other issues.

Good luck

VictoriaF
Posts: 18107
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Account security - Hackers gain access to mobile and then break havoc

Post by VictoriaF » Sat Sep 23, 2017 4:24 pm

2015 wrote:
Sat Sep 23, 2017 2:37 pm
Another argument for the simplicity of consolidating one's accounts?

I just called and asked an Ally Bank CSR ...
I agree, and thank you for the Ally discussion.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Mudpuppy » Sat Sep 23, 2017 4:25 pm

2015 wrote:
Sat Sep 23, 2017 2:24 pm
Regarding cache history, as I've posted previously, I do all financial transactions, to include interactions with my phone carrier, in Avast's Banking Mode. It acts as a computer within a computer, and once all transactions are completed, you can clear browser history and once the Mode is closed, the entire session vanishes as if it never happened.
That works great until Avast (or VMware or OpenBox or other VM providers) are compromised. We know that attackers broke into Avast CCleaner and compromised it with malware, beginning as early as the start of July. Now, CCleaner is in a different division (and is the result of a very recent acquisition) which may have made it an easier target to compromise, but it does make one think about the software one relies on. You can have the best practices in the world, and be brought down through no fault of your own if one of the software vendors is compromised. However, in the end, you have to trust something or just unplug entirely.

Press release on the CCleaner compromise: https://blog.avast.com/update-to-the-cc ... y-incident

VictoriaF
Posts: 18107
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Account security - Hackers gain access to mobile and then break havoc

Post by VictoriaF » Sat Sep 23, 2017 4:27 pm

btenny wrote:
Sat Sep 23, 2017 3:35 pm
Actually this kind of stuff is exactly why you should have money in two completely different brokerages. That way if some hacker is able to break in one place you still have some money elsewhere. So you can still do banking while you sort out the other issues.

Good luck
Two brokerages is a good compromise between having a single point of failure and having 10-12 accounts in various financial institutions, including unsophisticated ones, that at one time offered additional 0.5% on CD rates or $200 account opening bonuses.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

friareye
Posts: 15
Joined: Sun Feb 26, 2017 9:06 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by friareye » Sat Sep 23, 2017 4:50 pm

2015 wrote:
Sat Sep 23, 2017 2:37 pm

Another argument for the simplicity of consolidating one's accounts?

I just called and asked an Ally Bank CSR what would happen if someone called in, had all of my personally identifying information via the Equifax breach, told a very sad story like my password manager with all my logins, passwords, gibberish security question, pass code, secret phrase, and even my PIN number were lost in the Houston flood, of which I was a victim who had lost everything and had no money. She told me if I had none of the account information she would have to pass me on to another department where they would verify I was calling from the telephone number they have listed. I then asked her what would happen if my phone number had been ported and it looked like I was calling from my own phone. She told me in truth I wouldn't be able to access my account. She said just this morning, someone had called in, posing as the mother of an individual who had lost all his information in a briefcase on one of the islands during the latest hurricane and needed money. She told me, as heartless as it sounds, she told the mother she was unable to grant access to the account without speaking to the account owner. I am not sure that I am reassured.
I wonder how that would have played out differently had the caller impersonated the account owner instead of the mother.

wrongfunds
Posts: 1590
Joined: Tue Dec 21, 2010 3:55 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by wrongfunds » Sat Sep 23, 2017 4:53 pm

Almost every financial institution that I called was honest enough to agree with me that setting up a strong password for telephone authentication did not buy me anything, because most customers tend to forget it and then the rep goes through his list of questions to qualify the call.

Once again, it is NOT the default access method which needs to be beefed up but rather the protocol that is used when a customer claims to have forgotten the password. Heck, there was a mutual fund which I never remembered giving an email address, but the rep told me they had one on file. For the life of me, I could not remember the email address but was able to remove it from my account over the phone. Thankfully, the rep never disclosed the forgotten email address.

All of the calls that I made were done from my home phone which was listed in the account but from what I know, spoofing caller id is trivial for hackers.

The Equifax breach has essentially destroyed the security landscape completely. We have to get to biometric security with zero fallback if we want to seriously counter the Equifax breach. It will take a while before everybody understands the severity of what has happened. We will need the RFID chip identification implanted in our head at birth.

Then hackers will break that system once it is widely implemented :-)

randomizer
Posts: 1249
Joined: Sun Jul 06, 2014 3:46 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by randomizer » Sat Sep 23, 2017 5:41 pm

lazydavid wrote:
Thu Sep 14, 2017 3:13 pm
For services that allow TOTP (Time-Based One-Time Passcode), ALWAYS choose that option instead of SMS or email. They will show you a QR code one time, you take a picture of it using an authenticator app on your phone--there are tons of these, from Google, MS, etc--and from then forward your phone generates the passcodes locally, which change every 30 seconds. The service never needs to deliver a code to you for your second factor, so the transmission medium cannot be hijacked. You can import an unlimited number of accounts into a single app. Here's Google Authenticator with three accounts:

Image
If only Vanguard did TOTP.
75:25 AA / Expected retirement: 2097

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 7:36 pm

Mudpuppy wrote:
Sat Sep 23, 2017 4:25 pm
2015 wrote:
Sat Sep 23, 2017 2:24 pm
Regarding cache history, as I've posted previously, I do all financial transactions, to include interactions with my phone carrier, in Avast's Banking Mode. It acts as a computer within a computer, and once all transactions are completed, you can clear browser history and once the Mode is closed, the entire session vanishes as if it never happened.
That works great until Avast (or VMware or OpenBox or other VM providers) are compromised. We know that attackers broke into Avast CCleaner and compromised it with malware, beginning as early as the start of July. Now, CCleaner is in a different division (and is the result of a very recent acquisition) which may have made it an easier target to compromise, but it does make one think about the software one relies on. You can have the best practices in the world, and be brought down through no fault of your own if one of the software vendors is compromised. However, in the end, you have to trust something or just unplug entirely.

Press release on the CCleaner compromise: https://blog.avast.com/update-to-the-cc ... y-incident
Yea, I read all about that. And I agree, in the end, you have to trust something or just unplug entirely.

2015
Posts: 1412
Joined: Mon Feb 10, 2014 2:32 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by 2015 » Sat Sep 23, 2017 7:41 pm

friareye wrote:
Sat Sep 23, 2017 4:50 pm
2015 wrote:
Sat Sep 23, 2017 2:37 pm

Another argument for the simplicity of consolidating one's accounts?

I just called and asked an Ally Bank CSR what would happen if someone called in, had all of my personally identifying information via the Equifax breach, told a very sad story like my password manager with all my logins, passwords, gibberish security question, pass code, secret phrase, and even my PIN number were lost in the Houston flood, of which I was a victim who had lost everything and had no money. She told me if I had none of the account information she would have to pass me on to another department where they would verify I was calling from the telephone number they have listed. I then asked her what would happen if my phone number had been ported and it looked like I was calling from my own phone. She told me in truth I wouldn't be able to access my account. She said just this morning, someone had called in, posing as the mother of an individual who had lost all his information in a briefcase on one of the islands during the latest hurricane and needed money. She told me, as heartless as it sounds, she told the mother she was unable to grant access to the account without speaking to the account owner. I am not sure that I am reassured.
I wonder how that would have played out differently had the caller impersonated the account owner instead of the mother.
My thoughts exactly. OTOH, I'm going to go with the Yubikey/Authenticator/Back Up Codes approach I linked above. After I set this up and remove the phone number from the gmail for dedicated financial accounts, I intend to restrict reset options on all my accounts to the gmail account. Even if they port my phone, they will be unable to reset any accounts. I haven't done this yet, am still getting my head around it, and will report back if I encounter issues with restricting PW reset options to the hardened gmail account.

fnmix
Posts: 188
Joined: Sun Sep 09, 2012 4:50 pm
Location: Northern California

Re: Account security - Hackers gain access to mobile and then break havoc

Post by fnmix » Sat Sep 23, 2017 11:02 pm

Or one can have one well defended account for each major financial use case. For example:
- Bank account with large bank for CDs/savings/checking; with enough funds to go 6mos - 1yr (2fa, strong passwords etc)
- Account with major brokerage firm for all retirement savings (2fa, strong passwords etc)
- House that is 100% owned (no debt - which is the defense in this case)

I bring up the last item above because if one is majorly hacked and most of one's liquid asset accounts are compromised, any debt on the house may go unserviced or require significant effort to set straight in parallel with dealing with the hack of the liquid asset accounts.

Personally, I am paying down my house mortgage for other reasons, but the simplicity and security of owning one's house was a factor as well.
VictoriaF wrote:
Sat Sep 23, 2017 4:27 pm
btenny wrote:
Sat Sep 23, 2017 3:35 pm
Actually this kind of stuff is exactly why you should have money in two completely different brokerages. That way if some hacker is able to break in one place you still have some money elsewhere. So you can still do banking while you sort out the other issues.

Good luck
Two brokerages is a good compromise between having a single point of failure and having 10-12 accounts in various financial institutions, including unsophisticated ones, that at one time offered additional 0.5% on CD rates or $200 account opening bonuses.

Victoria

letsgobobby
Posts: 11197
Joined: Fri Sep 18, 2009 1:10 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by letsgobobby » Thu Oct 19, 2017 8:57 am

VictoriaF wrote:
Sat Sep 23, 2017 4:27 pm
btenny wrote:
Sat Sep 23, 2017 3:35 pm
Actually this kind of stuff is exactly why you should have money in two completely different brokerages. That way if some hacker is able to break in one place you still have some money elsewhere. So you can still do banking while you sort out the other issues.

Good luck
Two brokerages is a good compromise between having a single point of failure and having 10-12 accounts in various financial institutions, including unsophisticated ones, that at one time offered additional 0.5% on CD rates or $200 account opening bonuses.

Victoria
In part because of employment, in part because of tax reasons, I cannot reasonably reduce our institution count below 4 investment, 2 bank, and 3 529. Our actual number is higher than that but am I materially safer with 9 institutions rather than 14? With the exception of our credit unions they're all large institutions but I don't know that I feel any better for that.

Yankuba
Posts: 62
Joined: Wed Dec 07, 2016 10:45 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Yankuba » Thu Oct 19, 2017 9:09 am

I put a PIN on my Verizon account - I was under the impression that when you request service on your account in person or over the phone you have to provide the PIN and/or identification.

My phone died this weekend. I went into the local Verizon store, handed over my driver's license and bought a new phone. I told the representative I have a PIN on the account and he looked at me like I had two heads. My number went from the old phone to the new phone without any problems.

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 9:23 am

davebo wrote:
Sun Sep 17, 2017 7:01 pm
Is your email address pretty much central to all of these hacks? If they can't access that, then are they out of luck? If so, changing the 2FA on Gmail to backup codes or authenticator would solve the problem?
I believe that even if you have 2FA on Gmail with backup codes or an authenticator app, you still have the option of selecting "Use another method" of getting the code and then telling Google to send the code by SMS text to your phone number.

https://www.google.com/landing/2step/features.html

Am I correct about that?

Update: It appears that you can disable SMS texts to your phone as an option for sending codes when someone tries to change your password in the Google account security section at myaccount.google.com under the heading 2 step verification. I think that if you disable SMS by removing a number from your account, it can no longer be used to send a code to change your google password.
Last edited by mptfan on Thu Oct 19, 2017 10:01 am, edited 3 times in total.

lazydavid
Posts: 1528
Joined: Wed Apr 06, 2016 1:37 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by lazydavid » Thu Oct 19, 2017 9:31 am

J G Bankerton wrote:
Sat Sep 23, 2017 1:32 pm
Don't sign up for Internet access, do it all by paper.
Depending on how the institution handles their online accounts, this is almost definitely WORSE. Just because you haven't signed up for online access, doesn't mean the bad guy can't do it on your behalf, if he has enough information to do so--and thanks to Equifax, he probably does. Then he doesn't even have to guess your password, because he can just make up whatever password he wants.

In a way, this is similar to the nonsense I hear from people who don't sign the back of their credit cards--"If my card gets stolen and isn't signed, then the bad guy can't forge my signature". True, because he won't have to--he can just sign it himself, and then of course the signature will match when he goes to use it.

If you can get the institution to lock your account so it's impossible to register for online access, that would be a defense. But I don't know how many companies offer that.

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 10:12 am

ThereAreNoGurus wrote:
Sat Sep 23, 2017 1:19 pm
I use gmail with google Authenticator (Authy is another choice). It seems quite unlikely your account will be hacked with it and I don't think google is stupid enough to remove 2FA from your gmail when the rep sees 2FA is established. So even if your password were reset, hackers could not log in.
That's not necessarily true. Even if you have 2FA set up on your Google account using the google authenticator app, it is likely that there are also other ways that you (or someone pretending to be you) can get an authentication code to access your gmail and change your password, and that may include getting a code sent by SMS text.

Try this...type myaccount.google.com into your browser and go to the security checkup section and then review your 2 step verification settings (you will have to enter your google password again to review the settings). You will then see a list of ways that you can get your verification code, the google authenticator app method will likely be listed, along with the google prompt method (if you set that up)...this is important...do you also see the option of sending an SMS message to your phone number?? If so, that means if you (or someone pretending to be you) tried to change your password, they can claim that they don't have access to the authenticator app, and they will be given the option of "select another method" or some similar message to allow them to get the code by SMS and bypass your google authenticator app completely.

So, someone who knows your email address and hacks your phone number can now take over your gmail account and lock you out. Now all of your financial account notifications by either email or text go to the hacker and not you.
Last edited by mptfan on Thu Oct 19, 2017 10:37 am, edited 3 times in total.

Sandtrap
Posts: 4411
Joined: Sat Nov 26, 2016 6:32 pm
Location: Hawaii😀 Northern AZ.😳

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Sandtrap » Thu Oct 19, 2017 10:19 am

I recently had my Discover credit card hacked. The address was changed. Password. Everything.
If not for a call from an unknown East Coast vendor to verify a purchase of strange items I would not have known. (I live in the Southwest.)
I have no idea how they did it. :shock:

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 10:36 am

Sandtrap wrote:
Thu Oct 19, 2017 10:19 am
I recently had my Discover credit card hacked. The address was changed. Password. Everything.
If not for a call from an unknown East Coast vendor to verify a purchase of strange items I would not have known. (I live in the Southwest.)
I have no idea how they did it. :shock:
So did you get it resolved? If so, how?

Sandtrap
Posts: 4411
Joined: Sat Nov 26, 2016 6:32 pm
Location: Hawaii😀 Northern AZ.😳

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Sandtrap » Thu Oct 19, 2017 10:39 am

mptfan wrote:
Thu Oct 19, 2017 10:36 am
Sandtrap wrote:
Thu Oct 19, 2017 10:19 am
I recently had my Discover credit card hacked. The address was changed. Password. Everything.
If not for a call from an unknown East Coast vendor to verify a purchase of strange items I would not have known. (I live in the Southwest.)
I have no idea how they did it. :shock:
So did you get it resolved? If so, how?
Called Discover immediately.
Found out $2,000 purchase for pet food. $3,000 purchase for a metal detector in Louisiana.
They closed the account. Refunded the charges as "fraud alert".
Enabled additional security to make it harder for anyone to make changes to the account.

I am a bit nervous that other credit cards can have address and personal info changes by someone other than myself.
Have no idea how they gain access.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Mudpuppy » Thu Oct 19, 2017 11:08 am

Yankuba wrote:
Thu Oct 19, 2017 9:09 am
My phone died this weekend. I went into the local Verizon store, handed over my driver's license and bought a new phone. I told the representative I have a PIN on the account and he looked at me like I had two heads. My number went from the old phone to the new phone without any problems.
Did you have your old phone with you when you went to the Verizon store? In such a case, cell providers don't usually ask the security questions. They just move the LTE SIM from the old phone to the new one, and then register the new phone's IMEI / MEID / ESN (device identifiers for LTE and CDMA) on the account.

If you did not have your old phone with you, then I would recommend complaining to Verizon corporate about the lackadaisical approach to account security that was taken at the store. Trusting that a driver's license is legit is a bad thing in the modern world.

investor997
Posts: 244
Joined: Tue Feb 07, 2017 3:23 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by investor997 » Thu Oct 19, 2017 11:28 am

mptfan wrote:
Thu Oct 19, 2017 9:23 am

Update: It appears that you can disable SMS texts to your phone as an option for sending codes when someone tries to change your password in the Google account security section at myaccount.google.com under the heading 2 step verification. I think that if you disable SMS by removing a number from your account, it can no longer be used to send a code to change your google password.
You can always create a new, secret Google account along with an accompanying Google Voice number and use that as the SMS text recovery method. Google Voice numbers are impossible to port out (in theory).

The other way is you can disable SMS recovery on your Google account altogether. If you do this, make sure you select the option to save temporary one-time-use recovery codes and store them in a safe location - perhaps multiple locations, such as printed on paper, stored in your password manager's vault, etc. You can use these codes to get back into your Google account if you ever lose your phone and/or the device with the Authenticator app. Of course, if you lose everything, you're probably screwed...

Yankuba
Posts: 62
Joined: Wed Dec 07, 2016 10:45 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Yankuba » Thu Oct 19, 2017 12:31 pm

Mudpuppy wrote:
Thu Oct 19, 2017 11:08 am
Yankuba wrote:
Thu Oct 19, 2017 9:09 am
My phone died this weekend. I went into the local Verizon store, handed over my driver's license and bought a new phone. I told the representative I have a PIN on the account and he looked at me like I had two heads. My number went from the old phone to the new phone without any problems.
Did you have your old phone with you when you went to the Verizon store? In such a case, cell providers don't usually ask the security questions. They just move the LTE SIM from the old phone to the new one, and then register the new phone's IMEI / MEID / ESN (device identifiers for LTE and CDMA) on the account.

If you did not have your old phone with you, then I would recommend complaining to Verizon corporate about the lackadaisical approach to account security that was taken at the store. Trusting that a driver's license is legit is a bad thing in the modern world.
I had the old phone but they didn't inspect it or anything. They certainly didn't take the old SIM card and move it to the new phone. They activated the new phone without me giving them anything except my driver's license.

oldcomputerguy
Posts: 2810
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Account security - Hackers gain access to mobile and then break havoc

Post by oldcomputerguy » Thu Oct 19, 2017 12:36 pm

pondering wrote:
Sat Sep 16, 2017 7:07 pm
For consumers the most practical strategy is to make sure that you review your accounts every month shortly after the statement has been sent or posted.
For Fidelity customers, here's another option (that I just discovered yesterday): In the "Alerts" section you can set up a schedule to have Fidelity email you your current balances daily. It becomes trivially easy to keep an eye on your account to make sure nobody has emptied it, and it doesn't even require logging in.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 12:49 pm

investor997 wrote:
Thu Oct 19, 2017 11:28 am
You can always create a new, secret Google account along with an accompanying Google Voice number and use that as the SMS text recovery method. Google Voice numbers are impossible to port out (in theory).
If Google Voice numbers are impossible to port out, then you do not need a secret Google account, you just need a Google Voice number for SMS texts and use that to get your security codes.

investor997
Posts: 244
Joined: Tue Feb 07, 2017 3:23 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by investor997 » Thu Oct 19, 2017 12:51 pm

mptfan wrote:
Thu Oct 19, 2017 12:49 pm
investor997 wrote:
Thu Oct 19, 2017 11:28 am
You can always create a new, secret Google account along with an accompanying Google Voice number and use that as the SMS text recovery method. Google Voice numbers are impossible to port out (in theory).
If Google Voice numbers are impossible to port out, then you do not need a secret Google account, you just need a Google Voice number for SMS texts and use that to get your security codes.
Correct. It depends on how paranoid you are.

Google Voice gives you the option to forward SMS texts and phone calls to your cell phone. I think this may be default behavior. You absolutely, positively want to disable this under account settings.

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 12:53 pm

investor997 wrote:
Thu Oct 19, 2017 12:51 pm
Google Voice gives you the option to forward SMS texts and phone calls to your cell phone. I think this may be default behavior. You absolutely, positively want to disable this under account settings.
Good point.

Chuck
Posts: 2049
Joined: Thu May 21, 2009 12:19 pm

Re: Account security - Hackers gain access to mobile and then break havoc

Post by Chuck » Thu Oct 19, 2017 2:26 pm

Xpe wrote:
Fri Sep 15, 2017 1:46 pm
"What was your high school name? 238fjkl49sj"
I think we went to high school together!

mptfan
Posts: 4426
Joined: Mon Mar 05, 2007 9:58 am

Re: Account security - Hackers gain access to mobile and then break havoc

Post by mptfan » Thu Oct 19, 2017 3:15 pm

oldcomputerguy wrote:
Thu Oct 19, 2017 12:36 pm
For Fidelity customers, here's another option (that I just discovered yesterday): In the "Alerts" section you can set up a schedule to have Fidelity email you your current balances daily. It becomes trivially easy to keep an eye on your account to make sure nobody has emptied it, and it doesn't even require logging in.
How does that help? Let's say you find out that your account has been emptied when you get your daily alert, isn't it too late at that point?
