Man’s life savings stolen from hijacked cellphone number

Topic Author
cdu7
Posts: 297
Joined: Thu Feb 02, 2017 2:34 pm

Man’s life savings stolen from hijacked cellphone number

Post by cdu7 » Sun Apr 28, 2019 8:05 am

https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Sun Apr 28, 2019 8:11 am

cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I use a Google Voice number for 2FA.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

acegolfer
Posts: 1443
Joined: Tue Aug 25, 2009 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by acegolfer » Sun Apr 28, 2019 8:19 am

cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
So, what do you do about those password resets by text that can open the door for hackers? Consider some changes, right now.

Ask your bank, brokerage, email, and social media companies if they can send unlock codes via email, not SMS. Or, text them to a secondary number — like Google Voice — instead of your cell.
For others, SIM swap doesn't involve your physical phone. It's done by the hacker and a naive CSR. For example, even if you have your phone with you, a hacker can easily hijack your phone number and start receiving SMS. By the time you realize this, it's too late.

acegolfer
Posts: 1443
Joined: Tue Aug 25, 2009 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by acegolfer » Sun Apr 28, 2019 8:23 am

Vulcan wrote:
Sun Apr 28, 2019 8:11 am
cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I use a Google Voice number for 2FA.
Do you use 2 different google accounts, 1 for email and another for google voice?

miamivice
Posts: 2070
Joined: Tue Jun 11, 2013 11:46 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by miamivice » Sun Apr 28, 2019 8:27 am

meh. Sensational journalism.

It takes far more than a stolen cell number to get money out of Vanguard. Plenty of posters here have first hand experiences with (legitimate) withdrawal requests.

student
Posts: 3708
Joined: Fri Apr 03, 2015 6:58 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by student » Sun Apr 28, 2019 8:27 am

I think it would be good if financial institutions offer customers an option to opt in to a procedure where transactions exceeding $X need to be confirmed in person/with a medallion guarantee. It is inconvenient but I believe it is worth it for an extra layer of protection.

midareff
Posts: 6305
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Man’s life savings stolen from hijacked cellphone number

Post by midareff » Sun Apr 28, 2019 8:29 am

Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.

coingaroo
Posts: 50
Joined: Fri Apr 26, 2019 11:31 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by coingaroo » Sun Apr 28, 2019 8:33 am

miamivice wrote:
Sun Apr 28, 2019 8:27 am
meh. Sensational journalism.

It takes far more than a stolen cell number to get money out of Vanguard. Plenty of posters here have first hand experiences with (legitimate) withdrawal requests.
Vanguard may be one thing, but I wouldn't be surprised if there are other brokers that allow for easier withdrawals.

ccf
Posts: 129
Joined: Mon Mar 09, 2015 9:13 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by ccf » Sun Apr 28, 2019 8:33 am

I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)

On Coinbase, you can send money to any Bitcoin address once you have the credentials and 2FA but I thought that there were daily limits....
Last edited by ccf on Sun Apr 28, 2019 8:34 am, edited 1 time in total.

acegolfer
Posts: 1443
Joined: Tue Aug 25, 2009 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by acegolfer » Sun Apr 28, 2019 8:34 am

miamivice wrote:
Sun Apr 28, 2019 8:27 am
meh. Sensational journalism.

It takes far more than a stolen cell number to get money out of Vanguard. Plenty of posters here have first hand experiences with (legitimate) withdrawal requests.
I have accounts with Vanguard but have never taken money out of them. When I read this article, I got worried. To sleep better, what protections are in place at Vanguard against a stolen cell number?

crake
Posts: 253
Joined: Thu Mar 14, 2013 2:12 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by crake » Sun Apr 28, 2019 8:35 am

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
Whether or not you personally choose to use a phone for financial transactions has nothing to do with this type of fraud.

miamivice
Posts: 2070
Joined: Tue Jun 11, 2013 11:46 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by miamivice » Sun Apr 28, 2019 8:40 am

acegolfer wrote:
Sun Apr 28, 2019 8:34 am
miamivice wrote:
Sun Apr 28, 2019 8:27 am
meh. Sensational journalism.

It takes far more than a stolen cell number to get money out of Vanguard. Plenty of posters here have first hand experiences with (legitimate) withdrawal requests.
I have accounts with Vanguard but have never taken money out of them. When I read this article, I got worried. To sleep better, what protections are in place at Vanguard against a stolen cell number?
To ease your worries, take a look at the mechanisms in place to actually get money out of Vanguard. You have two options: ACH withdrawals and wire transfers. ACH withdrawals can only be to banks that you have confirmed. It takes several days to confirm banks, which would generate a variety of e-mails telling you that new banks have been added. Wire transfers are the other option, but wire transfers require medallion signature guarantees if not going to your confirmed bank. In lieu of MSG, you might be able to use voice recognition, which I have not set up.

In a nutshell, it is very hard to get money out of Vanguard....

(Even if this does happen, it is fraud which I believe is protected and transactions can be reversed.)

JoMoney
Posts: 7367
Joined: Tue Jul 23, 2013 5:31 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by JoMoney » Sun Apr 28, 2019 8:43 am

Despite the best intentions of Jack Bogle, this is why his "don't peek" advice misses the mark.
Your account(s) should be reviewed regularly and any un-authorized activity reported immediately.
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham

gtd98765
Posts: 372
Joined: Sun Jan 08, 2017 4:15 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by gtd98765 » Sun Apr 28, 2019 8:45 am

cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I doubt it is really very common. I bet most people targeted for SIM swaps are well-known and wealthy, and probably involved in cryptocurrency trading. When these attacks do happen they make news, which is why we know about them. But not common.

Read about the availability heuristic: https://en.wikipedia.org/wiki/Availability_heuristic which causes us to overestimate the commonality of newsworthy events.
Last edited by gtd98765 on Sun Apr 28, 2019 9:07 am, edited 1 time in total.

greg24
Posts: 3621
Joined: Tue Feb 20, 2007 10:34 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by greg24 » Sun Apr 28, 2019 8:51 am

ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)
Thank you for the followup. The original article didn't have any details on how it was actually done.

DetroitRick
Posts: 721
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: Man’s life savings stolen from hijacked cellphone number

Post by DetroitRick » Sun Apr 28, 2019 9:15 am

I agree that this is overblown. Use automatic account monitoring, extra security on critical accounts (security key on brokerage for example), notice and report to carrier if you suddenly have no text or cell service, PIN lock for SIM, etc. But if you go off-grid, there is an increased risk.

Interesting article on the SIM swap issue from Wired this week. The gist is that in some countries where this fraud is rampant, financial institutions are given access to a carrier database where SIM swaps are reported. Financial institutions query that database and block money transfers where a SIM swap has occurred within x number of days. The article cites a Mozambique bank where this technique reduced rampant SIM swap-related fraud to nearly zero overnight. To my layman's eyes, this sure seems like a decent solution in the U.S.

Full article:
https://www.wired.com/story/sim-swap-fi ... ers-banks/
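
The bank-side check described in the post above (query a carrier record of SIM changes, hold transfers when a swap happened within x days) can be sketched as follows. This is an added example, not part of the original post or any carrier's real API: the `SimChangeLookup` interface, the sample registry, the phone numbers and the 3-day default for "x" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    ALLOW = "allow"
    HOLD = "hold"        # SIM changed recently: hold until verified out of band
    STEP_UP = "step_up"  # carrier gave no answer: do not rely on SMS for this one


class CarrierLookupError(Exception):
    """The carrier database was unreachable or does not know the number."""


@dataclass(frozen=True)
class Transfer:
    account_id: str
    msisdn: str             # phone number on file for SMS codes
    requested_at: datetime  # timezone-aware


# Hypothetical interface: returns the time of the last SIM change for a number,
# or None when the carrier has no SIM change on record for it.
SimChangeLookup = Callable[[str], Optional[datetime]]


def evaluate_transfer(
    transfer: Transfer,
    lookup: SimChangeLookup,
    cooldown: timedelta = timedelta(days=3),  # the post's "x number of days"
) -> Decision:
    """Decide whether a transfer may proceed given the number's SIM history."""
    try:
        last_swap = lookup(transfer.msisdn)
    except CarrierLookupError:
        # Fail closed: without carrier data the SMS channel cannot be trusted,
        # so require a factor that does not depend on the phone number.
        return Decision.STEP_UP

    if last_swap is None:
        return Decision.ALLOW

    # A swap timestamp later than the request (clock skew, race) gives a
    # negative age, which is also below the cooldown and therefore held.
    age = transfer.requested_at - last_swap
    return Decision.HOLD if age < cooldown else Decision.ALLOW


# Constructed sample data standing in for the carrier database.
SAMPLE_REGISTRY = {
    "+15550100": datetime(2019, 4, 27, 22, 0, tzinfo=timezone.utc),  # hours ago
    "+15550101": datetime(2018, 1, 5, 0, 0, tzinfo=timezone.utc),    # long ago
    "+15550102": None,                                               # never swapped
}


def sample_lookup(msisdn: str) -> Optional[datetime]:
    """In-memory stand-in for the carrier query (constructed for this example)."""
    if msisdn not in SAMPLE_REGISTRY:
        raise CarrierLookupError(f"no carrier record for {msisdn}")
    return SAMPLE_REGISTRY[msisdn]


if __name__ == "__main__":
    now = datetime(2019, 4, 28, 8, 0, tzinfo=timezone.utc)
    for number in ("+15550100", "+15550101", "+15550102", "+15550199"):
        t = Transfer("acct-demo", number, now)
        print(number, evaluate_transfer(t, sample_lookup).value)
```
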

Dottie57
Posts: 6703
Joined: Thu May 19, 2016 5:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Dottie57 » Sun Apr 28, 2019 9:16 am

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Sun Apr 28, 2019 9:17 am

acegolfer wrote:
Sun Apr 28, 2019 8:23 am
Vulcan wrote:
Sun Apr 28, 2019 8:11 am
cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.
I use a Google Voice number for 2FA.
Do you use 2 different google accounts, 1 for email and another for google voice?
Same account. I consider my e-mail to be the 2nd factor, and GV-based SMS is just another way to receive an email.

My Google account is the only key to my kingdom, and it is in turn protected by 2FA.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

staythecourse
Posts: 6993
Joined: Mon Jan 03, 2011 9:40 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by staythecourse » Sun Apr 28, 2019 9:20 am

Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.

Good luck.
"The stock market [fluctuation], therefore, is noise. A giant distraction from the business of investing.” | -Jack Bogle

Cycle
Posts: 1380
Joined: Sun May 28, 2017 7:57 pm
Location: Minneapolis

Re: Man’s life savings stolen from hijacked cellphone number

Post by Cycle » Sun Apr 28, 2019 9:23 am

note to self, don't keep 90% of net worth in cash (or electronic equivalent)
Never look back unless you are planning to go that way

stan1
Posts: 7310
Joined: Mon Oct 08, 2007 4:35 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by stan1 » Sun Apr 28, 2019 9:30 am

ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)
Good to know it wasn't at a regulated US financial institution (bank or brokerage).

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Sun Apr 28, 2019 9:30 am

staythecourse wrote:
Sun Apr 28, 2019 9:20 am
Dottie57 wrote:
Sun Apr 28, 2019 9:16 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.


I never use my phone for financial transactions. Never. I have two home iPads which I use for financial transactions via web page. No passwords stored.

I think I will be getting a yubikey to add more security.
Agreed. It seems pretty obvious that this was the next step in cyberfraud when you start using your smartphone for financial stuff.

Good luck.
This has nothing (ZERO, 0.0) to do with smartphones.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

EddyB
Posts: 894
Joined: Fri May 24, 2013 3:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by EddyB » Sun Apr 28, 2019 9:33 am

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
What do you use as second factor authorization? I prefer things like the Symantec and Google Authenticator products (which are on my phone) to just getting a text to my phone number, but this article doesn’t suggest that the victim was using accounts on his phone or that it “contained” financial information. I’m not sure why a separate physical device 2FA key would be better than VIP Access or Authenticator.

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Sun Apr 28, 2019 9:36 am

Vulcan wrote:
Sun Apr 28, 2019 9:17 am
My Google account is the only key to my kingdom, and it is in turn protected by 2FA.
And because my email account is a G Suite one (GMail account with my custom domain) there is also an element of security through obscurity, as it is not readily apparent from my e-mail address that it is GMail, so it would probably be dismissed as a target in favor of something more apparent.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

Boston Barry
Posts: 114
Joined: Sat Jan 14, 2017 4:55 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Boston Barry » Sun Apr 28, 2019 9:37 am

From a legal standpoint, wouldn’t the carrier be liable for the amount of stolen money if the carrier employee performed an unauthorized SIM swap which led to the theft?

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 10:01 am

Just a friendly reminder that, in addition to the security features already mentioned, Vanguard also offers the option to "Restrict account access from unrecognized devices."

Only my home computer can access my Vanguard account. I use a Firefox add-on called "Cookie AutoDelete" that automatically deletes my browser's cookies, but also allows me to "whitelist" specific websites (so that cookies from those specific websites are not deleted).

I also have it set to use two-factor authentication every time I log on (regardless of my device being recognized). I wish that Vanguard offered an alternative two-factor authentication - without SMS as a backup.

DrGoogle2017
Posts: 2528
Joined: Mon Aug 14, 2017 12:31 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by DrGoogle2017 » Sun Apr 28, 2019 10:05 am

I’m thinking of getting rid of my cell phone now. Honestly I don’t touch it for days. Back to riding horse and buggy.

TheTimeLord
Posts: 6294
Joined: Fri Jul 26, 2013 2:05 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by TheTimeLord » Sun Apr 28, 2019 10:08 am

cdu7 wrote:
Sun Apr 28, 2019 8:05 am
https://www.nbcbayarea.com/news/local/M ... 97961.html

Really scary stuff, the scammers used an AT&T call center workers to pull off a theft of over a million in life savings. Happened in minutes. Apparently the SIM card transfer is very common.

https://www.cnbc.com/2018/11/21/hacker- ... umber.html
San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.

Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court. Prosecutors say Truglia also hacked the phones of multiple Silicon Valley executives but was not able to rob their accounts.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 10:09 am

DrGoogle2017 wrote:
Sun Apr 28, 2019 10:05 am
I’m thinking of getting rid of my cell phone now. Honestly I don’t touch it for days. Back to riding horse and buggy.
Two-factor authentication, even using SMS, is still significantly more secure than not using two-factor authentication at all.

RetiredArtist
Posts: 88
Joined: Wed Aug 26, 2015 4:38 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by RetiredArtist » Sun Apr 28, 2019 10:09 am

student wrote:
Sun Apr 28, 2019 8:27 am
I think it would be good if financial institutions offer customers an option to opt in to a procedure where transactions exceeding $X need to be confirmed in person/with a medallion guarantee. It is inconvenient but I believe it is worth it for an extra layer of protection.
Medallion signature guarantee is a big pain, but Vanguard could require you to phone them & use voice verification for sizeable transactions.

carolinaman
Posts: 3769
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: Man’s life savings stolen from hijacked cellphone number

Post by carolinaman » Sun Apr 28, 2019 10:31 am

midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
+1. I totally agree. There are simply too many ways to be hacked using cell phones.

willthrill81
Posts: 12625
Joined: Thu Jan 26, 2017 3:17 pm
Location: USA

Re: Man’s life savings stolen from hijacked cellphone number

Post by willthrill81 » Sun Apr 28, 2019 10:40 am

JoMoney wrote:
Sun Apr 28, 2019 8:43 am
Despite the best intentions of Jack Bogle, this is why his "don't peek" advice misses the mark.
Your account(s) should be reviewed regularly and any un-authorized activity reported immediately.
I agree and check my accounts nearly daily. When I wake up in the morning, checking our regular banking information is one of the first things I do. Having had a credit card number stolen four times does that to you I suppose, even though we weren't held liable for any fraudulent charges.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien,The Lord of the Rings

Grt2bOutdoors
Posts: 21088
Joined: Thu Apr 05, 2007 8:20 pm
Location: New York

Re: Man’s life savings stolen from hijacked cellphone number

Post by Grt2bOutdoors » Sun Apr 28, 2019 10:47 am

ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)

On Coinbase, you can send money to any Bitcoin address once you have the credentials and 2FA but I thought that there were daily limits....
Exactly. His money was in crypto, the Wild West of trading. I wonder if people still want crypto to become a legitimate form of money, what a field day the crooks would have.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions

TheTimeLord
Posts: 6294
Joined: Fri Jul 26, 2013 2:05 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by TheTimeLord » Sun Apr 28, 2019 10:50 am

Grt2bOutdoors wrote:
Sun Apr 28, 2019 10:47 am
ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)

On Coinbase, you can send money to any Bitcoin address once you have the credentials and 2FA but I thought that there were daily limits....
Exactly. His money was in crypto, the Wild West of trading. I wonder if people still want crypto to become a legitimate form of money, what a field day the crooks would have.
I assume this is why people in the Crypto world often use Cold Storage.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

willthrill81
Posts: 12625
Joined: Thu Jan 26, 2017 3:17 pm
Location: USA

Re: Man’s life savings stolen from hijacked cellphone number

Post by willthrill81 » Sun Apr 28, 2019 10:52 am

TheTimeLord wrote:
Sun Apr 28, 2019 10:50 am
Grt2bOutdoors wrote:
Sun Apr 28, 2019 10:47 am
ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)

On Coinbase, you can send money to any Bitcoin address once you have the credentials and 2FA but I thought that there were daily limits....
Exactly. His money was in crypto, the Wild West of trading. I wonder if people still want crypto to become a legitimate form of money, what a field day the crooks would have.
I assume this is why people in the Crypto world often use Cold Storage.
True, but then if the key(s) to that cold storage is lost, the funds are lost forever with virtually no hope of recovery. And storage of the key(s) themselves entails risk. In the current situation, 2FA or 3FA plus mandatory delays seem to be about the most secure means of practical security for the average person.

All roads carry risk.
Last edited by willthrill81 on Sun Apr 28, 2019 10:54 am, edited 1 time in total.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien,The Lord of the Rings

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 10:53 am

willthrill81 wrote:
Sun Apr 28, 2019 10:40 am
JoMoney wrote:
Sun Apr 28, 2019 8:43 am
Despite the best intentions of Jack Bogle, this is why his "don't peek" advice misses the mark.
Your account(s) should be reviewed regularly and any un-authorized activity reported immediately.
I agree and check my accounts nearly daily. When I wake up in the morning, checking our regular banking information is one of the first things I do. Having had a credit card number stolen four times does that to you I suppose, even though we weren't held liable for any fraudulent charges.
I log on whenever I get a statement. I download my statement, look it over, and save it to my hard drive (it takes up an insignificant amount of space).

Oh, and I'll log on whenever I get a Form 5498 or some other tax form (download and save those, too).

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 10:55 am

JoMoney wrote:
Sun Apr 28, 2019 8:43 am
Despite the best intentions of Jack Bogle, this is why his "don't peek" advice misses the mark.
Your account(s) should be reviewed regularly and any un-authorized activity reported immediately.
I agree that accounts should be reviewed periodically, but do you have account activity alerts set up?

pdavi21
Posts: 1162
Joined: Sat Jan 30, 2016 4:04 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by pdavi21 » Sun Apr 28, 2019 10:56 am

It's only scary for people that don't get their money back.
"We spend a great deal of time studying history, which, let's face it, is mostly the history of stupidity." -Stephen Hawking

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 11:05 am

carolinaman wrote:
Sun Apr 28, 2019 10:31 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
+1. I totally agree. There are simply too many ways to be hacked using cell phones.
Two-factor authentication using a software token is incredibly secure.

This can be implemented using smartphone applications like "Authy" or "Google Authenticator".

Note: unfortunately Vanguard does not currently support any software token applications for two-factor authentication. Please call them and let them know you would like them to add this security feature.

TravelGeek
Posts: 3103
Joined: Sat Oct 25, 2014 3:23 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by TravelGeek » Sun Apr 28, 2019 11:14 am

Lots of paranoia in this thread (and important information missing in the article). The phone is the second factor, not the only factor. No well designed authentication system should be breakable just with access to the SMS. How did the hacker get the strong and unique password (first factor) of Mr. Ross?

The notion of “smartphone bad, home computer good” is way too simplistic, too.
Last edited by TravelGeek on Sun Apr 28, 2019 11:27 am, edited 1 time in total.

midareff
Posts: 6305
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Man’s life savings stolen from hijacked cellphone number

Post by midareff » Sun Apr 28, 2019 11:21 am

crake wrote:
Sun Apr 28, 2019 8:35 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
Whether or not you personally choose to use a phone for financial transactions has nothing to do with this type of fraud.
and exactly how would they know if I had an account ANYWHERE?

midareff
Posts: 6305
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Man’s life savings stolen from hijacked cellphone number

Post by midareff » Sun Apr 28, 2019 11:23 am

EddyB wrote:
Sun Apr 28, 2019 9:33 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
What do you use as second factor authorization? I prefer things like the Symantec and Google Authenticator products (which are on my phone) to just getting a text to my phone number, but this article doesn’t suggest that the victim was using accounts on his phone or that it “contained” financial information. I’m not sure why a separate physical device 2FA key would be better than VIP Access or Authenticator.
There are methods available, such as a special email account that is not on the phone.

Silence Dogood
Posts: 1044
Joined: Tue Feb 01, 2011 9:22 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Silence Dogood » Sun Apr 28, 2019 12:00 pm

TravelGeek wrote:
Sun Apr 28, 2019 11:14 am
Lots of paranoia in this thread (and important information missing in the article). The phone is the second factor, not the only factor. No well designed authentication system should be breakable just with access to the SMS. How did the hacker get the strong and unique password (first factor) of Mr. Ross?

The notion of “smartphone bad, home computer good” is way too simplistic, too.
Depending on the circumstances, a smartphone may actually be more secure than a home computer. For example, it is better to access your accounts using the latest iPhone than an old home computer running Windows XP.

Having said that, I only access my Vanguard account using my home computer, because I really don't need to log on that often. In addition, I prefer a larger screen, keyboard, and mouse. Since I restrict access to only this device, it is also more secure.

I do access my credit card account using my smartphone. I have a greater need to check up on this account more frequently, since there are more frequent transactions. If someone got access to this account, there is a limited amount of damage that they could do.

Financial institutions should stop using SMS as two-factor authentication though. Software tokens are both more secure and more convenient (even if you don't have a cell connection it still works).

Ferdinand2014
Posts: 576
Joined: Mon Dec 17, 2018 6:49 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Ferdinand2014 » Sun Apr 28, 2019 12:06 pm

This according to Fidelity:


“Fidelity will reimburse you for losses from unauthorized activity in covered accounts occurring through no fault of your own.”

“What accounts are covered?
Cash and securities in your retirement and non-retirement accounts with Fidelity Brokerage Services LLC, as well as individual workplace retirement accounts under a 401(k), profit sharing, 403(b), or 457 plan for which Fidelity is the record keeper are covered.”

“What actions must I take to be eligible?
You must frequently check your account information and promptly review correspondence, account statements, and confirmations as they are made available to you, but no later than 30 days after that information is posted to your account or delivered to you. Contact Fidelity immediately at 800-544-6666 if you suspect any unauthorized account activity, errors, discrepancies, lose the device you normally use to contact us, or if you have not received your account statements. You must also maintain up-to-date contact information with us so that you may continue to receive our important communications and to ensure that we can contact you in case of suspected unauthorized activity.”

“What must I do to protect my accounts?
To be covered, you must adopt Fidelity's recommended security practices at Online Security at Fidelity. Never share your account access information, including username, password and answers to security questions, with anyone. Use a unique username and password for your Fidelity accounts. If you are a victim of identity theft, change your password and notify us immediately.”

I follow the recommended best practices that Fidelity recommends. I guess I would have to trust Fidelity at their word.........
Last edited by Ferdinand2014 on Sun Apr 28, 2019 12:07 pm, edited 1 time in total.
“You only find out who is swimming naked when the tide goes out.” — Warren Buffett

blackholescion
Posts: 126
Joined: Fri Mar 22, 2019 6:41 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by blackholescion » Sun Apr 28, 2019 12:07 pm

Grt2bOutdoors wrote:
Sun Apr 28, 2019 10:47 am
ccf wrote:
Sun Apr 28, 2019 8:33 am
I Googled the guy's name and "bitcoin" and it looks like his million bucks was sitting in crypto trading platforms (Coinbase and Gemini)

On Coinbase, you can send money to any Bitcoin address once you have the credentials and 2FA but I thought that there were daily limits....
Exactly. His money was in crypto - the Wild West of trading. I wonder if people still want crypto to become a legitimate form of money, what a field day the crooks would have.
I take it you don’t actually know how these platforms work. For example, Coinbase USD wallet is FDIC insured. The actual crypto holdings are not. There are limits to getting money out so at best the crypto holdings were sent somewhere but the transaction history is there so it’s relatively trivial to find out where it went. It’s not obfuscated like it would have been at a lesser known exchange.

Crypto can’t become a legitimate form of currency until several problems are solved (including the security but also how it works in general and sending money is risky if you send it to the wrong wallet) but that’s neither for this thread nor forum.
Last edited by blackholescion on Sun Apr 28, 2019 12:13 pm, edited 2 times in total.

blackholescion
Posts: 126
Joined: Fri Mar 22, 2019 6:41 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by blackholescion » Sun Apr 28, 2019 12:10 pm

midareff wrote:
Sun Apr 28, 2019 11:23 am
EddyB wrote:
Sun Apr 28, 2019 9:33 am
midareff wrote:
Sun Apr 28, 2019 8:29 am
Maybe I'm too old fashioned. Home computers are for financial transactions. Cell phones are for calls and email and contain no financial information.
What do you use as second factor authorization? I prefer things like the Symantec and Google Authenticator products (which are on my phone) to just getting a text to my phone number, but this article doesn’t suggest that the victim was using accounts on his phone or that it “contained” financial information. I’m not sure why a separate physical device 2FA key would be better than VIP Access or Authenticator.
There are methods available, such as a special email account that is not on the phone.


If someone does a SIM swap, they don’t have access to your email. In fact the only way they would is with access to your physical device. However, smartphones are encrypted so the only way for them to even get in is to bypass your password/PIN and they only get 10 tries. See things like the San Bernardino iPhone case for why that kind of effort is complex and problematic.

Triple digit golfer
Posts: 3322
Joined: Mon May 18, 2009 5:57 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Triple digit golfer » Sun Apr 28, 2019 12:18 pm

To those with Vanguard accounts, what security measures do you take?

Vulcan
Posts: 923
Joined: Sat Apr 05, 2014 11:43 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by Vulcan » Sun Apr 28, 2019 12:22 pm

Triple digit golfer wrote:
Sun Apr 28, 2019 12:18 pm
To those with Vanguard accounts, what security measures do you take?
2FA to a GV phone number

Same for all other accounts that offer 2FA
If you torture the data long enough, it will confess to anything. ~Ronald Coase

blackholescion
Posts: 126
Joined: Fri Mar 22, 2019 6:41 pm

Re: Man’s life savings stolen from hijacked cellphone number

Post by blackholescion » Sun Apr 28, 2019 12:25 pm

Triple digit golfer wrote:
Sun Apr 28, 2019 12:18 pm
To those with Vanguard accounts, what security measures do you take?
The only possible ones. Text-based 2FA but not to a Google Voice number and generated password of max allowed length (20 characters). I also have a generated username so that it’s not obvious like first and last name. Both unique to Vanguard.

Broken Man 1999
Posts: 3042
Joined: Wed Apr 08, 2015 11:31 am

Re: Man’s life savings stolen from hijacked cellphone number

Post by Broken Man 1999 » Sun Apr 28, 2019 12:26 pm

Ferdinand2014 wrote:
Sun Apr 28, 2019 12:06 pm
This according to Fidelity:


“Fidelity will reimburse you for losses from unauthorized activity in covered accounts occurring through no fault of your own.”

“What accounts are covered?
Cash and securities in your retirement and non-retirement accounts with Fidelity Brokerage Services LLC, as well as individual workplace retirement accounts under a 401(k), profit sharing, 403(b), or 457 plan for which Fidelity is the record keeper are covered.”

“What actions must I take to be eligible?
You must frequently check your account information and promptly review correspondence, account statements, and confirmations as they are made available to you, but no later than 30 days after that information is posted to your account or delivered to you. Contact Fidelity immediately at 800-544-6666 if you suspect any unauthorized account activity, errors, discrepancies, lose the device you normally use to contact us, or if you have not received your account statements. You must also maintain up-to-date contact information with us so that you may continue to receive our important communications and to ensure that we can contact you in case of suspected unauthorized activity.”

“What must I do to protect my accounts?
To be covered, you must adopt Fidelity's recommended security practices at Online Security at Fidelity. Never share your account access information, including username, password and answers to security questions, with anyone. Use a unique username and password for your Fidelity accounts. If you are a victim of identity theft, change your password and notify us immediately.”

I follow the recommended best practices that Fidelity recommends. I guess I would have to trust Fidelity at their word.........
Yep! See bolded statement! Not reviewing accounts/statements is foolish, IMHO. Giving bad people a head start just doesn't seem the thing to do. If looking at accounts causes folks to mess with them, perhaps they can find an adult to watch them, instead.
Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.” -Mark Twain
