Broker account security compendium thread

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Broker account security compendium thread

Post by overthought » Sat Nov 25, 2017 9:53 am

Hi all,

Updated 11/28/2017 to add more broker-specific information

So I'm getting pretty creeped out about online brokerage account security, especially retirement accounts, after hearing so many horror stories about crooks impersonating account holders over the phone, stealing their phone (or phone number) to get around 2FA, phishing their email and exploiting single-factor account recovery to take over accounts even when 2FA is required for login, etc. That's to say nothing of the Equifax leak giving baddies more than enough information to open bank and brokerage accounts in my name.

Unfortunately, I've not seen much distilled advice on general best practices for account protection (the trite "don't share your password, always run anti-virus, and browse responsibly" doesn't cut it for me, those things are great but far from enough), or on what security features the various brokers offer and how to make best use of them. Given what's potentially at stake, I'd love a centralized Boglehead resource (like a wiki article), where people can find actionable advice.

General advice I've picked up so far:
  • Keep your operating system and application software patched! The vast majority of exploits rely on known vulnerabilities for which fixes are available, and even the "zero day" attacks tend to get patches sooner rather than later (once discovered).
  • Assume every email with an embedded link or attachment is malicious until you can prove otherwise. Sender's address can be spoofed, friends in your contact list could have had their account hacked, malicious files can have very innocuous names and file types, and URL shorteners are really dangerous (but there exist "decoder" web sites that let you see where they go before you actually click on them).
  • Using a separate email account for finance-related emails can limit exposure of that account to various threats. Using a separate browser (or even computer) for finance-related activities can reduce exposure further. I'm still trying to decide the best way to integrate this bit of advice.
  • Anti-virus software can be helpful for avoiding known problems, but is useless against newer threats. Don't get over-confident just because you have it installed. Also realize AV software is vulnerable to hacking (and a very desirable target because it runs with elevated permissions), so you have to balance the risk of having it vs. not having it. I use Windows built-in AV, figuring it's "good enough" and if Microsoft gets compromised I'm toast regardless of what AV I installed.
  • Browsing responsibly only gets you so far when first-party sites are compromised or serve malicious ads. I try to protect myself there with an "ad blocker or bust" browsing policy and by disabling third-party javascript by default. The former is super easy to use, but means I can't use sites that reject ad-blocking users; the latter means I have to enable javascript on a case by case basis for web sites I visit for the first time (which can be a pain in the neck, and very intimidating for non-techie users). As a bonus, disabling javascript on the Treasury Direct web site bypasses their gosh-awful "virtual keyboard" gimmick.
  • Password managers (storing passwords locally) are a must, so you can use different strong passwords for every account, gibberish security question answers, etc. I would be extremely wary of storing passwords in the cloud or synchronizing them across machines, however; that opens you up to third party attacks over the network and/or a hacked provider.
  • Frequent monitoring of accounts reduces the delay between bad stuff happening and me noticing (setting up account alerts, when available, makes that task easier)

Broker features:
  • Asset protection guarantee (to restore assets lost due to unauthorized activity): E*Trade, Fidelity, Schwab, TD Ameritrade, Vanguard, unsure about other brokers.
  • Username. Make it unique, preferably gibberish. Why make it easier for an attacker with login information for one account to guess your username at another site? At one extreme, TD Ameritrade has separate login credentials for every account; at the other extreme, Fidelity 401(k) uses your SSN as login for all accounts (I don't know whether that's possible to change).
  • Password. Make it unique and strong (mix of letters, numbers and symbols). All brokers I'm aware of allow strong passwords.
  • Security questions. All brokers I'm aware of require these. Never supply true answers, too easy for attackers to guess. I use a password manager to generate gibberish answers.
  • Account PIN. TD Ameritrade has something (unclear exactly what). Unsure what other brokers do or don't do.
  • Two factor authentication (with help from twofactorauth.org)
    • None (wall of shame): American Funds, Scottrade, TD Ameritrade
    • Yubikey: Vanguard
    • Symantec VIP: Capital One, E*Trade, Fidelity, Interactive Brokers, Merrill Lynch (*not* Merrill Edge), Schwab
    • Google Authenticator: Betterment, Wealthfront
    • Phone/SMS (vulnerable to phone number porting attacks): Betterment, Merrill Edge, Personal Capital, Robinhood, Schwab, Vanguard, Wealthfront
    • Email (vulnerable to account takeover attacks): Personal Capital, Vanguard
  • Voiceprint analysis: Fidelity, Schwab, Vanguard.
  • Account recovery: Unknown. Key question is whether account recovery can be used to bypass an enabled 2FA solution (in which case 2FA becomes largely useless).
  • Account alerts: Unknown.




Original broker information:
  • My main broker, TD Ameritrade, has an asset protection guarantee, but doesn't provide many (any?) technical counter-measures like two-factor authentication, alerts, voice printing, etc. Their "what you can do" page is the trite version. They do recommend (and allow) good strong passwords, and I have set up gibberish answers to security questions. I think they also provide a PIN option for accounts (see Client Services -> My Profile -> Personal Information -> Account settings) but it isn't clear to me what purpose the PIN would serve. In particular, I don't ever remember using a PIN to log in, first time or otherwise, or being asked to supply one in my various phone conversations with client support:
    Conversation with TD Ameritrade Ted bot wrote: You: what is an account PIN?
    Ted: Your TD Ameritrade personal identification number (PIN) is a 4-digit number created to help ensure account security. Every TD Ameritrade account is assigned a separate PIN that must be used as a password to access your account online for the first time. Your PIN may be used on our phone system as well.

    I'm also frustrated that TDA is apparently working hard to provide "secure" account access via Facebook messenger, when IMO they haven't even got their own "secure" account access situation nailed down.
  • I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense). Fidelity also offers a software token scheme called Symantec VIP that makes an especially strong form of 2FA.
  • I hear that Vanguard supports security keys as 2FA, but somehow no actual web site at vanguard that advertises them or describes how to set them up. I don't have any vanguard accounts myself to explore.
  • I've not been able to find any particular information about account security options for Merrill Edge or Schwab (thinking about opening accounts at one or both of those in the future).
  • There are probably other big brokers out there that I'm not listing here as well.



Would love to hear what words of wisdom others have been able to piece together!
Last edited by overthought on Tue Nov 28, 2017 8:58 pm, edited 6 times in total.

LadyGeek
Site Admin
Posts: 47438
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Broker account security compendium thread

Post by LadyGeek » Sat Nov 25, 2017 10:26 am

This thread is now in the Personal Finance (Not Investing) forum (account protection).

This is a different discussion than what's described in the wiki: Asset protection, which is protection of your assets from legal actions.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Broker account security compendium thread

Post by azurekep » Sat Nov 25, 2017 7:31 pm

overthought wrote:
Sat Nov 25, 2017 9:53 am
Nice list. You've done a great job.
Using a separate email account for finance-related emails can limit exposure of that account to various threats. Using a separate browser (or even computer) for finance-related activities can reduce exposure further. I'm still trying to decide the best way to integrate this bit of advice.
The main ways of isolating financial activities are:
  • Use separate computer - probably the easiest option for most people
  • Use virtual machine (VM) on a computer - a popular method with Linux users since the Linux images (.isos) are free and don't require a license. Linux VMs can be created on Linux machines, on Windows machines...probably on Macs as well.
Either of the above solutions would be great for someone who doesn't perform financial activities that often. Maybe 2-3 times a month, maybe a little more -- for bill-pay, fund transfers, following up on alerts and the occasional buy/sell. It's easy to group those activities together, limiting the number of times you have to log in. For Bogleheads who have trouble keeping away from monitoring their portfolios, a separate computer could be a plus, since it would make it slightly harder to monitor their daily performance.

As for browser-based solutions on the same computer, they seem to be far less secure:
  • Use separate, locked-down browser for financial activities and use a less secure browser for general surfing. The problem with that is that while doing general surfing, you can acquire a keystroke-logger, which affects your entire system and will record your login credentials as you log into the secure browser. The controls you already have on your browser (limiting 3rd-party javascript, etc.) are pretty good, lessening the chances of getting malware. But it's still safer to separate your financial activities on another computer or in a VM.
  • Use Firefox containers. I admit to knowing nothing about this, but I believe one of the features of Firefox 57 is that each tab is a separate process. This apparently is some sort of sandboxing (?). If so, if you reach a malware-infected site in one tab and you happen to NOTICE it (yeah, right), you apparently can close that tab and it won't affect the others. But again, if you do manage to download the malware onto your system, it will affect your entire system.

saver007
Posts: 109
Joined: Fri Nov 07, 2014 9:18 pm

Re: Broker account security compendium thread

Post by saver007 » Sat Nov 25, 2017 10:29 pm

My broker Interactive Brokers is a very security conscious company. IB insists on 2FA by default. If you don't want 2FA, you have to sign a waiver agreeing you are on the hook for any hack attacks. I used to use a physical card for 2FA but now use the IB Key app to generate 2FA codes, which is pretty convenient. Also, a read-only version of the mobile app is available without 2FA, which is neat.

IB list some best practices on their website...

https://www.interactivebrokers.com/en/i ... ngth&p=log

Cash
Posts: 1289
Joined: Wed Mar 10, 2010 10:52 am

Re: Broker account security compendium thread

Post by Cash » Sat Nov 25, 2017 10:56 pm

overthought wrote:
Sat Nov 25, 2017 9:53 am
I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense).
Sign up for the soft token (Symantec VIP Access) as well.

Retired1809
Posts: 191
Joined: Fri Feb 23, 2007 4:11 pm
Location: North Carolina, USA

Re: Broker account security compendium thread

Post by Retired1809 » Sun Nov 26, 2017 11:38 am

Question:

If a thief steals assets from a retirement account held at a financial institution, who suffers the loss?

a. The financial institution.
b. The customer.

What's the answer?

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Broker account security compendium thread

Post by azurekep » Sun Nov 26, 2017 1:34 pm

HikerNC wrote:
Sun Nov 26, 2017 11:38 am
Question:

If a thief steals assets from a retirement account held at a financial institution, who suffers the loss?

a. The financial institution.
b. The customer.

What's the answer?
It depends on the institution and their rules.

Although I'm not sure brokerages make a distinction between retirement and non-retirement accounts, they do have rules the customer is supposed to follow in order to get reimbursement for stolen funds. The rules may include using an up-to-date browser and not sharing your login credentials with your spouse or anyone else. Another requirement may be following up on alerts or checking monthly statements within 30 days of posting to make sure nothing is amiss.

CRC301
Posts: 106
Joined: Sat Feb 14, 2015 1:31 pm

Re: Broker account security compendium thread

Post by CRC301 » Sun Nov 26, 2017 2:04 pm

2FA (two-factor authentication) is just about the best you can do right now to lock down your online accounts. Not all 2FA is the same though; some use your text-enabled phone number or e-mail and others use "authenticator" apps or devices that you must consult for a generated PIN. Everything else the OP mentioned is great. Password managers are nice but they aren't a silver bullet; the companies/groups that provide them can be hacked and the safety of your passwords is dependent on their implementation.

In the end, you just need to make it a nuisance for identity thieves or hackers to get access to your accounts. If someone really wanted to get into your accounts and they had an unlimited amount of time/resources, they would get in eventually. But most identity thieves will give up at the first sign of resistance and move on to someone else.

Back to 2FA, it's implemented differently on every site so it's kind of a pain to set up. This site tries to be a single point of reference for instructions on enabling 2FA on many different sites: https://www.turnon2fa.com/.

aj76er
Posts: 575
Joined: Tue Dec 01, 2015 11:34 pm
Location: Portland, OR

Re: Broker account security compendium thread

Post by aj76er » Sun Nov 26, 2017 2:58 pm

Cash wrote:
Sat Nov 25, 2017 10:56 pm
overthought wrote:
Sat Nov 25, 2017 9:53 am
I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense).
Sign up for the soft token (Symantec VIP Access) as well.
+1 for Symantec VIP access.

The voice print technology automatically listens in the background when you are talking to a representative. The rep will be alerted if the voice print of the person they are talking to does not match yours.

Usage of both voice print and software key (VIP) really gives me peace of mind.
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Sun Nov 26, 2017 4:46 pm

azurekep wrote:
Sat Nov 25, 2017 7:31 pm
overthought wrote:
Sat Nov 25, 2017 9:53 am
Using a separate email account for finance-related emails can limit exposure of that account to various threats. Using a separate browser (or even computer) for finance-related activities can reduce exposure further. I'm still trying to decide the best way to integrate this bit of advice.
The main ways of isolating financial activities are:
  • Use separate computer - probably the easiest option for most people
  • Use virtual machine (VM) on a computer - a popular method with Linux users since the Linux images (.isos) are free and don't require a license. Linux VMs can be created on Linux machines, on Windows machines...probably on Macs as well.
Either of the above solutions would be great for someone who doesn't perform financial activities that often. Maybe 2-3 times a month, maybe a little more -- for bill-pay, fund transfers, following up on alerts and the occasional buy/sell. It's easy to group those activities together, limiting the number of times you have to log in. For Bogleheads who have trouble keeping away from monitoring their portfolios, a separate computer could be a plus, since it would make it slightly harder to monitor their daily performance.

As for browser-based solutions on the same computer, they seem to be far less secure:
  • Use separate, locked-down browser for financial activities and use a less secure browser for general surfing. The problem with that is that while doing general surfing, you can acquire a keystroke-logger, which affects your entire system and will record your login credentials as you log into the secure browser. The controls you already have on your browser (limiting 3rd-party javascript, etc.) are pretty good, lessening the chances of getting malware. But it's still safer to separate your financial activities on another computer or in a VM.
  • Use Firefox containers. I admit to knowing nothing about this, but I believe one of the features of Firefox 57 is that each tab is a separate process. This apparently is some sort of sandboxing (?). If so, if you reach a malware-infected site in one tab and you happen to NOTICE it (yeah, right), you apparently can close that tab and it won't affect the others. But again, if you do manage to download the malware onto your system, it will affect your entire system.
I had considered firing up a virtual machine, but wouldn't it be affected by the same keylogger that makes separated browsers less helpful? Unless you did all your normal browsing in the VM in hopes of isolating badness there... but that's a lot more invasive and probably not an option for most folks.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Sun Nov 26, 2017 5:09 pm

CRC301 wrote:
Sun Nov 26, 2017 2:04 pm
2FA (two-factor authentication) is just about the best you can do right now to lock down your online accounts. Not all 2FA is the same though; some use your text-enabled phone number or e-mail and others use "authenticator" apps or devices that you must consult for a generated pin.
I thought 2FA was great as well (when available), but the recent spate of phone number stealing hacks, as well as baddies taking over 2FA enabled accounts because they have one-factor account recovery, really gave me pause. Seems like a security key would be good, but very few brokers seem to support those...
Password managers are nice but they aren't a silver bullet; the companies/groups that provide them can be hacked and the safety of your passwords is dependent on their implementation.
I should have clarified: I would recommend a password manager that only stores passwords locally (or even on a removable thumb drive).

I can't overstate the benefit of being able to store unique, strong passwords and gibberish security question answers. Shared passwords and weak passwords are the first thing baddies check for when they breach a web site, and the password hash programs have gotten incredibly sophisticated to the point they can decode all but the strongest leaked password hashes in a matter of seconds.

Meanwhile, a local-only password manager is only likely to be vulnerable to baddies who already have access to your machine, and at that point they can get you in so many other ways that the password manager is probably the least of your worries.

I would never trust a cloud-based password manager. It's just too juicy a target for too many bad actors. That includes state sponsored actors, who can absolutely compromise any online vendor. I mention that not because they necessarily care about taking over your finances (for most people), but because financially motivated crooks love to exploit state actors who fail to properly secure their own hacks and/or ill-gotten data.
In the end, you just need to make it a nuisance for identity thieves or hackers to get access to your accounts. If someone really wanted to get into your accounts and they had an unlimited amount of time/resources, they would get in eventually. But most identity thieves will give up at the first sign of resistance and move on to someone else.
100% agree.

I would hope this discussion can highlight what are the reasonable measures to take (and especially what measures are important not to ignore).

It's a similar question to what kind of home security is appropriate: Most would agree that deadbolt locks on the door are a must, and that a security system is often worth the trouble... but steel roll-down shutters of all doors and windows, plus motion detectors and flood lights, with a trained attack dog patrolling a yard surrounded by razor wire fencing would be massive overkill for the vast majority of people.
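Editor's added example (not part of the post above): the post's point that shared and weak passwords are the first thing checked after a breach, and that leaked hashes of such passwords fall quickly, is easy to see in miniature. The code below constructs a toy "leaked" user table of unsalted SHA-256 hashes (made up here, no real accounts), runs the kind of dictionary-plus-mangling-rules attack a cracker starts with, and shows that the two passwords built from dictionary words fall while the password-manager-style random one does not appear in the candidate table at all. It also shows the generation of a gibberish security-question answer from the OS CSPRNG and the entropy that buys. All names, hashes and the wordlist are constructed for the example.

```python
import hashlib
import math
import secrets
import string


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed stand-in for a breached site's user table: unsalted SHA-256 of
# the password, as a careless site might store it. Hashes are computed here so
# the example is self-contained.
LEAKED = {
    "alice": sha256_hex("Vanguard2017"),          # broker name + year
    "bob":   sha256_hex("letmein!"),              # dictionary word + symbol
    "carol": sha256_hex("mK3vQ9xL2pT7wR4nZ8bY"),  # password-manager style
}

# A tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["password", "letmein", "vanguard", "fidelity", "bogle", "qwerty"]


def mangle(word: str):
    """A handful of the rule-based variants real crackers try first."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2017"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(leaked: dict, wordlist) -> dict:
    """Offline dictionary attack: hash every candidate once, then look up
    every leaked hash. With no salt, one table serves every user at once."""
    table = {sha256_hex(cand): cand for word in wordlist for cand in mangle(word)}
    return {user: table[h] for user, h in leaked.items() if h in table}


def random_secret(length: int = 20,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """Password-manager style password or security-question answer,
    drawn from the OS CSPRNG rather than random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search-space size of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("recovered from the leak:", crack(LEAKED, WORDLIST))
    print("gibberish answer for 'mother's maiden name':", random_secret())
    print("entropy of 20 chars over 62 symbols: %.1f bits" % entropy_bits(20, 62))
```

The attack recovers "alice" and "bob" with six words and a few rules; "carol" would need a search over roughly 2^119 candidates, which is the whole point of letting a password manager pick both passwords and security-question answers, and of never reusing either across sites.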

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Sun Nov 26, 2017 5:15 pm

aj76er wrote:
Sun Nov 26, 2017 2:58 pm
Cash wrote:
Sat Nov 25, 2017 10:56 pm
overthought wrote:
Sat Nov 25, 2017 9:53 am
I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense).
Sign up for the soft token (Symantec VIP Access) as well.
+1 for Symantec VIP access.
I don't remember running across that one in the Fidelity security pages, but sure enough it's there. Sounds like it falls into the "one time code" category, kind of like the Authenticator solution Google has started pushing?

I like the concept in general, but it seems like a real problem if somebody steals your phone that is logged into email and has the app installed as well? Then they could password reset you even if two-factor account recovery is enabled.

fposte
Posts: 1170
Joined: Mon Sep 02, 2013 1:32 pm

Re: Broker account security compendium thread

Post by fposte » Sun Nov 26, 2017 5:18 pm

Everything I'm seeing listed there so far is virtual. Remember paper insecurity is still a thing too (probably how my identity was stolen last year), so crosscut shred all discarded papers, statements, and printouts.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Broker account security compendium thread

Post by azurekep » Sun Nov 26, 2017 10:22 pm

overthought wrote:
Sun Nov 26, 2017 4:46 pm
Unless you did all your normal browsing in the VM in hopes of isolating badness there...
You're right. :oops: I keep thinking of my own situation which is not the norm. I have a second computer which is kept offline, but has a VM that is used for financial activity. The host machine (Windows 10) will never be compromised because it's always in an offline state. The VM is Linux, which compartments the financial activity inside its own operating system. Not everyone has a second computer to use as a spare and I tend to forget this.

If people do have a spare, it probably makes more sense to just use it as a dedicated financial computer. I do, however, like my own solution better because I have the ability to use Windows 10 without the headache (it's okay for offline use :D) and I use the more secure operating system (Linux), for the online use. And of course, one can create as many VMs as they want for a variety of different purposes...though that's not what you asked for and I digress...

Edited to add: BTW, I think you're right to ask a lot of questions. While some of the newer security solutions may in fact work quite well, they rely either on the cloud (which can be compromised) or a separate device (which can be lost, stolen and compromised), or other things that may not be that well understood by the user, or that may have built-in problems not yet discovered. The other thing is that the more technology is used as the solution, the less one is in touch with the actual problem, which is learning how to interact with the web safely. For example, just saying "let the cloud take care of it" tends to cut off one's critical thinking. The best solution is probably a combination of both old school and new school tactics, but never losing touch so much that one forgets how to navigate a web interface safely.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Sun Nov 26, 2017 11:19 pm

fposte wrote:
Sun Nov 26, 2017 5:18 pm
Everything I'm seeing listed there so far is virtual. Remember paper insecurity is still a thing too (probably how my identity was stolen last year), so crosscut shred all discarded papers, statements, and printouts.
Yup, it's true. I'm less worried about physical security because (a) it's a better understood problem and there are generally known best practices to follow and (b) the number of baddies in the world with the ability to dig through my trash or break into my house is pretty small vs. the number lurking "out there" on the internet (assuming I trust my family, which I do). Plus, local baddies are subject to local jurisdiction and prosecution...

I've actually had a check stolen (probably when DW left the checkbook in an unlocked car), and a debit card skimmed (probably at a shady gas station), but disputing one bad check at a store we never shop at, or a weekend's worth of $500 withdrawals from an airport ATM, was vastly easier to deal with than the (fortunately not experienced by me) nightmare of waking up one morning to discover that my email, phone, and all financial accounts were taken over and emptied out during the night. The "meatspace" attacks are just too slow to do much damage by comparison. I suspect that even a proper identity theft (involving creation of new bank accounts, credit cards, loans) or tax return fraud would be less damaging than a well-executed digital heist affecting an investor in the 2-comma club (which I am not a member of yet). Even the largest fraudulent home loan would likely clock in under $500k, for example (jumbo loans are much harder to get), and new credit card limits are typically around $10-20k at most. Plus, both of those attacks can (theoretically) be stopped in their tracks by a frozen credit report anyway.
Last edited by overthought on Sun Nov 26, 2017 11:41 pm, edited 1 time in total.

fposte
Posts: 1170
Joined: Mon Sep 02, 2013 1:32 pm

Re: Broker account security compendium thread

Post by fposte » Sun Nov 26, 2017 11:35 pm

overthought wrote:
Sun Nov 26, 2017 11:19 pm

I've actually had a check stolen (probably when DW left the checkbook in an unlocked car), but disputing one bad check at a store we never shop at was vastly easier to deal with than the (not experienced by me) nightmare of waking up one morning to discover that my email, phone, and all financial accounts were taken over and plundered during the night.
I don't disagree, and ultimately the damage the thieves caused me was minimal (presuming it's over, fingers crossed). But they did manage to cuckoo me out of my own credit report at Experian and if they'd managed it at the other two that could have gotten interesting, so I think there's merit to a both/and rather than an either/or.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Sun Nov 26, 2017 11:38 pm

azurekep wrote:
Sun Nov 26, 2017 10:22 pm
the actual problem... is learning how to interact with the web safely.
Problem is, I'm not sure it can ever be fully "safe" to interact with the web. Reputable web sites serve malicious ads far too often, for example, and are even compromised directly with distressing regularity. If zero-day attacks (or an unpatched system) are involved, you don't have to *do* anything... just visiting the (normally safe and reputable web site) is game over.

We can and should learn to avoid the obviously unwise behaviors that cause trouble the most often, but after that the only option is to mitigate and isolate as best we can... and hope that our online brokers are never compromised, since that would be a massive mess to clean up even if they took responsibility.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Broker account security compendium thread

Post by azurekep » Mon Nov 27, 2017 12:22 pm

overthought wrote:
Sun Nov 26, 2017 11:38 pm
azurekep wrote:
Sun Nov 26, 2017 10:22 pm
the actual problem... is learning how to interact with the web safely.
Problem is, I'm not sure it can ever be fully "safe" to interact with the web. Reputable web sites serve malicious ads far too often, for example, and are even compromised directly with distressing regularity. If zero-day attacks (or an unpatched system) are involved, you don't have to *do* anything... just visiting the (normally safe and reputable web site) is game over.

We can and should learn to avoid the obviously unwise behaviors that cause trouble the most often, but after that the only option is to mitigate and isolate as best we can... and hope that our online brokers are never compromised, since that would be a massive mess to clean up even if they took responsibility.
Exactly. I could have worded things a little differently, but what I was getting at is the more we complicate our lives with new security solutions like devices, gadgets, cards and the cloud, we have to make sure not to forget the basics, like how to "read" a web site. For this thread, the main thing would be situational awareness of the navigation bar. Specifically, is the site https? Is there a lock symbol? Is the URL the one we intended (i.e., our brokerage) or were we redirected to another site?

Also, I think, or at least hope, that by now we should all be aware of the need for ad-blockers as necessities not luxuries. It's not just that ads can hide malware, but the more cluttered a site is, the less situational awareness we have when navigating the site since there are too many distractions. It's too easy to click on a bad link amongst all the colorful clutter.

To extend a little beyond brokerages, if one ever visits sites that are even in the least bit dodgy, turn off style sheets (CSS) to see what's really happening on the page. For example, is that highly prominent download button the real download button? Chances are, depending on the site, that may be a download button for adware and the real download button is much less prominent. You don't know that unless you turn off styles.

I just think that with the new directions that browsers are going in -- towards minimalization and hiding vital things like the status bar and maybe even the navigation bar -- and hiding javascript and styles controls, we have to work harder not to forget the basics and if needed, install add-ons to keep the basics in our browsers. The goal being situational awareness of the elements making up the web page (ads, images, scripts, flash, iframes, etc.) and some ability to control them.
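Editor's added example (not part of the post above): the post's "is the URL the one we intended" check is exactly the kind of thing that is worth writing down as a rule rather than eyeballing, because the common phishing tricks are designed to survive a glance. The code below, the editor's own and not from any broker, takes a URL and a user-maintained list of expected brokerage domains (the placeholder `mybroker.example` is constructed) and rejects the usual lookalikes: plain http, the real host hidden after an `@` (`https://www.mybroker.example@evil.example/`), the expected domain used as a prefix of an attacker's domain (`mybroker.example.evil.example`), hyphenated variants (`mybroker-login.example`), non-standard ports, and internationalised or punycode hostnames that can contain homograph characters. Only the standard library is used.

```python
from urllib.parse import urlsplit

# Constructed allowlist; in practice this is the short list of registrable
# domains you actually bank and invest at, maintained by hand.
EXPECTED_DOMAINS = ["mybroker.example"]


def check_broker_url(url: str, expected_domains=EXPECTED_DOMAINS):
    """Return (ok, reason). `ok` is True only if `url` is https, on the
    default port, carries no embedded credentials, has a plain-ASCII
    hostname, and that hostname is one of the expected registrable domains
    or a subdomain of one."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc

    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # https://www.mybroker.example@evil.example/ -- the real host follows the @
        return False, "credentials in URL; real host is %r" % parts.hostname
    host = parts.hostname
    if not host:
        return False, "no host"
    if any(ord(ch) > 127 for ch in host) or any(
            label.startswith("xn--") for label in host.split(".")):
        # Homograph lookalikes (Cyrillic letters for Latin ones) show up as
        # non-ASCII text or, after IDNA encoding, as xn-- punycode labels.
        return False, "internationalised hostname %r; possible lookalike" % host
    if port not in (None, 443):
        return False, "unexpected port %d" % port
    for domain in expected_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True, "ok"
    return False, "host %r is not an expected domain" % host


if __name__ == "__main__":
    # Constructed test URLs, none of them real sites.
    for candidate in [
        "https://www.mybroker.example/login",
        "http://www.mybroker.example/login",
        "https://www.mybroker.example@evil.example/",
        "https://www.mybroker.example.evil.example/login",
        "https://mybroker-login.example/",
        "https://xn--mybrker-cva.example/",
        "https://www.mybroker.example:8443/",
    ]:
        print(candidate, "->", check_broker_url(candidate))
```

The one rule that matters most is the last one: match on the registrable domain from the right-hand end of the hostname, never on whether the expected name appears anywhere in the URL, since "appears anywhere" is precisely what `mybroker.example.evil.example` and the `@` trick exploit.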

aj76er
Posts: 575
Joined: Tue Dec 01, 2015 11:34 pm
Location: Portland, OR

Re: Broker account security compendium thread

Post by aj76er » Mon Nov 27, 2017 3:02 pm

overthought wrote:
Sun Nov 26, 2017 5:15 pm
aj76er wrote:
Sun Nov 26, 2017 2:58 pm
Cash wrote:
Sat Nov 25, 2017 10:56 pm
overthought wrote:
Sat Nov 25, 2017 9:53 am
[*] I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense).
Sign up for the soft token (Symantec VIP Access) as well.
+1 for Symantec VIP access.
I don't remember running across that one in the Fidelity security pages, but sure enough it's there. Sounds like it falls into the "one time code" category, kind of like the Authenticator solution Google has started pushing?

I like the concept in general, but it seems like a real problem if somebody steals your phone that is logged into email and has the app installed as well? Then they could password reset you even if two-factor account recovery is enabled.
"All" of the following would need to happen:
* Steal the phone (not just number, but actual device)
* Break into phone (e.g. bypass the fingerprint detection)
* Discover username/password to brokerage
* Do all of the above before the person had knowledge of it and could remotely wipe phone + reset username/password

I think having a tie to the physical device itself (e.g. unique install of VIP app on your phone) offers really strong protection. The only thing stronger (today) would be a key fob stored in a safe-deposit box; but the inconvenience of that would be tough to justify.
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle

aj76er
Posts: 575
Joined: Tue Dec 01, 2015 11:34 pm
Location: Portland, OR

Re: Broker account security compendium thread

Post by aj76er » Mon Nov 27, 2017 3:11 pm

overthought wrote:
Sat Nov 25, 2017 9:53 am
Sounds like it falls into the "one time code" category, kind of like the Authenticator solution Google has started pushing?
It's better than an OTC that gets sent via text to your phone.

With the Symantec VIP app, a random signature ID is generated once when you install the app that is unique to that instance of the software (which is tied to your specific phone). The software then generates random keys every 30s that must match the "same" random keys on Symantec's server (for your instance).

Thus, a hacker would need your physical phone (for access to the exact instance of the app). With OTC, a hacker would only need to spoof your phone number.
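To make the mechanism aj76er describes concrete, here is an added illustration (not code from the thread, and not Symantec VIP's own implementation, whose exact algorithm the thread does not give): a standard RFC 6238 TOTP token, where a per-install secret is created once and every 30-second code is derived from that secret plus the clock. The function names, the 20-byte secret size and the one-step clock-skew allowance are assumptions of this example.

```python
"""Device-bound time-based one-time password (TOTP), RFC 6238 style.

Added illustration, not code from the thread or from Symantec VIP. A secret
is created once per app install and registered with the server; each
30-second code is derived from that secret plus the time, so a code cannot
be produced from the phone number alone.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def enroll_token() -> bytes:
    # First launch of the authenticator app: a fresh 160-bit secret for this
    # install. A real deployment would register it with the server; here it
    # is only constructed in memory (assumed size, not VIP's actual value).
    return secrets.token_bytes(20)


def totp(secret: bytes, unix_time: int) -> str:
    # Counter = number of 30-second steps since the Unix epoch (RFC 6238).
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def server_verify(secret: bytes, submitted: str, unix_time: int,
                  skew_steps: int = 1) -> bool:
    # Accept the current window plus one step either side for clock drift;
    # compare in constant time so a wrong digit is not revealed by timing.
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo() -> dict:
    # Victim's install vs. a second install that shares nothing but the phone number.
    now = int(time.time())
    victim_secret, other_secret = enroll_token(), enroll_token()
    return {
        "victim_code_accepted": server_verify(victim_secret, totp(victim_secret, now), now),
        "other_install_accepted": server_verify(victim_secret, totp(other_secret, now), now),
    }
```

The `totp` function reproduces the published RFC 6238 SHA-1 test vectors (secret `12345678901234567890`), so it can be checked against any standard authenticator.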

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Broker account security compendium thread

Post by azurekep » Mon Nov 27, 2017 11:05 pm

aj76er wrote:
Mon Nov 27, 2017 3:02 pm
"All" of the following would need to happen:
* Steal the phone (not just number, but actual device)
* Break into phone (e.g. bypass the fingerprint detection)
* Discover username/password to brokerage
* Do all of the above before the person had knowledge of it and could remotely wipe phone + reset username/password
Let's put it to the test when the OP is on vacation. These are the instructions for the bad guy...

* Make friends with the OP (mark) at a bar
* Slip a drug into his drink
* Help him upstairs to his hotel room as he appears too "drunk" for his own good; you're just being a good friend...
* Help the now conked-out mark onto his bed
* Locate his cell phone, place his finger on the screen and open the phone*
* The hard part -- if this is just a target of opportunity -- is getting the brokerage username/password. If the mark has been a target for a while, that information will be available. Otherwise, the bad guy will have to rummage through the room and see if the info is written down anywhere.
* Wipe phone, reset username/password
* Take off disguise, so when the mark realizes his account has been drained, he won't be able to identify you

Yep. That's a pretty high bar. :mrgreen: It's interesting though that even with all that technology, the lynchpin is still the username/password.

* An article on sleep-hacking: https://techcrunch.com/2013/09/20/finge ... -sleeping/

Cash
Posts: 1289
Joined: Wed Mar 10, 2010 10:52 am

Re: Broker account security compendium thread

Post by Cash » Tue Nov 28, 2017 6:28 am

azurekep wrote:
Mon Nov 27, 2017 11:05 pm
* Locate his cell phone, place his finger on the screen and open the phone*
Use an iPhone X. Problem solved.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Tue Nov 28, 2017 4:31 pm

azurekep wrote:
Mon Nov 27, 2017 11:05 pm
* Make friends with the OP (mark) at a bar
Seems like a lot of problems start with this sentence... maybe a good place to start if you're trying to tighten up opsec...
* Locate his cell phone, place his finger on the screen and open the phone*
One of many reasons it's a bad idea to authenticate based on "something you are" rather than "something you know." Hint: one of those is not a secret, can't be changed, and makes it hard-or-impossible to have more than one set of credentials for separation of concerns.

I do not enable fingerprint unlock on any of my devices.
Last edited by overthought on Tue Nov 28, 2017 6:53 pm, edited 1 time in total.

diy60
Posts: 167
Joined: Wed Sep 07, 2016 6:54 pm

Re: Broker account security compendium thread

Post by diy60 » Tue Nov 28, 2017 6:16 pm

I use Symantec VIP; the only downside I see is that you do not need to sign on when you open the VIP app. I know this would be another nuisance, but I would like the option of locking the app with a password.

Also, you need to put a different Symantec VIP token on your spouse's phone if you have linked accounts.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Tue Nov 28, 2017 6:52 pm

I updated the original post to give more complete information about brokers (in particular, 2FA support), but there are still a lot of missing pieces. In particular, I don't know what account recovery procedures any broker uses (might require phone calls to find out?), nor am I sure which brokers have solid asset protection guarantees (I listed the two I knew about).

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Tue Nov 28, 2017 7:02 pm

aj76er wrote:
Mon Nov 27, 2017 3:02 pm
overthought wrote:
Sun Nov 26, 2017 5:15 pm
aj76er wrote:
Sun Nov 26, 2017 2:58 pm
+1 for Symantec VIP access.
I like the concept in general, but it seems like a real problem if somebody steals your phone that is logged into email and has the app installed as well? Then they could password reset you even if two-factor account recovery is enabled.
"All" of the following would need to happen:
* Steal the phone (not just number, but actual device)
* Break into phone (e.g. bypass the fingerprint detection)
* Discover username/password to brokerage
* Do all of the above before the person had knowledge of it and could remotely wipe phone + reset username/password

I think having a tie to the physical device itself (e.g. unique install of VIP app on your phone) offers really strong protection. The only thing stronger (today) would be a key fob stored in a safe-deposit box; but the inconvenience of that would be tough to justify.
I agree that the device-tied token generator is really strong... for account sign in.

I was worried about an attack on account *recovery*:
* Steal/borrow the phone
* Break in (or use before screen locks)
* Use signed-in email to learn account username
* Go to broker website and request password reset
* Wait for recovery email and change password.

The attack only takes a few minutes and doesn't leave any obvious signs if the attacker deletes the password reset email. If the broker uses one-factor account recovery (e.g. email only), the VIP app is now useless (2FA is disabled on the recovered account). If the broker uses two-factor account recovery (e.g. VIP code required), the attacker conveniently has access to the VIP app as well, which again makes it kind of useless (they can use it to disable 2FA after recovering the account).

In short, the account recovery protocol matters just as much as the sign-in protocol. Sadly, I don't know of any broker that advertises how they secure their account recovery protocol, even though it's an increasingly popular way for baddies to take over people's accounts.

diy60
Posts: 167
Joined: Wed Sep 07, 2016 6:54 pm

Re: Broker account security compendium thread

Post by diy60 » Tue Nov 28, 2017 8:43 pm


. . . the attacker conveniently has access to the VIP app as well, which again makes it kind of useless (they can use it to disable 2FA after recovering the account). . . .
You have to call Fidelity to have the Symantec VIP token removed from your account on their servers. If you delete the app from your device or reinstall the app without contacting Fidelity, you will have no way of logging in. I agree that in your example the baddies would have convenient access to the VIP app; no app password protection is provided. However, I think the weak link in the security chain is the account rep and how hard they push for account ownership verification.

Cash
Posts: 1289
Joined: Wed Mar 10, 2010 10:52 am

Re: Broker account security compendium thread

Post by Cash » Tue Nov 28, 2017 10:15 pm

diy60 wrote:
Tue Nov 28, 2017 8:43 pm
However I think the weak link in the security chain is the account rep and how hard they push for account ownership verification.
Yep. Hopefully voice ID makes it a bit harder for the human factor to come into play.

overthought
Posts: 201
Joined: Tue Oct 17, 2017 3:44 am

Re: Broker account security compendium thread

Post by overthought » Tue Nov 28, 2017 11:06 pm

diy60 wrote:
Tue Nov 28, 2017 8:43 pm

. . . the attacker conveniently has access to the VIP app as well, which again makes it kind of useless (they can use it to disable 2FA after recovering the account). . . .
You have to call Fidelity to have the Symantec VIP token removed from your account on their servers. If you delete the app from your device or reinstall the app without contacting Fidelity you will have no way of logging in. I agree in your example the baddies would have convenient access to the VIP app, no app password protection is provided. However I think the weak link in the security chain is the account rep and how hard they push for account ownership verification.
Cash wrote:
Tue Nov 28, 2017 10:15 pm
Yep. Hopefully voice ID makes it a bit harder for the human factor to come into play.
So if you lose the device with the app on it, you have to call (and get past voice print) to remove or replace it, in addition to whatever info they ask for (security questions, account balances, whatever). That does seem pretty hard to get around unless you're specifically targeted by somebody with a lot of resources (at which point you're probably in trouble no matter what).

In any case, it's looking like Vanguard, Fidelity, and Schwab are the winners so far: Strong 2FA (OTP rather than SMS/phone/email) and voice authentication.

Do Vanguard and Schwab also require a phone call in order to remove 2FA? Does anybody know if requesting a password reset requires the second factor for those three brokers?
