Updated 11/28/2017 to add more broker-specific information
So I'm getting pretty creeped out about online brokerage account security, especially retirement accounts, after hearing so many horror stories about crooks impersonating account holders over the phone, stealing their phone (or phone number) to get around 2FA, phishing their email and exploiting single-factor account recovery to take over accounts even when 2FA is required for login, etc. That's to say nothing of the Equifax leak giving baddies more than enough information to open bank and brokerage accounts in my name.
Unfortunately, I've not seen much distilled advice on general best practices for account protection (the trite "don't share your password, always run anti-virus, and browse responsibly" doesn't cut it for me; those things are great but far from enough), or on what security features the various brokers offer and how to make best use of them. Given what's potentially at stake, I'd love a centralized Boglehead resource (like a wiki article) where people can find actionable advice.
General advice I've picked up so far:
- Keep your operating system and application software patched! The vast majority of exploits rely on known vulnerabilities for which fixes are available, and even the "zero day" attacks tend to get patches sooner rather than later (once discovered).
- Assume every email with an embedded link or attachment is malicious until you can prove otherwise. Sender's address can be spoofed, friends in your contact list could have had their account hacked, malicious files can have very innocuous names and file types, and URL shorteners are really dangerous (but there exist "decoder" web sites that let you see where they go before you actually click on them).
- Using a separate email account for finance-related emails can limit exposure of that account to various threats. Using a separate browser (or even computer) for finance-related activities can reduce exposure further. I'm still trying to decide the best way to integrate this bit of advice.
- Anti-virus software can be helpful for avoiding known problems, but is useless against newer threats. Don't get over-confident just because you have it installed. Also realize AV software is vulnerable to hacking (and a very desirable target because it runs with elevated permissions), so you have to balance the risk of having it vs. not having it. I use Windows built-in AV, figuring it's "good enough" and if Microsoft gets compromised I'm toast regardless of what AV I installed.
- Password managers (storing passwords locally) are a must, so you can use different strong passwords for every account, gibberish security question answers, etc. I would be extremely wary of storing passwords in the cloud or synchronizing them across machines, however; that opens you up to third party attacks over the network and/or a hacked provider.
- Frequent monitoring of accounts reduces the delay between bad stuff happening and me noticing (setting up account alerts, when available, makes that task easier).
- Asset protection guarantee (to restore assets lost due to unauthorized activity): E*Trade, Fidelity, Schwab, TD Ameritrade, Vanguard, unsure about other brokers.
- Username. Make it unique, preferably gibberish. Why make it easier for an attacker with login information for one account to guess your username at another site? At one extreme, TD Ameritrade has separate login credentials for every account; at the other extreme, Fidelity 401(k) uses your SSN as login for all accounts (I don't know whether that's possible to change).
- Password. Make it unique and strong (mix of letters, numbers and symbols). All brokers I'm aware of allow strong passwords.
- Security questions. All brokers I'm aware of require these. Never supply true answers, too easy for attackers to guess. I use a password manager to generate gibberish answers.
- Account PIN. TD Ameritrade has something (unclear exactly what). Unsure what other brokers do or don't do.
- Two factor authentication (with help from twofactorauth.org)
- None (wall of shame): American Funds, Scottrade, TD Ameritrade
- Yubikey: Vanguard
- Symantec VIP: Capital One, E*Trade, Fidelity, Interactive Brokers, Merrill Lynch (*not* Merrill Edge), Schwab
- Google Authenticator: Betterment, Wealthfront
- Phone/SMS (vulnerable to phone number porting attacks): Betterment, Merrill Edge, Personal Capital, Robinhood, Schwab, Vanguard, Wealthfront
- Email (vulnerable to account takeover attacks): Personal Capital, Vanguard
- Voiceprint analysis: Fidelity, Schwab, Vanguard.
- Account recovery: Unknown. Key question is whether account recovery can be used to bypass an enabled 2FA solution (in which case 2FA becomes largely useless).
- Account alerts: Unknown.
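The "unique gibberish" username, strong password and gibberish security-answer advice above, turned into a small generator. This is an added example, not code from the original post or from any password manager; the assumption that some brokers reject symbols in security-answer fields is mine, as is the 80-bit entropy target.

```python
import math
import secrets
import string

# Alphanumeric only: assumed for usernames and security answers, since
# many forms reject symbols. FULL adds symbols for passwords when allowed.
ALNUM = string.ascii_letters + string.digits
FULL = ALNUM + "!@#$%^&*()-_=+[]{};:,.?/"


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet):
    """Smallest length that reaches target_bits of entropy over alphabet."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def random_string(length, alphabet):
    """Uniform random string drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_credentials(questions, symbols_allowed=True, target_bits=80):
    """Build a unique username, password and one answer per security question
    for a single broker. Every value is independent, so a leak at one site
    reveals nothing about the credentials used at another."""
    pw_alphabet = FULL if symbols_allowed else ALNUM
    n_alnum = length_for_bits(target_bits, ALNUM)
    n_pw = length_for_bits(target_bits, pw_alphabet)
    return {
        "username": random_string(n_alnum, ALNUM),
        "password": random_string(n_pw, pw_alphabet),
        # Answers are gibberish on purpose: true answers are guessable.
        "security_answers": {q: random_string(n_alnum, ALNUM) for q in questions},
    }


if __name__ == "__main__":
    creds = make_credentials(["Mother's maiden name?", "First pet?"])
    for key, value in creds.items():
        print(key, value)
```

Store the output in a local password manager, as the post recommends, rather than in the generating script.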
Original broker information:
- My main broker, TD Ameritrade, has an asset protection guarantee, but doesn't provide many (any?) technical counter-measures like two-factor authentication, alerts, voice printing, etc. Their "what you can do" page is the trite version. They do recommend (and allow) good strong passwords, and I have set up gibberish answers to security questions. I think they also provide a PIN option for accounts (see Client Services -> My Profile -> Personal Information -> Account settings) but it isn't clear to me what purpose the PIN would serve. In particular, I don't ever remember using a PIN to log in, first time or otherwise, or being asked to supply one in my various phone conversations with client support:
Conversation with TD Ameritrade Ted bot wrote:
You: what is an account PIN?
Ted: Your TD Ameritrade personal identification number (PIN) is a 4-digit number created to help ensure account security. Every TD Ameritrade account is assigned a separate PIN that must be used as a password to access your account online for the first time. Your PIN may be used on our phone system as well.
I'm also frustrated that TDA is apparently working hard to provide "secure" account access via Facebook messenger, when IMO they haven't even got their own "secure" account access situation nailed down.
- I've enrolled my Fidelity 401(k) account in voice print technology, but it's unclear how that feature is used. Supposedly it replaces account password and PIN, but I still have to dial my password whenever I call in for something. Maybe that's a good thing (multiple layers of defense). Fidelity also offers a software token scheme called Symantec VIP that makes an especially strong form of 2FA.
- I hear that Vanguard supports security keys as 2FA, but somehow there's no actual web site at Vanguard that advertises them or describes how to set them up. I don't have any Vanguard accounts myself to explore.
- I've not been able to find any particular information about account security options for Merrill Edge or Schwab (thinking about opening accounts at one or both of those in the future).
- There are probably other big brokers out there that I'm not listing here as well.
Would love to hear what words of wisdom others have been able to piece together!