Fidelity Security

AAA
Posts: 843
Joined: Sat Jan 12, 2008 8:56 am

Fidelity Security

Post by AAA » Fri Sep 08, 2017 7:52 pm

I thought I had asked Fidelity about 2-factor authorization fairly recently and they said it wasn't available, but I found information on two methods on their website (below). I will be calling them to discuss and possibly set up (using the latter method on my Mac, not smartphone), but I would like to know - does the method using Symantec Validation involve Fidelity sharing password information with Symantec? Anyone using this? I'd like an objective assessment of any additional risks involved, i.e., another company to potentially get hacked? Thanks.

Add your mobile number to your profile
We are adding an extra verification step called two-factor authentication. In the event of highly sensitive transactions, a six-digit numerical code is sent to you to verify your identity. The primary way of receiving this security code is via a text message to your mobile phone.
If you own a mobile phone, make sure you've added the number to your profile.
If you don't own a mobile phone, you can have an automated phone call deliver the security code to an alternate phone number on your profile.

Download Symantec Validation and ID Protection
With Symantec's Validation and ID Protection (VIP) Access, you can add one final layer of protection to your login process at no cost. Download their app and receive a randomly generated six-digit code to use in addition to your username and password.
This additional layer of authentication can prevent unauthorized access even if your login credentials were compromised.

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Fri Sep 08, 2017 8:06 pm

Both are two-factor authentications. It is unfortunate that the SMS-based one is only being used for selected transactions. We cannot opt-in for every login. The second required an app which I am not familiar with. I am also interested in how this works especially if one has both Fidelity and Etrade. Etrade also use Symantec VIP access.

FinanceGeek
Posts: 829
Joined: Sun Jul 01, 2007 5:27 pm

Re: Fidelity Security

Post by FinanceGeek » Fri Sep 08, 2017 8:15 pm

student wrote:
Fri Sep 08, 2017 8:06 pm
I am also interested in how this works especially if one has both Fidelity and Etrade. Etrade also use Symantec VIP access.
It works great, just give both vendors your Symantec VIP key.

With Fidelity you type the 6 digit code into a separate web page after putting in your password.
With Etrade you append the 6 digit code onto the end of your password when logging in.

AAA
Posts: 843
Joined: Sat Jan 12, 2008 8:56 am

Re: Fidelity Security

Post by AAA » Fri Sep 08, 2017 9:26 pm

FinanceGeek wrote:
Fri Sep 08, 2017 8:15 pm
With Fidelity you type the 6 digit code into a separate web page after putting in your password.
Okay, but just to confirm (as I'm not sure a Fidelity rep would necessarily know or share): Symantec doesn't know your Fidelity password, right?

slin
Posts: 52
Joined: Fri May 16, 2014 12:07 pm

Re: Fidelity Security

Post by slin » Fri Sep 08, 2017 9:37 pm

I also use the Symantec VIP app with Fidelity, and I did not have to provide my Fidelity password to the app or Symantec. IIRC, when you start up the app, it gives you a serial number type thing that you then provide to Fidelity, and that's it - then, you just log in as normal and it prompts you to launch the VIP app, take the 6 digit number from there, and enter it on the login screen.

I believe the way this works is that the serial number you give to Fidelity uniquely identifies your Symantec VIP app, and then as it cycles through its sequence of pseudo-random passcodes (they change every 30 [ish?] seconds), the Fidelity site knows what the current VIP from your app should be at the current time, and checks for that.

I don't think your password goes anywhere new when using this mechanism, but of course I don't have any actual insight into the real inner workings...

I do wish that there was a feature to allow you to only require the VIP code when using a new PC, or maybe once every 30 days from a familiar PC (like Google/gmail does), because I am occasionally trying to log in when my phone is not handy, and realize I'll have to wait until I am with my phone. But that's a relatively small inconvenience.

FinanceGeek
Posts: 829
Joined: Sun Jul 01, 2007 5:27 pm

Re: Fidelity Security

Post by FinanceGeek » Fri Sep 08, 2017 9:53 pm

AAA wrote:
Fri Sep 08, 2017 9:26 pm
Okay, but just to confirm (as I'm not sure a Fidelity rep would necessarily know or share): Symantec doesn't know your Fidelity password, right?
As far as I know, Symantec only provides the second factor: a 6 digit number which changes every 30 seconds.

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Fri Sep 08, 2017 10:25 pm

FinanceGeek wrote:
Fri Sep 08, 2017 8:15 pm
student wrote:
Fri Sep 08, 2017 8:06 pm
I am also interested in how this works especially if one has both Fidelity and Etrade. Etrade also use Symantec VIP access.
It works great, just give both vendors your Symantec VIP key.

With Fidelity you type the 6 digit code into a separate web page after putting in your password.
With Etrade you append the 6 digit code onto the end of your password when logging in.
Thank you.

stlutz
Posts: 4018
Joined: Fri Jan 02, 2009 1:08 am

Re: Fidelity Security

Post by stlutz » Fri Sep 08, 2017 11:41 pm

How does the VIP app really provide any extra security? To deactivate it all you have to do is call...

Cash
Posts: 1221
Joined: Wed Mar 10, 2010 10:52 am

Re: Fidelity Security

Post by Cash » Sat Sep 09, 2017 6:47 am

^^ Indeed, the human element is where these security measures usually fail.

That said, thanks to the OP for alerting me to this option. I will be downloading it and hope that Fidelity is one of the companies making it harder to bypass security measures by calling in.

It seems to work like an RSA token, for anyone familiar with using that to work remotely. Fidelity's system (where the password is) just syncs with Symantec's system (where the code is).

orlandoman
Posts: 420
Joined: Tue Oct 19, 2010 7:27 am

Re: Fidelity Security

Post by orlandoman » Sat Sep 09, 2017 6:52 am

Here's the account data security page on Fidelity's website https://www.fidelity.com/security/overview

That page includes, "We're proud of the trust you place in Fidelity and want to ensure that you have peace of mind when doing business with us. That's why we offer this guarantee: We will reimburse you for any financial losses that result from unauthorized activity on your accounts."
If you are the smartest person in the room, you are in the wrong room.

MikeG62
Posts: 513
Joined: Tue Nov 15, 2016 3:20 pm
Location: New Jersey

Re: Fidelity Security

Post by MikeG62 » Sat Sep 09, 2017 7:44 am

AAA wrote:
Fri Sep 08, 2017 9:26 pm
FinanceGeek wrote:
Fri Sep 08, 2017 8:15 pm
With Fidelity you type the 6 digit code into a separate web page after putting in your password.
Okay, but just to confirm (as I'm not sure a Fidelity rep would necessarily know or share): Symantec doesn't know your Fidelity password, right?
I have been using the Symantec app for at least a year now. Symantec does not have access to your Fidelity login info. The role of Symantec is only to provide a rolling six digit code for you to use when logging in to the Fidelity Website. So when you attempt to log in, you will enter your username and password as usual and you are taken to a new screen which asks for the Symantec six digit code. Once entered, you will be brought to your main Fidelity home screen.

It works perfectly for me and I like the added security.

Wagnerjb
Posts: 7017
Joined: Mon Feb 19, 2007 8:44 pm
Location: Houston, Texas

Re: Fidelity Security

Post by Wagnerjb » Sat Sep 09, 2017 8:34 am

MikeG62 wrote:
Sat Sep 09, 2017 7:44 am
AAA wrote:
Fri Sep 08, 2017 9:26 pm
FinanceGeek wrote:
Fri Sep 08, 2017 8:15 pm
With Fidelity you type the 6 digit code into a separate web page after putting in your password.
Okay, but just to confirm (as I'm not sure a Fidelity rep would necessarily know or share): Symantec doesn't know your Fidelity password, right?
I have been using the Symantec app for at least a year now. Symantec does not have access to your Fidelity login info. The role of Symantec is only to provide a rolling six digit code for you to use when logging in to the Fidelity Website. So when you attempt to log in, you will enter your username and password as usual and you are taken to a new screen which asks for the Symantec six digit code. Once entered, you will be brought to your main Fidelity home screen.

It works perfectly for me and I like the added security.
Same here. It is very easy to use, and Symantec doesn't know the Fidelity password.
Andy

AAA
Posts: 843
Joined: Sat Jan 12, 2008 8:56 am

Re: Fidelity Security

Post by AAA » Sat Sep 09, 2017 9:07 am

MikeG62 wrote:
Sat Sep 09, 2017 7:44 am
The role of Symantec is only to provide a rolling six digit code for you to use when logging in to the Fidelity Website. So when you attempt to log in, you will enter your username and password as usual and you are taken to a new screen which asks for the Symantec six digit code. Once entered, you will be brought to your main Fidelity home screen.
I wonder why Fidelity chose to involve Symantec. With Vanguard, they generate the code and send it to you as does Fidelity with their two-factor authentication (but not for logins). Why would Fidelity not just use two-factor authorization for everything?

TheTimeLord
Posts: 4735
Joined: Fri Jul 26, 2013 2:05 pm

Re: Fidelity Security

Post by TheTimeLord » Sat Sep 09, 2017 9:19 am

AAA wrote:
Sat Sep 09, 2017 9:07 am
MikeG62 wrote:
Sat Sep 09, 2017 7:44 am
The role of Symantec is only to provide a rolling six digit code for you to use when logging in to the Fidelity Website. So when you attempt to log in, you will enter your username and password as usual and you are taken to a new screen which asks for the Symantec six digit code. Once entered, you will be brought to your main Fidelity home screen.
I wonder why Fidelity chose to involve Symantec. With Vanguard, they generate the code and send it to you as does Fidelity with their two-factor authentication (but not for logins). Why would Fidelity not just use two-factor authorization for everything?
SMS transmissions are increasingly being intercepted/misdirected, using a solution like Symantec or an open source variant or hardware device to provide a token is far superior imho. Not sure why you are hung up on the use of the Symantec product.
Run, You Clever Boy!

tenkuky
Posts: 264
Joined: Sun Dec 14, 2014 4:28 pm

Re: Fidelity Security

Post by tenkuky » Sat Sep 09, 2017 9:51 am

Thanks for the guidance (again) on the board.
I signed up this morning with Fido, after downloading the Symantec VIP Access app to my phone.
Also changed login, password and added MyVoice feature.
They did it instantly and up and running.

On another note, the same VIP Access is used by Schwab, signed up with them as well, though they are not instant, take a little while (they said day or so) to get this activated and they send an email to notify it is active.

Two differences: Fido leads to page to enter access code after login-password; Schwab has you enter the code after your password.

AAA
Posts: 843
Joined: Sat Jan 12, 2008 8:56 am

Re: Fidelity Security

Post by AAA » Sat Sep 09, 2017 10:16 am

TheTimeLord wrote:
Sat Sep 09, 2017 9:19 am
SMS transmissions are increasingly being intercepted/misdirected, using a solution like Symantec or an open source variant or hardware device to provide a token is far superior imho. Not sure why you are hung up on the use of the Symantec product.
Thanks for the explanation. I believe Vanguard and Fidelity have the option to use a landline phone for two-factor authentication. Would that be more secure than SMS to a cell phone?

And with all the hacking/breaching going on these days, I'm just naturally hesitant to expand my potential vulnerability to other entities.

Cash
Posts: 1221
Joined: Wed Mar 10, 2010 10:52 am

Re: Fidelity Security

Post by Cash » Sat Sep 09, 2017 10:40 am

In my view, having a third party administer the code makes things more secure. If someone hacks into Fidelity's system, they will not have access to all of the codes. They would somehow also need to pull the codes from Symantec.

It also allows Fidelity to do what it does best and Symantec to do what it does best (and allow Fidelity to easily go with someone else if they later do it better than Symantec).

TheTimeLord
Posts: 4735
Joined: Fri Jul 26, 2013 2:05 pm

Re: Fidelity Security

Post by TheTimeLord » Sat Sep 09, 2017 11:14 am

AAA wrote:
Sat Sep 09, 2017 10:16 am
TheTimeLord wrote:
Sat Sep 09, 2017 9:19 am
SMS transmissions are increasingly being intercepted/misdirected, using a solution like Symantec or an open source variant or hardware device to provide a token is far superior imho. Not sure why you are hung up on the use of the Symantec product.
Thanks for the explanation. I believe Vanguard and Fidelity have the option to use a landline phone for two-factor authentication. Would that be more secure than SMS to a cell phone?

And with all the hacking/breaching going on these days, I'm just naturally hesitant to expand my potential vulnerability to other entities.
From what I can tell yes. But I am sure there are several members here who are far better versed than I on this topic.

https://www.wired.com/2016/06/hey-stop- ... ntication/
http://www.zdnet.com/article/google-wan ... r-sign-in/
https://www.linkedin.com/pulse/why-most ... k-goossens
Run, You Clever Boy!

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Sat Sep 09, 2017 11:27 am

Does Fidelity 2 factor authentication disrupt Quicken's one step update?

Whakamole
Posts: 467
Joined: Wed Jan 13, 2016 9:59 pm

Re: Fidelity Security

Post by Whakamole » Sat Sep 09, 2017 12:10 pm

JBTX wrote:
Sat Sep 09, 2017 11:27 am
Does Fidelity 2 factor authentication disrupt Quicken's one step update?
Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Sat Sep 09, 2017 12:18 pm

Whakamole wrote:
Sat Sep 09, 2017 12:10 pm
JBTX wrote:
Sat Sep 09, 2017 11:27 am
Does Fidelity 2 factor authentication disrupt Quicken's one step update?
Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.
Thanks. That is what I thought. Vanguard's 2 step does not interrupt the one step update but I figured Fidelity's use of third party app probably would.

Anybody know of any workarounds? I am not yet ready to give up the convenience of one step update.

TheTimeLord
Posts: 4735
Joined: Fri Jul 26, 2013 2:05 pm

Re: Fidelity Security

Post by TheTimeLord » Sat Sep 09, 2017 12:30 pm

JBTX wrote:
Sat Sep 09, 2017 12:18 pm
Whakamole wrote:
Sat Sep 09, 2017 12:10 pm
JBTX wrote:
Sat Sep 09, 2017 11:27 am
Does Fidelity 2 factor authentication disrupt Quicken's one step update?
Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.
Thanks. That is what I thought. Vanguard's 2 step does not interrupt the one step update but I figured Fidelity's use of third party app probably would.

Anybody know of any workarounds? I am not yet ready to give up the convenience of one step update.
Perhaps I am missing something but I can't see what using a third party app has to do with it. How do you enter the second factor for Vanguard for these updates? Or does Vanguard not use 2 factor for these updates?
Run, You Clever Boy!

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Sat Sep 09, 2017 1:01 pm

TheTimeLord wrote:
Sat Sep 09, 2017 12:30 pm
JBTX wrote:
Sat Sep 09, 2017 12:18 pm
Whakamole wrote:
Sat Sep 09, 2017 12:10 pm
JBTX wrote:
Sat Sep 09, 2017 11:27 am
Does Fidelity 2 factor authentication disrupt Quicken's one step update?
Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.
Thanks. That is what I thought. Vanguard's 2 step does not interrupt the one step update but I figured Fidelity's use of third party app probably would.

Anybody know of any workarounds? I am not yet ready to give up the convenience of one step update.
Perhaps I am missing something but I can't see what using a third party app has to do with it. How do you enter the second factor for Vanguard for these updates? Or does Vanguard not use 2 factor for these updates?
Vanguard does not require 2nd factor for Quicken update.

With a third party app that changes code every 30 seconds it would be next to impossible to enter that into a Quicken prompt indicating that additional information is required by Fidelity.

TheTimeLord
Posts: 4735
Joined: Fri Jul 26, 2013 2:05 pm

Re: Fidelity Security

Post by TheTimeLord » Sat Sep 09, 2017 1:11 pm

JBTX wrote:
Sat Sep 09, 2017 1:01 pm
TheTimeLord wrote:
Sat Sep 09, 2017 12:30 pm
JBTX wrote:
Sat Sep 09, 2017 12:18 pm
Whakamole wrote:
Sat Sep 09, 2017 12:10 pm
JBTX wrote:
Sat Sep 09, 2017 11:27 am
Does Fidelity 2 factor authentication disrupt Quicken's one step update?
Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.
Thanks. That is what I thought. Vanguard's 2 step does not interrupt the one step update but I figured Fidelity's use of third party app probably would.

Anybody know of any workarounds? I am not yet ready to give up the convenience of one step update.
Perhaps I am missing something but I can't see what using a third party app has to do with it. How do you enter the second factor for Vanguard for these updates? Or does Vanguard not use 2 factor for these updates?
Vanguard does not require 2nd factor for Quicken update.

With a third party app that changes code every 30 seconds it would be next to impossible to enter that into a Quicken prompt indicating that additional information is required by Fidelity.
Sounds like it is Vanguard's waiving its 2 factor security authorization that enables the update. I have no clue why 30 seconds would be sufficient to log on to the Fidelity Website but not enough to enter into Quicken in a request/response situation. Thanks for the explanation.
Run, You Clever Boy!

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Sat Sep 09, 2017 1:48 pm

TheTimeLord wrote:
Sat Sep 09, 2017 1:11 pm
JBTX wrote:
Sat Sep 09, 2017 1:01 pm
TheTimeLord wrote:
Sat Sep 09, 2017 12:30 pm
JBTX wrote:
Sat Sep 09, 2017 12:18 pm
Whakamole wrote:
Sat Sep 09, 2017 12:10 pm


Yes.

Some companies are solving this problem by giving out a special account/password combination that allows for "read only" access to your account, so Mint/Personal Capital/etc. can get updates but a hacker could only get your account balance, and not withdraw money. Hopefully Fidelity adds this at one point.
Thanks. That is what I thought. Vanguard's 2 step does not interrupt the one step update but I figured Fidelity's use of third party app probably would.

Anybody know of any workarounds? I am not yet ready to give up the convenience of one step update.
Perhaps I am missing something but I can't see what using a third party app has to do with it. How do you enter the second factor for Vanguard for these updates? Or does Vanguard not use 2 factor for these updates?
Vanguard does not require 2nd factor for Quicken update.

With a third party app that changes code every 30 seconds it would be next to impossible to enter that into a Quicken prompt indicating that additional information is required by Fidelity.
Sounds like it is Vanguard's waiving its 2 factor security authorization that enables the update. I have no clue why 30 seconds would be sufficient to log on to the Fidelity Website but not enough to enter into Quicken in a request/response situation. Thanks for the explanation.
As I understand it, the Fidelity app is one where you have a timed code every 30 seconds. 30 seconds is plenty of time to enter directly into a website. I don't know how it would work if quicken gave you a prompt that a code was needed, and once you entered the code how much time that would take to process through the servers. Don't know if it accesses all of your various accounts at once, or separately in sequence. Maybe it would work, maybe it wouldn't. I guess the only way I'd know is to set it up and try it and see if it works or not. Talking to a fidelity rep a week or so ago he said he wasn't sure how it would work, but he did recently have a customer who set it up call back and deactivate it because it wasn't working with his quicken.
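
How a rolling 30-second code of the kind slin and JBTX describe can be checked on the server side, as an added example that is not part of any post in this thread and is not Symantec's or Fidelity's code. It implements the open RFC 6238 TOTP algorithm; the credential ID, the shared secret and the `Verifier` class are assumptions for illustration. The code depends only on a per-app secret and the clock, never on the account password, and the verifier tolerates one time step of delay while refusing a code it has already accepted.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code, as described in the thread
DIGITS = 6         # six-digit codes, as described in the thread


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS)


class Verifier:
    """Hypothetical server-side check keyed by the app's credential ID.

    It stores one shared secret per enrolled app and nothing about the
    account password, which the site checks separately.
    """

    def __init__(self, window: int = 1):
        self.window = window   # time steps of clock drift or delay tolerated
        self._secrets = {}     # credential_id -> shared secret
        self._last_step = {}   # credential_id -> newest step already used

    def enroll(self, credential_id: str, secret: bytes) -> None:
        self._secrets[credential_id] = secret

    def verify(self, credential_id: str, code: str, now: int) -> bool:
        secret = self._secrets.get(credential_id)
        if secret is None:
            return False
        current = now // STEP_SECONDS
        newest_used = self._last_step.get(credential_id, -1)
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if step <= newest_used:
                continue  # a code from this step or earlier was already accepted
            expected = hotp(secret, step)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_step[credential_id] = step
                return True
        return False


# Constructed sample data: the secret is the published RFC 6238 test key and
# the credential ID is a made-up placeholder, not a real VIP credential.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_CREDENTIAL_ID = "EXAMPLE-CRED-0001"


def demo() -> dict:
    strict = Verifier(window=0)
    tolerant = Verifier(window=1)
    for verifier in (strict, tolerant):
        verifier.enroll(SAMPLE_CREDENTIAL_ID, SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 1111111109)  # shown by the app at this time
    arrives = 1111111111                    # server sees it one step later
    return {
        "code": code,
        "strict_accepts_late_code": strict.verify(
            SAMPLE_CREDENTIAL_ID, code, arrives),
        "tolerant_accepts_late_code": tolerant.verify(
            SAMPLE_CREDENTIAL_ID, code, arrives),
        "replay_accepted": tolerant.verify(
            SAMPLE_CREDENTIAL_ID, code, arrives),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
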

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Sat Sep 09, 2017 3:03 pm

I just set up the fidelity 2 factor. I actually already had the VIP Symantec app on my phone from a prior employer VPN application. I tested it on the website and it seems to work as intended.

I tried updating quicken, and best I can tell it updated without needing the code. The onestep update shows as updated. However, I had updated today before I did this, so I haven't gotten any new transactions yet. I guess I won't know for sure if the quicken will work until I have some actual new transactions to download.

So far so good....I guess.

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Sat Sep 09, 2017 4:53 pm

I just installed it and it works as advertised.

dmcmahon
Posts: 1856
Joined: Fri Mar 21, 2008 10:29 pm

Re: Fidelity Security

Post by dmcmahon » Sat Sep 09, 2017 6:07 pm

Cash wrote:
Sat Sep 09, 2017 6:47 am
^^ Indeed, the human element is where these security measures usually fail.

That said, thanks to the OP for alerting me to this option. I will be downloading it and hope that Fidelity is one of the companies making it harder to bypass security measures by calling in.

It seems to work like an RSA token, for anyone familiar with using that to work remotely. Fidelity's system (where the password is) just syncs with Symantec's system (where the code is).
My thanks as well, and I'll be spreading the word to my colleagues. Also they have a voice recognition layer now as well, and they signed me up for it, so that should make it harder for someone to impersonate me.

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Sat Sep 09, 2017 8:00 pm

I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.

Cash
Posts: 1221
Joined: Wed Mar 10, 2010 10:52 am

Re: Fidelity Security

Post by Cash » Sun Sep 10, 2017 7:41 am

student wrote:
Sat Sep 09, 2017 8:00 pm
I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.
You think it would be easier for someone to mimic your voice than to figure out your password?

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Sun Sep 10, 2017 8:35 am

Cash wrote:
Sun Sep 10, 2017 7:41 am
student wrote:
Sat Sep 09, 2017 8:00 pm
I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.
You think it would be easier for someone to mimic your voice than to figure out your password?
That's my concern.

bawr
Posts: 45
Joined: Thu May 19, 2011 9:10 pm

Re: Fidelity Security

Post by bawr » Tue Sep 12, 2017 5:41 am

I was dismayed to discover recently that the Fidelity's Active Trader Pro software bypasses the Symantec VIP two factor authentication system. A simple username and password is all you need to log into your account when using ATP.

Alchemist
Posts: 225
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Fidelity Security

Post by Alchemist » Tue Sep 12, 2017 7:35 am

student wrote:
Sat Sep 09, 2017 8:00 pm
I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.
I definitely think it is more secure than a password. The reason I say that is twofold. The first part is that over the phone passwords are not necessarily insecure by themselves, however, the weakness lies when the attacker (pretending to be you) successfully convinces the person on the phone that they simply forgot their password. The helpful company rep then resets said password using security questions which the attacker has a better chance at defeating, especially if they are based on other info they could steal. For example: previous address, employers, birthdays, SSN or other info that is easily guessable or stolen from other data breaches (looking at you, Equifax). This has been demonstrated to actually have happened at cell phone companies in order to steal people's numbers and therefore get access to their SMS based two factor codes. It is why two factor via text messaging is inherently less secure than app or physical token based 2FA methods. Or in other words, why the Symantec app is far more secure than text messaging.

Voice authentication, on the other hand, cannot be socially engineered. The way Fidelity implements it in particular would be hard to fake. You do not say a simple passcode for the system to recognize you, it happens automatically in the background while talking with the customer service rep. This means the attacker would not just need a recording of your voice but actually mimic it in real time over the phone. I am sure some spy agency out there could probably come up with a way to defeat it, but I find the likelihood of this being done by a criminal hacker to be extremely low. I am a very paranoid person when it comes to cyber security, but I feel very comfortable with the combination of app based 2FA with Symantec and Fidelity MyVoice.

As an aside, I use 2FA on everything I possibly can. For me Symantec works with Fidelity and USAA (my bank) and I use Authy for Amazon, Facebook, and email.

student
Posts: 1340
Joined: Fri Apr 03, 2015 6:58 am

Re: Fidelity Security

Post by student » Tue Sep 12, 2017 8:08 am

Alchemist wrote:
Tue Sep 12, 2017 7:35 am
student wrote:
Sat Sep 09, 2017 8:00 pm
I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.
I definitely think it is more secure than a password. The reason I say that is twofold. The first part is that over the phone passwords are not necessarily insecure by themselves, however, the weakness lies when the attacker (pretending to be you) successfully convinces the person on the phone that they simply forgot their password. The helpful company rep then resets said password using security questions which the attacker has a better chance at defeating, especially if they are based on other info they could steal. For example: previous address, employers, birthdays, SSN or other info that is easily guessable or stolen from other data breaches (looking at you, Equifax). This has been demonstrated to actually have happened at cell phone companies in order to steal people's numbers and therefore get access to their SMS based two factor codes. It is why two factor via text messaging is inherently less secure than app or physical token based 2FA methods. Or in other words, why the Symantec app is far more secure than text messaging.

Voice authentication, on the other hand, cannot be socially engineered. The way Fidelity implements it in particular would be hard to fake. You do not say a simple passcode for the system to recognize you, it happens automatically in the background while talking with the customer service rep. This means the attacker would not just need a recording of your voice but actually mimic it in real time over the phone. I am sure some spy agency out there could probably come up with a way to defeat it, but I find the likelihood of this being done by a criminal hacker to be extremely low. I am a very paranoid person when it comes to cyber security, but I feel very comfortable with the combination of app based 2FA with Symantec and Fidelity MyVoice.

As an aside, I use 2FA on everything I possibly can. For me Symantec works with Fidelity and USAA (my bank) and I use Authy for Amazon, Facebook, and email.
Thanks for the reply.

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Tue Sep 12, 2017 9:04 am

Alchemist wrote:
Tue Sep 12, 2017 7:35 am
student wrote:
Sat Sep 09, 2017 8:00 pm
I haven't signed up for the voice security as I am not sure whether it is more or less secure than password. It would be more secure if it requires both but I think it is using voice to replace password.
I definitely think it is more secure than a password. The reason I say that is twofold. The first part is that over the phone passwords are not necessarily insecure by themselves, however, the weakness lies when the attacker (pretending to be you) successfully convinces the person on the phone that they simply forgot their password. The helpful company rep then resets said password using security questions which the attacker has a better chance at defeating, especially if they are based on other info they could steal. For example: previous address, employers, birthdays, SSN or other info that is easily guessable or stolen from other data breaches (looking at you, Equifax). This has been demonstrated to actually have happened at cell phone companies in order to steal people's numbers and therefore get access to their SMS based two factor codes. It is why two factor via text messaging is inherently less secure than app or physical token based 2FA methods. Or in other words, why the Symantec app is far more secure than text messaging.

Voice authentication, on the other hand, cannot be socially engineered. The way Fidelity implements it in particular would be hard to fake. You do not say a simple passcode for the system to recognize you, it happens automatically in the background while talking with the customer service rep. This means the attacker would not just need a recording of your voice but actually mimic it in real time over the phone. I am sure some spy agency out there could probably come up with a way to defeat it, but I find the likelihood of this being done by a criminal hacker to be extremely low. I am a very paranoid person when it comes to cyber security, but I feel very comfortable with the combination of app based 2FA with Symantec and Fidelity MyVoice.

As an aside, I use 2FA on everything I possibly can. For me Symantec works with Fidelity and USAA (my bank) and I use Authy for Amazon, Facebook, and email.
The voice authentication is probably an improvement but it isn't foolproof. I had set up the VA some time back. I called last week and the rep said he was having "computer problems" and VA wasn't working and needed to ask me a couple of security questions. If for some reason the VA doesn't work, which appears to be a possibility, they revert to the old methodology of asking a couple of security questions.

AAA
Posts: 843
Joined: Sat Jan 12, 2008 8:56 am

Re: Fidelity Security

Post by AAA » Tue Sep 12, 2017 9:44 am

Alchemist wrote:
Tue Sep 12, 2017 7:35 am
This has been demonstrated to actually have happened at cell phone companies in order to steal people's numbers and therefore get access to their SMS based two factor codes. It is why two factor via text messaging is inherently less secure than app or physical token based 2FA methods.
Can you elaborate? If someone steals your number, wouldn't you realize this fairly quickly as you would stop getting calls and texts? Also, if it's a two factor code from the past, and possibly somehow still in your text history somewhere, it would no longer be valid.

Alchemist
Posts: 225
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Fidelity Security

Post by Alchemist » Tue Sep 12, 2017 8:07 pm

AAA wrote:
Tue Sep 12, 2017 9:44 am

Can you elaborate? If someone steals your number, wouldn't you realize this fairly quickly as you would stop getting calls and texts? Also, if it's a two factor code from the past, and possibly somehow still in your text history somewhere, it would no longer be valid.
Yes you are right that an old code from the past would not be usable, the danger is that if they hijack your number and request a new code they would receive it on their device. You could realize it when your phone stops working, but how long until you realize why and then convince the phone company they were scammed so they turn off the fraudulent SIM card? That would probably take hours, at least. More than enough time for an attacker to log into your account, change your password, and do whatever nefarious transactions they wanted to. When this has happened, so far, it has been mainly to celebrities/high profile individuals since their personal details are largely public so the social engineering aspect is easier. Here is a link describing some of these attacks, as well as the technical side of the vulnerabilities in the SMS system that do not rely on social engineering:

https://www.wired.com/2016/06/hey-stop- ... tication/

I want to make clear that this does not mean SMS based 2FA is a bad thing. It is definitely better than password alone, as the level of personal detail the attacker needs to know about you is still pretty high and the level of effort is higher than just cracking a password (which is itself pretty hard if you have a strong password). However, my point is just that if your institution offers better methods like a Token (app or physical) then you should use those better methods instead. There is no need for panic, just good to be aware of the limitations of various security methods. And as always, so long as you follow the cyber policies of the institution they will make you whole in the unlikely event that an attacker compromises your account.
JBTX wrote:
Tue Sep 12, 2017 9:04 am
The voice authentication is probably an improvement but it isn't foolproof. I had set up the VA some time back. I called last week and the rep said he was having "computer problems" and VA wasn't working and needed to ask me a couple of security questions. If for some reason the VA doesn't work, which appears to be a possibility, they revert to the old methodology of asking a couple of security questions.
Well that is a little concerning. I guess the level of concern warranted depends on if that is the same protocol they use in the event a caller fails VA. A couple years ago I had my credit card company call me one morning and ask if I had recently attempted to change my address because someone called in claiming to be me wanting to do so. They found it suspicious, denied it, and called me on my cell number I had on record. I do not know what criteria they used to determine the attacker was not me; though in hindsight I wish I had asked more detail. In that case I just got a new card issued with a new number on it to be safe. Maybe credit card companies have more practice at this since they are the more common target of fraud/ID theft?

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Tue Sep 12, 2017 8:16 pm

Alchemist wrote:
Tue Sep 12, 2017 8:07 pm
AAA wrote:
Tue Sep 12, 2017 9:44 am

Can you elaborate? If someone steals your number, wouldn't you realize this fairly quickly as you would stop getting calls and texts? Also, if it's a two factor code from the past, and possibly somehow still in your text history somewhere, it would no longer be valid.
Yes you are right that an old code from the past would not be usable, the danger is that if they hijack your number and request a new code they would receive it on their device. You could realize it when your phone stops working, but how long until you realize why and then convince the phone company they were scammed so they turn off the fraudulent SIM card? That would probably take hours, at least. More than enough time for an attacker to log into your account, change your password, and do whatever nefarious transactions they wanted to. When this has happened, so far, it has been mainly to celebrities/high profile individuals since their personal details are largely public so the social engineering aspect is easier. Here is a link describing some of these attacks, as well as the technical side of the vulnerabilities in the SMS system that do not rely on social engineering:

https://www.wired.com/2016/06/hey-stop- ... tication/

I want to make clear that this does not mean SMS based 2FA is a bad thing. It is definitely better than password alone, as the level of personal detail the attacker needs to know about you is still pretty high and the level of effort is higher than just cracking a password (which is itself pretty hard if you have a strong password). However, my point is just that if your institution offers better methods like a Token (app or physical) then you should use those better methods instead. There is no need for panic, just good to be aware of the limitations of various security methods. And as always, so long as you follow the cyber policies of the institution they will make you whole in the unlikely event that an attacker compromises your account.
JBTX wrote:
Tue Sep 12, 2017 9:04 am
The voice authentication is probably an improvement but it isn't foolproof. I had set up the VA some time back. I called last week and the rep said he was having "computer problems" and VA wasn't working and needed to ask me a couple of security questions. If for some reason the VA doesn't work, which appears to be a possibility, they revert to the old methodology of asking a couple of security questions.
Well that is a little concerning. I guess the level of concern warranted depends on if that is the same protocol they use in the event a caller fails VA. A couple years ago I had my credit card company call me one morning and ask if I had recently attempted to change my address because someone called in claiming to be me wanting to do so. They found it suspicious, denied it, and called me on my cell number I had on record. I do not know what criteria they used to determine the attacker was not me; though in hindsight I wish I had asked more detail. In that case I just got a new card issued with a new number on it to be safe. Maybe credit card companies have more practice at this since they are the more common target of fraud/ID theft?
I guess the way I see it is the VA adds some level of security, but given the process it isn't foolproof. Somebody would have to have a LOT of your information to be able to answer the questions they ask, but it isn't impossible.

It may be naive, but I tend to think the fraudsters out there are going to pursue the low hanging fruit. If you have a fair amount of security around your account, why would they go through all the trouble to hack yours, when somebody else out there has the password set to "password" or "123456"

Alchemist
Posts: 225
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Fidelity Security

Post by Alchemist » Tue Sep 12, 2017 8:33 pm

JBTX wrote:
Tue Sep 12, 2017 8:16 pm
I guess the way I see it is the VA adds some level of security, but given the process it isn't foolproof. Somebody would have to have a LOT of your information to be able to answer the questions they ask, but it isn't impossible.
Like, say, all the information that Equifax knows about you? Or in my case the Fed government which has lost my data (including my security clearance info!) multiple times....

Though I definitely agree with the sentiment. The fact that no security is foolproof is not a criticism of companies like Fidelity, Vanguard, or even Amazon doing good faith efforts to improve theirs.
It may be naive, but I tend to think the fraudsters out there are going to pursue the low hanging fruit. If you have a fair amount of security around your account, why would they go through all the trouble to hack yours, when somebody else out there has the password set to "password" or "123456"
I may get too overzealous on this topic since I find it very interesting and nerd out a bit on it. But you are completely right. I am sure some determined group of criminal hackers could break into my accounts and make my life very difficult. However, why would they bother attacking the paranoid guy with 2FA and encryption everywhere when the next person over does none of those things. We do not really need to be perfect, just reasonably difficult enough to target in order to not make it worth their while.

JBTX
Posts: 1530
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity Security

Post by JBTX » Tue Sep 12, 2017 9:01 pm

Alchemist wrote:
Tue Sep 12, 2017 8:33 pm
JBTX wrote:
Tue Sep 12, 2017 8:16 pm
I guess the way I see it is the VA adds some level of security, but given the process it isn't foolproof. Somebody would have to have a LOT of your information to be able to answer the questions they ask, but it isn't impossible.
Like, say, all the information that Equifax knows about you? Or in my case the Fed government which has lost my data (including my security clearance info!) multiple times....

Though I definitely agree with the sentiment. The fact that no security is foolproof is not a criticism of companies like Fidelity, Vanguard, or even Amazon doing good faith efforts to improve theirs.
It may be naive, but I tend to think the fraudsters out there are going to pursue the low hanging fruit. If you have a fair amount of security around your account, why would they go through all the trouble to hack yours, when somebody else out there has the password set to "password" or "123456"
I may get too overzealous on this topic since I find it very interesting and nerd out a bit on it. But you are completely right. I am sure some determined group of criminal hackers could break into my accounts and make my life very difficult. However, why would they bother attacking the paranoid guy with 2FA and encryption everywhere when the next person over does none of those things. We do not really need to be perfect, just reasonably difficult enough to target in order to not make it worth their while.
While I am no match for a hacker, my hope is that I am far enough ahead of the masses that they figure out I'm not worth the effort. Wishful thinking, perhaps.

Fclevz
Posts: 306
Joined: Fri Mar 30, 2007 11:28 am

Re: Fidelity Security

Post by Fclevz » Fri Sep 15, 2017 9:40 am

I see that Fidelity's Symantec VIP 2FA app can only be installed in one place at a time (phone, laptop, desktop, whatever). This makes sense since you don't want the possibility of conflicting codes.

But am I correct in assuming that doesn't restrict you to one device? For example, if you have the app on your phone, it doesn't restrict you to only logging in on your phone, right? Can you still log in to Fidelity using your desktop computer too, as long as you have your phone nearby to get a code?

tfb
Posts: 7731
Joined: Mon Feb 19, 2007 5:46 pm

Re: Fidelity Security

Post by tfb » Fri Sep 15, 2017 10:38 am

Fclevz wrote:
Fri Sep 15, 2017 9:40 am
I see that Fidelity's Symantec VIP 2FA app can only be installed in one place at a time (phone, laptop, desktop, whatever). This makes sense since you don't want the possibility of conflicting codes.

But am I correct in assuming that doesn't restrict you to one device? For example, if you have the app on your phone, it doesn't restrict you to only logging in on your phone, right? Can you still log in to Fidelity using your desktop computer too, as long as you have your phone nearby to get a code?
That's correct. The app only generates the code. You can use the code on any device. If you have accounts with other institutions that use the same Symantec VIP system, for example Schwab, you can register the same credential ID from the app to your Schwab account as well. That one app will work with all devices on all accounts that use Symantec VIP.
Harry Sit, taking a break from the forums.

hlfo718
Posts: 756
Joined: Wed Dec 01, 2010 9:17 am
Location: NYC

Re: Fidelity Security

Post by hlfo718 » Fri Sep 15, 2017 10:57 am

Have you noticed that most banks and credit unions are way behind in terms of security? Sure they have the usual 2FA using SMS or email but I have yet to see Ally, PenFed, TD, Cap One, Citi, Chase and many others implement either a hard or software token.

Thinking about consolidating all cash at Fido/Schw/Vang since at least they are more proactive in trying to safekeep our assets.

david99
Posts: 579
Joined: Sat Mar 03, 2007 11:56 am

Re: Fidelity Security

Post by david99 » Fri Sep 15, 2017 11:43 am

hlfo718 wrote:
Fri Sep 15, 2017 10:57 am
Have you noticed that most banks and credit unions are way behind in terms of security? Sure they have the usual 2FA using SMS or email but I have yet to see Ally, PenFed, TD, Cap One, Citi, Chase and many others implement either a hard or software token.

Thinking about consolidating all cash at Fido/Schw/Vang since at least they are more proactive in trying to safekeep our assets.
Some banks don't even have 2FA. It's probably a good idea to consolidate accounts with Fido/Vanguard - at least they are taking more steps to keep assets safe.

need403bhelp
Posts: 434
Joined: Thu May 28, 2015 6:25 pm

Re: Fidelity Security

Post by need403bhelp » Mon Sep 25, 2017 1:53 pm

FYI, I wasn't super excited about Symantec VIP (I use Google Authenticator for all accounts that allow me to use it WITHOUT an SMS backup option, and don't like only being able to configure Symantec VIP with my account on one device), but decided to enable it.

Called Fidelity.

Apparently, it is ONLY available as an option for personal accounts, although IF one has a personal account and turns it on, it will be extended to one's employer-based retirement account.

I ONLY have employer-based retirement accounts. So, for me this is NOT an option.

I did ask whether opening a non-deductible IRA for $1 would work, and the rep seemed to think that it would.

Thus, next year, I may do a $1 non-deductible IRA to Fidelity just to have 2FA via Symantec VIP. I will then do the other $5,499 to Vanguard to do my backdoor Roth.

oldcomputerguy
Posts: 2004
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Fidelity Security

Post by oldcomputerguy » Mon Sep 25, 2017 1:58 pm

Fclevz wrote:
Fri Sep 15, 2017 9:40 am
I see that Fidelity's Symantec VIP 2FA app can only be installed in one place at a time (phone, laptop, desktop, whatever). This makes sense since you don't want the possibility of conflicting codes.

But am I correct in assuming that doesn't restrict you to one device? For example, if you have the app on your phone, it doesn't restrict you to only logging in on your phone, right? Can you still log in to Fidelity using your desktop computer too, as long as you have your phone nearby to get a code?
Correct. This in fact is what I do when I access Fidelity. I use my desktop computer's browser, but the code I enter into the browser comes from the VIP app on my iPad.
Anybody know why there's a 20-pound frozen turkey up in the light grid?

FIREchief
Posts: 1370
Joined: Fri Aug 19, 2016 6:40 pm

Re: Fidelity Security

Post by FIREchief » Mon Sep 25, 2017 4:03 pm

Not sure if this will ever happen, but I'm looking forward to the day when Fidelity will allow me to require a physical visit to their local brick and mortar in order to reset my password. Sure, that would be an inconvenience, but I've never had to have them reset my password and the day my mind can't properly recall a memorized password, of this importance, is the day that I probably need to start thinking about exercising that POA.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.

mouses
Posts: 2338
Joined: Sat Oct 24, 2015 12:24 am

Re: Fidelity Security

Post by mouses » Mon Sep 25, 2017 4:53 pm

stlutz wrote:
Fri Sep 08, 2017 11:41 pm
How does the VIP app really provide any extra security? To deactivate it all you have to do is call...
That's what Schwab told me when I was talking to them about some of their two factor a few days ago "you can just call in."

learning_head
Posts: 810
Joined: Sat Apr 10, 2010 6:02 pm

Re: Fidelity Security

Post by learning_head » Mon Sep 25, 2017 5:57 pm

When I downloaded Symantec VIP app installer (following links from Fidelity site) to my computer and ran the file against virustotal.com, 2 of the 60+ engines indicated the file has potential malware. :annoyed

aj76er
Posts: 347
Joined: Tue Dec 01, 2015 11:34 pm
Location: Portland, OR

Re: Fidelity Security

Post by aj76er » Mon Sep 25, 2017 7:18 pm

need403bhelp wrote:
Mon Sep 25, 2017 1:53 pm
Thus, next year, I may do a $1 non-deductible IRA to Fidelity just to have 2FA via Symantec VIP. I will then do the other $5,499 to Vanguard to do my backdoor Roth.
You could also just do a taxable brokerage account and not fund it. Seems easier.
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle
