How real is cyber risk?

Topic Author
Coato
Posts: 215
Joined: Wed Oct 21, 2015 4:34 pm

How real is cyber risk?

Post by Coato »

I think the header says it. I have heard that the biggest security weakness right now is phone-based, since it is fairly easy to get a SIM card and lock someone out of their phone account. So I am a little concerned about the phone security stuff.

We have accounts at Merrill, Vanguard, Fidelity, Nationwide and Schwab (brokerages, Roths, 457bs, 403bs) and are sprawled everywhere. I was thinking of condensing, to the extent it is possible, but my wife thinks we are better not assuming the cyber risk of one firm.
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF »

Coato wrote: Fri Sep 14, 2018 9:41 am We have accounts at Merrill, Vanguard, Fidelity, Nationwide and Schwab (brokerages, Roths, 457bs, 403bs) and are sprawled everywhere. I was thinking of condensing, to the extent it is possible, but my wife thinks we are better not assuming the cyber risk of one firm.
A technical term for your wife's recommendation is Single Point of Failure. She is right: if one of your financial institutions became nonfunctional due to a cyber attack or other reasons you would want to rely on others while the institution comes back.

You need to have redundancy but not pursue every opportunity under the banner of redundancy. 2-3 custodians of your assets, 2-3 banks or credit unions with ATM cards and access to cash, 3-4 credit cards -- are optimal.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
btenny
Posts: 5702
Joined: Sun Oct 07, 2007 6:47 pm

Re: How real is cyber risk?

Post by btenny »

Agree with Victoria. Use 2 brokers for your stocks, 2 banks for checking and 3 to 5 credit cards and keep some cash on hand.
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF »

Coato wrote: Fri Sep 14, 2018 9:41 am I think the header says it. I have heard that the biggest security weakness right now is phone-based, since it is fairly easy to get a SIM card and lock someone out of their phone account. So I am a little concerned about the phone security stuff.
The cyber risk depends on how you use your smart phone. Is it a Single Point of Failure?

Some of the most common exploits are triggered by phishing. People know, in general, not to click on links. But people forget about it when the topic is exciting or the sender is trustworthy. And so attackers send messages with irresistible subjects and impersonate trusted sources. It's more tempting to click a link in a text message that comes over a small-screen device than to click a link in email viewed on a large-screen device.

All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.

And of course, you should use different complex passwords on all your critical accounts.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
randomguy
Posts: 11295
Joined: Wed Sep 17, 2014 9:00 am

Re: How real is cyber risk?

Post by randomguy »

VictoriaF wrote: Fri Sep 14, 2018 10:26 am
Coato wrote: Fri Sep 14, 2018 9:41 am I think the header says it. I have heard that the biggest security weakness right now is phone-based, since it is fairly easy to get a SIM card and lock someone out of their phone account. So I am a little concerned about the phone security stuff.
The cyber risk depends on how you use your smart phone. Is it a Single Point of Failure?

Some of the most common exploits are triggered by phishing. People know, in general, not to click on links. But people forget about it when the topic is exciting or the sender is trustworthy. And so attackers send messages with irresistible subjects and impersonate trusted sources. It's more tempting to click a link in a text message that comes over a small-screen device than to click a link in email viewed on a large-screen device.

All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.

And of course, you should use different complex passwords on all your critical accounts.

Victoria

Anyone have stats on how much cybercrime there is that involves people losing money from brokerage accounts or having their bank account emptied? I am not aware of much. What I am aware of is a ton of companies getting hacked, losing data, and people getting hit with all sorts of identity theft issues. At the personal level it seems to be mainly scams that rip people off, and in most of them the person does the work. Think pyramid schemes, buying fake goods, dating scams... Or basically the same scams that have been ripping off people for hundreds of years.
Topic Author
Coato
Posts: 215
Joined: Wed Oct 21, 2015 4:34 pm

Re: How real is cyber risk?

Post by Coato »

randomguy wrote: Fri Sep 14, 2018 11:09 am
VictoriaF wrote: Fri Sep 14, 2018 10:26 am
Coato wrote: Fri Sep 14, 2018 9:41 am I think the header says it. I have heard that the biggest security weakness right now is phone-based, since it is fairly easy to get a SIM card and lock someone out of their phone account. So I am a little concerned about the phone security stuff.
The cyber risk depends on how you use your smart phone. Is it a Single Point of Failure?

Some of the most common exploits are triggered by phishing. People know, in general, not to click on links. But people forget about it when the topic is exciting or the sender is trustworthy. And so attackers send messages with irresistible subjects and impersonate trusted sources. It's more tempting to click a link in a text message that comes over a small-screen device than to click a link in email viewed on a large-screen device.

All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.

And of course, you should use different complex passwords on all your critical accounts.

Victoria

Anyone have stats on how much cybercrime there is that involves people losing money from brokerage accounts or having their bank account emptied? I am not aware of much. What I am aware of is a ton of companies getting hacked, losing data, and people getting hit with all sorts of identity theft issues. At the personal level it seems to be mainly scams that rip people off, and in most of them the person does the work. Think pyramid schemes, buying fake goods, dating scams... Or basically the same scams that have been ripping off people for hundreds of years.
Statistically, is the problem more likely to be a single account looting, or a huge system attack or theft?
All Seasons
Posts: 227
Joined: Sun Dec 10, 2017 3:14 pm

Re: How real is cyber risk?

Post by All Seasons »

Very real. Be sure to have some gold.
BackOfTheNet
Posts: 259
Joined: Mon Nov 30, 2009 8:24 pm

Re: How real is cyber risk?

Post by BackOfTheNet »

You can buy a physical key if you want additional protection on your Vanguard (or google) account:

Something like this:

https://www.yubico.com/product/yubikey-neo/

https://investor.vanguard.com/security/security-keys

Once configured, someone would need to steal the key to gain access to your Vanguard account.
increment
Posts: 1736
Joined: Tue May 15, 2018 2:20 pm

Re: How real is cyber risk?

Post by increment »

BackOfTheNet wrote: Fri Sep 14, 2018 12:10 pm You can buy a physical key if you want additional protection
I use the Yubikey at Vanguard.

It does not provide additional protection because it's easy to ask Vanguard to bypass the Yubikey and authorize with the phone code instead.
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

BackOfTheNet wrote: Fri Sep 14, 2018 12:10 pm You can buy a physical key if you want additional protection on your Vanguard (or google) account:

Something like this:

https://www.yubico.com/product/yubikey-neo/

https://investor.vanguard.com/security/security-keys

Once configured, someone would need to steal the key to gain access to your Vanguard account.
If only that were 100% true. Unfortunately it is a relatively trivial exercise to disable the key and request a text (SMS) message instead. Currently, Vanguard will not disable the SMS recovery option.

However, Vanguard does offer another option. You can "lock" online access to your account to a specific computer/device. Of course you could lock yourself out if you should inadvertently change the wrong thing about your computer, such as wipe your cookies. Then you would have to call to regain access. An inconvenience possibly, but I think worth it.

Also, Vanguard offers Voice Verification for transacting business over the phone. I would encourage everyone to go through the process of establishing the voice print. Why? Because if you don't someone else pretending to be you could. If the impostor has the correct answers to any questions the Vanguard employee may have, the Vanguard employee will pass them through and let them create the voice print.
User avatar
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
Last edited by Vulcan on Fri Sep 14, 2018 2:39 pm, edited 2 times in total.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

Vulcan wrote: Fri Sep 14, 2018 1:21 pm The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
Please correct me if I'm wrong, but don't you have to have a phone number associated with your Google Account?
User avatar
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

damjam wrote: Fri Sep 14, 2018 1:45 pm
Vulcan wrote: Fri Sep 14, 2018 1:21 pm The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
Please correct me if I'm wrong, but don't you have to have a phone number associated with your Google Account?
Yes, but you don't have to have your messages forwarded to it.
You will receive them via GMail and/or Hangouts, which are already strongly protected by 2FA, or if they aren't, you have bigger problems, as your email is the key to your digital kingdom.

And if you are using any other email besides GMail... Well, good reason to switch to GMail.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

Vulcan wrote: Fri Sep 14, 2018 2:38 pm
damjam wrote: Fri Sep 14, 2018 1:45 pm
Vulcan wrote: Fri Sep 14, 2018 1:21 pm The best way to mitigate the risk associated with phones/SIM cards is not to use cell phone numbers for 2FA.

Use Google Voice instead. Text messages come into your Google Account that is in turn protected by 2FA.

No excuses.
Please correct me if I'm wrong, but don't you have to have a phone number associated with your Google Account?
Yes, but you don't have to have your messages forwarded to it.
You will receive them via GMail and/or Hangouts, which are already strongly protected by 2FA, or if they aren't, you have bigger problems, as your email is the key to your digital kingdom.

And if you are using any other email besides GMail... Well, good reason to switch to GMail.
I'm having a hard time trying to untangle this in my head, so please bear with me. Keep in mind I know nothing about Google Voice and that would probably explain part of my confusion.

I think you're suggesting that I set up Google Voice as the recipient of SMS type 2fa for various accounts. Then forwarding those messages to a gmail account.

But are you also suggesting using Google Voice as the recovery method for that gmail account? Or would you recommend something else? Because the final recovery method for gmail is the phone number associated with it and that number would receive an SMS (To date I have not figured out a way to disable the recovery phone fall back from gmail).

I'm wondering if I might end up creating a situation where I would be locked out of my gmail and the Google Voice account at the same time.
User avatar
warner25
Posts: 934
Joined: Wed Oct 29, 2014 4:38 pm

Re: How real is cyber risk?

Post by warner25 »

damjam wrote: Fri Sep 14, 2018 3:14 pm...Because the final recovery method for gmail is the phone number associated with it... I'm wondering if I might end up creating a situation where I would be locked out of my gmail and the Google Voice account at the same time.
Look up the one-time recovery codes that Google offers. I printed out my 5 or 10 codes and put them somewhere safe in case all else fails.
User avatar
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

damjam wrote: Fri Sep 14, 2018 3:14 pm I'm having a hard time trying to untangle this in my head, so please bear with me. Keep in mind I know nothing about Google Voice and that would probably explain part of my confusion.

I think you're suggesting that I set up Google Voice as the recipient of SMS type 2fa for various accounts. Then forwarding those messages to a gmail account.

But are you also suggesting using Google Voice as the recovery method for that gmail account? Or would you recommend something else? Because the final recovery method for gmail is the phone number associated with it and that number would receive an SMS (To date I have not figured out a way to disable the recovery phone fall back from gmail).

I'm wondering if I might end up creating a situation where I would be locked out of my gmail and the Google Voice account at the same time.
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
User avatar
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

Vulcan wrote: Fri Sep 14, 2018 4:05 pm For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
On newer Android phones you can also use phone prompts, with one-time codes saved as last-ditch backup.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
golfCaddy
Posts: 728
Joined: Wed Jan 10, 2018 9:02 pm

Re: How real is cyber risk?

Post by golfCaddy »

Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
randomguy
Posts: 11295
Joined: Wed Sep 17, 2014 9:00 am

Re: How real is cyber risk?

Post by randomguy »

Coato wrote: Fri Sep 14, 2018 11:17 am
randomguy wrote: Fri Sep 14, 2018 11:09 am

Anyone have stats on how much cybercrime there is that involves people losing money from brokerage accounts or having their bank account emptied? I am not aware of much. What I am aware of is a ton of companies getting hacked, losing data, and people getting hit with all sorts of identity theft issues. At the personal level it seems to be mainly scams that rip people off, and in most of them the person does the work. Think pyramid schemes, buying fake goods, dating scams... Or basically the same scams that have been ripping off people for hundreds of years.
Statistically, is the problem more likely to be a single account looting, or a huge system attack or theft?
I am not sure it is either. You don't hear stories about people losing 50k+ from fraud or companies losing millions. You hear about low-level things (3k charges or transfers) and various identity theft things (sign up for a credit card and run up a 20k bill). The big losses I see at an individual level pretty much always are a result of a person giving away their money. There are tons of stories (maybe not to this extreme) along the lines of https://www.mypalmbeachpost.com/news/lo ... 0JKJCal2O/ where people basically just hand their money over.
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

golfCaddy wrote: Fri Sep 14, 2018 4:13 pm Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
3funder
Posts: 1814
Joined: Sun Oct 15, 2017 9:35 pm

Re: How real is cyber risk?

Post by 3funder »

I don't lose sleep over it.
Global stocks, US bonds, and time.
User avatar
randomizer
Posts: 1547
Joined: Sun Jul 06, 2014 3:46 pm

Re: How real is cyber risk?

Post by randomizer »

Seems pretty real to me. I'm trying not to lose sleep over it.
87.5:12.5, EM tilt — HODL the course!
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF »

3funder wrote: Fri Sep 14, 2018 5:24 pm I don't lose sleep over it.
Losing sleep is not a recommended mitigation for cyber risk. 2FA and other methods recommended above are.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

Here is a recent hack, pump, and dump:

https://www.cnbc.com/2017/10/30/day-tra ... s-say.html

But it looks like the brokerage firms picked up the bill, at least there is no mention of investor losses.

One thing about this kind of attack is that it happens fast. It just requires trades in your account that, in principle, can lose money fast.

These have been happening for many years and many brokerage firms have been victims.
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

tadamsmar wrote: Fri Sep 14, 2018 5:19 pm
golfCaddy wrote: Fri Sep 14, 2018 4:13 pm Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?

Also from Vanguard policy:
If Vanguard investigates suspected unauthorized activity in your account, you must fully cooperate with us. For example, we may ask you to file a police report, provide us with a statement of facts, or allow us access to your computer.
I assume this has been discussed before on this forum. Thanks for the link tadamsmar
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

Vulcan wrote: Fri Sep 14, 2018 4:05 pm
damjam wrote: Fri Sep 14, 2018 3:14 pm I'm having a hard time trying to untangle this in my head, so please bear with me. Keep in mind I know nothing about Google Voice and that would probably explain part of my confusion.

I think you're suggesting that I set up Google Voice as the recipient of SMS type 2fa for various accounts. Then forwarding those messages to a gmail account.

But are you also suggesting using Google Voice as the recovery method for that gmail account? Or would you recommend something else? Because the final recovery method for gmail is the phone number associated with it and that number would receive an SMS (To date I have not figured out a way to disable the recovery phone fall back from gmail).

I'm wondering if I might end up creating a situation where I would be locked out of my gmail and the Google Voice account at the same time.
For GMail you would use Authenticator app for 2FA.
Nothing gets sent anywhere.
OK

However, have you ever tried testing gmail to see what it does when you "lose" your second factor?

My very unscientific study into the matter turned up this:
It seems if you keep answering no to the question of "do you want to use ... method" it eventually lands at sending an SMS to the phone number associated with the account. From what I can tell that phone number is the recovery number you've assigned. If no number is assigned, it is ultimately the number you used to create the account. AFAIK you must have a valid phone number to create an account and to keep it. I tried removing all numbers associated with a gmail account and the account was deactivated. So here we are back with an SMS, the thing we were trying to avoid.

I guess the only workaround for this is to have a recovery number that is not easily associated to oneself. Google Voice perhaps?

I think I just made myself dizzy.
IHateCasinos
Posts: 72
Joined: Fri Jan 22, 2016 3:58 pm
Location: Portland, OR

Re: How real is cyber risk?

Post by IHateCasinos »

As someone who just today was the victim of a hack, I can give empirical evidence that since last year the existence of fraud has gone up 100%.
I have done the same type of business transactions via lawyers' trust accounts for the last 5 years. Last year, no crimes. Today, my lawyer's document was copied, the bank details were changed and the client paid funds into a third party's account, and then it was withdrawn in cash over a few days. $20k gone.

No, it was not the fashionable cyber fraud phishing style, but it involved email hacking/impersonation and possibly a follow-up phone call when the client started wavering about paying the correct bank account!! The lawyer was the one actually targeted, since he handles lots of deals and their associated payments, rather than the client. This client was victim number 1.

It's relevant to note that the lawyer was very old school, himself very trustworthy, but not at all versed in cyber-threats (as older/old school people typically are). So: a good target.

I actually liked the Google Voice idea, but... anything SMS-based is liable to get SIM-swapped, so that will defraud you before Google Voice sees it higher up in the chain. T-Mobile did a (genuine) SIM swap for me without my voicemail PIN.

Banks in high-fraud countries have software to tell them how old a SIM card is, and thus if it's likely to be hot, e.g. it's brand-new and suddenly changing/adding payees. Fraud alert! Better quality fraud is very likely to come to the USA, as the safeguards aren't here [yet].
In-app authentications initially avoid the SMS risk, but sadly everyone then uses an SMS as a fallback...
Ask me, I know. :annoyed
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

VictoriaF talked about the concept of Single Point of Failure.

People's smart phones have become just that, a single point of failure.

Almost every site/app that offers 2fa defaults to SMS as the last ditch recovery option.

It's extremely frustrating. What's the point of having a strong front door, when the back is just a screen?
Last edited by damjam on Fri Sep 14, 2018 8:14 pm, edited 1 time in total.
Northern Flicker
Posts: 15367
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by Northern Flicker »

BackOfTheNet wrote: Fri Sep 14, 2018 12:10 pm You can buy a physical key if you want additional protection on your Vanguard (or google) account:

Something like this:

https://www.yubico.com/product/yubikey-neo/

https://investor.vanguard.com/security/security-keys

Once configured, someone would need to steal the key to gain access to your Vanguard account.
Unfortunately, that is not correct for Vanguard's current implementation of YubiKey. The person logging in has the option of using a text code in lieu of the YubiKey, so currently, the authentication is no stronger than using text codes for 2FA.

Moreover, if the text codes fail for some financial institution and you lock your account, it is entirely possible that you or a malicious user may be able to call and answer wallet questions with publicly available information to get access to the account. I once called a former 401K provider (not Vanguard) with a need to reset my password, and after asking me some fairly flimsy questions, unlocked the account, reset to a temporary password, and emailed the temporary password to me saying it was good for 24 hours.

Password reset protocols are the weakest link generally. Hijacking your smartphone SIM and non-robust implementations of hardware keys are often well ahead of that for robustness. Many providers use 2FA to a phone for a password reset. The question is what happens if you call and say your phone died or was stolen.
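The point made in the post above, and in the earlier posts about the Vanguard YubiKey, is that an account is only as strong as its weakest login or recovery path: enrolling a hardware key changes nothing if a text code can substitute for it, and a phone-based reset or a wallet-question call can bypass both. The following is an added example, not code from the thread or from any provider named in it, that makes that reasoning mechanical: each login or recovery path is modelled as the set of factors it requires, and the code enumerates the minimal sets of factors that grant access and picks the cheapest. The factor names, the two example policies and the relative cost weights are constructed for illustration and are not measurements of any real institution.

```python
"""Added example (not from the forum thread): model an account's login and
recovery paths as factor sets and compute its effective strength, i.e. the
cheapest minimal set of factors that grants access. Factor names, paths
and cost weights are constructed for illustration."""
from itertools import combinations

# Illustrative relative effort to obtain each factor (constructed values,
# not real-world measurements). Lower means easier for an attacker.
COST = {
    "password": 2,
    "hardware_key": 5,       # must be physically taken from the owner
    "sms_code": 1,           # depends on the phone number / SIM
    "totp_app": 4,           # secret lives only on the enrolled device
    "wallet_questions": 1,   # answers are often public information
}


def reachable(paths, compromised):
    """True if the factors of at least one path are all in `compromised`.
    Each path is an AND of factors; the set of paths is an OR."""
    return any(path <= compromised for path in paths)


def minimal_compromise_sets(paths):
    """All inclusion-minimal factor sets that grant access to the account."""
    factors = sorted({f for p in paths for f in p})
    minimal = []
    for size in range(1, len(factors) + 1):          # smaller sets first,
        for combo in combinations(factors, size):    # so supersets are skipped
            s = frozenset(combo)
            if reachable(paths, s) and not any(m < s for m in minimal):
                minimal.append(s)
    return minimal


def effective_strength(paths):
    """Cheapest minimal set and its cost: the account is only as strong as
    its weakest login or recovery path, whatever else is enrolled."""
    best = min(minimal_compromise_sets(paths),
               key=lambda s: sum(COST[f] for f in s))
    return set(best), sum(COST[f] for f in best)


# Constructed policy A: hardware key enrolled, but a text code may stand in
# for it, and customer service recovers by wallet questions plus a text code.
KEY_WITH_SMS_FALLBACK = [
    {"password", "hardware_key"},
    {"password", "sms_code"},
    {"wallet_questions", "sms_code"},
]

# Constructed policy B: same account with the text-code path removed and
# recovery also requiring possession of the hardware key.
KEY_ONLY = [
    {"password", "hardware_key"},
    {"wallet_questions", "hardware_key"},
]

if __name__ == "__main__":
    for name, paths in [("key + SMS fallback", KEY_WITH_SMS_FALLBACK),
                        ("key only", KEY_ONLY)]:
        factors, cost = effective_strength(paths)
        print(f"{name}: weakest path needs {sorted(factors)} (cost {cost})")
```

Running it shows policy A collapsing to the wallet-questions-plus-text-code path despite the enrolled key, while policy B's weakest path still requires the physical key; the same model can be fed a real provider's documented login and reset options to see which enrolment actually raises the bar.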
User avatar
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

jalbert wrote: Fri Sep 14, 2018 8:12 pm
BackOfTheNet wrote: Fri Sep 14, 2018 12:10 pm You can buy a physical key if you want additional protection on your Vanguard (or google) account:

Something like this:

https://www.yubico.com/product/yubikey-neo/

https://investor.vanguard.com/security/security-keys

Once configured, someone would need to steal the key to gain access to your Vanguard account.
Unfortunately, that is not correct for Vanguard's current implementation of YubiKey. The person logging in has the option of using a text code in lieu of the YubiKey, so currently, the authentication is no stronger than using text codes for 2FA.

Moreover, if the text codes fail for some financial institution and you lock your account, it is entirely possible that you or a malicious user may be able to call and answer wallet questions with publicly available information to get access to the account. I once called a former 401K provider (not Vanguard) with a need to reset my password, and after asking me some fairly flimsy questions, unlocked the account, reset to a temporary password, and emailed the temporary password to me saying it was good for 24 hours.

Password reset protocols are the weakest link generally. Hijacking your smartphone SIM and non-robust implementations of hardware keys are often well ahead of that for robustness. Many providers use 2FA to a phone for a password reset. The question is what happens if you call and say your phone died or was stolen.
This is very true.
One would hope that if your account was emptied using customer service as a point of entry, you would have a very good case to make that the company was at fault. I would also hope you could convince them to make you whole again.
User avatar
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: How real is cyber risk?

Post by tuningfork »

randomguy wrote: Fri Sep 14, 2018 11:09 am Anyone have stats on how much cybercrime there is that involves people losing money from brokerage accounts or having their bank account emptied? I am not aware of much. What I am aware of is a ton of companies getting hacked, losing data, and people getting hit with all sorts of identity theft issues. At the personal level it seems to be mainly scams that rip people off, and in most of them the person does the work. Think pyramid schemes, buying fake goods, dating scams... Or basically the same scams that have been ripping off people for hundreds of years.
No stats, but here is one instance last year where a person's IRA was drained by an imposter. It has a happy ending but required persistence to force the financial institution to return the funds.
viewtopic.php?t=228799
User avatar
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

damjam wrote: Fri Sep 14, 2018 7:02 pm However, have you ever tried testing gmail to see what it does when you "lose" your second factor?

My very unscientific study into the matter turned up this:
It seems if you keep answering no to the question of "do you want to use ... method" it eventually lands at sending an SMS to the phone number associated with the account. From what I can tell that phone number is the recovery number you've assigned. If no number is assigned, it is ultimately the number you used to create the account. AFAIK you must have a valid phone number to create an account and to keep it. I tried removing all numbers associated with a gmail account and the account was deactivated. So here we are back with an SMS, the thing we were trying to avoid.

I guess the only workaround for this is to have a recovery number that is not easily associated to oneself. Google Voice perhaps?

I think I just made myself dizzy.
That is precisely what I do. I have GV number specified as recovery phone.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
golfCaddy
Posts: 728
Joined: Wed Jan 10, 2018 9:02 pm

Re: How real is cyber risk?

Post by golfCaddy »

tadamsmar wrote: Fri Sep 14, 2018 5:19 pm
golfCaddy wrote: Fri Sep 14, 2018 4:13 pm Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
Let's take the most likely scenario. Someone hacks Vanguard, steals Vanguard's password file from Vanguard's servers, and then extracts tens to hundreds of thousands of passwords. I happen to be one of those accounts. There would be a class action lawsuit against Vanguard and I bet a federal judge would be more than happy to throw out whatever nonsensical language Vanguard has in those user agreements no one reads. Disclaimer: IANAL
dknightd
Posts: 3727
Joined: Wed Mar 07, 2018 10:57 am

Re: How real is cyber risk?

Post by dknightd »

Cyber risk is real, and potentially serious. Be careful.
Retired 2019. So far, so good. I want to wake up every morning. But I want to die in my sleep. Just another conundrum. I think the solution might be afternoon naps ;)
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

damjam wrote: Fri Sep 14, 2018 8:08 pm VictoriaF talked about the concept of Single Point of Failure.

People's smart phones have become just that, a single point of failure.

Almost every site/app that offers 2fa defaults to SMS as the last ditch recovery option.

It's extremely frustrating. What's the point of having a strong front door, when the back is just a screen?
I think you may be misunderstanding the point of the two factor authentication.

Neither one factor is impenetrable, but because your phone is something you have, as opposed to your password, which is something you know, it makes it exponentially more difficult to actually gain access to an account that is protected with the second factor. You have to both intercept my password and lay hands on my phone. Or, as the case may be, hack into my Google account that I use as second factor. But that account is in turn protected by my phone that you must physically have to login to my GMail.

Concerns about SMS, while mostly theoretical, are nonetheless easily alleviated by using GV instead of carrier number for code delivery, as I described earlier in the thread.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: How real is cyber risk?

Post by Finridge »

Coato wrote: Fri Sep 14, 2018 9:41 am I think the header says it. I have heard that the biggest security weakness right now is phone-based, since it is fairly easy to get a sim card and lock someone out of their phone account. So I am a little concerned about the phone security stuff.

We have accounts at Merrill, Vanguard, Fidelity, Nationwide and Schwab (brokerages, Roths, 457bs, 403bs) and are sprawled everywhere. I was thinking of condensing, to the extent it is possible but my wife thinks we are better not assuming the cyber risk of one firm.
I agree that you should have at least two firms. Four is probably more than necessary though.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

golfCaddy wrote: Fri Sep 14, 2018 8:38 pm
tadamsmar wrote: Fri Sep 14, 2018 5:19 pm
golfCaddy wrote: Fri Sep 14, 2018 4:13 pm Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
Let's take the most likely scenario. Someone hacks Vanguard, steals Vanguard's password file from Vanguard's servers, and then extracts tens to hundreds of thousands of passwords. I happen to be one of those accounts. There would be a class action lawsuit against Vanguard and I bet a federal judge would be more than happy to throw out whatever nonsensical language Vanguard has in those user agreements no one reads. Disclaimer: IANAL
I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
SpaethCo
Posts: 372
Joined: Wed Jan 13, 2016 11:58 pm
Location: Minneapolis

Re: How real is cyber risk?

Post by SpaethCo »

VictoriaF wrote: Fri Sep 14, 2018 10:26 am All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.
2FA doesn’t offer all that much protection, in reality.

For the second factor to come into play, an attacker needs to already have your password. The most likely way someone is going to get your password is via a successful phishing campaign, and if that happens most 2FA methods don’t offer any protection.

See: https://youtube.com/watch?v=xaOX8DS-Cto
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

damjam wrote: Fri Sep 14, 2018 6:36 pm
tadamsmar wrote: Fri Sep 14, 2018 5:19 pm
golfCaddy wrote: Fri Sep 14, 2018 4:13 pm Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?

Also from Vanguard policy:
If Vanguard investigates suspected unauthorized activity in your account, you must fully cooperate with us. For example, we may ask you to file a police report, provide us with a statement of facts, or allow us access to your computer.
I assume this has been discussed before on this forum. Thanks for the link, tadamsmar.
Actually, the fraud policy has been revised since the last time I read it; not sure this specific one has been discussed here.

I don't recall the thing about not storing your password on your computer. I don't think Vanguard wants to be in the business of providing a guarantee for damages done for every password manager on the planet. I don't have a password manager, do they guarantee for all damages if the thing is hacked?
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: How real is cyber risk?

Post by TimeRunner »

Deleted
Last edited by TimeRunner on Wed Sep 19, 2018 1:43 pm, edited 1 time in total.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan »

SpaethCo wrote: Fri Sep 14, 2018 8:59 pm
VictoriaF wrote: Fri Sep 14, 2018 10:26 am All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.
2FA doesn’t offer all that much protection, in reality.

For the second factor to come into play, an attacker needs to already have your password. The most likely way someone is going to get your password is via a successful phishing campaign, and if that happens most 2FA methods don’t offer any protection.
The most likely way someone is going to get my password is via a successful hack of some web site.
Because that's the only way they've ever gotten it before.
Statistically speaking ;)

But I agree that phishing threat is real, and easy to protect yourself from.
Just don't click any links in emails. Ever.
Or if you did, at least do not enter your password for god's sake.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
3504PIR
Posts: 979
Joined: Mon Jul 26, 2010 2:46 am

Re: How real is cyber risk?

Post by 3504PIR »

This goes back to the OP which asked a broad question, rather than some of the more specific examples given throughout the thread at the micro level.

I don’t think the internet as we know it will still be around in the next 5-10 years. The ability to disrupt it or even to a degree destroy it by an actor with sufficient resources already exists and I think it’s just a matter of time. Or it could become just too difficult or unsafe to use. I certainly hope it is still around as it makes life easy, but I don’t have a lot of confidence.
golfCaddy
Posts: 728
Joined: Wed Jan 10, 2018 9:02 pm

Re: How real is cyber risk?

Post by golfCaddy »

tadamsmar wrote: Fri Sep 14, 2018 8:51 pm I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
For the types of hacks you're talking about, most of the advice in this thread is useless. If someone pwns your phone, it doesn't matter that you use two-factor authentication or strong passwords. They have access to your password because you type it on your phone and they have access to the SMS text codes which get sent to your phone. 2FA and strong passwords are designed to protect you against dictionary attacks, in other words someone hacks Vanguard's servers.
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

Vulcan wrote: Fri Sep 14, 2018 8:40 pm
damjam wrote: Fri Sep 14, 2018 8:08 pm VictoriaF talked about the concept of Single Point of Failure.

People's smart phones have become just that, a single point of failure.

Almost every site/app that offers 2fa defaults to SMS as the last ditch recovery option.

It's extremely frustrating. What's the point of having a strong front door, when the back is just a screen?
I think you may be misunderstanding the point of the two factor authentication.

Neither one factor is impenetrable, but because your phone is something you have, as opposed to your password, which is something you know, it makes it exponentially more difficult to actually gain access to an account that is protected with the second factor. You have to both intercept my password and lay hands on my phone. Or, as the case may be, hack into my Google account that I use as second factor. But that account is in turn protected by my phone that you must physically have to login to my GMail.

Concerns about SMS, while mostly theoretical, are nonetheless easily alleviated by using GV instead of carrier number for code delivery, as I described earlier in the thread.
It took me a while to get here, but I think I have it now.
Thank you.
Rwsawbones
Posts: 133
Joined: Fri Jan 20, 2017 10:21 pm

Re: How real is cyber risk?

Post by Rwsawbones »

Does anyone know what Fidelity does to prevent accounts from being stolen, and what its policy is for making customers whole?
Northern Flicker
Posts: 15367
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by Northern Flicker »

Neither one factor is impenetrable, but because your phone is something you have, as opposed to your password, which is something you know, it makes it exponentially more difficult to actually gain access to an account that is protected with the second factor. You have to both intercept my password and lay hands on my phone. Or, as the case may be, hack into my Google account that I use as second factor. But that account is in turn protected by my phone that you must physically have to login to my GMail.
Not really true. Your phone could be compromised with malware to intercept a text code, and there have been documented successful examples of people moving a cell phone number to a phone in their possession as if the account holder got a new phone. If you map that gmail account to your phone, malware in the phone can read it also.
Northern Flicker
Posts: 15367
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by Northern Flicker »

2FA doesn’t offer all that much protection, in reality.

For the second factor to come into play, an attacker needs to already have your password. The most likely way someone is going to get your password is via a successful phishing campaign, and if that happens most 2FA methods don’t offer any protection.
The point of 2FA is that if your password is compromised, you have more time to change it before it can be abused. If you use text codes for 2FA you should never type the password being protected into the phone for any reason.
The most likely way someone is going to get my password is via a successful hack of some web site.
Because that's the only way they've ever gotten it before.
Statistically speaking ;)
Why would your financial account password be on some web site? Hopefully you are not using the same password for a mutual fund online account and some retailer’s rewards points account or whatever. If the financial services company itself has their passwords compromised, proper implementation would mean that cryptohashes of the passwords or at least encrypted passwords were compromised. With 2FA enabled, the attackers would have to break your password and break your 2FA before the financial provider announces the breach and you change your password.

The most common weakness of a less than fully robust 2FA like a text code is when it is used for password reset. In this scenario the password is not needed, just the phone to be compromised.
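The asymmetry Northern Flicker describes (a strong login path next to an SMS-only reset path, which is also damjam's "screen door" point earlier in the thread) can be checked mechanically. The sketch below is an added illustration, not code from any poster or firm; the asset labels, the two access policies and the phone-compromise scenarios are constructed assumptions, not any provider's actual rules.

```python
"""Threat-model sketch of the login and password-reset paths debated in this
thread (added illustration; not code from any poster or firm).
An account falls if the attacker holds every asset in ANY one access path."""

# Constructed labels for the things an attacker could obtain.
PASSWORD = "password"            # something you know
SMS = "sms_code"                 # one-time code sent to the carrier number
AUTH_APP = "authenticator_code"  # one-time code from an app on a dedicated device
EMAIL = "recovery_mailbox"       # control of the recovery e-mail account
ASSETS = (PASSWORD, SMS, AUTH_APP, EMAIL)


class Policy:
    """A site's access policy as a list of sufficient asset combinations."""

    def __init__(self, name, paths):
        self.name = name
        self.paths = [frozenset(p) for p in paths]

    def takeover(self, held):
        """True if the attacker's assets cover at least one complete path."""
        held = frozenset(held)
        return any(path <= held for path in self.paths)

    def single_points(self):
        """Assets that take the account when held alone: the 'screen door'."""
        return {a for a in ASSETS if self.takeover({a})}


# Assumed typical default: strong login, but "forgot password?" needs only a text.
SMS_RESET = Policy("sms-reset", [
    {PASSWORD, SMS},
    {PASSWORD, AUTH_APP},
    {SMS},                        # password reset confirmed by SMS code alone
])

# Assumed hardened variant: no SMS; a reset needs the mailbox AND the authenticator.
NO_SMS = Policy("no-sms", [
    {PASSWORD, AUTH_APP},
    {EMAIL, AUTH_APP},
])


def phone_compromise(kind, password_typed_on_phone, app_on_phone):
    """Assets one compromised phone yields.
    'sim_swap': the number is moved to another handset, so only SMS is exposed.
    'malware': whatever is typed into or running on the phone is exposed too."""
    held = {SMS}
    if kind == "malware":
        if password_typed_on_phone:
            held.add(PASSWORD)
        if app_on_phone:
            held.add(AUTH_APP)
    return held


if __name__ == "__main__":
    sim = phone_compromise("sim_swap", True, True)
    all_on_phone = phone_compromise("malware", True, True)
    split = phone_compromise("malware", False, False)  # password and app kept off the phone
    for policy in (SMS_RESET, NO_SMS):
        print(policy.name, "single points of failure:", policy.single_points())
        print("  sim swap:", policy.takeover(sim),
              " malware, all on phone:", policy.takeover(all_on_phone),
              " malware, factors split:", policy.takeover(split))
```

Under the SMS-reset policy the phone alone is a single point of failure whatever else you do; under the no-SMS policy a phone compromise only succeeds when the password and the authenticator also live on that phone, which is the "different devices" advice from earlier in the thread.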
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

golfCaddy wrote: Fri Sep 14, 2018 9:39 pm
tadamsmar wrote: Fri Sep 14, 2018 8:51 pm I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
For the types of hacks you're talking about, most of the advice in this thread is useless. If someone pwns your phone, it doesn't matter that you use two-factor authentication or strong passwords. They have access to your password because you type it on your phone and they have access to the SMS text codes which get sent to your phone. 2FA and strong passwords are designed to protect you against dictionary attacks, in other words someone hacks Vanguard's servers.
I own a phone, and I never type my brokerage account password into my phone. It would be a problem for someone who does that.

Some common weak passwords are easy to guess without a dictionary attack.

Note that living up to your responsibilities under a reimbursement guarantee represents a different level of security against losing money. It merely involves engaging in a list of security practices, it does not involve being 100% hack-proof.
damjam
Posts: 955
Joined: Thu Mar 25, 2010 7:46 am
Location: Brooklyn, NY

Re: How real is cyber risk?

Post by damjam »

golfCaddy wrote: Fri Sep 14, 2018 9:39 pm
tadamsmar wrote: Fri Sep 14, 2018 8:51 pm I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
For the types of hacks you're talking about, most of the advice in this thread is useless. If someone pwns your phone, it doesn't matter that you use two-factor authentication or strong passwords. They have access to your password because you type it on your phone and they have access to the SMS text codes which get sent to your phone. 2FA and strong passwords are designed to protect you against dictionary attacks, in other words someone hacks Vanguard's servers.
Vanguard opens people's accounts up to the possibility of this type of attack. Vanguard requires SMS as a recovery method and they offer a phone app to access accounts.

This trend of tying everything to a person's smart phone is just creating an Achilles heel that will be increasingly targeted.

Meanwhile Vanguard's fraud policy seems to say that using a password manager is verboten for storing passwords and notes re the Vanguard account. Any decent password manager highly encrypts all that information for goodness sake. From what I can gather it's when entering the password that you're most vulnerable, not when it's stored in an encrypted format. Password managers enable and encourage long, complicated and unique passwords for every site. PMs make keeping and remembering non-obvious answers to challenge questions simple. Why forbid the use of password managers?
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar »

damjam wrote: Fri Sep 14, 2018 6:36 pm
tadamsmar wrote: Fri Sep 14, 2018 5:19 pm For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?
If you follow the informational links from the fraud pledge page, you get to a page that says that you are not supposed to store your password unencrypted on your computer:

https://investor.vanguard.com/security/credentials

I guess that means encrypted is OK. But, interpreting the fraud pledge has always been a guessing game!

The pledge used to imply that not sharing your password was one of your responsibilities required for the reimbursement guarantee. Now it just states that all shared-password transactions are considered to be authorized by you. A good clarification for the many clients that share passwords with their spouses.