I understand. I agree with your statement "if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped" which is what bd7 was proposing. Then Northern Flicker mentioned that his/her credit union has such a feature but it seems that it is the ability to set levels that trigger alerts. Maybe I misunderstood Northern Flicker's post.
BirdFood wrote: ↑Sun Sep 01, 2024 5:19 pm
An alert likely wouldn't have because the money would probably already be gone, but if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped.
student wrote: ↑Sun Sep 01, 2024 5:12 pm
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
Northern Flicker wrote: ↑Sun Sep 01, 2024 5:08 pm
I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institution's internal processes if the customer is taking on any of the liability.
My point is that setting thresholds already is in common usage even if not for the precise use case in question.
As I recall, my credit union forbids most risky activities for a couple of weeks after a mailing address change. (There's an old-fashioned feel about this; not much business happens by mail any more. I hope they have similar safeguards for other sorts of changes.)
Did Schwab Fraud Protection Guarantee fail here?
Re: Did Schwab Fraud Protection Guarantee fail here?
Northern Flicker wrote: ↑Sun Sep 01, 2024 2:56 pm
While one should never reuse passwords or use the same password for multiple services, if a password is strong, its use for multiple services would be a weakness, but not nearly as big a weakness as most password reset protocols.
I agree with you that password reset is a vulnerability. I recall one of the firms has a 14-day policy (I don't remember which) where if you change the password, you lose the ability to transfer for 14 days. I wish that Vanguard did not use security questions. I recall you might be able to reset the password using the security questions.
Re: Did Schwab Fraud Protection Guarantee fail here?
student wrote: ↑Sun Sep 01, 2024 5:24 pm
15 years ago, my Dad's Schwab account suffered a take-over. Password was changed, e-mail was changed, snail-mail address was changed, and phone number was changed. Money was attempted to be transferred. Due to the number of simultaneous profile changes, Schwab blocked transfers and locked the account. Schwab then emailed the original email, called the original phone number, and sent snail-mail to the original address. When Dad called, they quickly validated he was the account owner, restored his original profile data, and had him create a new logon id and password. No money was moved.
My Dad's computer and his actions were not factors in the take-over. Of course, Schwab gave no details to us.
Re: Did Schwab Fraud Protection Guarantee fail here?
My point was just for clients to have some input into the level of asset at which they would want more stringent controls, balancing their need for use of the asset with the inconvenience of the more stringent controls. I was not trying to describe how to implement it or what use cases should be covered.
Re: Did Schwab Fraud Protection Guarantee fail here?
Northern Flicker wrote: ↑Sun Sep 01, 2024 11:03 pm
Thanks for the info. I support giving customers more options.
Re: Did Schwab Fraud Protection Guarantee fail here?
RetiredAL wrote: ↑Sun Sep 01, 2024 9:58 pm
Thanks for the info. It is good that they blocked the transfer.
Re: Did Schwab Fraud Protection Guarantee fail here?
gavinsiu wrote: ↑Sun Sep 01, 2024 9:12 pm
Interesting info about the password change. Putting transfer/redemption on hold/with restriction after an address change may be more common. viewtopic.php?t=395441 https://www.reddit.com/r/fidelityinvest ... trictions/
Re: Did Schwab Fraud Protection Guarantee fail here?
student wrote: ↑Mon Sep 02, 2024 6:03 am
I think my 529 also prevents you from using a bank account for 14 days after you add it as an external account. This can be inconvenient (what if you need to pay a bill), but somewhat effective in countering a transfer since it might be discovered in those 14 days.
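Several posts above describe the same family of controls from different angles: RetiredAL's account of Schwab freezing transfers when password, e-mail, address and phone all changed at once; the 14-day transfer hold after a password change or a newly linked bank account that gavinsiu and student mention; and Northern Flicker's suggestion that the customer choose the dollar amount above which stricter checks kick in. The following is an added example, not code from the original thread or from any firm, showing how those three rules fit together in one policy decision. The event names, the 14-day hold lengths, the 24-hour/3-field velocity rule and the sample scenario are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hold windows (days) after a sensitive profile change; illustrative values
# modeled on the 14-day holds described in the thread, not any firm's policy.
HOLD_DAYS = {
    "password_reset": 14,
    "address_change": 14,
    "bank_link_added": 14,   # applies only to transfers to that newly linked account
}

# Events that count as profile changes for the velocity rule.
PROFILE_EVENTS = {"password_reset", "address_change", "email_change",
                  "phone_change", "bank_link_added"}

# If this many distinct profile fields change inside the window, treat the
# account as a probable takeover and freeze outbound transfers (assumed rule).
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_FIELDS = 3


@dataclass
class Event:
    kind: str            # e.g. "password_reset", "transfer"
    at: datetime
    amount: float = 0.0  # transfers only
    dest: str = ""       # bank link id: the link added, or the transfer destination


@dataclass
class Decision:
    action: str  # "allow", "step_up" or "block"
    reason: str


def evaluate_transfer(history, transfer, step_up_threshold):
    """Decide whether an outbound transfer may proceed.

    history: prior Events for the account, in any order.
    transfer: the Event being attempted (kind "transfer").
    step_up_threshold: customer-chosen amount at or above which an
      out-of-band confirmation (call-back to the number on file) is required.
    Rules are checked most severe first: a takeover pattern wins over a
    plain hold, and a hold wins over the amount threshold.
    """
    prior = [e for e in history if e.at <= transfer.at]

    # Rule 1: several profile fields changed within the window -> block and lock.
    recent = {e.kind for e in prior
              if e.kind in PROFILE_EVENTS and transfer.at - e.at <= VELOCITY_WINDOW}
    if len(recent) >= VELOCITY_FIELDS:
        hours = VELOCITY_WINDOW.total_seconds() / 3600
        return Decision("block", f"{len(recent)} profile fields changed within {hours:.0f}h; "
                                 "lock account, notify owner via pre-change contacts")

    # Rule 2: cooling-off hold after a sensitive change.
    for e in prior:
        hold = HOLD_DAYS.get(e.kind)
        if hold is None:
            continue
        if e.kind == "bank_link_added" and e.dest != transfer.dest:
            continue  # a new-link hold only restricts transfers to that link
        if transfer.at - e.at < timedelta(days=hold):
            return Decision("block", f"outbound transfers held {hold} days after {e.kind}")

    # Rule 3: customer-set amount threshold -> step-up confirmation.
    if transfer.amount >= step_up_threshold:
        return Decision("step_up", "amount at or above customer threshold; "
                                   "confirm via call-back to number on file")

    return Decision("allow", "no hold in effect and below customer threshold")


if __name__ == "__main__":
    # Constructed scenario mirroring the takeover described above: four
    # profile fields changed within an hour, then a transfer attempt.
    t0 = datetime(2024, 9, 1, 12, 0)
    takeover = [Event("password_reset", t0),
                Event("email_change", t0 + timedelta(minutes=5)),
                Event("address_change", t0 + timedelta(minutes=10)),
                Event("phone_change", t0 + timedelta(minutes=15))]
    attempt = Event("transfer", t0 + timedelta(hours=1), amount=50_000, dest="link-1")
    print(evaluate_transfer(takeover, attempt, step_up_threshold=10_000))
```

The ordering of the rules is the point: a hold or velocity freeze is evaluated before the amount threshold, so a customer who sets a high threshold for convenience still gets the cooling-off protection, and a newly added bank link is restricted without blocking transfers to accounts that were linked long ago.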
Re: Did Schwab Fraud Protection Guarantee fail here?
NYCaviator wrote: ↑Sat Aug 31, 2024 7:52 am
Agree 100%. Not only is it true for login security, but also for card transactions. Why, in 2024, don't we have PIN-protected credit card transactions in the US? Or why don't we have forced 3DS for online security? Because the banks determined it is cheaper to deal with rampant fraud than make cards more secure.
Banks also think consumers are too ignorant or lazy to use more secure protocols such as app or hardware based 2FA (and they may be correct), so they use insecure SMS or e-mail based 2FA so they don't risk having a customer leave.
With respect to the whole 2FA code, Bank of America's texts always say something to the effect of "we will never ask you for this code" and "don't share this code with anyone." So some liability falls on the consumer if their bank does the same thing yet they still give that code to someone on the phone.
On the other hand, when I've dealt with Chase, customer service often sends a code via text and they ask for it over the phone or will send a link that you have to click. That seems like a very bad security protocol because it trains the customer to think that it's perfectly normal for someone to ask for a 2FA code over the phone.
Long story short, US financial institutions need to get it together and bring their security up into the 21st century. Because fraudsters are only getting more sophisticated with AI and social engineering, this can only get worse.
I agree companies send mixed signals. I do get the difference, though, that if I initiate the call/session and request something, then immediately after it's ok to click or share. What grinds my gears is when companies randomly email/sms me and tell me to click, like WTF. They should email/sms me asking me to log in and check my secure messages, and no darn links. Bean counters superseding IT.
Re: Did Schwab Fraud Protection Guarantee fail here?
runr wrote: ↑Wed Sep 04, 2024 3:47 pm
Merrill did this to me recently. One of their reps sent me an email that required me to sign up for some secure email to read it. Proofpoint I think? I tried but never got the code to work so I couldn't read the email and, of course, the rep is non-responsive.
It's a legitimate email, but annoying. Why not just send it in the secure messaging center? The mish-mash of IT systems at the big banks has a lot to do with it.
Re: Did Schwab Fraud Protection Guarantee fail here?
runr wrote: ↑Wed Sep 04, 2024 3:47 pm
When I rolled over my 401(k) from John Hancock to Vanguard I received a missed call from JH's fraud department. When I heard the voice mail saying "please call us right away" I thought, Oh, boy, let the scams begin. I was pleasantly surprised, however, when the rep asked me to call him back at the phone number listed on my statement. I called back right away and spoke with the gentleman that called. That's how it should be done.
What the bold print giveth, the fine print taketh away. |
-meowcat