Did Schwab Fraud Protection Guarantee fail here?

student
Posts: 11475
Joined: Fri Apr 03, 2015 6:58 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by student »

BirdFood wrote: Sun Sep 01, 2024 5:19 pm
student wrote: Sun Sep 01, 2024 5:12 pm
Northern Flicker wrote: Sun Sep 01, 2024 5:08 pm I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institutions internal processes if the customer is taking on any of the liability.

My point is that setting thresholds already is in common usage even if not for the precise use case in question.
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
An alert likely wouldn't have because the money would probably already be gone, but if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped.

As I recall, my credit union forbids most risky activities for a couple of weeks after a mailing address change. (There's an old-fashioned feel about this; not much business happens by mail any more. I hope they have similar safeguards for other sorts of changes.)
I understand. I agree with your statement "if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped" which is what bd7 was proposing. Then Northern Flicker mentioned that his/her credit union has such a feature but it seems that it is the ability to set levels that trigger alerts. Maybe I misunderstood Northern Flicker's post.
gavinsiu
Posts: 5820
Joined: Sun Nov 14, 2021 11:42 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by gavinsiu »

Northern Flicker wrote: Sun Sep 01, 2024 2:56 pm While one should never reuse passwords or use the same password for multiple services, if a password is strong, its use for multiple services would be a weakness, but not be nearly as big a weakness as most password reset protocols.
I agree with you that password reset is a vulnerability. I recall one of the firms has a 14-day policy (I don't remember which) where if you change the password, you lose the ability to transfer for 14 days. I wish that Vanguard did not use security questions. I recall you might be able to reset the password using the security questions.
RetiredAL
Posts: 3990
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by RetiredAL »

student wrote: Sun Sep 01, 2024 5:24 pm
BirdFood wrote: Sun Sep 01, 2024 5:19 pm
student wrote: Sun Sep 01, 2024 5:12 pm
Northern Flicker wrote: Sun Sep 01, 2024 5:08 pm I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institutions internal processes if the customer is taking on any of the liability.

My point is that setting thresholds already is in common usage even if not for the precise use case in question.
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
An alert likely wouldn't have because the money would probably already be gone, but if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped.

As I recall, my credit union forbids most risky activities for a couple of weeks after a mailing address change. (There's an old-fashioned feel about this; not much business happens by mail any more. I hope they have similar safeguards for other sorts of changes.)
I understand. I agree with your statement "if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped" which is what bd7 was proposing. Then Northern Flicker mentioned that his/her credit union has such a feature but it seems that it is the ability to set levels that trigger alerts. Maybe I misunderstood Northern Flicker's post.
15 years ago, my Dad's Schwab account suffered a take-over. Password was changed, e-mail was changed, snail-mail address was changed, and phone number was changed. Money was attempted to be transferred. Due to the number of simultaneous profile changes, Schwab blocked transfers and locked the account. Schwab then emailed the original email, called the original phone number, and sent snail-mail to the original address. When Dad called, they quickly validated he was the account owner, restored his original profile data, and had him create a new logon id and password. No money was moved.

My Dad's computer and his actions were not factors in the take-over. Of course, Schwab gave no details to us.
Northern Flicker
Posts: 16418
Joined: Fri Apr 10, 2015 12:29 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by Northern Flicker »

My point was just for clients to have some input into the level of asset at which they would want more stringent controls, balancing their need for use of the asset with the inconvenience of the more stringent controls. I was not trying to describe how to implement it or what use cases should be covered.
student
Posts: 11475
Joined: Fri Apr 03, 2015 6:58 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by student »

Northern Flicker wrote: Sun Sep 01, 2024 11:03 pm My point was just for clients to have some input into the level of asset at which they would want more stringent controls, balancing their need for use of the asset with the inconvenience of the more stringent controls. I was not trying to describe how to implement it or what use cases should be covered.
Thanks for the info. I support giving customers more options.
student
Posts: 11475
Joined: Fri Apr 03, 2015 6:58 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by student »

RetiredAL wrote: Sun Sep 01, 2024 9:58 pm
student wrote: Sun Sep 01, 2024 5:24 pm
BirdFood wrote: Sun Sep 01, 2024 5:19 pm
student wrote: Sun Sep 01, 2024 5:12 pm
Northern Flicker wrote: Sun Sep 01, 2024 5:08 pm I think users should be able to set the threshold for the minimum amount that matters to them for both external alerts and the institutions internal processes if the customer is taking on any of the liability.

My point is that setting thresholds already is in common usage even if not for the precise use case in question.
I agree that it is nice to have such a feature. I can't argue with having more options. (However, I would not be surprised that some people would still blame financial firms regardless. For example, it is confusing because there are too many options.) In any case, I don't think this feature of alerts would have helped the couple in the video.
An alert likely wouldn't have because the money would probably already be gone, but if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped.

As I recall, my credit union forbids most risky activities for a couple of weeks after a mailing address change. (There's an old-fashioned feel about this; not much business happens by mail any more. I hope they have similar safeguards for other sorts of changes.)
I understand. I agree with your statement "if there were a structure that forbid outgoing transfers for a certain period after a password change, or required an enhanced confirmation before allowing a transfer (phone call, human being, a series of questions that the hacker might not have answers to), it seems to me that that would have helped" which is what bd7 was proposing. Then Northern Flicker mentioned that his/her credit union has such a feature but it seems that it is the ability to set levels that trigger alerts. Maybe I misunderstood Northern Flicker's post.
15 years ago, my Dad's Schwab account suffered a take-over. Password was changed, e-mail was changed, snail-mail address was changed, and phone number was changed. Money was attempted to be transferred. Due to the number of simultaneous profile changes, Schwab blocked transfers and locked the account. Schwab then emailed the original email, called the original phone number, and sent snail-mail to the original address. When Dad called, they quickly validated he was the account owner, restored his original profile data, and had him create a new logon id and password. No money was moved.

My Dad's computer and his actions were not factors in the take-over. Of course, Schwab gave no details to us.
Thanks for the info. It is good that they blocked the transfer.
student
Posts: 11475
Joined: Fri Apr 03, 2015 6:58 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by student »

gavinsiu wrote: Sun Sep 01, 2024 9:12 pm
Northern Flicker wrote: Sun Sep 01, 2024 2:56 pm While one should never reuse passwords or use the same password for multiple services, if a password is strong, its use for multiple services would be a weakness, but not be nearly as big a weakness as most password reset protocols.
I agree with you that password reset is a vulnerability. I recall one of the firms has a 14-day policy (I don't remember which) where if you change the password, you lose the ability to transfer for 14 days. I wish that Vanguard did not use security questions. I recall you might be able to reset the password using the security questions.
Interesting info about the password change. Putting transfers/redemptions on hold or under restriction after an address change may be more common. viewtopic.php?t=395441 https://www.reddit.com/r/fidelityinvest ... trictions/
gavinsiu
Posts: 5820
Joined: Sun Nov 14, 2021 11:42 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by gavinsiu »

student wrote: Mon Sep 02, 2024 6:03 am
Interesting info about the password change. Putting transfers/redemptions on hold or under restriction after an address change may be more common. viewtopic.php?t=395441 https://www.reddit.com/r/fidelityinvest ... trictions/
I think my 529 also prevents you from using a bank account for 14 days after you added it as an external account. This can be inconvenient (what if you need to pay a bill), but somewhat effective in countering a transfer since it might be discovered in those 14 days.
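The controls described across this part of the thread (a hold on outgoing transfers for a period after a password, e-mail, phone or address change; a hold on transfers to a newly added external account; a customer-chosen amount below which the holds do not apply, as Northern Flicker suggested; and a block plus lock with out-of-band notification on the original contact channels when several profile fields change at once, as in RetiredAL's account of the Schwab takeover) fit together as one small transfer-risk rule set. The code below is an example added here to illustrate that design; it is not code from Schwab, Vanguard, Fidelity or any other firm named in the thread. The 14-day windows, the "three distinct fields within 24 hours" takeover rule, the event and account names, and the sample scenarios are all constructed assumptions.

```python
"""Transfer risk rules: cooling-off holds after sensitive profile changes and a
lock on takeover-style bursts of changes. Example code; all values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hold applied to outgoing transfers after each kind of change. The thread
# mentions 14-day and "a couple of weeks" holds; the exact values are assumptions.
COOLING_OFF = {
    "password_change": timedelta(days=14),
    "email_change": timedelta(days=14),
    "phone_change": timedelta(days=14),
    "address_change": timedelta(days=14),
    "external_account_added": timedelta(days=14),
}

# If this many *distinct* credential/contact fields change inside the window,
# treat it as a takeover pattern regardless of the transfer amount (assumed values).
TAKEOVER_WINDOW = timedelta(hours=24)
TAKEOVER_MIN_DISTINCT_CHANGES = 3
TAKEOVER_FIELDS = {"password_change", "email_change", "phone_change", "address_change"}


@dataclass
class ProfileEvent:
    kind: str                      # one of the COOLING_OFF keys
    at: datetime
    target: Optional[str] = None   # for external_account_added: id of the new account


@dataclass
class Account:
    owner: str
    hold_threshold: float          # customer-chosen amount at or below which holds are skipped
    events: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str
    lock_account: bool = False
    notify_original_channels: bool = False   # e-mail/call/mail the pre-change contact data


def evaluate_transfer(account: Account, to_account: str, amount: float, now: datetime) -> Decision:
    """Decide whether an outgoing transfer from `account` may proceed at `now`."""
    past = [e for e in account.events if e.at <= now]

    # Rule 1: burst of distinct profile changes -> block, lock, notify out of band.
    # The customer threshold is a convenience setting and never overrides this signal.
    recent_kinds = {e.kind for e in past
                    if e.kind in TAKEOVER_FIELDS and now - e.at <= TAKEOVER_WINDOW}
    if len(recent_kinds) >= TAKEOVER_MIN_DISTINCT_CHANGES:
        return Decision(False,
                        f"{len(recent_kinds)} profile fields changed within {TAKEOVER_WINDOW}",
                        lock_account=True, notify_original_channels=True)

    # Rule 2: amounts at or below the customer's own threshold skip the cooling-off holds.
    if amount <= account.hold_threshold:
        return Decision(True, "amount within customer threshold")

    # Rule 3: cooling-off after any single sensitive change.
    for e in past:
        hold = COOLING_OFF.get(e.kind)
        if hold is None:
            continue
        # A newly added external account only restricts transfers to *that* account.
        if e.kind == "external_account_added" and e.target != to_account:
            continue
        release = e.at + hold
        if now < release:
            return Decision(False, f"{e.kind} on {e.at:%Y-%m-%d} holds transfers until {release:%Y-%m-%d}")

    return Decision(True, "no recent sensitive changes")


# Constructed sample scenarios (reference time and events are made up for the example).
T0 = datetime(2024, 9, 1, 12, 0)


def takeover_scenario() -> Decision:
    """Password, e-mail, address and phone all changed within an hour, then a large transfer."""
    acct = Account("owner-1", hold_threshold=500.0, events=[
        ProfileEvent("password_change", T0 - timedelta(minutes=50)),
        ProfileEvent("email_change", T0 - timedelta(minutes=40)),
        ProfileEvent("address_change", T0 - timedelta(minutes=30)),
        ProfileEvent("phone_change", T0 - timedelta(minutes=20)),
    ])
    return evaluate_transfer(acct, "acct-unknown", 25_000.0, T0)


def password_change_scenario(days_ago: int, amount: float) -> Decision:
    """A single password change `days_ago` days before a transfer of `amount`."""
    acct = Account("owner-2", hold_threshold=500.0, events=[
        ProfileEvent("password_change", T0 - timedelta(days=days_ago))])
    return evaluate_transfer(acct, "acct-bank", amount, T0)


def new_external_account_scenario(to_account: str) -> Decision:
    """An external account linked two days ago; transfer to it vs. to an older one."""
    acct = Account("owner-3", hold_threshold=0.0, events=[
        ProfileEvent("external_account_added", T0 - timedelta(days=2), target="acct-new")])
    return evaluate_transfer(acct, to_account, 1_000.0, T0)


if __name__ == "__main__":
    for d in (takeover_scenario(), password_change_scenario(3, 10_000.0),
              password_change_scenario(20, 10_000.0), new_external_account_scenario("acct-new")):
        print(d)
```

The ordering of the rules is the design point: the burst-of-changes check runs first and cannot be bypassed by keeping the amount small, while the customer threshold only relaxes the routine cooling-off holds. Out-of-band notification uses the contact data as it stood before the changes, which is what makes the lock recoverable by the real owner rather than by whoever made the changes.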
runr
Posts: 226
Joined: Thu Oct 19, 2023 10:34 pm
Location: CA

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by runr »

NYCaviator wrote: Sat Aug 31, 2024 7:52 am
bd7 wrote: Fri Aug 30, 2024 11:09 pm They also have chosen convenience and low cost over effectiveness.
Agree 100%. Not only is it true for log-in security, but also for card transactions. Why, in 2024, don't we have PIN-protected credit card transactions in the US? Or why don't we have forced 3DS for online security? Because the banks determined it is cheaper to deal with rampant fraud than to make cards more secure.

Banks also think consumers are too ignorant or lazy to use more secure protocols such as app or hardware based 2FA (and they may be correct), so they use insecure SMS or e-mail based 2FA so they don't risk having a customer leave.

With respect to the whole 2FA code, Bank of America's texts always say something to the effect of "we will never ask you for this code" and "don't share this code with anyone." So some liability falls on the consumer if their bank does the same thing yet they still give that code to someone on the phone.

On the other hand, when I've dealt with Chase, customer service often sends a code via text and they ask for it over the phone or will send a link that you have to click. That seems like a very bad security protocol because it trains the customer to think that it's perfectly normal for someone to ask for a 2FA code over the phone.

Long story short, US financial institutions need to get it together and bring their security up into the 21st century. Because fraudsters are only getting more sophisticated with AI and social engineering so this can only get worse.
I agree companies send mixed signals. I do get the difference, though, that if I initiate the call/session and request something, then immediately after it's OK to click or share. What grinds my gears is when companies randomly email/SMS me and tell me to click, like WTF. They should email/SMS me asking me to log in and check my secure messages, and no darn links. Bean counters superseding IT.
NYCaviator
Posts: 2548
Joined: Sat Apr 09, 2016 5:06 pm
Location: NYC

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by NYCaviator »

runr wrote: Wed Sep 04, 2024 3:47 pm
NYCaviator wrote: Sat Aug 31, 2024 7:52 am
bd7 wrote: Fri Aug 30, 2024 11:09 pm They also have chosen convenience and low cost over effectiveness.
Agree 100%. Not only is it true for log-in security, but also for card transactions. Why, in 2024, don't we have PIN-protected credit card transactions in the US? Or why don't we have forced 3DS for online security? Because the banks determined it is cheaper to deal with rampant fraud than to make cards more secure.

Banks also think consumers are too ignorant or lazy to use more secure protocols such as app or hardware based 2FA (and they may be correct), so they use insecure SMS or e-mail based 2FA so they don't risk having a customer leave.

With respect to the whole 2FA code, Bank of America's texts always say something to the effect of "we will never ask you for this code" and "don't share this code with anyone." So some liability falls on the consumer if their bank does the same thing yet they still give that code to someone on the phone.

On the other hand, when I've dealt with Chase, customer service often sends a code via text and they ask for it over the phone or will send a link that you have to click. That seems like a very bad security protocol because it trains the customer to think that it's perfectly normal for someone to ask for a 2FA code over the phone.

Long story short, US financial institutions need to get it together and bring their security up into the 21st century. Because fraudsters are only getting more sophisticated with AI and social engineering so this can only get worse.
I agree companies send mixed signals. I do get the difference, though, that if I initiate the call/session and request something, then immediately after it's OK to click or share. What grinds my gears is when companies randomly email/SMS me and tell me to click, like WTF. They should email/SMS me asking me to log in and check my secure messages, and no darn links. Bean counters superseding IT.
Merrill did this to me recently. One of their reps sent me an email that required me to sign up for some secure email to read it. Proofpoint I think? I tried but never got the code to work so I couldn’t read the email and, of course, the rep is non-responsive.

It’s a legitimate email, but annoying. Why not just send it in the secure messaging center? The mish-mash of IT systems at the big banks has a lot to do with it.
meowcat
Posts: 880
Joined: Wed May 09, 2012 5:46 am

Re: Did Schwab Fraud Protection Guarantee fail here?

Post by meowcat »

runr wrote: Wed Sep 04, 2024 3:47 pm
NYCaviator wrote: Sat Aug 31, 2024 7:52 am
bd7 wrote: Fri Aug 30, 2024 11:09 pm They also have chosen convenience and low cost over effectiveness.
Agree 100%. Not only is it true for log-in security, but also for card transactions. Why, in 2024, don't we have PIN-protected credit card transactions in the US? Or why don't we have forced 3DS for online security? Because the banks determined it is cheaper to deal with rampant fraud than to make cards more secure.

Banks also think consumers are too ignorant or lazy to use more secure protocols such as app or hardware based 2FA (and they may be correct), so they use insecure SMS or e-mail based 2FA so they don't risk having a customer leave.

With respect to the whole 2FA code, Bank of America's texts always say something to the effect of "we will never ask you for this code" and "don't share this code with anyone." So some liability falls on the consumer if their bank does the same thing yet they still give that code to someone on the phone.

On the other hand, when I've dealt with Chase, customer service often sends a code via text and they ask for it over the phone or will send a link that you have to click. That seems like a very bad security protocol because it trains the customer to think that it's perfectly normal for someone to ask for a 2FA code over the phone.

Long story short, US financial institutions need to get it together and bring their security up into the 21st century. Because fraudsters are only getting more sophisticated with AI and social engineering so this can only get worse.
I agree companies send mixed signals. I do get the difference, though, that if I initiate the call/session and request something, then immediately after it's OK to click or share. What grinds my gears is when companies randomly email/SMS me and tell me to click, like WTF. They should email/SMS me asking me to log in and check my secure messages, and no darn links. Bean counters superseding IT.
When I rolled over my 401(k) from John Hancock to Vanguard I received a missed call from JH's fraud department. When I heard the voice mail saying "please call us right away" I thought, Oh, boy, let the scams begin. I was pleasantly surprised, however, when the rep asked me to call him back at the phone number listed on my statement. I called back right away and spoke with the gentleman that called. That's how it should be done.
What the bold print givith, the fine print taketh away. | -meowcat