All your eggs in one basket vs. concern about being hacked?

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Post Reply
Topic Author
mmcmonster
Posts: 377
Joined: Sun Jan 12, 2014 1:18 pm

All your eggs in one basket vs. concern about being hacked?

Post by mmcmonster » Thu Dec 29, 2016 11:03 am

As I'm starting to accumulate a sizeable (for me) amount of funds, my wife is concerned that my Vanguard account may get hacked in the future and all my funds get stolen.

I guess it's a reasonable concern. Having a large sum of money protected by a single password is a bit concerning.

I know that any transfer will show up as an email to notify me what's going on. But with weekly transfers into the Vanguard account from my bank, should I be concerned that a transfer out will be lost in all the other emails?

Do you get worried by this sort of thing? How do you protect against it? Do you keep half your funds in Vanguard and half somewhere else? Or some other protection mechanism?

EDIT:
Based on the discussion so far, I configured my email (GMail) account to filter out all email from Alerts@vanguard.com with "Notice of transaction submission" or "Your brokerage transaction confirmation is ready" as the subject (they will skip the inbox and go to a backups folder/label). That way I will notice any transfer of funds emails from Vanguard in my inbox more promptly.
Last edited by mmcmonster on Thu Dec 29, 2016 12:49 pm, edited 2 times in total.

McGilicutty
Posts: 205
Joined: Tue Dec 13, 2016 5:24 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by McGilicutty » Thu Dec 29, 2016 11:24 am

I check my account balance every day and the brokerage I use (Interactive Brokers) allows me to see any pending transfers. Maybe Vanguard also allows you to see pending transfers? Also, Interactive Brokers uses two-factor (e.g., a card with codes they send you in the mail) authentication in addition to a password.

DetroitRick
Posts: 757
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: All your eggs in one basket vs. concern about being hacked?

Post by DetroitRick » Thu Dec 29, 2016 11:41 am

I think your concern is totally reasonable. I'm in the same boat (although with Schwab), and have considered moving some money elsewhere as part of an overall strategy to dealing with this type of risk. But have not done so yet, because that too can be a p.i.t.a.

Lots of people think SIPC offers protection, but based on this statement from their website, I personally do not:

"Does SIPC protect me if my account is hacked and cash and/or securities are stolen?

SIPC’s role and responsibilities are as defined under the Securities Investor Protection Act (SIPA). Under that law, SIPC only becomes involved when a SIPC member brokerage firm is eligible for liquidation under the Securities Investor Protection Act. If you discover that your account has been hacked or your securities or cash have been stolen, you should contact your brokerage firm, the SEC, FINRA, your state securities regulator, and/or law enforcement authorities."

I believe all of us with major brokerages can take some comfort in the guarantees that our companies offer (Schwab's is quite extensive). Not to mention THEIR security protocols (hidden though they may be) and our own. Of the things we can control, close watch on notification emails, best security practices on our computers (that's a long discussion ....), and careful account management (reconciling statements, etc.) are all critical. One thing I especially favor is using an aggregator like Quicken - one click to see account activity, immediate exposure to any problems with very little effort. I think that added benefit far outweighs any incremental risk.

I'm in the camp of being neither paranoid nor lackadaisical. Online access to me is an absolute necessity, so I'm going to take risk no matter what. Not to mention the fact that hacking can originate from either side anyway. I did get a security key from Schwab last year. Still, I'm also considering moving just one account elsewhere - with enough money to carry me across any sorting-out period that hacking might cause. In other words, my biggest concern is temporary inconvenience (vs. permanent financial loss).

Thanks for starting this thread. Maybe we can get some additional tips here.

Topic Author
mmcmonster
Posts: 377
Joined: Sun Jan 12, 2014 1:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by mmcmonster » Thu Dec 29, 2016 11:49 am

DetroitRick wrote:[...]One thing I especially favor is using an aggregator like Quicken - one click to see account activity, immediate exposure to any problems with very little effort. I think that added benefit far outweighs any incremental risk.
I think there are two risks in using an aggregator
1 - The belief that having an aggregator gives a false sense of security. The fact is, you still need to check the aggregator on a regular basis.
2 - The aggregator will need access to your Vanguard, Fidelity, etc. accounts. This may void your protection with your actual brokerage accounts and they may be less inclined to help you if you gave out your username/password to the aggregator (and I'm quite sure they already know that your account details are being accessed by quicken.com on a regular basis).

In addition, there's the concern that we have information overload with all the emails we get from our brokerage accounts. Easier to delete emails without reading them than 'wasting' the time reading something you know 99%+ of the time. :oops:

User avatar
JMacDonald
Posts: 2257
Joined: Mon Feb 19, 2007 5:53 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by JMacDonald » Thu Dec 29, 2016 11:50 am

I check all of my financial accounts on a regular basis. That way I will see if anything is not right.
Here is what Vanguard has about security:

https://investor.vanguard.com/security/
Best Wishes, | Joe

User avatar
ResearchMed
Posts: 9372
Joined: Fri Dec 26, 2008 11:25 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by ResearchMed » Thu Dec 29, 2016 12:06 pm

JMacDonald wrote:I check all of my financial accounts on a regular basis. That way I will see if anything is not right.
Here is what Vanguard has about security:

https://investor.vanguard.com/security/

Here is another version:

https://personal.vanguard.com/us/help/S ... ontent.jsp

What annoys me is this requirement:

"Never share your user name, password, or other account-related information with anyone."

Yet Vanguard INVITES us to aggregate outside accounts, which requires sharing exactly that information with the other vendors where one has accounts to be aggregated.

:confused

RM
This signature is a placebo. You are in the control group.

DetroitRick
Posts: 757
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: All your eggs in one basket vs. concern about being hacked?

Post by DetroitRick » Thu Dec 29, 2016 12:08 pm

mmcmonster wrote:
DetroitRick wrote:[...]One thing I especially favor is using an aggregator like Quicken - one click to see account activity, immediate exposure to any problems with very little effort. I think that added benefit far outweighs any incremental risk.
I think there are two risks in using an aggregator
1 - The belief that having an aggregator gives a false sense of security. The fact is, you still need to check the aggregator on a regular basis.
2 - The aggregator will need access to your Vanguard, Fidelity, etc. accounts. This may void your protection with your actual brokerage accounts and they may be less inclined to help you if you gave out your username/password to the aggregator (and I'm quite sure they already know that your account details are being accessed by quicken.com on a regular basis).

In addition, there's the concern that we have information overload with all the emails we get from our brokerage accounts. Easier to delete emails without reading them than 'wasting' the time reading something you know 99%+ of the time. :oops:
I definitely make it a point to use that aggregator daily. Otherwise, your right, it wouldn't provide incremental security advantages. But the total time for me to do so in Quicken, covering over 20 accounts (credit, brokerage, banks) is under 2 minutes per day. (actually only seconds of my time, 2 minutes of wait time). I consider it part of my routine.

Yes, I am absolutely sure that Schwab knows about the aggregator. Their Quicken connection is via Direct Connect (rather than a web-based connection). In fact, their Direct Connect protocol bypasses the security token by design (unlike the website). But there is Direct Connect maintenance on both sides (Quicken AND Schwab), so they would have to know this is going on. I see no exclusion of liability in their guarantee on this - but I suppose that's a question for the lawyers. Interesting point! But I can't imagine how they could leverage a tool that they maintain to absolve their own liability that easily.

On the email deluge issues, solution is very easy with filtering. I am 100% sure to see a email notice of withdrawal. I think this is just a great example of our own individual responsibility.

mhalley
Posts: 7692
Joined: Tue Nov 20, 2007 6:02 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by mhalley » Thu Dec 29, 2016 12:36 pm

The chances of this happening is extremely low, but I feel more comfortable having my money spread out between Schwab, Fidelity and Vanguard. More a "gut" thing than a "mind" thing.

User avatar
FelixTheCat
Posts: 1671
Joined: Sat Sep 24, 2011 12:39 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by FelixTheCat » Thu Dec 29, 2016 12:40 pm

IF I had any doubts about Vanguard (or any other institution), I would not invest with them.
Felix is a wonderful, wonderful cat.

Topic Author
mmcmonster
Posts: 377
Joined: Sun Jan 12, 2014 1:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by mmcmonster » Thu Dec 29, 2016 12:47 pm

FelixTheCat wrote:IF I had any doubts about Vanguard (or any other institution), I would not invest with them.
I think the doubts aren't with Vanguard (or any other particular brokerage company).

The concern is that a virus/Trojan got on your computer and logged all your passwords (or stole all your saved passwords from your browser) and managed to figure out the Vanguard password and send it to a Bad Person.

User avatar
TheTimeLord
Posts: 6294
Joined: Fri Jul 26, 2013 2:05 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by TheTimeLord » Thu Dec 29, 2016 12:49 pm

ResearchMed wrote:
JMacDonald wrote:I check all of my financial accounts on a regular basis. That way I will see if anything is not right.
Here is what Vanguard has about security:

https://investor.vanguard.com/security/

Here is another version:

https://personal.vanguard.com/us/help/S ... ontent.jsp

What annoys me is this requirement:

"Never share your user name, password, or other account-related information with anyone."

Yet Vanguard INVITES us to aggregate outside accounts, which requires sharing exactly that information with the other vendors where one has accounts to be aggregated.

:confused

RM

Ever wonder if they would use that against you if your share it with your spouse?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

User avatar
ResearchMed
Posts: 9372
Joined: Fri Dec 26, 2008 11:25 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by ResearchMed » Thu Dec 29, 2016 12:51 pm

mhalley wrote:The chances of this happening is extremely low, but I feel more comfortable having my money spread out between Schwab, Fidelity and Vanguard. More a "gut" thing than a "mind" thing.
I agree the chance is pretty low... of money vanishing in a way that can't/won't be reimbursed.

But we are much more concerned, and increasingly so, of some sort of intrusion/hacking or simply a SW glitch that shuts down access to the money or simply to the website.
If just the website stays down, then Vanguard's absolutely Stellar Service [sic :wink: ] isn't going to be able to handle much of the overflow, and then a probably antiquated phone system will crash, too.

So it's primarily *access* to necessary funds that is the reason we'll continue to use several vendors, beyond that needed to get funds/investments of choice that are offered one place but not the other(s).

RM
This signature is a placebo. You are in the control group.

boglesmkcents
Posts: 88
Joined: Tue Jul 24, 2012 4:57 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by boglesmkcents » Thu Dec 29, 2016 12:57 pm

We use two factor authentication with Vanguard for our logins, we have a very secure password that we only use with Vanguard, we receive email and cell phone notifications if anything changes in our accounts (including any transfers), we never check our accounts using public wifi, we do not receive any physical mail from Vanguard and we check our accounts daily. Vanguard also has a clean record when it comes to security.

Based on all this, I am comfortable with nearly all our eggs in the Vanguard basket.

I am interested if there are other best practices people use to safeguard their Vanguard accounts?
Last edited by boglesmkcents on Thu Dec 29, 2016 6:45 pm, edited 2 times in total.

Yankuba
Posts: 84
Joined: Wed Dec 07, 2016 10:45 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by Yankuba » Thu Dec 29, 2016 1:02 pm

Vanguard says they will make you whole:

"Our online fraud policy
Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on vanguard.com—and you've followed the steps described in the "Your responsibilities" section of our online fraud policy—we'll reimburse the assets taken from your account in the unauthorized transaction."

I turn on all e-mail notifications - so I know when transactions are submitted, when money movements occur, etc. If fraudsters get my Vanguard user name and password I will be alerted via e-mail to changes of address, sales of securities, additions of bank accounts, debits of funds, etc.

If they get your e-mail user name and password and Vanguard user name and password then it will get messy.

But I check my Vanguard account each day at work just to make sure everything is there.

hirlaw
Posts: 323
Joined: Tue Sep 29, 2009 10:20 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by hirlaw » Thu Dec 29, 2016 1:41 pm

Some brokerages/banks are making an exception to their fraud reimbursement policies in the case of a client's passwords being hacked from third party aggregators, such as Mint.

BogleTails
Posts: 34
Joined: Sun Aug 21, 2016 4:07 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by BogleTails » Thu Dec 29, 2016 2:24 pm

hirlaw wrote:Some brokerages/banks are making an exception to their fraud reimbursement policies in the case of a client's passwords being hacked from third party aggregators, such as Mint.
Do you mean an exception that it's OK to use mint or personal capital or not?

hirlaw
Posts: 323
Joined: Tue Sep 29, 2009 10:20 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by hirlaw » Thu Dec 29, 2016 3:10 pm

Here is a quote from Jaime Dimon this year:
"If you wake up tomorrow and there's no money in your bank account, that's my problem. But if you gave your passcode away to a company and that company itself did something wrong, that's your problem."

Jonathan
Posts: 406
Joined: Tue Apr 30, 2013 5:36 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Jonathan » Thu Dec 29, 2016 3:35 pm

Is there any evidence of any incident in which someone's investment funds held at Vanguard were lost due to a computer security issue, whether or not the account holder was at fault? Anyone even heard of an incident in which funds were stolen, but were reimbursed?

Just my guess, but in such a situation, Vanguard would be highly motivated to rapidly reimburse the account, and compel the account holder to not disclose anything about it. A single occurrence of such an event, publicized on various financial forums, could rapidly do billions of dollars of damage to Vanguard.

Another guess: since Vanguard is the largest manager of assets in the history of humanity, they have a robust 24-hour social media team aggressively monitoring all mentions of their brand, in all social media forms, including all financial forums, at very least so that they can react rapidly to a fabricated "Vanguard funds vanished" social media campaign.

TigerNest
Posts: 334
Joined: Mon May 10, 2010 12:58 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by TigerNest » Thu Dec 29, 2016 3:41 pm

I strongly recommend asking Vanguard to enable two-factor authentication on your account:

https://personal.vanguard.com/us/insigh ... des-112015
Logon security codes: An added layer of security
NOVEMBER 13, 2015

The security of your accounts and personal information is paramount at Vanguard. That's why we're offering an optional logon feature that sends a security code to your phone. Clients with individual accounts or accounts in employer-sponsored plans are eligible to enroll in this service on vanguard.com.

If you sign up for this service—sometimes referred to as "two-step authentication" or "two-factor authentication"—you'll enter your security code when you log on to vanguard.com. During enrollment, you can choose to use a security code every time you log on to your account or only when Vanguard doesn't recognize your computer or device.

How it works
You'll receive a text message or automated call with a security code on your registered phone. Simply enter that code in the designated box. It's as easy as that. Each security code can only be used once and will expire if you don't enter it within 10 minutes.

User avatar
topper1296
Posts: 634
Joined: Fri Apr 03, 2009 10:50 pm
Location: Nashville TN

Re: All your eggs in one basket vs. concern about being hacked?

Post by topper1296 » Thu Dec 29, 2016 3:58 pm

My $0.02 is that having all of your assets/eggs with one institution is as a bad idea as keeping all of your assets/eggs in one asset class. I believe in diversifying both WHAT I have and WHERE I have it.

User avatar
Phineas J. Whoopee
Posts: 8833
Joined: Sun Dec 18, 2011 6:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Phineas J. Whoopee » Thu Dec 29, 2016 5:35 pm

I agree with many posters above, especially about enabling two-factor authentication everywhere you hold assets that offers it, including fake-two-factor that's really only one factor. Even multiple things you know is better than just one thing you know, although less good than the factors as truly defined: something you know; something you have; and something you are. If you can set it up on the email account you use with them, all the better.

That said, I'm not especially worried about losing everything forever from a brokerage or a bank, but as, among other things, an old systems guy, I value security, reliability, and availability, and therefore redundancy.

I'm perfectly happy with keeping all my investments with one firm, as long as I build in a buffer so I can continue for a period while any breach gets sorted out. Therefore, instead of proliferating brokers, I proliferate banks.

I have two checking accounts. Charles Schwab Bank holds the primary one. I conduct financial operations from there. Anywhere I have a checking account I like to keep a savings account right next to it. In it, beyond other amounts that vary over time, I keep enough to cover (a little more than) two months of budgeted expenses. I chose Schwab Bank because their checking account closely matches my needs. The savings account isn't great, but that's not why I'm there. The two months expenses is kind of like an emergency supply depot, should I become unable, for any reason, to receive money from elsewhere.

The other is at a local, and literal, brick-and-mortar bank. The architecture is quite fetching. Also, although I won't go into detail, I have reason to rent a safe deposit box, and they're the cheapest in the area by enough that questions of slightly higher or lower interest, or minimum balances, are lost in the noise. Anywhere I have a checking account I like to keep a savings account right next to it. This one has enough for two budgeted months. I use this bank for some purposes, like for example if I give anybody permission to draw funds directly from checking rather than my issuing instructions. I'm prepared to fail over to it with immediate effect, and toward that end I maintain the full list of online payees I have at Schwab. In computer system railroad terms it's a hot standby.

If I lose access to direct deposit and my investment firm I can continue operations for four months while the problem gets resolved. If I lose access to one bank I can fail over immediately, and I can direct funds to both checking accounts so I simply switch operations to the hot standby (it's happened once). If I lose access to direct deposit, investments, and one bank I can continue for two months while the issues get sorted out.

It would take a pretty extreme event, like a persistent Internet or financial system failure, or the FBI or FSB targeting me personally, to knock everything out at once.

Full disclosure: At present I have investments spread across three places, but that's for logistical reasons I expect will fade in six or seven years. I anticipate then I will consolidate to one investment firm plus Treasury Direct for I Bonds. I also have my main savings account at an online bank chosen for that purpose, rather than for checking or secure physical storage.

No doubt some readers gave up at the beginning. Others must think it's overcomplicated. They're probably right, but the system is symmetrical; and easy for me, as a former systems person, to grasp as a whole.

So, no, I'm not worried about Vanguard or another firm being hacked because I've built enough slack into the system to continue operations for a time while any problem gets diagnosed and fixed.

PJW
Last edited by Phineas J. Whoopee on Fri Dec 30, 2016 5:33 pm, edited 1 time in total.

selftalk
Posts: 1096
Joined: Thu Mar 08, 2012 10:08 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by selftalk » Thu Dec 29, 2016 5:42 pm

I wonder if conservative and cautious John Bogle has all his accounts with Vanguard. Maybe he`ll say something in an upcoming interview.

Call_Me_Op
Posts: 7395
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: All your eggs in one basket vs. concern about being hacked?

Post by Call_Me_Op » Thu Dec 29, 2016 6:10 pm

Yankuba wrote:Vanguard says they will make you whole:

"Our online fraud policy
Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on vanguard.com—and you've followed the steps described in the "Your responsibilities" section of our online fraud policy—we'll reimburse the assets taken from your account in the unauthorized transaction."
Therein lies the rub. Lot's of wiggle-room on their part to claim that you did not exactly follow the steps described in "Your Responsibilities."
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

User avatar
ResearchMed
Posts: 9372
Joined: Fri Dec 26, 2008 11:25 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by ResearchMed » Thu Dec 29, 2016 6:17 pm

Call_Me_Op wrote:
Yankuba wrote:Vanguard says they will make you whole:

"Our online fraud policy
Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on vanguard.com—and you've followed the steps described in the "Your responsibilities" section of our online fraud policy—we'll reimburse the assets taken from your account in the unauthorized transaction."
Therein lies the rub. Lot's of wiggle-room on their part to claim that you did not sufficiently exercise your responsibilities.
So are we - or are we not - allowed to use Vanguard's OWN aggregator software (per their own website, not a simple link to an outside company) in which we are required (or we can't use this Vanguard offered service) to share login/PW information?

Inquiring minds have wanted to know...
:confused

RM
This signature is a placebo. You are in the control group.

HoosierJim
Posts: 700
Joined: Wed Mar 24, 2010 7:11 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by HoosierJim » Thu Dec 29, 2016 6:24 pm

When possible - use a YUBIKEY as in a previous post by pragmatist and use it from your chomebook over a wired connection.

boglesmkcents
Posts: 88
Joined: Tue Jul 24, 2012 4:57 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by boglesmkcents » Thu Dec 29, 2016 6:50 pm

Phineas J. Whoopee wrote:I
No doubt some readers gave up at the beginning. Others must think its overcomplicated. They're probably right, but the system is symmetrical; and easy for me, as a former systems person, to grasp as a whole.

So, no, I'm not worried about Vanguard or another firm being hacked because I've built enough slack into the system to continue operations for a time while any problem gets diagnosed and fixed.

PJW
I am a computer engineer who now works in operations, so I neither gave up at the beginning, nor did I think it is over-complicated! Love the systems thinking! I'll wager you have a generator at home too :)

User avatar
ClevrChico
Posts: 1559
Joined: Tue Apr 03, 2012 8:24 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by ClevrChico » Thu Dec 29, 2016 6:51 pm

How would a hacker go about stealing your funds? Doesn't a change of address or bank account change trigger a mailed letter in addition to the email alerts?

You'd have to ignore both of those AND ignore the transaction alerts as your money is being siphoned away. I think it would be reasonable that Vanguard would have some kind of fraud detection for this scenario as it would be highly suspicious and easy to detect. (That's speculation, though.)

A hacker would need control of your Vanguard account + email account + snail mail + your phone if you have two factor enabled + account owner asleep at the wheel.

Maybe a free yubikey should be a benefit of Flagship status?
Last edited by ClevrChico on Thu Dec 29, 2016 7:05 pm, edited 1 time in total.

bondsr4me
Posts: 1244
Joined: Fri Oct 18, 2013 7:08 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by bondsr4me » Thu Dec 29, 2016 6:57 pm

TigerNest wrote:I strongly recommend asking Vanguard to enable two-factor authentication on your account:

https://personal.vanguard.com/us/insigh ... des-112015
Logon security codes: An added layer of security
NOVEMBER 13, 2015

The security of your accounts and personal information is paramount at Vanguard. That's why we're offering an optional logon feature that sends a security code to your phone. Clients with individual accounts or accounts in employer-sponsored plans are eligible to enroll in this service on vanguard.com.

If you sign up for this service—sometimes referred to as "two-step authentication" or "two-factor authentication"—you'll enter your security code when you log on to vanguard.com. During enrollment, you can choose to use a security code every time you log on to your account or only when Vanguard doesn't recognize your computer or device.

How it works
You'll receive a text message or automated call with a security code on your registered phone. Simply enter that code in the designated box. It's as easy as that. Each security code can only be used once and will expire if you don't enter it within 10 minutes.
+10 on this.
I use this text message authentication and feel more secure with it.

Tamales
Posts: 1402
Joined: Sat Jul 05, 2014 10:47 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by Tamales » Fri Dec 30, 2016 9:21 am

Phineas J. Whoopee wrote:I agree with many posters above, especially about enabling two-factor authentication everywhere you hold assets that offers it, including fake-two-factor that's really only one factor.
PJW
A question for the thread: If you are incapacitated and have multiple accounts, how will your designated "financial affairs handler" (DFAH) manage your bill paying in the face of 2-factor authentication?

Probably more complicated if your DFAH is not a spouse, and/or if one of the factors is biometric?

Is this something where language in a living trust or POA or other legal document might streamline accessibility by your DFAH? If so, how might that work?

edit: oops, that should have been DFAH
Last edited by Tamales on Fri Dec 30, 2016 10:15 am, edited 1 time in total.

User avatar
Johnnie
Posts: 554
Joined: Sat May 28, 2016 3:18 pm
Location: Michigan

Re: All your eggs in one basket vs. concern about being hacked?

Post by Johnnie » Fri Dec 30, 2016 10:11 am

Tamales wrote: A question for the thread: If you are incapacitated and have multiple accounts, how will your designated "financial affairs handler" (DFAA) manage your bill paying in the face of 2-factor authentication?

Probably more complicated if your DFAA is not a spouse, and/or if one of the factors is biometric?

Is this something where language in a living trust or POA or other legal document might streamline accessibility by your DFAA? If so, how might that work?
Legislatures around the country are starting to wrestle with this and related issues. Here's an example from Michigan:

2015 House Bill 5034: Give fiduciary authority over “digital assets”
Public Act 59 of 2016
To create a new law giving fiduciaries authorized by other state laws to oversee or manage the property of an estate or a vulnerable individual access and authority over the person’s “digital assets” and accounts, defined as “electronic record in which a user has a right or interest.” See also House Bill 4072, which amends an existing state law to do the same thing, which also clarifies rights to an online username, word, character, code, or contract right under a terms-of-service agreement. The bill would also provide a way for an individual's heirs to gain access to and possession of his or her digital property after death. (From MichiganVotes.org)

~~~~~~~~~~~~~

I don't worry so much about my accounts being hacked, but do worry some that all my financial assets are nothing but electrons bouncing around unbelievably complex electronic networks that no one really understands. Is that system robust of fragile? I haven't a clue.
"I know nothing."

Hukedonfonix4me
Posts: 145
Joined: Thu Oct 13, 2016 3:00 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Hukedonfonix4me » Fri Dec 30, 2016 10:28 am

+1 on two factor authentication

if that is not satisfactory, I would get hard copy prints of monthly statements and file them away, If there was ever a problem at least you have something showing "current" balances
"While some mutual fund founders chose to make billions, he chose to make a difference." | -The Bogleheads' Guide to Investing

User avatar
fishandgolf
Posts: 514
Joined: Fri Nov 25, 2016 2:50 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by fishandgolf » Fri Dec 30, 2016 10:51 am

Hukedonfonix4me wrote:+1 on two factor authentication

if that is not satisfactory, I would get hard copy prints of monthly statements and file them away, If there was ever a problem at least you have something showing "current" balances
I am as much concerned about someone hijacking my mail as my online account. Rather than have statements delivered via mail, perhaps printing a copy of one's account each month so you have a record of the details.

Also, Vanguard has the option to restrict access from just one device. If someone tries to log on to your account from another device, access is denied. This feature might be cumbersome if a person does use multiple devices (which I do not) to logon but it is an extra measure of security.

User avatar
Phineas J. Whoopee
Posts: 8833
Joined: Sun Dec 18, 2011 6:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Phineas J. Whoopee » Fri Dec 30, 2016 11:29 am

Tamales wrote:...
A question for the thread: If you are incapacitated and have multiple accounts, how will your designated "financial affairs handler" (DFAH) manage your bill paying in the face of 2-factor authentication?
...
Don't physical checks still work, at least unless one specifically chooses an account which doesn't support them? Two-factor authentication is for online access. It is possible to manage one's affairs without logging in to a webpage. If the situation goes on for very long, presumably the POA-holder can begin to make other arrangements for h/er/is own convenience.

It's best not to share passwords anyhow, to comply with terms of service and secure guarantees of repayment in the event of fraud. There is no need to impersonate somebody when managing their affairs for them.

Without sharing the passwords, 2FA won't help anyway. That's the point of using multiple factors.

PJW

User avatar
Phineas J. Whoopee
Posts: 8833
Joined: Sun Dec 18, 2011 6:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Phineas J. Whoopee » Fri Dec 30, 2016 2:52 pm

ResearchMed wrote:...
So are we - or are we not - allowed to use Vanguard's OWN aggregator software (per their own website, not a simple link to an outside company) in which we are required (or we can't use this Vanguard offered service) to share login/PW information?
...
Vanguard isn't objecting to your using their aggregator, which does not mean sharing your Vanguard credentials with any other firm, but the outside institutions where you hold assets might say otherwise in their terms of service and fraud guarantees, and probably do.

Only you can take a look and find out for sure.

Security and convenience are, as always, in tension with each other.

I personally, as I've recently written and then defended downthread, use the discontinued Microsoft Money to view my whole financial position, because I have a quarter century of data in it, which I've tried and failed to port to something newer. Nobody other than me needs to see the big picture.

PJW

juliewongferra
Posts: 307
Joined: Fri Oct 09, 2009 10:53 am

Re: All your eggs in one basket vs. concern about being hacked?

Post by juliewongferra » Fri Dec 30, 2016 3:16 pm

mhalley wrote:The chances of this happening is extremely low, but I feel more comfortable having my money spread out between Schwab, Fidelity and Vanguard. More a "gut" thing than a "mind" thing.
Yes, but the chances of your house burning down are low, but you have fire insurance, right? And the chances of someone tripping in front of your house are low, but you have homeowners' insurance, right? And the chances of a young, healthy parent dying is low, but families have life insurance, right? And on and on.

And I'm not *really* worried about losing my money and not being made whole, but I am worried about the possibility of long-term inconvenience. So I like what Phineas says about diversifying funds across companies so that if your account at one company is hacked, you still have access to cash to pay bills, etc. If the cost is marginal, spreading assets across companies is good practice, IMO.

I especially have become a jot more nervous when Vanguard announced that it passed Fidelity, American Funds, et al for the most assets. Big assets = big target for hackers.

cheers,
jwf
If you aren't familiar with Mr. Bogle and his investment philosophy, then you don't know Jack!

User avatar
Phineas J. Whoopee
Posts: 8833
Joined: Sun Dec 18, 2011 6:18 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by Phineas J. Whoopee » Sat Dec 31, 2016 4:45 pm

Jonathan wrote:...
Another guess: since Vanguard is the largest manager of assets in the history of humanity, they have a robust 24-hour social media team aggressively monitoring all mentions of their brand, in all social media forms, including all financial forums, at very least so that they can react rapidly to a fabricated "Vanguard funds vanished" social media campaign.
Almost Certainly Not Mark Twain wrote:A lie can travel halfway around the world while the truth is putting on its shoes.
And Almost C. N. M. Twain had never heard of Facebook.

PJW

LeeMKE
Posts: 1885
Joined: Mon Oct 14, 2013 9:40 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by LeeMKE » Mon Jan 02, 2017 9:53 pm

I do what some others here do, keep 10% at another firm so I might have access to cash if it takes a few months to come back online after a major attack.

1. It is not a matter of if, but when.
2. The website you see is not actual access to your accounts, and there is plenty of security baked into the system to minimize damage to individual account holders. So, the bigger threat is that the website is forced offline and it takes awhile to test and reconstruct. That's why I keep plenty at a different house, in case I need to use that cash for awhile until things are fixed and stable. Six months living expenses is probably plenty.
3. A targeted individual can be much more easily hacked than a financial institution. So don't be a Kardashian about your personal finance, and you are less likely to attract hackers.
The mightiest Oak is just a nut who stayed the course.

Sandi_k
Posts: 1119
Joined: Sat May 16, 2015 11:55 am
Location: SF Bay Area

Re: All your eggs in one basket vs. concern about being hacked?

Post by Sandi_k » Fri Jan 06, 2017 2:35 am


User avatar
tadamsmar
Posts: 8563
Joined: Mon May 07, 2007 12:33 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by tadamsmar » Fri Jan 06, 2017 8:35 am

If you are concerned about this stuff then you might want to visit your Vanguard account maintenance page.

Check out the Alerts section and the Security Profile section. A few things of interest:

Phone alerts
Security codes
Physical USB security keys
Computer access restrictions
Account permissions: this can be used in lieu of giving your login credentials to your spouse.
Security Questions: it's considered best to avoid answers that could be determined by just researching you.

Some of these can be set up for only unknown computers and mobile devices.

User avatar
oldcomputerguy
Moderator
Posts: 6449
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: All your eggs in one basket vs. concern about being hacked?

Post by oldcomputerguy » Fri Jan 06, 2017 8:45 am

In today's environment, your fears certainly cannot be considered groundless. I myself have my 401k at Fido and my taxable at Vanguard, DW has her 401k with Schwab and her play-money brokerage account at Scottrade. I have 2FA set up at Vanguard and Fido, and alerts set up on both (as well as my credit card vendors) so that my phone gets pinged for any and all transactions.
"I’ve come around to this: If you’re dumb, surround yourself with smart people; and if you’re smart, surround yourself with smart people who disagree with you." (Aaron Sorkin)

User avatar
oldcomputerguy
Moderator
Posts: 6449
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: All your eggs in one basket vs. concern about being hacked?

Post by oldcomputerguy » Fri Jan 06, 2017 8:54 am

Tamales wrote:A question for the thread: If you are incapacitated and have multiple accounts, how will your designated "financial affairs handler" (DFAH) manage your bill paying in the face of 2-factor authentication?
I have a document in which I keep all my financial information (accounts, URLs, usernames, passwords, 2FA info, everything). A printed copy is in the family safe, as well as a passworded electronic version on a USB stick. Everything the DFAH would need to cover my incapacity (or to settle my estate) is there.

As for paying bills, unfortunately my local brick-and-mortar bank (where my checking account resides) doesn't use 2FA, so I'm looking for another one.
"I’ve come around to this: If you’re dumb, surround yourself with smart people; and if you’re smart, surround yourself with smart people who disagree with you." (Aaron Sorkin)

User avatar
tadamsmar
Posts: 8563
Joined: Mon May 07, 2007 12:33 pm

Re: All your eggs in one basket vs. concern about being hacked?

Post by tadamsmar » Fri Jan 06, 2017 9:52 am

Vanguard says to search for passwords after the death of a loved one:
Ideally, you (or a family member, friend, advisor, or attorney) know where your loved one stored this information, along with financial account numbers and passwords. You may have to put on your detective hat and search through papers and possessions to find the details you need.
https://personal.vanguard.com/us/insigh ... one-032014

But Vanguard's fraud reimbursement policy says:
Never share your user name, password, or other account-related information with anyone.
https://personal.vanguard.com/us/help/S ... ontent.jsp

:-?

Vanguard's policies and advice seem to be inconsistent.

If you review the process for handling an estate, you will see that personal (non-joint) account passwords are not needed at any point. It's not clear what it means for a deceased person to be making online transactions. It's not clear that POAs or Account Authorizations still have legal force after death. The process implies that the funds be directed to the beneficiaries, but it takes some time to arrange that, not sure there is any approved process for shorter term transactions.

Post Reply