Investment account fraud?

[One]

Anybody ever have someone hack into their investment accounts or do some type of bank fraud?  I've had my credit cards used but never had a problem with the bank or investments accounts. 

[Assetup]

No but I always set up 2 step authentication just to be safe. I highly recommend doing the same

[Blueberries]

No but I always set up 2 step authentication just to be safe. I highly recommend doing the same

This.  I think a lot of places are forcing 2-factor authentication, as they should.

[Maenad]

There have been claims of 2FA being inadequate if you log in to your investment accounts on the same phone as your code is sent to.

Apparently people have been able to transfer numbers to new SIM cards and hack into accounts that way. It usually requires someone on the inside at the cell provider, but it happens here and there.

[EricEng]

Apparently people have been able to transfer numbers to new SIM cards and hack into accounts that way. It usually requires someone on the inside at the cell provider, but it happens here and there.

It can be quite easy to transfer a number to a different sim without insider help.  Just takes common identity theft info that can be bought for pennies and call customer serivce.  Not an easy solution for this.

[One]

I use the 2 factor and also only log in from my desktop. I know that nothing is 100 percent secure so I was trying to see if anyone here has actually had a breach on their accounts and how much of a hassle it was to resolve.

[RyanAtTanagra]

I wonder about this as well, and just diversified across two investment companies because I was worried about identity theft/account hacking and having all my eggs in one basket.

[stasherus-maximus]

Yep. 2 step isn't everything. I tried to explain this to my investment firm. They didn't think it was a problem. I'm not so sure.

https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief#mystory

[Dave1442397]

Anybody ever have someone hack into their investment accounts or do some type of bank fraud?  I've had my credit cards used but never had a problem with the bank or investments accounts.

We got an email about it at work. Apparently some hackers managed to get into the 401(k) accounts of senior management and extract large amounts of cash.

[MilesTeg]

There have been claims of 2FA being inadequate if you log in to your investment accounts on the same phone as your code is sent to.

Apparently people have been able to transfer numbers to new SIM cards and hack into accounts that way. It usually requires someone on the inside at the cell provider, but it happens here and there.

A code sent to your phone is more properly referred to as "wish it were two factor" authentication. The most common real 2FA is to have a hardware token with a certificate or code generator along with a passphrase (i.e. something you have and something you know). It's way too easy to clone a SIM or hack into a SFA email account.

Even bloody video games implement decent 2FA to protect virtual possessions, it's a travesty that financial institutions fail to do this. Of course, when presented with a decent upgrade in credit card security, the industry also dropped the ball and fatally weakened chip+pin 2FA in favor of chip-only 1FA.

With the complete lack of sane security practices, the only way you can combat issues (while still using online services) is:


* Use a password manager: https://keepass.info/
* Use passphrases, not passwords (especially as the master password for your password manager): https://www.useapassphrase.com/
* never, ever use a passphrase more than once.
* DO NOT FILL OUT PASSWORD RESET QUESTIONS! This is an absurdly bad idea for a webpage to implement. Even if you have a decent passphrase, if you answered "what is your mother's maiden name" you have a completely insecure account. If you are required to use these, use randomly generated strings or arbitrary passphrases as the answers for these.
* Use a system-on-a-stick (i.e. an O/S installed/maintained on removable media or VM that is only plugged in when used) for all financial access. An easier but more expensive alternative is a dedicated device (i.e. a laptop). Don't use a mobile device, the security of mobile devices (especially cheap Andriod, but also iOS) is effectively non-existent.
* Never use Android, iOS or other mobile operating systems for anything where security is important.

[Blueberries]

Yep. 2 step isn't everything. I tried to explain this to my investment firm. They didn't think it was a problem. I'm not so sure.

https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief#mystory

There is more to 2 factor than a text option.  Hardware tokens, code generators, etc.  I don't believe anything is 100% safe, but there are others options.

[Enigma]

There are three common factors used for authentication: Something you know (such as a password) Something you have (such as a smart card/cell phone) Something you are (such as a fingerprint or other biometric method)

Vanguard made me change over to a phone generated two-factor authentication.  It isn’t perfect...  Oh and I use dashlane as my password manager and create complex passwords separate for each account.  It keeps an eye on the darkwebs for my passwords becoming stolen or compromised.