Author Topic: Thieves Targeting Retirement Accounts  (Read 4006 times)

Dicey

  • Senior Mustachian
  • ********
  • Posts: 22390
  • Age: 66
  • Location: NorCal
Thieves Targeting Retirement Accounts
« on: May 26, 2021, 08:02:01 AM »
I wasn't sure where to post this, but certainly Fidelity needs to be shamed for their part in this saga. Since "Set It and Forget It" (except to rebalance) is part of a Mustachian's FIRE arsenal, I wanted to spread the alarm.

I believe the rules should be changed to protect consumers better. For starters, it should be "within 30 days of the discovery of the fraud", not from the time the fraud was committed. This case also reeks of insider fraud, IMO.

https://www.nbcchicago.com/consumer/sleeping-giant-thieves-target-retirement-accounts/2518741/?amp


mckaylabaloney

  • Bristles
  • ***
  • Posts: 256
  • Age: 35
Re: Thieves Targeting Retirement Accounts
« Reply #1 on: May 26, 2021, 08:32:26 AM »
This is pretty alarming, especially as it's not something that would require the victim to make a mistake or fall for a scam.

Something similar happened to me with Ally a few years back, though in that case the scammer first got into my cell phone account (this was my fault; my bank accounts had very secure passwords but my cell phone account didn't), reported my phone as lost or missing, and transferred my number to their device. Then they called Ally, told them they couldn't remember their (my) password, and when Ally sent a verification code to my phone number, it went to their device. They got in that way and immediately transferred a bunch of money to themselves via Zelle. Thankfully: (1) I noticed it instantly, as Ally sent me an email saying "this is just confirming that you just spoke with an agent and changed your password," and since I hadn't done that, I called right away and put a halt to things as much as possible; and (2) Ally (or their insurance, I guess) reimbursed me in full a few weeks later.

The Fidelity thing is worse, both in scale and in the fact that it seems like the couple couldn't have done anything to prevent this (aside from catching the fraud more quickly after the fact, which they shouldn't have to do). I'm glad they got their money back and concerned that there's not a robust mechanism to prevent it from happening again.

Morning Glory

  • Magnum Stache
  • ******
  • Posts: 4883
  • Location: The Garden Path
Re: Thieves Targeting Retirement Accounts
« Reply #2 on: May 26, 2021, 08:41:13 AM »
I saw that and I was a bit confused too. I thought that SIPC insurance covered brokerage accounts for this kind of stuff just like FDIC does for banks. Shame on Fidelity by the way.

This does highlight the usefulness of aggregating services like Mint. I quickly see all of my transactions and account balances in one place and monitor transfers between accounts, catch fraudulent charges, bills due, etc. There's no way I would log into each account separately every month to check for that sort of thing.

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: Thieves Targeting Retirement Accounts
« Reply #3 on: May 26, 2021, 09:19:57 AM »
I'm wondering how to avoid this besides checking my accounts once per month.

I use VIP Access but if the thief can social engineer past that, it means squat. "I lost my phone and the VIP Access is different." Even a yubikey is useless if customer service is too "helpful."

brandon1827

  • Pencil Stache
  • ****
  • Posts: 531
  • Location: Tennessee
Re: Thieves Targeting Retirement Accounts
« Reply #4 on: May 26, 2021, 09:25:49 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

mckaylabaloney

  • Bristles
  • ***
  • Posts: 256
  • Age: 35
Re: Thieves Targeting Retirement Accounts
« Reply #5 on: May 26, 2021, 09:36:06 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Like...where on your phone? If they're in the notes app or something, yes, that's bad. But! You can use a password manager to store them more securely. I use LastPass.

Sibley

  • Walrus Stache
  • *******
  • Posts: 7465
  • Location: Northwest Indiana
Re: Thieves Targeting Retirement Accounts
« Reply #6 on: May 26, 2021, 11:25:04 AM »
Well, that's vindication for the times people (on this forum) have implied that I was wasting money on Quicken. Because my accounts are linked to Quicken. If the balance changes, it'll show up in Quicken and I do pay attention to that.

But yeah, this sounds kinda fishy. I suspect that Fidelity did mess up in some way or had insider action.

Morning Glory

  • Magnum Stache
  • ******
  • Posts: 4883
  • Location: The Garden Path
Re: Thieves Targeting Retirement Accounts
« Reply #7 on: May 26, 2021, 11:26:00 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Like...where on your phone? If they're in the notes app or something, yes, that's bad. But! You can use a password manager to store them more securely. I use LastPass.

Google just remembers my paypal password and fills in the blank. Anyone who can get into my phone can get into my paypal account.  I don't use the app since I'm not in it that often, this is the Chrome browser.

Sibley

  • Walrus Stache
  • *******
  • Posts: 7465
  • Location: Northwest Indiana
Re: Thieves Targeting Retirement Accounts
« Reply #8 on: May 26, 2021, 11:34:56 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Like...where on your phone? If they're in the notes app or something, yes, that's bad. But! You can use a password manager to store them more securely. I use LastPass.

Google just remembers my paypal password and fills in the blank. Anyone who can get into my phone can get into my paypal account.  I don't use the app since I'm not in it that often, this is the Chrome browser.

And at some point, you told Chrome to remember it. You can also manage the remembered passwords and remove them. So that's on you.

Morning Glory

  • Magnum Stache
  • ******
  • Posts: 4883
  • Location: The Garden Path
Re: Thieves Targeting Retirement Accounts
« Reply #9 on: May 26, 2021, 11:44:57 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Like...where on your phone? If they're in the notes app or something, yes, that's bad. But! You can use a password manager to store them more securely. I use LastPass.

Google just remembers my paypal password and fills in the blank. Anyone who can get into my phone can get into my paypal account.  I don't use the app since I'm not in it that often, this is the Chrome browser.

And at some point, you told Chrome to remember it. You can also manage the remembered passwords and remove them. So that's on you.

Ahh, but I don't remember the password so if I turn it off I will never be able to get in there (jk). All my other stuff uses fingerprint unlock.

I do worry about my husband not being able to get into things and pay bills if I become incapacitated. I have nightmares about waking up from my coma to thousands of dollars in late fees. How would he even realize that I had a bill due if it goes to my email? He would not think to check it. I set up mint for both of us (same concept as quicken) but I don't think he would check that either.

brandon1827

  • Pencil Stache
  • ****
  • Posts: 531
  • Location: Tennessee
Re: Thieves Targeting Retirement Accounts
« Reply #10 on: May 26, 2021, 01:18:41 PM »
I've always kept passwords in my phone in Notes. I just figured with the 6-digit passcode and face recognition functionality it was perhaps a tiny bit safer than putting it in a third-party's app. Because I've had them in Notes, I've always chosen different passwords for everything also. I don't know if that offers me any protection at all, but if someone managed to get one password, it will only work for one thing. My bank apps and Vanguard also have face recognition setup...so hopefully that's helping?

mckaylabaloney

  • Bristles
  • ***
  • Posts: 256
  • Age: 35
Re: Thieves Targeting Retirement Accounts
« Reply #11 on: May 26, 2021, 01:38:36 PM »
I've always kept passwords in my phone in Notes. I just figured with the 6-digit passcode and face recognition functionality it was perhaps a tiny bit safer than putting it in a third-party's app. Because I've had them in Notes, I've always chosen different passwords for everything also. I don't know if that offers me any protection at all, but if someone managed to get one password, it will only work for one thing. My bank apps and Vanguard also have face recognition setup...so hopefully that's helping?

My iPhone is too old to have face recognition so admittedly I don't know exactly how it works, but...doesn't that mean someone would just need to hold up your phone to your face and then run off with it? That's not very likely, I'm sure, but I'd personally be more worried about that than about the potential failure of a password manager.

If I learned anything from my personal hacking debacle, it's that the bolded should be true regardless of where you're storing your passwords (I was already using LastPass at the time but was not being careful about using unique passwords for everything).

Frankies Girl

  • Magnum Stache
  • ******
  • Posts: 3899
  • Age: 86
  • Location: The oubliette.
  • Ghouls Just Wanna Have Funds!
Re: Thieves Targeting Retirement Accounts
« Reply #12 on: May 26, 2021, 01:43:11 PM »
Fidelity has two factor authorization, voice recognition, and sends me emails for every single transaction, including changing or adding contact info.

The article does not actually say how the account was breached, just that a phone number was changed. It is very unlikely that they had any of the above security features active either, and I guess the only factor then is that they used a weak password or one that was used for multiple accounts. I know for a fact that changing info does trigger an email and alert on the account itself, so they must not have had any email set up in the account, and then they never logged in in 6 months to review anything? They didn't review their monthly statements in the mail and see a transfer out of the account?

I do use budgeting software and I'm in that at least once a week. I also log into my investment accounts at least once a month and review the activity just for giggles. It takes me less than half an hour if that, and I do it when I'm reconciling my general budget stuff.

I do not agree with Fidelity trying to weasel out of going after the fraud once they discovered it, but I do think the account holders bear responsibility for not actually looking at their accounts every once in a while and making sure to take advantage of the security features, especially nowadays.
« Last Edit: May 26, 2021, 01:45:12 PM by Frankies Girl »

FINate

  • Magnum Stache
  • ******
  • Posts: 3150
Re: Thieves Targeting Retirement Accounts
« Reply #13 on: May 26, 2021, 02:04:35 PM »
Online security is a hot mess. A little tutorial/reminder on keeping your accounts secure:

1) Use Two-Factor Authentication (2FA) wherever possible. Preferably a security key (e.g. Yubikey) or authenticator app (e.g. Google Authenticator), but a code sent via text or email is better than nothing if that's all a site offers. At a minimum you should have 2FA enabled for your email (this is how passwords are usually reset), your online account with your cellphone provider (because you don't want someone hijacking your number by requesting a new SIM card, thereby being able to bypass SMS-based 2FA), banks and investment accounts (because, duh). If your cell provider doesn't offer 2FA and have protections in place to prevent number hijacking, move to another provider. I switched to Google Fi primarily because all their properties use the same security w/ 2FA.

2) Use strong passwords. Using words in a password is easy to remember, but it also makes you susceptible to a dictionary attack. Variations like replacing an 'e' with '3' in words don't help, as attackers are smart and simply add these variations to their dictionaries.

3) Do NOT reuse passwords across sites. It doesn't matter how strong your password is if you go around using it all over the place. When you sign up for that free online service and reuse a password, that site now has your information for logging in to other sites. Even if the site itself isn't malicious, it likely has atrocious security practices. The bad guys know this, so they go after these soft targets to get information that can be used to break into higher value sites.

4) Keep your phones/computers/routers/etc. patched with the latest security updates. If a device is no longer supported (e.g. not getting updates) you need to upgrade the OS to something supported or replace the device. And don't install crappy "free" software or browser plugins.

5) Change your router to use OpenDNS or similar trusted DNS provider that filters malicious sites.

Do these things and you'll probably be fine. 
« Last Edit: May 26, 2021, 02:07:34 PM by FINate »
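FINate's point 2 above, as an added example that is not part of the original post or of any tool named in the thread: a dictionary check that first undoes the common digit-for-letter swaps and strips a trailing run of digits and punctuation, the way a cracking wordlist's mangling rules do. The five-word WORDLIST is a constructed stand-in for a real dictionary; everything else is standard-library Python.

```python
"""Why 'e' -> '3' style substitutions don't beat a dictionary attack.

Added example, not from the forum thread. WORDLIST is a tiny constructed
stand-in for a cracking dictionary; real ones hold millions of entries and
apply exactly this kind of normalisation before the lookup.
"""
import itertools
import re

WORDLIST = {"password", "treasure", "mustache", "fidelity", "summer"}

# Leet substitutions a cracker undoes. A value with two letters means the
# symbol is ambiguous ('1' is used for both 'i' and 'l').
LEET = {
    "0": "o", "1": "il", "!": "il", "3": "e", "4": "a", "@": "a",
    "5": "s", "$": "s", "7": "t", "8": "b", "9": "g", "|": "l",
}

# Digits and punctuation people tack onto the end: "treasure2021!"
TRAILING_RE = re.compile(r"[0-9!?.,*#]+$")

MAX_EXPANSIONS = 4096  # cap the combinatorial blow-up for long inputs


def suffix_strips(s: str):
    """Yield s with 0, 1, ..., n trailing digit/punctuation chars removed."""
    m = TRAILING_RE.search(s)
    run = len(m.group()) if m else 0
    for k in range(run + 1):
        yield s[: len(s) - k]


def leet_expansions(s: str):
    """Yield every way of reading the leet symbols in s as letters."""
    choices = [LEET.get(ch, ch) for ch in s]
    for combo in itertools.islice(itertools.product(*choices), MAX_EXPANSIONS):
        yield "".join(combo)


def dictionary_hit(candidate: str, wordlist=WORDLIST):
    """Return the dictionary word a cracker would recover from candidate,
    or None if no mangling rule here maps it onto the wordlist."""
    lowered = candidate.lower()
    for base in suffix_strips(lowered):
        for variant in leet_expansions(base):
            if variant in wordlist:
                return variant
    return None


if __name__ == "__main__":
    for pw in ("Tr3@sur3!", "P@$$w0rd2021", "mu5t4ch3", "xk9#Qv2!zLp"):
        print(f"{pw:16} -> {dictionary_hit(pw)}")
```

"Tr3@sur3!" and "P@$$w0rd2021" both resolve to their dictionary words within a handful of tries; the random string does not. Length and randomness from a generator, not substitutions, are what move a password out of dictionary range.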

iluvzbeach

  • Handlebar Stache
  • *****
  • Posts: 1589
Re: Thieves Targeting Retirement Accounts
« Reply #14 on: May 26, 2021, 03:29:41 PM »
I've always kept passwords in my phone in Notes. I just figured with the 6-digit passcode and face recognition functionality it was perhaps a tiny bit safer than putting it in a third-party's app. Because I've had them in Notes, I've always chosen different passwords for everything also. I don't know if that offers me any protection at all, but if someone managed to get one password, it will only work for one thing. My bank apps and Vanguard also have face recognition setup...so hopefully that's helping?

With regard to using the Notes feature on your phone, this may not be as secure as you might think. My Notes also get stored in a Notes folder on my email account. If yours does this as well, then anyone who gains access to your email account can also access credentials you’ve stored in Notes.

The situation Dicey shared in this thread is right in my line of business and, while I don’t work for Fidelity, there are so many ways this could have been either prevented or caught so much sooner. As consumers we are the weakest link in the equation and we must be vigilant about not only protecting ourselves against fraud (using methods mentioned by other posters above), but also actively monitoring our accounts on a regular basis so that we can alert the business as soon as we see something unusual. Fidelity offers all the monitoring/alerting tools this couple needed, but it’s up to them to take advantage of those tools and act immediately on suspicious activity.
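The monitoring iluvzbeach, Frankies Girl and others describe, as an added example that is not Fidelity's code or anything from the article: a few rules run over an exported activity file that surface the sequence the thread is about, a contact-detail change followed by an outbound transfer to an unfamiliar destination. The CSV, its column layout and the baseline of known destinations are constructed for the demo.

```python
"""Added example: review rules over exported account activity to surface the
pattern the thread describes (contact details changed, then money leaves to
an unfamiliar destination). Not Fidelity's code; ACTIVITY_CSV is constructed
and its column layout is an assumption about what an export might look like.
"""
import csv
import io
from datetime import datetime, timedelta

ACTIVITY_CSV = """\
date,type,detail,amount
2020-11-03,login,web,
2020-11-20,contribution,payroll,1500.00
2020-12-01,profile_change,phone_number,
2020-12-04,transfer_out,ACH other-bank-xxxx1234,45000.00
2020-12-18,contribution,payroll,1500.00
2021-01-05,transfer_out,ACH other-bank-xxxx1234,60000.00
"""

# Destinations the owner has used before (constructed baseline).
KNOWN_DESTINATIONS = {"ACH my-checking-xxxx9876"}
CHANGE_WINDOW = timedelta(days=30)   # profile change -> withdrawal gap to flag
LARGE_TRANSFER = 10_000.00


def parse_activity(csv_text: str) -> list:
    """Parse the export into dicts with real dates and amounts, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "date": datetime.strptime(r["date"], "%Y-%m-%d"),
            "type": r["type"],
            "detail": r["detail"],
            "amount": float(r["amount"]) if r["amount"] else 0.0,
        })
    return sorted(rows, key=lambda r: r["date"])


def review(rows: list, known=KNOWN_DESTINATIONS) -> list:
    """Return (date, message) alerts. Every profile change is surfaced so the
    owner can confirm it; outbound transfers are flagged when large, when the
    destination is unfamiliar, or when they follow a recent profile change."""
    alerts = []
    last_change = None
    for r in rows:
        if r["type"] == "profile_change":
            last_change = r
            alerts.append((r["date"],
                           f"profile change ({r['detail']}): confirm you made it"))
        elif r["type"] == "transfer_out":
            reasons = []
            if r["amount"] >= LARGE_TRANSFER:
                reasons.append("large amount")
            if r["detail"] not in known:
                reasons.append("unfamiliar destination")
            if last_change and r["date"] - last_change["date"] <= CHANGE_WINDOW:
                days = (r["date"] - last_change["date"]).days
                reasons.append(f"{days} days after {last_change['detail']} change")
            if reasons:
                alerts.append((r["date"],
                               f"transfer out {r['amount']:,.2f} to {r['detail']}: "
                               + "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for when, msg in review(parse_activity(ACTIVITY_CSV)):
        print(when.date(), msg)
```

On the constructed data the phone-number change and the first transfer three days later both come up; the second transfer is flagged only for size and destination because it falls outside the 30-day window. The thresholds are a starting point to tune, and none of this replaces the broker's own alerts, which have to reach an address the thief has not changed.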

brandon1827

  • Pencil Stache
  • ****
  • Posts: 531
  • Location: Tennessee
Re: Thieves Targeting Retirement Accounts
« Reply #15 on: May 27, 2021, 06:34:30 AM »
My iPhone Notes aren't attached to my email. I've had the same email address since college and never have attached it to anything like my Notes. I do utilize that main email for more "serious" things, and store receipts and other financial-related stuff in there....so I do potentially have some risk exposure there. I use a separate gmail account that I created a couple of years ago for silly stuff in an attempt to keep things separated that could leave a door open. So a third-party (app/website) password keeper is the way to go? I guess I just feel like that's an extra layer of exposure and since I've managed to go my entire adult life so far without any issues, I'm a little hesitant to do something different.

Metalcat

  • Senior Mustachian
  • ********
  • Posts: 17602
Re: Thieves Targeting Retirement Accounts
« Reply #16 on: May 27, 2021, 09:45:41 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Like...where on your phone? If they're in the notes app or something, yes, that's bad. But! You can use a password manager to store them more securely. I use LastPass.

Google just remembers my paypal password and fills in the blank. Anyone who can get into my phone can get into my paypal account.  I don't use the app since I'm not in it that often, this is the Chrome browser.

And at some point, you told Chrome to remember it. You can also manage the remembered passwords and remove them. So that's on you.

Ahh, but I don't remember the password so if I turn it off I will never be able to get in there (jk). All my other stuff uses fingerprint unlock.

I do worry about my husband not being able to get into things and pay bills if I become incapacitated. I have nightmares about waking up from my coma to thousands of dollars in late fees. How would he even realize that I had a bill due if it goes to my email? He would not think to check it. I set up mint for both of us (same concept as quicken) but I don't think he would check that either.

You can write instructions for your accounts into your will.

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: Thieves Targeting Retirement Accounts
« Reply #17 on: May 27, 2021, 09:57:23 AM »
So a third-party (app/website) password keeper is the way to go? I guess I just feel like that's an extra layer of exposure and since I've managed to go my entire adult life so far without any issues, I'm a little hesitant to do something different.

You can always encrypt a note using AES encryption.

https://support.apple.com/guide/security/secure-features-in-the-notes-app-sec1782bcab1/web

Quote from: apple
The Notes app includes a secure notes feature that allows users to protect the contents of specific notes.

RWD

  • Walrus Stache
  • *******
  • Posts: 6597
  • Location: Arizona
Re: Thieves Targeting Retirement Accounts
« Reply #18 on: May 27, 2021, 10:06:52 AM »
There's no way I would log into each account separately every month to check for that sort of thing.
I log into every single financial account (credit cards, banks, investments, etc.) every two weeks and check every transaction because I do everything manually in GnuCash.

neo von retorch

  • Magnum Stache
  • ******
  • Posts: 4944
  • Location: SE PA
    • Fi@retorch - personal finance tracking
Re: Thieves Targeting Retirement Accounts
« Reply #19 on: May 27, 2021, 10:07:40 AM »
We use Bitwarden.com (password manager). You can set up a free 2-person organization, and share important passwords between you. You still each have your own master password, and can have passwords you don't share.

https://nerdschalk.com/how-to-share-passwords-on-bitwarden/

Bitwarden is awesome and free, though we pay $10/year for some of their bonus features which automate finding stale, weak, or duplicate/re-used passwords.

On your phone you can set a PIN or use fingerprint unlock (if you have it) for unlocking the password vault.

The important thing here, is sharing important passwords - so if I expire prematurely, my spouse can still access my accounts. (It would still be good to add access information to a will so I could benefit someone in my family if we both go!)

I log into every single financial account (credit cards, banks, investments, etc.) every two weeks and check every transaction because I do everything manually in GnuCash.

Yup - I wrote my own software; similar to GnuCash. But I have every transaction that's ever happened since 2003 in my records, and none of that was imported automatically (the way Mint/Personal Capital/Plaid/etc. do.) Most things I log "when they happen" i.e. sometime in the evening after we went to a restaurant, or the next day over lunch. Some stuff I review and enter periodically. I review my investment accounts more often than I should, but I record to my software only when making non-automatic transactions, and then quarterly.
« Last Edit: May 27, 2021, 10:09:43 AM by neo von retorch »

SoftwareGoddess

  • Stubble
  • **
  • Posts: 140
  • Location: Canada
Re: Thieves Targeting Retirement Accounts
« Reply #20 on: May 27, 2021, 10:16:19 AM »
I log into every single financial account (credit cards, banks, investments, etc.) every two weeks and check every transaction because I do everything manually in GnuCash.

+1, except for me it's usually once per month.

hooplady

  • Stubble
  • **
  • Posts: 181
Re: Thieves Targeting Retirement Accounts
« Reply #21 on: May 27, 2021, 10:23:36 AM »
For the past couple of years I've been trying to clean up my online accounts (financial and otherwise).  Before I retired I tried to update all the ones that had been set up with my work email and phone# but I still find them occasionally. When I made my health insurance elections this year I found that the new administrator still had my work info attached to my profile, even though I've been retired 5 years and updated everything with my former employer and the previous insurance admin. I came across another that had challenge questions asking for info related to when I had opened the account. I had no idea when that was so I had to keep refreshing until I finally found questions that I could answer.

I first went online in the early '90's (wow I'm old) and I think I've had 7 different email addresses. I mention this only because the article indicates that Fidelity sent warnings to the account holders - but who knows where they went?

Kimera757

  • 5 O'Clock Shadow
  • *
  • Posts: 99
Re: Thieves Targeting Retirement Accounts
« Reply #22 on: May 27, 2021, 10:25:24 AM »
This is terrifying for sure. After reading that article, I immediately went and updated my passwords on all my bank accounts and my Vanguard. A potential weak spot could be my phone...I keep a lot of passwords stored in there...guess I need to find a better way to store them, but I'll be worried about this forever now, lol

Everybody should be using offline password generators. People have suggested I use Authy (an app) as well as it's more secure than SMS.

I have over 200 unique passwords. All of them are long, random things. There is no way I could memorize them without a generator. (The generator stores the passwords, but I have to remember the generator's password.)

Sugaree

  • Handlebar Stache
  • *****
  • Posts: 1674
Re: Thieves Targeting Retirement Accounts
« Reply #23 on: May 27, 2021, 11:47:32 AM »
If you are military or a federal employee it is possible to lock your TSP.  You can still make contribution changes or allocation changes, but in order to do something like a transfer out or loan you have to unlock it by mailing a form in. 

brandon1827

  • Pencil Stache
  • ****
  • Posts: 531
  • Location: Tennessee
Re: Thieves Targeting Retirement Accounts
« Reply #24 on: May 27, 2021, 12:15:10 PM »
There's no way I would log into each account separately every month to check for that sort of thing.
I log into every single financial account (credit cards, banks, investments, etc.) every two weeks and check every transaction because I do everything manually in GnuCash.

Thanks for this! I didn't know this was an option as I don't regularly keep up with iPhone features. I've locked several of my Notes with a password/faceID

FireLane

  • Handlebar Stache
  • *****
  • Posts: 1337
  • Age: 42
  • Location: NYC
Re: Thieves Targeting Retirement Accounts
« Reply #25 on: May 29, 2021, 12:38:42 PM »
This is my greatest fear. I use Vanguard for my retirement accounts, but their security practices aren't any better than Fidelity's.

The best way to protect your account would be a dedicated hardware token like a Yubikey. Vanguard does support that, but they also use SMS authentication as a backup and don't allow users to turn it off.

SMS authentication can be worse than nothing. If a thief knows your number, the only thing they have to do is convince a phone company employee to transfer your number to their device (shockingly easy to do), and then they can reset your password and log in as you.

The only thing I've got going for me is that I log on to my Vanguard account to check the balances every few days. Probably not a good habit, but if there was a large unauthorized withdrawal, I'd notice right away.

BudgetSlasher

  • Handlebar Stache
  • *****
  • Posts: 1212
Re: Thieves Targeting Retirement Accounts
« Reply #26 on: May 30, 2021, 09:59:05 AM »
Yes they are. A different and more active strategy was used against co-workers of DW.

A while ago they underwent a corporate reorganization and as a result there were changes to the retirement plan including what company would be used to administer them. The changeover was automatic and no action was needed on the part of the employee (unless they wanted to make changes to how the money was invested in the new account).

Several employees were targeted via phone calls. The call purported to be calling from the old plan administrator and armed with details including new and old plan administrators, employee names, critical dates, and supposedly in one case account balance, said they were calling to complete the close out of the old accounts. Of course to do such a thing you would need to confirm your identity ...

Paul der Krake

  • Walrus Stache
  • *******
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
Re: Thieves Targeting Retirement Accounts
« Reply #27 on: May 30, 2021, 10:21:04 AM »
Yes they are. A different and more active strategy was used against co-workers of DW.

A while ago they underwent a corporate reorganization and as a result there were changes to the retirement plan including what company would be used to administer them. The changeover was automatic and no action was needed on the part of the employee (unless they wanted to make changes to how the money was invested in the new account).

Several employees were targeted via phone calls. The call purported to be calling from the old plan administrator and armed with details including new and old plan administrators, employee names, critical dates, and supposedly in one case account balance, said they were calling to complete the close out of the old accounts. Of course to do such a thing you would need to confirm your identity ...
I think the best way to handle a live call is to ask for the caller's name and extension. Then look up the main phone number on the firm's website and dial them back yourself. If they have trouble with that, it's probably a scam.

BudgetSlasher

  • Handlebar Stache
  • *****
  • Posts: 1212
Re: Thieves Targeting Retirement Accounts
« Reply #28 on: June 01, 2021, 06:24:36 PM »
Yes they are. A different and more active strategy was used against co-workers of DW.

A while ago they underwent a corporate reorganization and as a result there were changes to the retirement plan including what company would be used to administer them. The changeover was automatic and no action was needed on the part of the employee (unless they wanted to make changes to how the money was invested in the new account).

Several employees were targeted via phone calls. The call purported to be calling from the old plan administrator and armed with details including new and old plan administrators, employee names, critical dates, and supposedly in one case account balance, said they were calling to complete the close out of the old accounts. Of course to do such a thing you would need to confirm your identity ...
I think the best way to handle a live call is to ask for the caller's name and extension. Then look up the main phone number on the firm's website and dial them back yourself. If they have trouble with that, it's probably a scam.

I completely agree and would give the same guidance to anyone who asked.