Author Topic: How to keep my brokerage account safe?  (Read 8419 times)

Kalergie

  • Stubble
  • **
  • Posts: 221
How to keep my brokerage account safe?
« on: December 17, 2016, 03:53:49 AM »
So the ONE thing that keeps me up at night sometimes is not the market and its unpredictability but some hackers getting their hands on my brokerage account. Especially in light of recent Yahoo news, I sometimes think, what are the chances for someone to hack into my account and steal money or shares? What if this happens and what would I even do in this case? What can I do to protect myself? I am a non-US investor and my portfolio is with Interactive Brokers.

So, what do you guys do to protect yourselves? Change passwords regularly, how do you determine a good password?


johnny847

  • Magnum Stache
  • ******
  • Posts: 3192
    • My Blog
Re: How to keep my brokerage account safe?
« Reply #1 on: December 17, 2016, 09:03:12 AM »
I use a password manager. I like KeePass. There are other options such as 1Password and Last pass which store your passwords encrypted in the cloud, but I prefer not having them in the cloud. Regardless, because I use a password manager, I know none of my passwords aside from the ones for school, email, and KeePass. I use KeePass to generate random strong passwords for each of my accounts.

I use two factor authentication for Gmail - they need my phone or the backup codes printed out and stored in my wallet to hack in, after figuring out my password.

I don't know about other brokerages' security, but even if I were to hand you my Vanguard password, I have two factor authentication enabled there so again you'd need my phone. And even if I handed you my phone, you'd only initially be able to transfer money out to my linked bank accounts. So you'd have to either have access to one of my linked bank accounts or link a new bank account. When you link a new bank account a letter is mailed to my address. If you were to link a new bank account, a letter notifying me of the change of address is sent to both old and new addresses, and sales of shares are restricted for five business days.
And all account changes trigger an email notification as well.

As you can see, even if someone got your Vanguard password, it'd be hard for them to get money from your account, particularly if you have enabled two factor authentication.
« Last Edit: December 17, 2016, 09:06:02 AM by johnny847 »

Heckler

  • Handlebar Stache
  • *****
  • Posts: 1354
Re: How to keep my brokerage account safe?
« Reply #2 on: December 17, 2016, 09:27:01 AM »
I recently set up two factor on mine with my phone. Unfortunately Mint doesn't work anymore because of it. Probably a good thing.

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #3 on: December 17, 2016, 09:57:04 AM »
Some of these have been mentioned already:

* A complex password.  Not a dictionary word.  I use a password generator that minimally does 16 characters (and guarantees upper/lower/special characters).  It has options for longer/shorter/etc because some sites have ridiculous, bad password requirements.
* since it is a random bunch of characters, you'll have to use a password manager, as mentioned
* Don't re-use that password anywhere
* Don't re-use your userid (if there is one).
* Don't re-use your email address either.  If you get an email from Vanguard, it better damn well go to the email address you expect it to.  If you get an email address from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on. 
* Because you're using multiple email addresses, these will also have to be folded into your password manager.  For my many multiple email addresses, I use a combination of dedicatedmail@mydomain.com and sneakemail.  Sneakemail is a paid service that will generate unique email addresses and tag them.  They will then forward to one or more back end accounts with the reply-to rewritten.  If you reply, it goes back through sneakemail and rewrites it to the original sender.  Highly recommended.
* For account reset questions: ALWAYS LIE.  These are usually stupid questions that are public knowledge.  Use a different one for every account.  "What's your mother's maiden name?  Blackwoodpecker"   Add these to your password manager.
* I actually use an entirely separate browser instance for financial institutions.  For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days).  For financial institutions, I pretty much allow everything.  Minimally this keeps cookies separate.  If nothing else, it makes you think:  I'm using the financial browser... think before you click.  It also keeps things like tabnapping from happening.
* I don't actually believe in changing passwords often.  I think this is a bad practice that tends to make people make bad passwords.  Instead of a password like "1fF1F4dnP1I1oHv4" ... you end up with "MyPassword01" that changes to "MyPassword02" ... etc. 
* Two factor auth is awesome.  I'd take it further and make sure you keep it 2 factor.  In other words, if you're browsing on your phone and the 2nd factor is SMS... it's really not a second factor.  You already are holding both factors on the same device.  (I worked for a company with a complicated login process, but every single factor was controlled by your Windows credentials.  If you had those, you owned every 2nd factor in the system: email, desk phone options, etc.)
* As much as automated stuff is cool... I'd say do not use it for financial data.  I am not a fan of web sites (Mint, etc) that log into your financial institutions and download data.  The primary mantra of computer security is "least required privilege".  The least required privilege for those sites is "none". 
* Keep your computer up to date.  "Do you want to update/upgrade?" is a question you cannot refuse.  Don't run on out of date platforms.  If Windows XP is not supported, upgrade or buy a new computer.  (The same goes for smart phones.  When Google/Apple/Moto/etc stop supporting your model, you pretty much have to upgrade.)
* Stay away from shady web sites.  Even on-the-level web sites tend to sell ads that can run javascript on your machine.  Bad actors have become pretty smart.  I try very hard to limit javascript... but that really is becoming difficult.  If you're going to play around on those sites... use separate machines (or VMs) for those sites vs financial sites.
* It's not a bad idea to learn Linux.  It can be more secure, IMO.  (But: it's totally possible to make an insecure mess with Linux just like it is with any OS.)  If nothing else, you are a smaller target.  Large scale hacks tend to go towards the mainstream.  The IoT is slowly changing this, as a lot of IoT is embedded Linux.  It is becoming a larger target over time.

edit to add:
* Never use a user id on your computer that has administrative privileges.  Use a "normal" userid for daily use.  When you need admin privs, it should require a (strong) password to escalate your privs.
« Last Edit: December 17, 2016, 04:05:06 PM by Spork »

Financial.Velociraptor

  • Handlebar Stache
  • *****
  • Posts: 1562
  • Age: 47
  • Location: Houston TX
  • Devour your prey raptors!
    • Financial Velociraptor
Re: How to keep my brokerage account safe?
« Reply #4 on: December 17, 2016, 02:12:25 PM »
Interactive Brokers uses two factor: https://www.interactivebrokers.com/en/?f=ibgstrength&p=log1

Pretty secure plus they have internal monitoring team.

Kalergie

  • Stubble
  • **
  • Posts: 221
Re: How to keep my brokerage account safe?
« Reply #5 on: December 17, 2016, 09:45:46 PM »
I love this two factor system. It seems quite secure to me. But what happens if IB gets hacked themselves? The real world equivalent would be a bank robbery. What would happen if IB gets hacked, somehow cash or shares in my name are "stolen" or reassigned to a new owner somehow? Is that technically possible? By the way other than the broker, who else knows who owns what shares? How could I prove to authorities that I was the rightful owner of shares and that I was robbed?

Yes, I am worried about a very low probability very very high impact risk scenario, but I wouldn't do my job if I didn't worry about this. At least I need to know about the risk and its impact.


johnny847

  • Magnum Stache
  • ******
  • Posts: 3192
    • My Blog
Re: How to keep my brokerage account safe?
« Reply #6 on: December 17, 2016, 09:55:57 PM »
Quote
I love this two factor system. It seems quite secure to me. But what happens if IB gets hacked themselves? The real world equivalent would be a bank robbery. What would happen if IB gets hacked, somehow cash or shares in my name are "stolen" or reassigned to a new owner somehow? Is that technically possible? By the way other than the broker, who else knows who owns what shares? How could I prove to authorities that I was the rightful owner of shares and that I was robbed?

Yes, I am worried about a very low probability very very high impact risk scenario, but I wouldn't do my job if I didn't worry about this. At least I need to know about the risk and its impact.

Sure, anything is possible.

Download all of your statements and transaction confirmations so you always have a record of what and how many shares you have.

Furthermore, you should read up on SIPC insurance, which is somewhat analogous to the FDIC for brokerages.

Indexer

  • Handlebar Stache
  • *****
  • Posts: 1455
Re: How to keep my brokerage account safe?
« Reply #7 on: December 17, 2016, 10:39:23 PM »
Quote
* I actually use an entirely separate browser instance for financial institutions.  For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days).  For financial institutions, I pretty much allow everything.  Minimally this keeps cookies separate.  If nothing else, it makes you think:  I'm using the financial browser... think before you click.  It also keeps things like tabnapping from happening.

I take this to the next level. Completely different user on my computer for non-financial VS financial.

I also use a chromebook. I highly recommend one for financials. It is arguably the most virus resistant computer an individual can get their hands on.

1. It is linux based so many viruses won't run on it.
2. It sandboxes files. It doesn't let program A interact with program B unless it actually has a reason to. It does this across the computer, and especially blocks files from interacting with the actual operating system.
3. When you restart the computer it cleans itself. It is similar to how a PC can be rebooted from the original Windows CD. Anything that isn't supposed to be there gets removed. Best part, this process takes about 8 seconds...
4. It also auto updates when you restart it. If there is a software update it just happens.

A virus is unlikely to get past 1 because most viruses target Microsoft or Apple operating systems. If it does get past 1 it gets stuck in 2. If you restart your computer every time you use it 3 & 4 take care of the rest.


Oh, and the VERY best protection you can have is to be informed. Have alerts go to your phone, have 2 factor authentication, read your emails, check your mail, log onto the account, etc. If someone did break into your bank or investment account the best thing you can do is catch it quick. Until the money is in physical cash you can get it back. If someone hacks your investment account they can normally only transfer the money to a bank account in your name or as a check to your address of record. That means in order to get your money the criminal would need to add a new bank or change your address. If they do either you get an email. Most companies put limits on withdrawals for the first few days after a new bank or address is added. Let's say you don't catch it then. Then they have to mail a check or transfer money to the bank. You get a notification. If someone transfers 200k to a new bank account it gets put on hold. The bank isn't going to authorize any large cash withdrawals, wire transfers, or big purchases until time has passed. If you catch the fraud at this point your investment firm will contact the bank and have them freeze the account. It gets transferred back.

Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #8 on: December 17, 2016, 10:54:14 PM »
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

Monkey Uncle

  • Handlebar Stache
  • *****
  • Posts: 1582
  • Location: West-by-god-Virginia
Re: How to keep my brokerage account safe?
« Reply #9 on: December 18, 2016, 05:01:25 AM »
My broker says it will cover 100% of losses due to unauthorized activity as long as it is reported in a timely manner, and as long as the "unauthorized activity" isn't committed by someone to whom I have given account access.

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #10 on: December 18, 2016, 08:23:43 AM »
Quote
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

I'm assuming this is a joke.  If not, rethink.

Kalergie

  • Stubble
  • **
  • Posts: 221
Re: How to keep my brokerage account safe?
« Reply #11 on: December 18, 2016, 10:41:33 AM »
Quote
My broker says it will cover 100% of losses due to unauthorized activity as long as it is reported in a timely manner, and as long as the "unauthorized activity" isn't committed by someone to whom I have given account access.

I'll contact Interactive Brokers to clarify their policy.

meerkat

  • Magnum Stache
  • ******
  • Posts: 3809
Re: How to keep my brokerage account safe?
« Reply #12 on: December 19, 2016, 05:52:07 AM »
Quote
Some of these have been mentioned already:

* A complex password.  Not a dictionary word.  I use a password generator that minimally does 16 characters (and guarantees upper/lower/special characters).  It has options for longer/shorter/etc because some sites have ridiculous, bad password requirements.
* since it is a random bunch of characters, you'll have to use a password manager, as mentioned
* Don't re-use that password anywhere
* Don't re-use your userid (if there is one).
* Don't re-use your email address either.  If you get an email from Vanguard, it better damn well go to the email address you expect it to.  If you get an email address from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on. 
* Because you're using multiple email addresses, these will also have to be folded into your password manager.  For my many multiple email addresses, I use a combination of dedicatedmail@mydomain.com and sneakemail.  Sneakemail is a paid service that will generate unique email addresses and tag them.  They will then forward to one or more back end accounts with the reply-to rewritten.  If you reply, it goes back through sneakemail and rewrites it to the original sender.  Highly recommended.
* For account reset questions: ALWAYS LIE.  These are usually stupid questions that are public knowledge.  Use a different one for every account.  "What's your mother's maiden name?  Blackwoodpecker"   Add these to your password manager.
* I actually use an entirely separate browser instance for financial institutions.  For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days).  For financial institutions, I pretty much allow everything.  Minimally this keeps cookies separate.  If nothing else, it makes you think:  I'm using the financial browser... think before you click.  It also keeps things like tabnapping from happening.
* I don't actually believe in changing passwords often.  I think this is a bad practice that tends to make people make bad passwords.  Instead of a password like "1fF1F4dnP1I1oHv4" ... you end up with "MyPassword01" that changes to "MyPassword02" ... etc. 
* Two factor auth is awesome.  I'd take it further and make sure you keep it 2 factor.  In other words, if you're browsing on your phone and the 2nd factor is SMS... it's really not a second factor.  You already are holding both factors on the same device.  (I worked for a company with a complicated login process, but every single factor was controlled by your Windows credentials.  If you had those, you owned every 2nd factor in the system: email, desk phone options, etc.)
* As much as automated stuff is cool... I'd say do not use it for financial data.  I am not a fan of web sites (Mint, etc) that log into your financial institutions and download data.  The primary mantra of computer security is "least required privilege".  The least required privilege for those sites is "none". 
* Keep your computer up to date.  "Do you want to update/upgrade?" is a question you cannot refuse.  Don't run on out of date platforms.  If Windows XP is not supported, upgrade or buy a new computer.  (The same goes for smart phones.  When Google/Apple/Moto/etc stop supporting your model, you pretty much have to upgrade.)
* Stay away from shady web sites.  Even on-the-level web sites tend to sell ads that can run javascript on your machine.  Bad actors have become pretty smart.  I try very hard to limit javascript... but that really is becoming difficult.  If you're going to play around on those sites... use separate machines (or VMs) for those sites vs financial sites.
* It's not a bad idea to learn Linux.  It can be more secure, IMO.  (But: it's totally possible to make an insecure mess with Linux just like it is with any OS.)  If nothing else, you are a smaller target.  Large scale hacks tend to go towards the mainstream.  The IoT is slowly changing this, as a lot of IoT is embedded Linux.  It is becoming a larger target over time.

edit to add:
* Never use a user id on your computer that has administrative privileges.  Use a "normal" userid for daily use.  When you need admin privs, it should require a (strong) password to escalate your privs.

My issue with the above is that there's a lot of reliance on a password manager and then I feel like if that password manager is compromised then I'm up a creek. Aside from that it sounds great but I just can't get past that. Wouldn't hackers be specifically targeting password managers because of the treasure trove of information they'd gain access to?

caracarn

  • Handlebar Stache
  • *****
  • Posts: 1534
  • Age: 50
  • Location: Ohio
Re: How to keep my brokerage account safe?
« Reply #13 on: December 19, 2016, 06:09:33 AM »
Quote
Some of these have been mentioned already:

* A complex password.  Not a dictionary word.  I use a password generator that minimally does 16 characters (and guarantees upper/lower/special characters).  It has options for longer/shorter/etc because some sites have ridiculous, bad password requirements.
* since it is a random bunch of characters, you'll have to use a password manager, as mentioned
* Don't re-use that password anywhere
* Don't re-use your userid (if there is one).
* Don't re-use your email address either.  If you get an email from Vanguard, it better damn well go to the email address you expect it to.  If you get an email address from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on. 
* Because you're using multiple email addresses, these will also have to be folded into your password manager.  For my many multiple email addresses, I use a combination of dedicatedmail@mydomain.com and sneakemail.  Sneakemail is a paid service that will generate unique email addresses and tag them.  They will then forward to one or more back end accounts with the reply-to rewritten.  If you reply, it goes back through sneakemail and rewrites it to the original sender.  Highly recommended.
* For account reset questions: ALWAYS LIE.  These are usually stupid questions that are public knowledge.  Use a different one for every account.  "What's your mother's maiden name?  Blackwoodpecker"   Add these to your password manager.
* I actually use an entirely separate browser instance for financial institutions.  For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days).  For financial institutions, I pretty much allow everything.  Minimally this keeps cookies separate.  If nothing else, it makes you think:  I'm using the financial browser... think before you click.  It also keeps things like tabnapping from happening.
* I don't actually believe in changing passwords often.  I think this is a bad practice that tends to make people make bad passwords.  Instead of a password like "1fF1F4dnP1I1oHv4" ... you end up with "MyPassword01" that changes to "MyPassword02" ... etc. 
* Two factor auth is awesome.  I'd take it further and make sure you keep it 2 factor.  In other words, if you're browsing on your phone and the 2nd factor is SMS... it's really not a second factor.  You already are holding both factors on the same device.  (I worked for a company with a complicated login process, but every single factor was controlled by your Windows credentials.  If you had those, you owned every 2nd factor in the system: email, desk phone options, etc.)
* As much as automated stuff is cool... I'd say do not use it for financial data.  I am not a fan of web sites (Mint, etc) that log into your financial institutions and download data.  The primary mantra of computer security is "least required privilege".  The least required privilege for those sites is "none". 
* Keep your computer up to date.  "Do you want to update/upgrade?" is a question you cannot refuse.  Don't run on out of date platforms.  If Windows XP is not supported, upgrade or buy a new computer.  (The same goes for smart phones.  When Google/Apple/Moto/etc stop supporting your model, you pretty much have to upgrade.)
* Stay away from shady web sites.  Even on-the-level web sites tend to sell ads that can run javascript on your machine.  Bad actors have become pretty smart.  I try very hard to limit javascript... but that really is becoming difficult.  If you're going to play around on those sites... use separate machines (or VMs) for those sites vs financial sites.
* It's not a bad idea to learn Linux.  It can be more secure, IMO.  (But: it's totally possible to make an insecure mess with Linux just like it is with any OS.)  If nothing else, you are a smaller target.  Large scale hacks tend to go towards the mainstream.  The IoT is slowly changing this, as a lot of IoT is embedded Linux.  It is becoming a larger target over time.

edit to add:
* Never use a user id on your computer that has administrative privileges.  Use a "normal" userid for daily use.  When you need admin privs, it should require a (strong) password to escalate your privs.

My issue with the above is that there's a lot of reliance on a password manager and then I feel like if that password manager is compromised then I'm up a creek. Aside from that it sounds great but I just can't get past that. Wouldn't hackers be specifically targeting password managers because of the treasure trove of information they'd gain access to?

Passwords are the most misunderstood item in technology.  This is why password managers seem like a "need".  You can generate simple, easy to remember passwords that defeat the security of basically anything you can develop on your own.  Random generated passwords cannot be remembered and require a manager, which is a gap.  A password such as "this is fun" is more secure than anything you can dream up.  Don't believe me?  If you want to learn more, read this excellent article with analysis:

https://www.baekdal.com/insights/password-security-usability
« Last Edit: December 19, 2016, 06:12:45 AM by caracarn »

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #14 on: December 19, 2016, 07:21:45 AM »
Quote
Some of these have been mentioned already:

* A complex password.  Not a dictionary word.  I use a password generator that minimally does 16 characters (and guarantees upper/lower/special characters).  It has options for longer/shorter/etc because some sites have ridiculous, bad password requirements.
* since it is a random bunch of characters, you'll have to use a password manager, as mentioned
* Don't re-use that password anywhere
* Don't re-use your userid (if there is one).
* Don't re-use your email address either.  If you get an email from Vanguard, it better damn well go to the email address you expect it to.  If you get an email address from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on. 
* Because you're using multiple email addresses, these will also have to be folded into your password manager.  For my many multiple email addresses, I use a combination of dedicatedmail@mydomain.com and sneakemail.  Sneakemail is a paid service that will generate unique email addresses and tag them.  They will then forward to one or more back end accounts with the reply-to rewritten.  If you reply, it goes back through sneakemail and rewrites it to the original sender.  Highly recommended.
* For account reset questions: ALWAYS LIE.  These are usually stupid questions that are public knowledge.  Use a different one for every account.  "What's your mother's maiden name?  Blackwoodpecker"   Add these to your password manager.
* I actually use an entirely separate browser instance for financial institutions.  For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days).  For financial institutions, I pretty much allow everything.  Minimally this keeps cookies separate.  If nothing else, it makes you think:  I'm using the financial browser... think before you click.  It also keeps things like tabnapping from happening.
* I don't actually believe in changing passwords often.  I think this is a bad practice that tends to make people make bad passwords.  Instead of a password like "1fF1F4dnP1I1oHv4" ... you end up with "MyPassword01" that changes to "MyPassword02" ... etc. 
* Two factor auth is awesome.  I'd take it further and make sure you keep it 2 factor.  In other words, if you're browsing on your phone and the 2nd factor is SMS... it's really not a second factor.  You already are holding both factors on the same device.  (I worked for a company with a complicated login process, but every single factor was controlled by your Windows credentials.  If you had those, you owned every 2nd factor in the system: email, desk phone options, etc.)
* As much as automated stuff is cool... I'd say do not use it for financial data.  I am not a fan of web sites (Mint, etc) that log into your financial institutions and download data.  The primary mantra of computer security is "least required privilege".  The least required privilege for those sites is "none". 
* Keep your computer up to date.  "Do you want to update/upgrade?" is a question you cannot refuse.  Don't run on out of date platforms.  If Windows XP is not supported, upgrade or buy a new computer.  (The same goes for smart phones.  When Google/Apple/Moto/etc stop supporting your model, you pretty much have to upgrade.)
* Stay away from shady web sites.  Even on-the-level web sites tend to sell ads that can run javascript on your machine.  Bad actors have become pretty smart.  I try very hard to limit javascript... but that really is becoming difficult.  If you're going to play around on those sites... use separate machines (or VMs) for those sites vs financial sites.
* It's not a bad idea to learn Linux.  It can be more secure, IMO.  (But: it's totally possible to make an insecure mess with Linux just like it is with any OS.)  If nothing else, you are a smaller target.  Large scale hacks tend to go towards the mainstream.  The IoT is slowly changing this, as a lot of IoT is embedded Linux.  It is becoming a larger target over time.

edit to add:
* Never use a user id on your computer that has administrative privileges.  Use a "normal" userid for daily use.  When you need admin privs, it should require a (strong) password to escalate your privs.

My issue with the above is that there's a lot of reliance on a password manager and then I feel like if that password manager is compromised then I'm up a creek. Aside from that it sounds great but I just can't get past that. Wouldn't hackers be specifically targeting password managers because of the treasure trove of information they'd gain access to?

Passwords are the most misunderstood item in technology.  This is why password managers seem like a "need".  You can generate simple, easy to remember passwords that defeat the security of basically anything you can develop on your own.  Random generated passwords cannot be remembered and require a manager, which is a gap.  A password such as "this is fun" is more secure than anything you can dream up.  Don't believe me?  If you want to learn more, read this excellent article with analysis:

https://www.baekdal.com/insights/password-security-usability

A couple of thoughts here:
* I currently have 726 unique passwords...   That's post-FIRE.  When I was working in IT security, you could easily add several hundred in there.  You don't just need to know every unique password out there, but you need all the old passwords... because inevitably SOMETHING will get missed and some system will have a password that is "5 passwords old"
* I have no earthly clue where the article linked gets 100 password guesses per second.  Maybe that number works for a web site where you are guessing over the network using their front end -- and they have controls in place to slow down password guessing.  Most password cracking happens after someone steals the entire hashed password file.  These cracks are measured in billions of password guesses per second.  And depending on what algorithm is used for the back end, whether the passwords are salted, etc... it could be faster.  Unsalted passwords can be "pre-computed" with rainbow tables and cracked almost immediately.  Bottom line: 6 character passwords are way too short. 
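A worked comparison of the two points argued above, added here as an example and not code from any poster: it puts caracarn's "this is fun" style passphrase and Spork's 16-character generated password next to a 6-character password, at the linked article's 100 guesses per second and at an offline rate against a stolen hash file, and shows why salting and an iterated hash matter once the file itself is taken. The guess rates, the 5,000-word dictionary and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates, not measurements: 100/s is what a throttled web
# login form might allow; 1e10/s is the order of magnitude for a stolen
# file of fast, unsalted hashes (MD5/SHA-1) on a GPU rig.
GUESS_RATES = {
    "online, throttled login form": 1e2,
    "offline, stolen unsalted hashes": 1e10,
}


def entropy_bits_random(length, alphabet_size):
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_bits_wordlist(num_words, dictionary_size):
    """Bits of entropy in a passphrase of num_words drawn from a word list.
    An attacker who tries the list gains nothing from the letters inside
    the words, only the choice of words counts."""
    return num_words * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def crack_years(entropy_bits, guesses_per_second):
    return expected_crack_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


# Candidates taken from the thread; the 5,000-word list is an assumption.
CANDIDATES = {
    "6 random lowercase letters": entropy_bits_random(6, 26),
    "3 common words (\"this is fun\")": entropy_bits_wordlist(3, 5000),
    "16 random alphanumerics": entropy_bits_random(16, 62),
}


def hash_unsalted(password):
    """Plain SHA-256 with no salt: equal passwords give equal hashes, so one
    precomputed (rainbow) table cracks every user in the file at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt: the salt defeats
    precomputation and the iteration count divides the attacker's guess
    rate by the same factor it costs the server per login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password, salt, expected_hex, iterations=600_000):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), expected_hex)


def crack_time_table():
    """Expected crack time in years for every candidate at every rate."""
    return {
        (name, rate_name): crack_years(bits, rate)
        for name, bits in CANDIDATES.items()
        for rate_name, rate in GUESS_RATES.items()
    }


if __name__ == "__main__":
    for (name, rate_name), years in crack_time_table().items():
        print(f"{name:32s} {rate_name:32s} {years:12.3g} years")
    salt, stored = hash_salted("this is fun")
    print("same unsalted hash twice:",
          hash_unsalted("this is fun") == hash_unsalted("this is fun"))
    print("salted hash verifies:", verify_salted("this is fun", salt, stored))
```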

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1083
Re: How to keep my brokerage account safe?
« Reply #15 on: December 19, 2016, 07:25:23 AM »
Quote
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

I'm assuming this is a joke.  If not, rethink.

I just use "password".  I'm told it's the most popular password.  ;-)

Seriously, in addition to the other advice from everyone above, never
click on a link provided by an email from your financial institution.

Instead, just log directly into your account and check for any
alerts/messages.

An email message is easy to spoof, and the link provided may be an
attempt to get you to reveal your password by presenting you with
a fake website.

Scandium

  • Handlebar Stache
  • *****
  • Posts: 2317
  • Location: EastCoast
Re: How to keep my brokerage account safe?
« Reply #16 on: December 19, 2016, 09:17:05 AM »
Quote
My issue with the above is that there's a lot of reliance on a password manager and then I feel like if that password manager is compromised then I'm up a creek. Aside from that it sounds great but I just can't get past that. Wouldn't hackers be specifically targeting password managers because of the treasure trove of information they'd gain access to?

Keepass (the one I use) uses 256 bit AES (and a hash) to encrypt/decrypt the database, which I store in my own dropbox folder which I believe is also encrypted when transferred.
http://keepass.info/help/base/security.html
Quote
These algorithms are well-known, analyzed thoroughly and considered to be very secure (see [1] for comments by the NIST on AES for example). AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.

If someone can crack that they could break into lots of juicier targets. Do you think they would use those skills to break intelligence service communication, or rather change my facebook status and add adult diapers to my shopping list..?

Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #17 on: December 19, 2016, 09:20:34 AM »
If someone can crack that they could break into lots of juicier targets. Do you think they would use those skills to break intelligence service communication, or rather change my facebook status and add adult diapers to my shopping list..?


tarheeldan

  • Pencil Stache
  • ****
  • Posts: 780
Re: How to keep my brokerage account safe?
« Reply #18 on: December 19, 2016, 09:26:08 AM »
Two-factor authentication - Vanguard has implemented this - and a very difficult, unique to the site, password.

Scandium

  • Handlebar Stache
  • *****
  • Posts: 2317
  • Location: EastCoast
Re: How to keep my brokerage account safe?
« Reply #19 on: December 19, 2016, 09:32:54 AM »
If someone can crack that they could break into lots of juicier targets. Do you think they would use those skills to break intelligence service communication, or rather change my facebook status and add adult diapers to my shopping list..?



(thanks for making me have to type stuff into g.translate..)

For one thing, it would likely be resource intensive to crack AES/SHA. Maybe hundreds of hours on S3? Would you use this on a low-profile individual?
Second, once you break it, the cat's out of the bag at some point. Show your hand too much and the world finds out and moves to another encryption algorithm. Again; why waste your shot on a single person when you could go after higher profile/return targets?

Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #20 on: December 19, 2016, 06:36:05 PM »
For one thing, it would likely be resource intensive to crack AES/SHA. Maybe hundreds of hours on S3? Would you use this on a low-profile individual?
Second, once you break it, the cat's out of the bag at some point. Show your hand too much and the world finds out and moves to another encryption algorithm. Again; why waste your shot on a single person when you could go after higher profile/return targets?
Right, I don't seriously expect the NSA to spend massive CPU hours on mass surveillance. But I don't expect them either to let us know when it's no longer expensive to do so.

We are talking about the US government, the same entity that insists on having over one million people on active duty military during peace time, and whose national security budget can't even be audited. It wouldn't take much to convince them to spend a couple billion extra "just in case".

SpareChange

  • Bristles
  • ***
  • Posts: 475
Re: How to keep my brokerage account safe?
« Reply #21 on: December 21, 2016, 01:07:18 AM »
Great advice above. I have 3 accounts at TD Ameritrade, and I'm a little disappointed they haven't implemented TFA. They could also allow stronger passwords...currently you're limited to 15 characters...letters and numbers only. Ugh.

Scandium

  • Handlebar Stache
  • *****
  • Posts: 2317
  • Location: EastCoast
Re: How to keep my brokerage account safe?
« Reply #22 on: December 21, 2016, 08:15:47 AM »
Right, I don't seriously expect the NSA to spend massive CPU hours on mass surveillance. But I don't expect them either to let us know when it's no longer expensive to do so.

We are talking about the US government, the same entity that insists on having over one million people on active duty military during peace time, and whose national security budget can't even be audited. It wouldn't take much to convince them to spend a couple billion extra "just in case".

I'm concerned about hackers, not the US government. The NSA could just hack the broker directly, or get the data via secret court "warrant". They wouldn't even bother hacking your keepass database.

Kalergie

  • Stubble
  • **
  • Posts: 221
Re: How to keep my brokerage account safe?
« Reply #23 on: December 21, 2016, 10:37:27 PM »
I also don't have the US government on my list of potential threats to me. The government's interests are in line with my own to be honest. I want the US economy to prosper and bad guys to go to jail.

Kalergie

  • Stubble
  • **
  • Posts: 221
Re: How to keep my brokerage account safe?
« Reply #24 on: December 22, 2016, 10:35:28 PM »
Answer from Interactive Brokers:
"Dear customer,
Consider this: if an Internet hacker or identity thief should somehow manage to obtain your IB username and password, they WILL NOT be able to access your account without physical possession of your Secure Login System security device.

There's no additional theft insurance."

So I better keep my two-factor device safe.

Playing with Fire UK

  • Magnum Stache
  • ******
  • Posts: 2982
Re: How to keep my brokerage account safe?
« Reply #25 on: January 24, 2017, 09:25:33 AM »
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

I changed all my passwords to CorrectHorseBatteryStaple!

Aggie1999

  • Bristles
  • ***
  • Posts: 383
Re: How to keep my brokerage account safe?
« Reply #26 on: January 24, 2017, 12:06:06 PM »
Any offline password managers out there that work similar to how an offline Bitcoin Armory wallet works? Here are the basics:

1. Password manager database is installed only on an offline computer that never sees a network/Internet.
2. Password manager database is encrypted with a hard password that an individual would remember. Needed so a thief that steals the offline computer cannot get into the database.
3. Password manager auto-generates passwords to use other places. The password database knows all passwords that have been generated and ever will be generated in the future.
4. This is key: Password manager database can be backed up to a hard copy. User would store the backup in something like a safe deposit box. If user ever forgot the password to decrypt the password database then the electronic database could be restored with the hard copy.

Thoughts? I wonder if it would be feasible to just use addresses generated by an offline Armory Bitcoin wallet as passwords? Obviously one would never disclose the addresses generated. The complication would be that the addresses are very long (hard to enter) and probably too long for most sites.

MoonLiteNite

  • Bristles
  • ***
  • Posts: 411
Re: How to keep my brokerage account safe?
« Reply #27 on: January 24, 2017, 12:25:55 PM »
- Only use bank/money sites that actually protect the passwords, nearly all large sites encrypt their passwords these days, the httpS is a good sign of it.
- Change passwords, the more often the safer
- have a good password, more numbers, letters, symbols and uppercase letters help, test your password at https://howsecureismypassword.net/ If this says your password will take 100 years to crack, you should be safe.
- Do NOT use same password on any two sites, EVER
- Avoid key loggers, if you get a key logger on your computer, you are basically doomed. The only way to stop that from harming you is to change passwords often. The sooner, the less likely the key logger will actually do harm.
- Use those text/calls, and way lesser, email. Like when you log in, you also have to provide ANOTHER code, which is sent to you. This is basically the safest thing to have setup right now

edit:

This is my previous password's strength...
« Last Edit: January 24, 2017, 12:30:04 PM by MoonLiteNite »

MoonLiteNite

  • Bristles
  • ***
  • Posts: 411
Re: How to keep my brokerage account safe?
« Reply #28 on: January 24, 2017, 12:27:41 PM »
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

Depending, if the hacker knows his target, he may actually account for that, and the layer of protection drops to almost 0. Same thing for substitutes. Like 4 for A, ! for i, 0 for O, etc.... a lot of brute force programs and rainbow tables now account for those things.


smilla

  • Stubble
  • **
  • Posts: 145
  • Location: Canada
Re: How to keep my brokerage account safe?
« Reply #29 on: January 24, 2017, 12:28:19 PM »
Thanks for all the helpful tips everyone.

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #30 on: January 24, 2017, 01:13:55 PM »
Any offline password managers out there that work similar to how an offline Bitcoin Armory wallet works? Here are the basics:

1. Password manager database is installed only on an offline computer that never sees a network/Internet.
2. Password manager database is encrypted with a hard password that an individual would remember. Needed so a thief that steals the offline computer cannot get into the database.
3. Password manager auto-generates passwords to use other places. The password database knows all passwords that have been generated and ever will be generated in the future.
4. This is key: Password manager database can be backed up to a hard copy. User would store the backup in something like a safe deposit box. If user ever forgot the password to decrypt the password database then the electronic database could be restored with the hard copy.

Thoughts? I wonder if it would be feasible to just use addresses generated by an offline Armory Bitcoin wallet as passwords? Obviously one would never disclose the addresses generated. The complication would be that the addresses are very long (hard to enter) and probably too long for most sites.

Assuming you have a reasonable disk or file encryption scheme... All you'd really need to do is run a script to generate 10,000 good passwords and pipe it to a file.  When you need a new password, decrypt file, edit file and "Tag" a line as "www.newsite.com".
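An added example (not code from any poster in this thread) that puts numbers on two points made here: Spork's earlier argument that online guessing at 100/s and offline cracking of a stolen hash file at billions/s are different worlds, so 6-character passwords are too short, and the idea just above of pre-generating a file of random passwords and tagging a line per site. The guess rates, the 94-character alphabet and the 2048-word list size are constructed assumptions for the arithmetic.

```python
import math
import secrets
import string

# Constructed guess-rate assumptions: a rate-limited login form (online)
# versus offline cracking of a leaked fast-hash (e.g. unsalted MD5/SHA-1) file.
ONLINE_RATE = 100.0                # guesses per second
OFFLINE_RATE = 10_000_000_000.0    # 10 billion guesses per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable ASCII minus space: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(alphabet_size: int, length: int, rate: float) -> float:
    """Expected years to hit a uniformly random secret: half the keyspace on average."""
    return keyspace(alphabet_size, length) / 2 / rate / SECONDS_PER_YEAR


def strength_report(label: str, alphabet_size: int, length: int) -> dict:
    """Summarise a password scheme under both guess-rate assumptions."""
    return {
        "label": label,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "online_years": expected_crack_years(alphabet_size, length, ONLINE_RATE),
        "offline_years": expected_crack_years(alphabet_size, length, OFFLINE_RATE),
    }


def generate_passwords(n: int, length: int = 20, alphabet: str = ALPHABET) -> list:
    """Generate n independent random passwords using the OS CSPRNG (secrets, not random)."""
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(n)]


def generate_passphrase(wordlist: list, n_words: int = 4) -> str:
    """Diceware/xkcd-style passphrase: words drawn uniformly from a fixed list."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def claim_password(entries: list, site: str) -> str:
    """Spork's tagging scheme: entries are 'password<TAB>site' lines (site empty until used).
    Returns the first untagged password and tags that line in place with the site."""
    for i, line in enumerate(entries):
        password, _, tag = line.partition("\t")
        if not tag:
            entries[i] = f"{password}\t{site}"
            return password
    raise RuntimeError("no untagged passwords left; generate a new batch")


if __name__ == "__main__":
    # 94^6 is ~6.9e11: over a century at 100/s, but under a minute at 10e9/s.
    for r in (strength_report("6 chars, 94-symbol alphabet", 94, 6),
              strength_report("20 chars, 94-symbol alphabet", 94, 20),
              strength_report("4 words from 2048-word list", 2048, 4)):
        print(f"{r['label']}: {r['bits']} bits, "
              f"online {r['online_years']:.3g} y, offline {r['offline_years']:.3g} y")

    # Build the pre-generated file Spork describes, then tag one line per site.
    batch = [p + "\t" for p in generate_passwords(10_000)]
    print("claimed:", claim_password(batch, "www.newsite.com"))
```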


Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #31 on: January 24, 2017, 01:59:21 PM »
I just add "!" at the end of all my passwords.

It messes with the hackers' tools.

Depending, if the hacker knows his target, he may actually account for that, and the layer of protection drops to almost 0. Same thing for substitutes. Like 4 for A, ! for i, 0 for O, etc.... a lot of brute force programs and rainbow tables now account for those things.
Nah, you're wrong. I've never been hacked, so clearly I'm doing it right.

Playing with Fire UK

  • Magnum Stache
  • ******
  • Posts: 2982
Re: How to keep my brokerage account safe?
« Reply #32 on: January 25, 2017, 12:35:47 AM »
- Change passwords, the more often the safer

Not for me.

I can be bothered to think about and remember one decent password system; the more I need to change it, the crappier it gets.

Kalergie

  • Stubble
  • **
  • Posts: 221
Re: How to keep my brokerage account safe?
« Reply #33 on: January 25, 2017, 04:49:46 AM »
- Only use bank/money sites that actually protect the passwords, nearly all large sites encrypt their passwords these days, the httpS is a good sign of it.
- Change passwords, the more often the safer
- have a good password, more numbers, letters, symbols and uppercase letters help, test your password at https://howsecureismypassword.net/ If this says your password will take 100 years to crack, you should be safe.
- Do NOT use same password on any two sites, EVER
- Avoid key loggers, if you get a key logger on your computer, you are basically doomed. The only way to stop that from harming you is to change passwords often. The sooner, the less likely the key logger will actually do harm.
- Use those text/calls, and way lesser, email. Like when you log in, you also have to provide ANOTHER code, which is sent to you. This is basically the safest thing to have setup right now

edit:

This is my previous password's strength...


So this website wants me to put in my password? Haha, who tells me they aren't putting it in their database alongside other credentials they can save that I don't know about?

arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 28254
  • Age: -999
  • Location: Seattle, WA
Re: How to keep my brokerage account safe?
« Reply #34 on: January 25, 2017, 05:59:30 AM »
So this website wants me to put in my password? Haha, who tells me they aren't putting it in their database alongside other credentials they can save that I don't know about?

You can put in something different with the same amount of entropy.
We are two former teachers who accumulated a bunch of real estate, retired at 29, spent some time traveling the world full time and are now settled with three kids.
If you want to know more about us, or how we did that, or see lots of pictures, this Business Insider profile tells our story pretty well.
We (rarely) blog at AdventuringAlong.com. Check out our Now page to see what we're up to currently.

yodella

  • 5 O'Clock Shadow
  • *
  • Posts: 64
  • Location: US
Re: How to keep my brokerage account safe?
« Reply #35 on: January 25, 2017, 06:40:06 AM »
Let's not forget the extremely high-tech option of....paper. Use unique passwords, and write them down. Keep the list in a book or other hidden place in your home. No internet hacker can get to it, and any robbers breaking into your house are probably going for your TV and laptop, not the old copy of Mastering the Art of French Cooking (or whatever).

arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 28254
  • Age: -999
  • Location: Seattle, WA
Re: How to keep my brokerage account safe?
« Reply #36 on: January 25, 2017, 06:43:17 AM »
Let's not forget the extremely high-tech option of....paper. Use unique passwords, and write them down. Keep the list in a book or other hidden place in your home. No internet hacker can get to it, and any robbers breaking into your house are probably going for your TV and laptop, not the old copy of Mastering the Art of French Cooking (or whatever).

There are always points of weakness though.  Un-updated applications with vulnerabilities lead to exploits and rootkits or keyloggers.  At some point you have to type in the password, however you store it.

2 Factor Auth is better than security by obscurity or anything of that nature.

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #37 on: January 25, 2017, 08:08:32 AM »
- Change passwords, the more often the safer

Not for me.

I can be bothered to think about and remember one decent password system; the more I need to change it, the crappier it gets.

I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

Passwords should be as complex as you can make them... and then changed when you have a really good reason to do so.  (Known or suspected breach, accidentally exposed, etc.)

*I am not saying "areallygoodpassword" is a really good password.  It's a placeholder for a concept.

NoStacheOhio

  • Handlebar Stache
  • *****
  • Posts: 2137
  • Location: Cleveland
Re: How to keep my brokerage account safe?
« Reply #38 on: January 25, 2017, 10:28:02 AM »
- Change passwords, the more often the safer

Not for me.

I can be bothered to think about and remember one decent password system; the more I need to change it, the crappier it gets.

I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

Passwords should be as complex as you can make them... and then changed when you have a really good reason to do so.  (Known or suspected breach, accidentally exposed, etc.)

*I am not saying "areallygoodpassword" is a really good password.  It's a placeholder for a concept.

We recently switched HR portals at work, and they went from single sign-on through the Microsoft/Outlook server, to a completely separate system. They instituted a pretty high bar for password requirements, and made the passwords expire (I think it's 3 months, but I can't be sure). The Outlook server also has strong (but different) password requirements and expiration. My office runs a separate server environment for video production, which has separate password requirements and expiration timelines. Sometimes I have to go through the HR portal to access the payroll system (using my Outlook credentials), like when I update my W-4. Also, I can ONLY use Internet Explorer to do this.

I remember trying to explain why this was worse to the guy from HR/employee communications, and he was just acting like I was bitching about being forced to use a good password. And he wouldn't shut up about how people want to access this stuff from home (are you fucking kidding me? I'm not doing shit when I'm not on the clock). I'm like, "this is how passwords get stuck on a Post-It on the front of a computer monitor." The response was literally, "We don't care about individual users being compromised, that's your problem. We only care about protecting the integrity of the enterprise system."

I mean, points for honesty I guess?

Spork

  • Walrus Stache
  • *******
  • Posts: 5748
    • Spork In The Eye
Re: How to keep my brokerage account safe?
« Reply #39 on: January 25, 2017, 10:34:06 AM »
- Change passwords, the more often the safer

Not for me.

I can be bothered to think about and remember one decent password system; the more I need to change it, the crappier it gets.

I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

Passwords should be as complex as you can make them... and then changed when you have a really good reason to do so.  (Known or suspected breach, accidentally exposed, etc.)

*I am not saying "areallygoodpassword" is a really good password.  It's a placeholder for a concept.

We recently switched HR portals at work, and they went from single sign-on through the Microsoft/Outlook server, to a completely separate system. They instituted a pretty high bar for password requirements, and made the passwords expire (I think it's 3 months, but I can't be sure). The Outlook server also has strong (but different) password requirements and expiration. My office runs a separate server environment for video production, which has separate password requirements and expiration timelines. Sometimes I have to go through the HR portal to access the payroll system (using my Outlook credentials), like when I update my W-4. Also, I can ONLY use Internet Explorer to do this.

I remember trying to explain why this was worse to the guy from HR/employee communications, and he was just acting like I was bitching about being forced to use a good password. And he wouldn't shut up about how people want to access this stuff from home (are you fucking kidding me? I'm not doing shit when I'm not on the clock). I'm like, "this is how passwords get stuck on a Post-It on the front of a computer monitor." The response was literally, "We don't care about individual users being compromised, that's your problem. We only care about protecting the integrity of the enterprise system."

I mean, points for honesty I guess?

Exactly.

As an aside: probably 80-90% of the time when something "only works with Internet Explorer" ... you can lie to it.  Look for a user agent switcher plugin for your browser of choice.  It won't work 100% of the time, but I am surprised how often it works.  I don't remember ever having a Microsoft based system at work (other than a box I used to test things on.)  I always managed to find a way around this sort of thing. My career ranged from 1988-2015.

NoStacheOhio

  • Handlebar Stache
  • *****
  • Posts: 2137
  • Location: Cleveland
Re: How to keep my brokerage account safe?
« Reply #40 on: January 25, 2017, 10:39:13 AM »
- Change passwords, the more often the safer

Not for me.

I can be bothered to think about and remember one decent password system; the more I need to change it, the crappier it gets.

I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

Passwords should be as complex as you can make them... and then changed when you have a really good reason to do so.  (Known or suspected breach, accidentally exposed, etc.)

*I am not saying "areallygoodpassword" is a really good password.  It's a placeholder for a concept.

We recently switched HR portals at work, and they went from single sign-on through the Microsoft/Outlook server, to a completely separate system. They instituted a pretty high bar for password requirements, and made the passwords expire (I think it's 3 months, but I can't be sure). The Outlook server also has strong (but different) password requirements and expiration. My office runs a separate server environment for video production, which has separate password requirements and expiration timelines. Sometimes I have to go through the HR portal to access the payroll system (using my Outlook credentials), like when I update my W-4. Also, I can ONLY use Internet Explorer to do this.

I remember trying to explain why this was worse to the guy from HR/employee communications, and he was just acting like I was bitching about being forced to use a good password. And he wouldn't shut up about how people want to access this stuff from home (are you fucking kidding me? I'm not doing shit when I'm not on the clock). I'm like, "this is how passwords get stuck on a Post-It on the front of a computer monitor." The response was literally, "We don't care about individual users being compromised, that's your problem. We only care about protecting the integrity of the enterprise system."

I mean, points for honesty I guess?

Exactly.

As an aside: probably 80-90% of the time when something "only works with Internet Explorer" ... you can lie to it.  Look for a user agent switcher plugin for your browser of choice.  It won't work 100% of the time, but I am surprised how often it works.  I don't remember ever having a Microsoft based system at work (other than a box I used to test things on.)  I always managed to find a way around this sort of thing. My career ranged from 1988-2015.

Well I already have to use my PC box to log in to a lot of the enterprise systems anyway, so I just use IE when they force me to, because it's not frequent enough to matter.

Playing with Fire UK

  • Magnum Stache
  • ******
  • Posts: 2982
Re: How to keep my brokerage account safe?
« Reply #41 on: January 26, 2017, 10:04:00 AM »
I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

For me it's worse than that, I go from a very good password to shitpassword*01 etc.

I heard of an investment bank somewhere that mandated random (like provided by IT) 20 character alpha-numeric passwords that were changed every ~14 days, so everyone kept their passwords on a hidden post it and there was very little stopping anyone from logging into anyone else's computer - you just needed to know where they hid their post-it.

NoStacheOhio

  • Handlebar Stache
  • *****
  • Posts: 2137
  • Location: Cleveland
Re: How to keep my brokerage account safe?
« Reply #42 on: January 26, 2017, 12:10:51 PM »
I totally agree with you PWF UK.  And I think a large amount of the security community does, too.  Changing passwords -- especially forcing changes -- often makes things worse.  You end up with people moving from areallygoodpassword* to areallygoodpassword1, areallygoodpassword2, areallygoodpassword3.

For me it's worse than that, I go from a very good password to shitpassword*01 etc.

I heard of an investment bank somewhere that mandated random (like provided by IT) 20 character alpha-numeric passwords that were changed every ~14 days, so everyone kept their passwords on a hidden post it and there was very little stopping anyone from logging into anyone else's computer - you just needed to know where they hid their post-it.

If you're that concerned with access control, you'd be better off with biometrics + a rolling key generator. Maybe only allow users to access specific machines.

kaizen soze

  • Stubble
  • **
  • Posts: 130
Re: How to keep my brokerage account safe?
« Reply #43 on: December 09, 2017, 06:30:19 AM »
* Don't re-use your email address either.  If you get an email from Vanguard, it better damn well go to the email address you expect it to.  If you get an email address from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on. 


I know I'm late to this party. Spork's post had good advice, but I wonder about the logistics of managing all these email addresses. How often do you log in to check them? It seems that using a single app to read these emails would be a security vulnerability. Also, if you use phone apps to push notifications, it might somewhat defeat the purpose of using multiple emails. But not checking the emails would be a vulnerability, since you'll want to routinely monitor your account for fraud. Is there a good way to make this less of an administrative burden for yourself? I don't want to manually check 5 email accounts every day.

arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 28254
  • Age: -999
  • Location: Seattle, WA
Re: How to keep my brokerage account safe?
« Reply #44 on: December 09, 2017, 06:59:24 AM »
Several solutions.

You can add a "+word" to an email address (and then use filters to sort). You can link accounts and have multiple connected from one (easy with gmail for it to check multiple Gmail accounts). You can set up forwarding from the others into the main one.

Lots of options for that. :)

kaizen soze

  • Stubble
  • **
  • Posts: 130
Re: How to keep my brokerage account safe?
« Reply #45 on: December 10, 2017, 11:46:43 AM »
Several solutions.

You can add a "+word" to an email address (and then use filters to sort). You can link accounts and have multiple connected from one (easy with gmail for it to check multiple Gmail accounts). You can set up forwarding from the others into the main one.

Lots of options for that. :)

Hey thanks for replying! I understood Spork's advice to be a security solution. And linking multiple Gmail accounts together, or using the "+" trick wouldn't really achieve that. A single u/p is all that is needed to access all emails in both of those scenarios.

I *think* that the threat scenario is like this. A hacker gains access to your email account. Once in, the hacker can use your email as part of an effort to reset access to your brokerage and bank accounts. So Spork, and others on the interwebs, recommend using multiple emails, each with unique logon credentials. This seems to accomplish two things. One, a single compromised email account exposes only one brokerage account to fraud. Second, a mass hack of some other web site (LinkedIn, say) that reveals your primary email address does not also reveal the email address associated with your brokerage account.

So the multiple emails idea sounds good. But thinking through the logistics, it seems difficult to pull off. Complicating factors include:

1. Do your email accounts need their own recovery emails? Using your primary email for this defeats the purpose. Some email services require some form of recovery, such as another email or a phone number.
 
2. Once set up, what means do you use to monitor all of your emails? A single email app on your phone? Not monitoring the emails is not really an option. And forwarding emails to your primary account defeats the purpose if what we're worried about is your primary account being taken over.

3. Similar to #1, do these email accounts need two factor authentication, and if so, do you need to set up a separate means of 2FA for each one? Like not the same SMS phone number for each.

This is what I'm struggling with. Perhaps I'm overthinking. But I don't think so. If you're going to use multiple emails, you may as well do it right. Do it wrong and you end up with something both more complicated and less secure than what you're replacing. Or you just end up pushing your single point of vulnerability to another place, like if all emails used a single phone number as their recovery method.

I'm starting to think that this may be a game not worth the candle. Just secure your existing email account(s) as best you can and call it good.

Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #46 on: December 10, 2017, 01:38:05 PM »
You're overthinking.

Have one email account that you protect very well with 2FA and a solid unique password.

caracarn

  • Handlebar Stache
  • *****
  • Posts: 1534
  • Age: 50
  • Location: Ohio
Re: How to keep my brokerage account safe?
« Reply #47 on: December 11, 2017, 10:13:06 AM »
You're overthinking.

Have one email account that you protect very well with 2FA and a solid unique password.
Yes.  Gmail with 2FA and only allow your home computer to not require the 2FA ever.  Every single time someone tried to log in I'd get a text to my phone so the hacker might have like two seconds before I was aware of a hacking attempt.

TreeTired

  • Bristles
  • ***
  • Posts: 451
  • Age: 136
  • Location: North Carolina
  • I think we can make it
Re: How to keep my brokerage account safe?
« Reply #48 on: December 11, 2017, 09:03:00 PM »
2FA,  I like it, I use it, (I also love getting a text message every time my credit card is used) but don't get too complacent. I have heard of people having their phone number hacked and they lose control of their own phone number. Or hackers have been known to change the phone number inside your account. Then there is the trick of spamming your email with 1000s of messages so you miss the one from your broker telling you that your phone number has been changed.

I check my accounts almost daily. And, I have more than one account.  A few years ago I became uncomfortable having 80% of my financial assets with one firm.

Back when I was working for a big bank, the IT department made us change our passwords every month, and the password had the typical requirements:  Must be at least 8 characters long, must contain upper and lower case letters, must contain a number, and must contain a special character.  How the heck can I design or remember a password that does all that??? And every freaking month?    So I was out for a couple of days and the IT guy changed my password and left me a note:   Your new password is,  April@2006   

Paul der Krake

  • Magnum Stache
  • ******
  • Posts: 4861
  • Age: 12
  • Location: UTC-10:00
Re: How to keep my brokerage account safe?
« Reply #49 on: December 11, 2017, 10:29:03 PM »
2FA doesn't have to be by SMS. Google also provides support for their authenticator app and yubikeys.