Wednesday, July 31, 2019

You're Responsible for Your Own Online Security

Credit cards, debit cards, ATMs, and electronic fund transfers (EFTs) offer excellent fraud protection but your bank, credit union and investment company's online protections aren't as strong.

In response to my post, The Best Inflation Protection You Never Heard Of, a reader commented that he/she avoids I Bonds due to security concerns with TreasuryDirect.® It didn't take long to find several threads on the topic. The primary concern seems to be this statement from the Code of Federal Regulations:
§363.17   Who is liable if someone else accesses my TreasuryDirect® account using my password? You are solely responsible for the confidentiality and use of your account number, password, and any other form(s) of authentication we may require. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost, or expense that you may incur as a result of transactions made using your password.[72 FR 30978, June 5, 2007]
Should you be concerned about security issues at TreasuryDirect,® the only place where you can purchase I Bonds? I think you should be concerned about the security of online access to your holdings at all financial services companies and I think your security is largely up to you.

Having your financial services company hacked is different than having your individual account hacked using Internet access. I'm addressing the latter but the former happens with amazing frequency and you will be protected from those breaches. You probably won't even know it happened to your company until you read about it in the paper.[1]

You will probably find wording similar to that of the TreasuryDirect® statement above at the websites of all of your banks, credit unions, investments companies, and other financial services.

First, let's look at where we are protected.

Electronic Fund Transfers.

According to the Federal Reserve, "Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems such as automated teller machine transfers, telephone bill-payment services, point-of-sale (POS) terminal transfers in stores, and preauthorized transfers from or to a consumer's account (such as direct deposit and social security payments). The term "electronic fund transfer" (EFT) generally refers to a transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs a financial institution either to credit or to debit a consumer's asset account."[2]

Section 205.6 of Regulation E states the liability of [the] consumer for unauthorized transfers, "[Regulation E] limits a consumer's liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited."

At first glance that would appear to cover online access to your account at a bank or credit union — they are both subject to Regulation E and it specifically mentions computers — but that does not appear to be the case. The catch seems to be in how your bank or credit union defines "unauthorized access."

Credit Cards.

According to[3],
"Under the Fair Credit Billing Act, your liability for unauthorized charges depends on whether the thief personally presented your card to make the purchase, or just stole the number.
    • If the thief personally presents your card to make the purchase, the card issuer can't hold you liable for more than $50 in fraudulent charges. (12 C.F.R. § 1026.12). Many card issuers waive this $50.
    • If the thief stole the number, but not the card, you have no liability.
In either of the above situations, however, it's important to notify the card issuer as soon as you know of the theft—by phone and in writing.
Additional information regarding how to report fraud is also available at the NOLO link.[3]

ATM and Debit Cards.

Also from,
"With ATM or debit cards, you must act quickly in order to avoid full liability for unauthorized charges when your card is lost or stolen. Under the federal Electronic Fund Transfer Act, your liability is:
    • $0 if you report the loss or theft of the card immediately and the card has not been used
    • up to $50 if you notify the bank within two business days after you realize the card is missing
    • up to $500 if you fail to notify the bank within two business days after you realize the card is missing, but do notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals, or
    • unlimited if you fail to notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals. (15 U.S. Code § 1693g).
If you can convince the bank that your notification failure was due to extenuating circumstances, it must extend the notification timeline for a "reasonable period."
If your card wasn't lost or stolen, but the number is used for unauthorized transactions, you aren't liable for those transactions so long as you report them within 60 days of the statement being sent to you.
In response to consumer complaints about the possibility of unlimited liability, some card issuers cap the liability on debit cards at $50. And some banks don't charge anything if unauthorized withdrawals appear on your statement. Also, some states have capped the liability for unauthorized withdrawals on an ATM or debit card at $50."
So, for ETFs, credit cards, debit cards, and ATMs, the fraud protections are pretty strong but what is the extent of our protection for accounts with other financial services?

Banks and Credit Unions.

As I previously mentioned, banks and credit unions are subject to Regulation E and that regulation seems to protect online access to your account. A review of a few online-fraud policies, however, reveals a loophole that limits their guarantees of "100% fund recovery" if you "share" your login credentials or don't "adequately" protect them.

My credit union states in its "Zero Liability Guarantee for Online Fraud" policy, "You should not share your UserID and/or password with anyone. If you share this information with anyone, any actions they perform on your accounts online are considered to be authorized by you."

I found similar statements at bank websites. Wells Fargo's states, "To qualify for the protections provided by the Online Security Guarantee, you must. . . Never disclose your personal account information to others (including your Personal Identification Number (PIN), online username, password, one time passcodes, RSA SecurID® token, or any other security credential you may use to access your accounts)"[4]

Wells Fargo's statement goes on to warn that, "If your device allows access to anyone other than you via fingerprint, that person will also be able to access your Wells Fargo Mobile downloadable applications on the same device when Touch ID® or fingerprint is enabled, and their transactions will be considered authorized."

So, if your phone's fingerprint access feature fails, allowing someone to gain access to your login credentials, Wells Fargo treats that as your authorization for that person to make transactions in your account. And, those fingerprint readers may not be as secure as you think.[5]

You can find your investment company's online-fraud protection policies, well. . . online.[6,7,8] Most of the investment companies I researched do offer full protection against fraud except for fraud committed when you share your login credentials. The problem is that most have a very broad definition of "sharing." Fidelity Investments states, for example,[6]
"What are examples of where I won't be covered?

If you grant authority to, or share your Fidelity account access credentials or information with, any persons or entities, their activity will be considered authorized by you. Losses of cash or securities transferred to outside accounts that are beneficially owned by you are not covered by this guarantee. Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
Fidelity also lists some types of assets that aren't protected:
"What assets may not be covered?

Assets including certain annuities and insurance products, Fidelity Advisor Fund accounts, and Fidelity Advisor 529 accounts are not covered because they are held away from or maintained by someone other than Fidelity."
In a timely email, Charles Schwab just this week sent me the following information:
"We want you to have the highest level of confidence when you do business with Schwab. That's why we offer you this simple guarantee: Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity. Read more about our Security Guarantee at"[7]
That sounds excellent until you click on that link and see the limitations of the guarantee:
"Does the guarantee apply to my account if I use a financial application ("app") or program that retrieves my account data from Schwab for things like financial planning or to help me manage my finances?

Yes, with some conditions. You must not share your Schwab login credentials with anyone or through a non-Schwab app. A firm that retrieves, aggregates, and presents account information to a customer for financial activities is known as an "aggregator." When you authorize an aggregator and instruct Schwab to allow the aggregator access to your account information, the aggregator as well as its employees, agents and financial apps and companies the aggregator does business with who receive your Schwab account information ("aggregator third parties") are considered your authorized persons. The guarantee only applies to unauthorized activity in your account. What an aggregator or an aggregator third party does in connection with your account and your information is authorized, so the guarantee does not apply to their actions."
Sharing login credentials typically invalidates that "100% guarantee" that your loss will be recovered. How broad can a financial service company's definition of "sharing" be?

  • Providing your login credentials to any other person, such as a financial advisor, is generally considered sharing. One company's website suggested that giving your login credentials to your spouse is sharing and recommended that spouses submit paperwork to give one another access to their accounts, instead.
  • Providing login credentials to a third-party aggregator is typically considered sharing. Popular third-party aggregators include, Vanguard's Portfolio Watch, and Fidelity Investments Fullview.
  • As mentioned above, Wells Fargo assumes that you have shared your login credentials with anyone who can fool your smartphone's fingerprint ID feature.
  • Fidelity Investments assumes that someone who learns your login credentials by a security breach or malware is authorized to access your account.
  • TreasuryDirect®'s statement above appears to state that anyone who has your login credentials is authorized to make transactions in your account regardless of how the credentials were obtained.
The message is quite clear: if you want a guarantee against online fraud, don't share your login credentials with anyone or anything and don't let them be stolen. Some recurring themes run through these policies.

  • You have no fraud protection guarantee at any investment company I have researched if you share your login credentials,
  • The company's definition of "sharing" can be quite broad,
  • Investment companies can have vastly different descriptions of what they consider "adequate" protection of your credentials, and
  • Some company's don't protect all types of accounts.

When I began research for this post, I had hoped to be able to provide some general guidelines for all banks, credit unions and investment companies regarding their online fraud protection. Unfortunately, I found that they vary so much that I needed to read every policy for every financial services company that I use to understand my protections and what I am required to do to be eligible for their "100% online guarantees." I changed my passwords at each one, in part so I no longer run afoul of "third-party-aggregator sharing" rules and to be completely honest, in part because the protections weren't as ironclad as I had assumed. I strongly suggest that you do the same.

So, bottom line, fraud protection at investment companies, banks and credit unions is significantly weaker than for credit cards, debit cards, ETFs, and ATMs.

But what about SIPC, you ask? Isn't it the equivalent of FDIC for banks? No, SIPC offers protection of assets at failed brokerage firms. According to their website[9], "SIPC protects against the loss of cash and securities – such as stocks and bonds – held by a customer at a financially-troubled SIPC-member brokerage firm. The limit of SIPC protection is $500,000, which includes a $250,000 limit for cash. Most customers of failed brokerage firms are protected when assets are missing from customer accounts."

Unless it is failing, your investment company backs your brokerage accounts, not SIPC.

Having read this post, extremely risk-averse investors might be tempted to try to find financial services companies with no Internet access. They may be surprised by how difficult that has become. This is the world we live in: we're forced online but not adequately protected from online security problems. Security is largely in our own hands.

Fortunately, there are steps we can take to secure our accounts. Unfortunately, none is perfect.

Here's my advice. Google "online fraud protection company name" for every bank, credit union, investment company or other financial services company you use online. (Links to a few are provided below in REFERENCES.) Search their websites for the following information:
  1. Is there an online fraud guarantee?
  2. Under what conditions are you not covered?
  3. What types of accounts are covered?
  4. What actions does the company require on your part to ensure that your login credentials are "adequately" secured?
Here's a tech hint that will help when they play the fine-print game. Command+ on a Mac or CTRL+ on Windows will usually increase that tiny font as much as you'd like. (I'm looking at you, Fidelity.)

Because this post is already, as my grandfather would say, longer than a horse's face, I have posted  some recommend security measures you should implement with all of your financial accounts, including TreasuryDirect® at How to Secure Your Online Financial Accounts.


[1] For Big Banks, It’s an Endless Fight With Hackers, New York Times.

[2] Regulation E, federalreserve.

[3] Your Liability for Unauthorized Credit and Debit Card Charges,

[4] Wells Fargo online fraud policy.

[5] That Fingerprint Sensor on Your Phone Is Not as Safe as You Think, New York Times.

[6] Fidelity Investments online fraud policy.

[7] Charles Schwab fraud policy.

[8] Vanguard Investments Online Fraud Policy

[9] Securities Investor Protection Corporation (SIPC) website.


  1. Hi Dirk, Vanguard appears to have a pretty simple and comprehensive fraud protection policy. However, I was a bit surprised to see "Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts." since many people use password managers. And I thought using a good password manager is preferred over typing username and password manually which could be stolen by a keyboard logging virus.

    1. I don't find the policy clear, at all. Will using a third-party aggregator invalidate my guarantee? They imply it but don't clearly state it.

      The website says, "activities performed with your shared or accessed credentials or information may be considered authorized." May be? Does that mean they will decide whether to cover your losses after you incur them? On what basis will they decide?

      What are "accessed credentials?" If a hacker steals my password, is it then an "accessed credential?"

      A clear policy would say, "If your account is hacked, we'll cover your losses." The policy doesn't state that.

      I'm not picking on Vanguard; their policy looks pretty much like everyone else's.

      A password manager should protect you from basic keyloggers but keyloggers come in all shapes and sizes. Some can screen-capture, some can intercept a cut-and-paste, etc. I wouldn't rely on what a hacker's keylogger might or might not be able to do. The best protection here, I think, is to use anti-malware software to keep keyloggers off your computer to begin with, not to hope that your password manager can defeat them.

      Thanks for reading!