You may be thinking, "That's a lot of trouble. In the unlikely event that my account is hacked, the financial services company will reimburse me." I think that's a mistake for a few reasons. First, even if the company covers your losses, recovering from the fraud is unlikely to be a pleasant experience. Second, if you don't meet the company's security requirements spelled out clearly on their websites, you might not be covered by their online fraud guarantee, at all. Do you want to take that risk with your savings?
My goals for this post don't include boring you to tears, though that is certainly a risk when one explains technology to people who just want things to work. The truth is that Internet passwords don't work. We need a very different solution for securing online access but unless and until we get that, we have to work with what's available.
One of my goals is to help you avoid losing your hard-earned wealth to online fraud. A second goal is to help you avoid the long, painful process of recovering from online fraud when recovery is possible — you'll find it much easier to stop fraud before it happens than to tidy up afterward. And, my third goal is to keep you from running afoul of requirements that might preclude those "100% online fraud guarantees" offered by financial services companies. I used to refer to them as "online financial services companies" but now almost all of them are.
I warn you up front that some of these measures can be complicated to implement and that they will complicate your financial life a bit. It won't be as easy for you to access your online financial services but it should be a lot more difficult for a thief to do so.
And finally, before diving into security measures, be aware that many online services offer different levels of security that you can implement depending on how much set-up work you are willing to do and how much inconvenience you will tolerate to achieve greater security. You can improve security significantly with stronger passwords, for example. With more work and complexity, you can greatly improve on long-password security by adding two-factor authentication. You will need to decide if the extra security is worth the effort.
You might also think, "This is way too difficult. I'm just going to avoid online access to my accounts altogether."
While this might be achievable in some limited way, it will preclude most investment opportunities. I asked Fidelity Investments if it is possible to open an account with no online access. They thought I had lost my mind. And, should you decide to simply not set up the online access, a thief might well do it for you.
Wade Pfau and the gang at RetirementResearcher.com are seeking volunteers for a research project called the Retirement Income Style Awareness,™ (RISA™). Please consider following this link to the survey. Participants will be able to get results from the survey in the fall.
First, if your computer, smartphone, or tablet is compromised, no other security process can be trusted. If someone installs a keylogger on your computer, for example, that person can watch you type in your log-in credentials from half a world away and it won't matter what other security measures you take; they're looking over your shoulder. Run anti-malware software on your computer and only download smartphone apps from your phone's official app store. This step is essential. There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well.
Next, you probably have a lot of sensitive information on your smartphone. Many services will use your phone to reset your password, for example. A thief doesn't need to learn your password if she can more easily reset it. Actually, a thief doesn't need to physically steal your phone. He may be able to illegally "port-out" your phone number and receive all your phone calls and text messages. Your smartphone is a key to your online security whether or not you intended it to be.
You need to keep that key beyond the grasp of hackers. Bite the bullet and change your lock-screen passcode to at least 8 digits.[3] (Are you still using four digits?) This step is also essential. I'd recommend avoiding lock-screen patterns on Android phones.
For many financial services companies, the use of "third-party aggregators" like Mint.com, Fidelity Fullview and Vanguard Portfolio Watch will violate your guarantee of fraud protection. Charles Schwab explicitly states next to the button to enable these services that they invalidate your guarantee. Stop using them. This is an essential step. You can go to the aggregator websites and turn off the feature but you can also change the passwords on all your financial services accounts (which you probably should do, anyway) and simply not update them at the aggregator website. If your financial data still shows up at your aggregator site, you know you're not finished. The aggregators will no longer have access to your data and you will no longer be in violation of the terms of your guarantee.
Creating strong passwords is an essential step. Make passwords to all your sensitive online accounts at least 12 random characters long. Use upper and lower case letters, numbers and special characters as allowed by the website. Here's an example: Wt4e-7B13^qS. As the saying goes, the best password is the one you can't remember. It has been estimated that an 8-character password can be cracked in hours, nine characters in months, and 12-character passwords in hundreds of years with a brute force attack. If your password contains recognizable words, a dictionary attack can be even faster.
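To make the "12 random characters" advice concrete, here is an added example (not part of the original post) that generates passwords from the operating system's cryptographic random source, checks which of the four character classes a password actually uses, and shows how the size of the search space grows with length. The guess rate is an assumed, hypothetical number chosen only to make the arithmetic visible; real cracking speeds depend on how the website stores its passwords. The same generator also produces the unrelated security-question answers the post recommends further down.

```python
import math
import secrets
import string

# Full printable ASCII set minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical cracking speed, chosen only to make the arithmetic concrete.
# Real attack rates vary by many orders of magnitude with the hash the site uses.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def random_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG (never random.choice, which is predictable)."""
    if length < 12:
        raise ValueError("the post's floor for sensitive accounts is 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer(length: int = 16) -> str:
    """An unrelated 'security question' answer: letters and digits only,
    because many sites reject punctuation in those fields."""
    pool = string.ascii_letters + string.digits
    return "".join(secrets.choice(pool) for _ in range(length))


def character_classes(password: str) -> set:
    """Report which of the four classes the post asks for actually appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def brute_force_years(length: int,
                      guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND,
                      alphabet_size: int = len(ALPHABET)) -> float:
    """Worst case for the attacker: every combination must be tried."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("example password:", random_password())
    print("example security answer:", random_answer())
    for n in (8, 9, 12):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{brute_force_years(n):.3g} years at "
              f"{ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
```

Each extra character multiplies the attacker's work by the alphabet size (94 here), which is why going from 9 to 12 characters buys roughly 830,000 times more work, not 33% more; note that this arithmetic only holds for random passwords, which is the point of the "best password is the one you can't remember" saying.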
Don't reuse passwords. This is essential because cracking one of your passwords compromises every other account using that password. Every sensitive account should have its own.
Never share your password with anyone other than a spouse on a joint account. That will almost certainly invalidate your online fraud protection. If you want an advisor or a spouse to have access to your individual accounts, grant that authority explicitly by filing the appropriate paperwork with your financial services companies instead of going through the "back door" of sharing your passwords. Recognize the risk you're taking by doing this and consider sharing "read-only" access and not authority to transact in your account.
If you write them down, store the list of passwords in a secure location and hide a backup in a different physical location. The next step isn't essential but I find it helpful. I use a password manager to both create random passwords and store them. LastPass, Dashlane, and 1Password are perhaps the best known and you can access passwords from your computer, smartphone, and tablet.
The next level of security (and complexity to implement and use) beyond strong passwords is two-factor authentication. 2FA is perhaps not as essential as strong passwords but many experts would disagree. I consider it mandatory for my accounts but I also recognize that it is complicated for a "non-techie" to understand and implement. I can imagine that most will consider it too complex and that's a shame because it is a huge step up in security.
In essence, 2FA provides a second password that changes every minute and can only be read from an app on your smartphone (or a dedicated hardware token[4]). Unless a thief has access to your smartphone, she can't log in to your account even if she knows your password.
2FA is now offered by most, though not all, financial services websites. I even use 2FA at social media websites and on my email accounts. Two Factor Auth[5] provides a list of websites that support 2FA and PCMag.com[6] explains how to use many of them.
I have found that customer service departments of financial services companies will walk you through implementing 2FA over the phone if you ask and it only takes a few minutes. This is far and away the easiest way to implement 2FA on your account.
There are several ways in which 2FA can be implemented. The passcode can be sent to you in an email, sent to your phone in a text message (SMS), delivered by a voice phone call, or created by an app on your phone. If your financial services company offers a choice, the app approach (or a hardware token) is the safest.[7]
Some websites, like TreasuryDirect®, will email a one-time password (OTP) as a second layer of authentication after you enter the correct password. A lot of people know I can be reached at JDCPlanning@gmail.com and that's the first place a hacker might search for my one-time password. It would be harder for a hacker to intercept my OTP if I have it sent to say, dog73202@gmail.com, which doesn't identify me.
If any of your accounts use 2FA by sending an email, consider setting up an email account with a random name solely to receive 2FA passcodes. Set up a notification in that email account to alert you anytime you receive an email.
Many websites have a "password recovery" process that will reset your password if you answer security questions like "What was your high school mascot?" It makes no sense to go to all this trouble to secure a password when someone can "recover" your password by answering these security questions after reading your social media posts or by Googling your name.[10]
(I checked my password recovery questions on an email account I use for junk and found that a hacker would need to either spend hundreds of years guessing my password or simply guess the name of my favorite band to gain access to my account.)
I make up unrelated answers to these questions and store both the questions and the answers with my passwords. For example, I might choose the question "What was your school mascot?" ("Eagles" is a good guess for a hacker.) I might enter "bookbinder" as the answer.
Thieves can sometimes illegally "port-out" your mobile phone number to their phone and the only indication you will get that this has happened is that your phone will stop working. They'll receive your text messages and phone calls so they'll intercept any one-time passwords sent by either of those methods. Furthermore, many online accounts will allow you or a thief to recover your password by texting or calling your phone and the thief is now the recipient of both of those. You may have the physical phone in your hand but all of your voice calls and text messages will now go to the thief's phone.
To illegally port-out your phone number, a thief only needs some basic name and address information about you and a PIN that is set up at your wireless carrier's website. Better beef up the security of the password and PIN on your wireless carrier account. Krebs on Security tells you how.
Log on to your wireless carrier online account and make sure your PIN isn't something obvious like "1234" or the last four digits of your social security number. Use a strong password on your wireless carrier's website. I added 2FA to mine. Otherwise, the fraudster can hack into your wireless carrier account and change that PIN. Your smartphone, one way or the other, is the key to much of your online security. If it is lost or stolen, take action immediately.[8,9]
Since this all began with a reader's comment regarding security at TreasuryDirect®, let's look at how we might secure accounts there.
To log on to a TreasuryDirect® account, a thief will need your account number, a password for that account, an email address to which TreasuryDirect® will send a one-time passcode each time we attempt to log on, and that one-time passcode.
First, create a random password at TreasuryDirect® that is at least 12 characters long. Then, create unrelated answers to password recovery security questions at TreasuryDirect®, as described above.
Create a new email address with a random name and direct TreasuryDirect® to send one-time passwords there instead of sending it to your public primary email address. Secure the email account with a long, random password.
Now, a hacker will need to learn your TreasuryDirect® account number, hack its long random password, figure out what e-mail account you have told TreasuryDirect® to send your one-time password, and hack that e-mail's long random password to learn your OTP. If he tries to hack your TreasuryDirect® account using password recovery, he will need to know that you told TreasuryDirect® that your father was born in the city of banjo.
I believe any web-based service is hackable but a thief could probably find an easier way to steal money than this.
If you only install anti-malware software on your computer and improve your passwords, you will greatly enhance your online security. If this seems overwhelming, start by improving all of your passwords on financial services company websites and do more later.
You can download a checklist in Word to organize your security enhancement project. I included a sample using a Charles Schwab account. Click the link to see the document, then click download to save a copy.
This is the world we live in. Practically all financial services companies have an online presence with fraud guarantees provided only if the company considers that you have adequately protected your login credentials.
I realize that most readers will find this all quite complicated even with the links I have provided but this is your retirement savings we're trying to protect here and if your security doesn't meet the standards of financial services companies, their "100% online fraud guarantee" might not be available to you. Follow these steps and you are far less likely to ever need to recover from online fraud or rely on a fraud protection guarantee.
Some readers are having problems posting comments anonymously. Please feel free to email comments to JDCFinance@gmail.com and request that I post them anonymously.
REFERENCES
[1] Avast for Mac
[2] Windows Defender, Microsoft.
[3] Change Your iOS Passcode, or Change Your Android Passcode.
[4] Some financial services companies will provide, often for free, a hardware "token" to generate the 2FA passcode instead of using your phone. See Protect Your Investment Accounts With A Security Token.
[5] Two Factor Auth list of 2FA supported websites.
[6] Two-Factor Authentication: Who Has It and How to Set It Up, PC magazine.
[7] This is why you shouldn’t use texts for two-factor authentication, TheVerge.com. Major SMS security lapse is a reminder to use authenticator apps instead, TheVerge.com.
[8] If your iPhone, iPad, or iPod touch is lost or stolen.
[9] Find, lock, or erase a lost Android device, Google Help.
[10] Time to Kill Security Questions—or Answer Them With Lies, Wired.
[11] This is why your six-digit iPhone passcode isn’t secure, BGR.com.
For a better password recommendation, see: https://blog.1password.com/better-master-passwords-the-geek-edition/
Hi Dirk, Thank you for the excellent article! I believe you have one piece of advice that is in direct conflict with Vanguard's fraud protection policy. You say to use a password manager program which I agree is excellent advice. However, Vanguard states on their web site the following: "Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts." In order to comply with the letter of this policy I have removed my Vanguard accounts from my password manager that is stored on my computer. I have a separate encrypted thumb drive that I now plug in to my USB port to access my username and password when needed. After logging in I then remove the thumb drive. I'm not sure what Vanguard actually had in mind but I'm not taking any chances.
It is in conflict but it is not clear to me how not to be in conflict with it.
I am forced to choose between making my account less hackable with a password manager, possibly invalidating the guarantee, or being less secure and hoping Vanguard will honor the guarantee if I am hacked.
A thumb drive would appear to technically satisfy Vanguard's requirements but would have many of the same issues as a paper list. USB drives do fail, can be lost or stolen, etc. I would recommend that you keep a backup of the USB drive in a different physical location, though then you have doubled the chances of having it stolen.
I don't know a perfect solution but I think making the risks clear is important.
The Kingston Data Traveler USB drive I purchased is password protected. I actually have two and carry one on my key ring and store one at home. If either is stolen they can't be accessed (hopefully!!). If my house burns down, I have the other with me.
Great article Dirk! Here are a few other ideas/comments (some are iOS specific, as I have no Android expertise) for your readers:
I am glad you discussed security questions and promoted lying as a solution. The best sites allow you to create your own question and answer.
When I asked Schwab, they stated investors can open and manage accounts without online access or a cell phone. Everything can still be done via paper, landline and/or in-person, which is crucial for many seniors. I was told this approach is common, even for seniors who have a computer, but who are not comfortable using it for financial needs. This approach would incur additional trading costs.
It is also important to minimize the risk of hacking via social engineering. I suggest setting-up obscure verbal passwords for all critical accounts. This way the first thing you are asked when calling is the password. Without it they should not discuss or allow changes to the account. Just like online passwords, these can be saved in a password manager.
Freezing your credit at the three major agencies is also beneficial and is now free to all. When doing so, be sure you secure these accounts as you would a bank or brokerage account.
Password managers are a great tool. Users should consider where the data is stored, who holds the encryption key and if browser integration is desired. These choices will entail a tradeoff between security and convenience.
Rather than an 8-digit lock-screen password, I suggest using a long letter/number/character combination, as you would for other passwords. This is somewhat less onerous with biometric access features.
Learn how to quickly force your phone to require a password, rather than biometrics, for those times/places where you might be at risk.
Settings in iOS allow you to block conventional brute force passcode hacking, via adding a delay after failed attempts and erasing all data after 10 failed attempts. Note that if you are forgetful and/or have little ones who play with your phone this may not be a good fit. :-)
If you believe your iPhone has been stolen or permanently lost, you can delete the data via find my iPhone.
Adding a trusted person to your account records may be beneficial. Atypical transaction attempts, whether due to cognition or hacking, may get flagged and held up until the trusted person is contacted.
Thanks for penning one of the best financial security articles I have read in many years.
Thanks for the kind words and the additional information!
Great to know you can open an account with Schwab that has no online access. Since they offer a broad range of services and products, they're an option for people who just don't want to go online.
I contacted Vanguard and asked if it is possible to create an account with no online access. They replied that it is possible for a new account (which suggests that they can't convert an existing account) and they weren't all that encouraging:
"Yes, a brand new investor can open an account at Vanguard without online access. In theory, they would submit a paper account application and then call into Vanguard every time they needed assistance with their account."
I got good ideas from this Dirk. I already have 1Password and like it, but there are several other things I had not considered. Thanks. Jan
I am concerned about the security of the written question/passwords lists. Any practical suggestions for enhancing their security?
Thank you
Some people (I'm not one of them) are reluctant to store their encrypted passwords in the cloud when using a password manager. They insist on writing them down. Some worry about writing them on paper because the list can be found, lost in a fire or flood, etc. There is no remote access to a paper list if you happen to be away from home and need it. It's also hard to keep a paper list updated.
The main complaint about writing down passwords is that you won't hide the list well and, instead, will write it on a sticky note attached to your monitor. It's obviously better to keep the list in a fireproof safe or, at a minimum, hide it well away from your computer.
Neither solution is perfect. Do what feels best for you.
I read your August 6 post and your July 31 post with great interest. I follow you on twitter and read all of your blog posts at The Retirement Cafe—they are excellent—thank you for all that you do.
I did have a few questions. I use Personal Capital, which is a financial aggregator, and I very much like it. It is the one place that allows me to see all of my accounts (I have investment accounts at Vanguard, Schwab and Wells Fargo, and have a checking account at a different bank) all in one place. Based on your articles, it sounds like I should stop using it altogether. If I do that, is there any other site that you like that would be more secure than Personal Capital?
If I do stay with Personal Capital, is there anything you would recommend to try and make Personal Capital more secure? What if I contacted them and requested that they add two factor authorization; would that change your opinion in any way?
Do you have the same concerns about aggregation sites, such as Personal Capital, when it comes to accounts that are in a 401k plan with an employer? In other words, I understand that a hacker might access my taxable accounts, but do you have the same worry about a hacker accessing and stealing my 401k account balance that is with my employer?
Thanks again for all you do.
Good questions, all.
The easy one first. Unrelated to the aggregator and "sharing passwords" issue, I recommend 2FA for all online financial accounts. And, you need to start with a long, random password even with 2FA. Adding 2FA, however, won't fix the password-sharing issue.
The sharing issue is unrelated to the security of the aggregator website. Let me explain by using just two investments firms, Vanguard and Fidelity. Let's assume that you have investments with each. Each offers an aggregation service, Fidelity Fullview and Vanguard Portfolio Watch.
If you choose to use Fidelity Fullview to aggregate your accounts, then you need to provide Fidelity with your Vanguard login credentials. Fidelity would be very happy if you used their aggregator service. Vanguard won't be as happy if you use Fidelity to aggregate your accounts because you will be sharing your Vanguard password.
The Vanguard website says:
"We'll reimburse you the amount taken from your Vanguard account in an unauthorized online transaction on vanguard.com if you've followed the steps described in the Your responsibilities section below.
Your responsibilities
You should be aware of the risks of sharing your account information: If you share your vanguard.com user name and password, or if you allow someone to access your account information, activities performed with your shared or accessed credentials or information may be considered authorized. If you've given someone authority to transact on your behalf, that person's activity is authorized."
Note the phrase, "may be considered authorized." This is common and suggests that under certain circumstances they may or may not reimburse you. Doesn't inspire a lot of confidence.
On the other hand, if you decide to aggregate at Vanguard, Fidelity will be less happy with you. From Fidelity:
"Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
So, the issue isn't one with the aggregator website (Personal Capital in your case), or the aggregator website's security, but with the "aggregated websites" whose login credentials you have shared.
By the way, you could choose Mint.com as your aggregator and neither Vanguard nor Fidelity would be happy and you might not have online fraud protection from either.
My best advice is to google the online fraud guarantee of all parties, read what they have to say about sharing login credentials, and make your decision. You have to weigh the convenience of an aggregator with some degree of uncertainty as to whether the aggregated companies will back their online fraud guarantee.
In response to your last question about retirement plans with your employer, you have to read their online fraud guarantee, too. We communicated after you asked and I am aware that you found that your 401(k) plan has a fraud protection statement with a similar caveat.
Thanks for the questions!
I use the Vanguard portfolio watch to have a one stop view of my stash. I do not give Vanguard access to my outside account credentials though. I update them manually once a month when interest posts and when quarterly dividends or other significant transactions occur. It’s a bit inconvenient, but secure.
I would suggest also utilizing your broker's voice recognition system. I very rarely call them, but I don't want them thinking a hacker is me for lack of setting this up.
If you're handy with Excel, you can also download .csv files from your various financial services companies and merge that way.
I use and recommend voice recognition where available.
I use a program called fund manager. It automatically updates the prices with one click. I don't give the program access to my accounts so I need to update dividends and other distributions manually. But at least I can see all of my accounts in one place. Have been using it for years and like the program a lot. https://www.fundmanagersoftware.com/
The situation doesn't seem sustainable. As time goes on, the ability to come up with protections seems outpaced by hackers' ability to hack. And as people approach and enter retirement, their life savings amount is the largest, making them attractive targets of hacking. But their cognitive ability to implement the increasingly complex protections might be declining.
At some point the sisters and brothers, daughters and sons, will be upset enough that the pendulum has to start swinging back the other way. Am I wrong? Oh, how I long for a flip phone!
I think you're absolutely correct. It isn't sustainable. And, there seem to be market pressures against aggregators. Vanguard's website says, "Account aggregation through vanguard.com is closed to new enrollments. However, it's available to select shareholders."
Banks have issues with aggregators and FINRA issued a warning.
So, I think the industry is aware of the problems but I don't think most consumers are.
Until there is a solution, though, we have to work with what we have.
Hi Dirk, nice article. Question on sites like Vanguard/Fidelity: they have a feature that if someone tries to sign in from another computer not known to them, they then ask security questions to allow access. Not perfect but still does add some extra steps to stop or slow down a hacker. Also, if your accounts have alerts set up, do you think that helps? That is, a text and/or email notice when a transaction on your account is being done?
thanks
Good questions. I address the security question issue in the post. Their weakness is that people tend to choose answers that are easily guessed or discernible from your social media or by googling you. The post suggests creating random answers.
If the answers are easily guessed or can be easily found, like the city in which you were born, they actually hurt security. You will see in another of my responses above that I recently reviewed an email account that I created just for junk, so nothing personal. I was allowed to set up one security question and I found I had chosen "city of birth." So, a hacker would either need to crack my long, random password or search the web for the city of my birth. Guess which one takes longer. The security question was an easy-to-unlock alternative door to my account.
Alerts definitely help and I always enable them. But, if a hacker in Russia hacks my account while I'm sleeping, she may drain my account before I can stop her. Then I'm back to depending on the brokerage company to deem me worthy of covering my losses.
Hi, Dirk,
Great article as always. A point of clarification though. You state, "There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well." I can't comment on Avast for Mac, but Windows Defender is an Anti-Virus program, not an anti-malware program. Malwarebytes, though, IS an anti-malware program that works on many platforms, comes as a free product, or can be upgraded to a paid version.
For those using a Password Manager, any of the programs you mention do NOT store passwords on the personal computer but on a secure website. They are great for accessing passwords from multiple devices.
Thanks for the comments but I believe you are mistaken on all three points. "Malware" is short for "malicious software" so all viruses are malware, though all malware are not viruses.
Password managers do, in fact, store passwords on your computer, as LastPass, and I suspect most others, will also operate in an offline mode with no server access.
Lastly, password managers generally don't store your passwords on a secure server. LastPass, for example, encrypts and decrypts all passwords on your local machine and stores only a one-way salted hash of your password on their servers. Consequently, someone hacking LastPass' servers will not be able to decrypt your passwords because the keys are on your local machine.
I do share your fondness for Malwarebytes and appreciate you reading my blog!