OVER A PRODUCTIVE 30-year career that ended in 1950, Willie Sutton robbed as many as 100 banks for gains worth $40 million today—without ever firing a shot. That sort of bank robbery is rare now and, when it happens, customers don’t lose a dime, thanks to FDIC insurance.
Today, Sutton—the Babe Ruth of robbers—wouldn’t waste time knocking over banks. Trillions of dollars held in millions of internet-accessible retirement and brokerage accounts are much softer and more lucrative targets. He’d use a cyber-heist known as an account takeover. For that, our modern Willie Sutton would log into your account with your weak and often reused password (the one exposed in that massive breach, which criminals try against thousands of other sites in what’s called credential stuffing), or by stealing your password when you click a link in his spear-phishing email and type it into a look-alike login page. In a typical takeover, Sutton would sign in, link a bank account he controls to yours and then start transferring cash out. All while sipping espresso.
But that won’t happen to your online retirement accounts, right?
In a recent incident, elderly grandparents in Illinois had $40,000 wired out of their hijacked Fidelity Investments account. They discovered the theft long after the money had vanished by wire transfer into a bank account that the attacker had linked to theirs. The money was then transferred again and lost forever. It seems investors don’t need to dump their retirement savings into cryptocurrency or lottery tickets to lose it all. Instead, just sign up for online access to your investment accounts.
Was the couple reimbursed? At first, the answer was “no” because they reported the incident long after the deadline in their account agreement. On top of that, they hadn’t enabled certain security features that would have made it harder to change account contact information or to add additional linked bank accounts to their investment account.
Who bears the cost of these sorts of incidents is highly dependent on circumstances. There’s little consistency in cybercrime fraud policies across mutual fund and brokerage firms, and no industry-wide insurance system that pools risk and reimburses losses. Investment firms aren’t keen to bear the full burden of liability unless you’ve used certain security features on their site—many of which are off by default. This feels a bit like an automaker that sells cars with seat belts and airbags that are optional, and then accuses customers injured in car crashes of negligence.
Want to reduce the risk of loss? Here are five habits that’ll help protect you and your investment company:
1. You keep your devices and network secure. Strong security must start here. On each device used for account access, you have an operating system that’s current with the latest security fixes. Ditto for your web browser. You’re using anti-malware software on each device. Your home network sits behind your router’s firewall. Its wireless network is not open and uses current wi-fi security: WPA3 if your router offers it, otherwise WPA2 with AES encryption, and never WEP or the original WPA, both of which are easily cracked.
2. Your account passwords are strong, unique to each site and never shared with anyone. You use a good quality password manager to generate the longest random password that each account’s website or app will accept, so a password leaked from one site can’t be reused to open your brokerage account.
3. You protect sensitive accounts with multifactor authentication (MFA). Your investment and bank accounts are ideal places for MFA, but so too is your email account, cell phone service account and password manager.
On mobile devices, facial or fingerprint recognition can serve as one of the factors. You can also use hardware security keys like YubiKey, which are highly secure, fairly cheap, durable, easy to use, and work with virtually all devices and browsers. Get at least two so you aren’t locked out when you lose one. Companies like Vanguard Group and Bank of America support security keys that meet industry (FIDO) standards, and more are expected. Until then, you can still get short security codes from your financial firm via text message or an authenticator mobile app. That’s less secure: a texted code can be intercepted by someone who hijacks your phone number with a SIM swap, and any code you type in, whether from a text or an app, can be captured by a phishing page and replayed by the attacker within the few seconds or minutes it remains valid. A security key never hands its secret over and only responds to the genuine site. Even so, codes are far better than no MFA at all.
4. You reduce your risk exposure. You never use public computers or public wi-fi networks to access financial accounts. When someone calls claiming to represent your bank or investment company, you hang up and call back the firm at the phone number on your recent statement or send a secure message within the firm’s mobile app or web site. You’re vigilant for oddities in emails or text messages which tip off a phishing attack.
5. You closely monitor your account balances. Ideally, you’ve configured each account to notify you of all transactions, as well as security sensitive operations like adding a new bank account, changing the address or phone numbers on record, or cash transfers out. Even with that, it’s wise to check balances at least monthly to avoid reporting an incident past any required notification period.
Nothing in this world is perfectly secure, but habits like these put you at less risk of falling victim to this century’s Willie Sutton. Showing you’ve taken care with security will also help you avoid accusations of gross negligence, which may lead to a more favorable outcome if a bad incident happens.
This critical thinking goes both ways. Choose to keep investments with companies that are secure themselves—tricky, as there are no industry scorecards. Also favor firms that have clear and reasonable fraud protection policies, and that are helping their customers get and stay more secure with convenient, state-of-the-art technology.
David Powell has spent his career writing software and leading engineering teams. During his 40 years working in tech, he has come to respect the limits of human imagination in any planning. Follow David on Twitter @AmpedGo and check out his earlier articles.