Over a productive 30-year career that ended in 1950, Willie Sutton robbed as many as 100 banks for gains worth $40 million today, without ever firing a shot. That sort of bank robbery is rare now and, when it happens, customers don’t lose a dime: the stolen cash is the bank’s loss, not the depositor’s.
Today, Sutton, the Babe Ruth of robbers, wouldn’t waste time knocking over banks. Trillions of dollars held in millions of internet-accessible retirement and brokerage accounts are much softer and more lucrative targets. He’d use a cyber-heist known as an account takeover. For that, our modern Willie Sutton would log in as you, either with a password you reused elsewhere that turned up in a breach (attackers feed such leaked credentials into financial sites by the millions, a technique called credential stuffing) or with one you typed into a look-alike login page after clicking a link in his spear-phishing email. In a typical takeover, Sutton would log into your account, link a bank account he controls to yours and then start transferring cash out. All while sipping espresso.
But that won’t happen to your online retirement accounts, right?
In a recent incident, elderly grandparents in Illinois had $40,000 wired out of their hijacked Fidelity Investments account. They discovered the theft long after the money had vanished by wire transfer into a bank account that the attacker had linked to theirs. The money was then transferred again and lost forever. It seems investors don’t need to dump their retirement savings into cryptocurrency or lottery tickets to lose it all. Instead, just sign up for online access to your investment accounts.
Was the couple reimbursed? At first, the answer was “no” because they reported the incident long after the deadline in their account agreement. On top of that, they hadn’t enabled certain security features that would have made it harder to change account contact information or to add additional linked bank accounts to their investment account.
Who bears the cost of these sorts of incidents is highly dependent on circumstances. There’s little consistency in cybercrime fraud policies across mutual fund and brokerage firms, and no industry-wide insurance system that pools risk and reimburses losses. Investment firms aren’t keen to bear the full burden of liability unless you’ve used certain security features on their site—many of which are off by default. This feels a bit like an automaker that sells cars with seat belts and airbags that are optional, and then accuses customers injured in car crashes of negligence.
Want to reduce the risk of loss? Here are five habits that’ll help protect you and your investment company:
1. You keep your devices and network secure. Strong security must start here. On each device used for account access, the operating system is current with the latest security fixes, ideally with automatic updates turned on. Ditto for your web browser. You’re using anti-malware software on each device. Your home network sits behind a firewall. Its wireless network is not open and uses current wi-fi security (WPA3 or, failing that, WPA2 with a long passphrase; never WEP or the original WPA, both of which are broken).
2. Your account passwords are strong, site-specific and never shared with anyone. In a strong security world, you’re using a good quality password manager to generate the longest random password that each account’s website or app will support.
3. You protect sensitive accounts with multifactor authentication (MFA). Your investment and bank accounts are ideal places for MFA, but so too is your email account, cell phone service account and password manager.
On mobile devices, facial or fingerprint recognition can unlock the second factor (a passkey or the login app’s credential) without the biometric ever leaving the phone. For MFA, you can also use hardware security keys like YubiKey, which are highly secure, pretty cheap, durable, easy to use, and work with virtually all devices and browsers. They resist phishing because the key signs a challenge that is bound to the real site’s domain, so a look-alike site gets nothing it can replay. Get at least two to avoid locking yourself out when you lose one. Companies like Vanguard Group and Bank of America support security keys that meet industry standards, and more are expected. Until then, you can still get short security codes from your financial firm via an authenticator mobile app or, less securely, via text message. A code can be phished and relayed within its time window, and text messages can be hijacked by a SIM swap, but either is better than no MFA at all.
4. You reduce your risk exposure. You never use public computers or public wi-fi networks to access financial accounts. When someone calls claiming to represent your bank or investment company, you hang up and call back the firm at the phone number on your recent statement or send a secure message within the firm’s mobile app or web site. You’re vigilant for oddities in emails or text messages which tip off a phishing attack.
5. You closely monitor your account balances. Ideally, you’ve configured each account to notify you of all transactions, as well as security sensitive operations like adding a new bank account, changing the address or phone numbers on record, or cash transfers out. Even with that, it’s wise to check balances at least monthly to avoid reporting an incident past any required notification period.
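As an added example, not part of the original article: the difference between a relayable one-time code and an origin-bound FIDO assertion, modelled in Python. The TOTP half follows RFC 6238 as authenticator apps implement it. The FIDO half is a deliberately simplified model of WebAuthn: an HMAC over a shared secret stands in for the authenticator’s private-key signature, and the relying-party checks (origin, challenge, rpIdHash, signature over authenticatorData plus the client-data hash) mirror the real protocol’s checks. The site names, secret and challenge are constructed for the demo.

```python
import hashlib
import hmac
import json
import struct

# ---- Part 1: TOTP (RFC 6238), the "authenticator app" code ----------------
# The code depends only on the shared secret and the clock. It carries no
# information about WHICH site the user typed it into, so a phishing page
# that relays it to the real site inside the 30-second window is accepted.

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a 30-second counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def bank_verifies_totp(secret: bytes, code: str, now: float) -> bool:
    """Typical server check: accept the current window and one on each side."""
    counter = int(now // 30)
    return any(hmac.compare_digest(totp(secret, counter + d), code) for d in (-1, 0, 1))

# ---- Part 2: simplified FIDO/WebAuthn assertion ---------------------------

def make_client_data(origin: str, challenge: str) -> bytes:
    # The browser, not the web page, fills in the origin it is really showing.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()

class Authenticator:
    """Model of a security key: one credential per relying-party ID."""
    def __init__(self):
        self.credentials = {}  # rp_id -> secret (stands in for a private key)

    def register(self, rp_id: str) -> bytes:
        key = hashlib.sha256(b"constructed-credential:" + rp_id.encode()).digest()
        self.credentials[rp_id] = key
        return key  # a real key would hand back only the public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId: nothing to sign with
        # authenticatorData = sha256(rpId) || flags (user present) || counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()

def browser_webauthn_get(authenticator: Authenticator, page_origin: str, challenge: str):
    # The browser derives rpId from the page's own origin; a page cannot claim
    # another site's rpId, so a look-alike domain gets a look-alike rpId.
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    client_data = make_client_data(page_origin, challenge)
    result = authenticator.get_assertion(rp_id, client_data)
    if result is None:
        return None
    auth_data, sig = result
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(assertion, rp_id: str, expected_origin: str, issued_challenge: str,
              credential_key: bytes) -> bool:
    """Relying-party checks in the order WebAuthn specifies them."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != issued_challenge:
        return False  # stale or replayed assertion
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # signed for a different relying party
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(credential_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

# ---- Constructed scenarios --------------------------------------------------
BANK_RP_ID, BANK_ORIGIN = "bank.example", "https://bank.example"
PHISH_ORIGIN = "https://bank.example.evil"   # look-alike site run by the attacker

def scenario_totp_phished(now: float = 1_700_000_000.0) -> bool:
    secret = b"constructed-shared-secret-12345"
    code = totp(secret, int(now // 30))        # victim types this into the phishing page
    return bank_verifies_totp(secret, code, now + 5)  # relayed 5 s later: accepted

def scenario_fido_phished() -> bool:
    auth, challenge = Authenticator(), "constructed-challenge-1"
    key = auth.register(BANK_RP_ID)
    assertion = browser_webauthn_get(auth, PHISH_ORIGIN, challenge)  # key has no credential here
    return rp_verify(assertion, BANK_RP_ID, BANK_ORIGIN, challenge, key)

def scenario_fido_legit() -> bool:
    auth, challenge = Authenticator(), "constructed-challenge-2"
    key = auth.register(BANK_RP_ID)
    assertion = browser_webauthn_get(auth, BANK_ORIGIN, challenge)
    return rp_verify(assertion, BANK_RP_ID, BANK_ORIGIN, challenge, key)

def scenario_fido_replayed() -> bool:
    auth = Authenticator()
    key = auth.register(BANK_RP_ID)
    captured = browser_webauthn_get(auth, BANK_ORIGIN, "old-challenge")
    return rp_verify(captured, BANK_RP_ID, BANK_ORIGIN, "fresh-challenge", key)

if __name__ == "__main__":
    print("TOTP relayed by phisher accepted:", scenario_totp_phished())
    print("FIDO assertion from look-alike site accepted:", scenario_fido_phished())
    print("FIDO assertion from real site accepted:", scenario_fido_legit())
    print("FIDO assertion replayed later accepted:", scenario_fido_replayed())
```

The relayed TOTP code passes because nothing in it names the site; the look-alike site fails twice over, since the key holds no credential for that domain and, even if it did, the origin and rpIdHash would not match the bank’s. A real authenticator uses a per-site key pair and the browser enforces the rpId rule; those are the two properties the HMAC stand-in preserves.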
Nothing in this world is perfectly secure, but habits like these put you at less risk of falling victim to this century’s Willie Sutton. Showing you’ve taken care with security will also help you avoid accusations of gross negligence, which may lead to a more favorable outcome if a bad incident happens.
This critical thinking goes both ways. Choose to keep investments with companies that are secure themselves—tricky, as there are no industry scorecards. Also favor firms that have clear and reasonable fraud protection policies, and that are helping their customers get and stay more secure with convenient, state-of-the-art technology.
David Powell has spent his career writing software and leading engineering teams. During his 40 years working in tech, he has come to respect the limits of human imagination in any planning. Check out David’s earlier articles.
Surprisingly not all online banks seem to support MFA or 2FA. I opened an account with Marcus assuming that they would be supporting this, and much to my chagrin they don’t support 2FA. I have checked with Sallie Mae bank and Synchrony and neither of them support 2FA.
It is shocking in this age. I chose our current bank and brokerage company because they seem invested in fraud detection and better account security while respecting usability.
David, I am curious if you have an opinion on the password manager on Norton 360.
Have no experience with that one, Mark. LastPass and Dashlane are the ones I know best.
David, thanks for a terrific article. I need to get up to speed on YubiKey!
MFA saved me when someone hacked the password to my credit union account. One morning I saw three text messages from my credit union with a one time code to enter for online account access. I had over $130K in it from an insurance settlement.
I called the credit union and they told me someone in another country was trying to gain access and told me to change my password, AND also my user name.
Good reminder and great summary. Nothing is 100% secure, but such actions can make your account magnitudes harder to breach.
This reminds me of the two hikers who meet a bear in the woods. One stops to put on running shoes and the other asks him why, after all he won’t be able to outrun the bear in any case. The other responds that he doesn’t have to outrun the bear, he just has to outrun the other hiker.
Security often works the same way. If your security is strong, thieves will often go looking for easier pickings.
So true. The goal is stay one step ahead of the one in front of the bear.
Great article! Two questions:
1) I’ve heard that Yubikey and authenticator apps are essentially equal in terms of security, but this article implied that Yubikey is better. Am I reading this correctly?
2) Is receiving a text to Google Voice any more secure than to my regular phone number? Specifically, if I only use Google Voice for financial accounts, it theoretically isn’t known to my friends and family, to any place I’ve ever sent a resume or made a table reservation, or signed up for package tracking notifications, etc.
Personally, I kind of get hung up on using “the best way” when, in this case, just about anything I do to make it harder to get to my accounts will discourage someone. They’ll move to the next, possibly easier, target. Kind of like locking the doors on your car. It’s not a foolproof solution but someone looking for easy access will move on to the next car.
Yes, I would expect FIDO security keys like Yubikey to be harder to hack than an authenticator app. Companies like Google and Microsoft are using these in a big way to enhance security and reduce risks from phishing attacks. I’ll say the FIDO protocols are still pretty new. It can take time for creative minds to find ways to exploit any weak spots in new things, but I personally prefer them wherever supported for their security and convenience.
I don’t know much about Google voice security to compare with cellular carrier network security.
Google Voice is better for a simple reason: there is no way to do a SIM hijack. If a SIM hijack is successful, then you have lost one of the simplest ways to do MFA authentication. In fact, you have lost the ability to receive texts or phone calls at your number. With Google Voice, there is no SIM to hijack. If you lose your phone, you can still access Google Voice from another phone or computer.
Thank you for these very helpful tips! One can call me paranoid if they wish and that’s fine but every single morning it literally takes me 1 minute to sign into our bank accounts and then our investment accounts to see if anything looks odd from the previous morning’s check-in. If you can’t spare 1 minute each morning to check these accounts then perhaps you are much too busy in your life. I believe this should be a required daily check in, not a weekly or monthly check, my HD friends.
Checking regularly is always good.
Great checklist, David, and very timely. Thanks for keeping us on our toes!
Thanks David, excellent article.
I got a 100%, and I have been doing all of these for years and encourage family and friends to do the same.
One can never be too cautious!
Friendly addition for people who use smartphones…
Contact your cell provider and ask them to add a password to your account that you will provide to them if/when you upgrade to a new phone by transferring your SIM.
Yes indeed. Wish the cellular carriers would support Yubikey or another FIDO-compatible security key.