Brokerage hackable?

dallas27

I keep money at TD Ameritrade, and formerly Fidelity. I figure eventually, one of these days, there will be a security breach. I've read the insurance print, but what do you guys think will happen if there is a major breach and loss of millions or billions? Even if my money is safe, being locked up in court for 5 years could be disastrous.


 
Don't worry be happy.

Nobody's going to allow that to happen. There are ways the funds have to protect the 0s and 1s that represent your assets. If you're really afraid, both Fidelity and Vanguard provide a no-loss guarantee against hackers. Sure, you have a responsibility to have virus protection etc. Just normal security.

The silly ways people hacked Anthem and Target et al. don't apply to fund companies. They have real security. Did anyone steal money with the data that was lost to date? Not directly, just the possibility of ID theft. There's a big difference between getting a list of names and using that list to wire funds out.

Worry about asteroids, a much bigger danger.
 
It is a very real threat. You can joke it aside but the systems are far more vulnerable than you think. Coming from a software engineer who has worked on said systems.
 
I keep money at TD Ameritrade, and formerly Fidelity. I figure eventually, one of these days, there will be a security breach. I've read the insurance print, but what do you guys think will happen if there is a major breach and loss of millions or billions? Even if my money is safe, being locked up in court for 5 years could be disastrous.
There are security breaches every day. It's a question of how you define security breach and how extensive the next one goes.

I think of the next breach like this. In 1993 the WTC was bombed. The effect was limited, but deadly. In 2001 the WTC was bombed. The effect was devastation on a scale not seen in the US. The effect was geo-centered, but involved many nearby buildings, and disrupted communications. It had lasting impact.

We have had security breaches continuously since forever. These inflict damage every time. Eventually we will have a breach of great magnitude, and the lasting effects will be on a scale not seen before.

But a meteor may get us first. For now life goes on as usual.
 
One point in favor of Schwab over Fidelity is that Schwab owns a thrift/S&L/bank and therefore is subject to Federal Reserve regulation from the very top of the company on down as a savings and loan holding company. That means that they are regularly bonked on the head by their very own federal regulators (who are not the politically conflicted SEC) to do things like spend money on security.
 
I'm talking about a breach that causes the company to fold, not just a few million here and there each month.


 
How would that many transfers happen in short order without the brokerage being aware? They do monitor for unusual activity. If all their assets were stolen I'd guess that would seem unusual.
 
I'm talking about a breach that causes the company to fold, not just a few million here and there each month.



That type of hack could conceivably shut down operations for a day or two, but the money always has a trail; I don't see large permanent loss.

I would be far more worried about someone hacking my own accounts and siphoning off money. If you don't catch it within a specified time period, you may be screwed.
 
Exactly what would be stolen? A bunch of digits? Can't the brokerage put the digits right back where they were?
 
Exactly what would be stolen? A bunch of digits? Can't the brokerage put the digits right back where they were?

+1

It's been done many times.
 
Wow, seems many of you guys believe theft is impossible. Scary.


 
Wow, seems many of you guys believe theft is impossible. Scary.



Whether we believe it is possible or not, what can we do about it?
 
Wow, seems many of you guys believe theft is impossible. Scary.



Yeah, nobody thought a plane could take down a huge skyscraper either.

It may not be easy to reconstruct the accounts to pre-attack status and it may not matter if panic sets in and faith in the financial system is lost.
 
I'm surprised considering we all know that banks were recently robbed for a billion dollars, and apparently it's unrecoverable.




 
I'm surprised considering we all know that banks were recently robbed for a billion dollars, and apparently it's unrecoverable.





Some examples?

I would think such things could occur when banks are carelessly or illegally doing business with international criminal enterprises, which they should not be doing anyway.
 
...snip..

It may not be easy to reconstruct the accounts to pre-attack status and it may not matter if panic sets in and faith in the financial system is lost.

Data recovery 101; have known check/restore points. Remember a 24x7x365 shop can piece together atomic transactions for months.

You avoid panic by fixing data before anyone knows. How normal are these types of recoveries? They might occur more often than you think.
 
Whether we believe it is possible or not, what can we do about it?

Other than trying to choose a brokerage that you have cause to believe will have better security practices than a different one, I don’t think that there is much that we can do to limit the possibility that a company with which we do business will get hacked.

At the same time, I don’t like feeling helpless. There are steps we can take to improve the security of our own systems. While breaches/hacks to individuals don't make the news like company breaches do, they are often hacked as well. Individuals do have better legal protections than businesses when it comes to restoring illicitly transferred monies – think credit cards for instance. As long as improper transactions are reported soon after they occur, your liability is only $50. A big concern where individuals must take care is phishing. If the bank, brokerage, or credit card company decides that you improperly gave out your user ID and password, I have read that they may and sometimes do disclaim any obligation to restore your funds.

I have come across guides to improving the security of home systems. In my opinion, these are some of the better ones (in no particular order):


The steps that they recommend take time and effort to implement, but given a choice, I would rather put my time into preventing a loss, than recovering from it.
 
+1

It's been done many times.


They can only restore the 1's and 0's that represent the funds in your account back if they have the money to back it up. They can't create it out of thin air. Otherwise it would be illegal.

Only the Federal Reserve has the power to create money out of thin air and there actually is an accounting record of when it is done FWIW.

I share OP's concern that for anyone with significant assets (i.e., average retirement accounts of ER board members) this should be a larger concern than the "Identity Theft" hype that we see in the media that is getting everyone all riled up.

I would like to have a better personal understanding of the laws (if any, Fed or state) that protect the holders of these types of accounts due to theft (internal or external) and the conditions under which the holder is protected or not.
- basic mutual funds
- brokerage accounts
- IRA wrappers
- 401k wrappers

I would also be interested in knowing how this would apply to paper securities -- i.e., those not held in "street name".

-gauss
 
Generally speaking, the laws that protect us against theft from our brokerage accounts are the same laws that protect us from crimes in our homes or against our persons. The only regs that are specific to electronic theft of financial assets are part of the EFTA, which protects us from unauthorized transactions in personal accounts at banks.
 
How would that many transfers happen in short order without the brokerage being aware? They do monitor for unusual activity. If all their assets were stolen I'd guess that would seem unusual.
There is always a false sense of security, and it has roots in our need to feel safe. That helps many of us act properly, rather than being afraid of participating.

But the pendulum always swings too far, doesn't it? There is no single definition of security with regard to financial institutions. Oh, they have various seals that attest to just how secure they are now, but things change. The attacks evolve every minute of each day. Reminds me of a biological virus...

The protection is just devices, programming and people. Most devices just sit there and perform. The programming in the device and systems that are watching is flawed, and needs patches, updates, fixes, etc. People apply the fixes as best they can, but people are not infallible.

What if an external entity plants new code in the devices that makes it seem that transactions are normal, and nothing to worry about?

If the NSA can/has planted firmware code in hard drives, it seems to me that one attack vector in the future will be the compromise of devices that can have a catastrophic and lasting effect on the economy.

This article describes many compromises that have taken place in this century. It's filled with jargon and tech-speak, but it is not science fiction.

Your hard drives were RIDDLED with NSA SPYWARE for YEARS • The Register
 
They can only restore the 1's and 0's that represent the funds in your account back if they have the money to back it up. They can't create it out of thin air. Otherwise it would be illegal.

Only the Federal Reserve has the power to create money out of thin air and there actually is an accounting record of when it is done FWIW.

I share OP's concern that for anyone with significant assets (i.e., average retirement accounts of ER board members) this should be a larger concern than the "Identity Theft" hype that we see in the media that is getting everyone all riled up.

I would like to have a better personal understanding of the laws (if any, Fed or state) that protect the holders of these types of accounts due to theft (internal or external) and the conditions under which the holder is protected or not.
- basic mutual funds
- brokerage accounts
- IRA wrappers
- 401k wrappers

I would also be interested in knowing how this would apply to paper securities -- i.e., those not held in "street name".

-gauss

You're trusting the funds will honor their guarantees (the ones that give them). Or that fund XYZ doesn't want its name on the front page of the WSJ saying it lost 100,000 Americans' retirement (bad for business).

Of course, any time I've seen a loss, the brokerage, transfer agent, or insurance company provided the funds to make the account holder whole. So yes, the monies were put back. The money's not manufactured; it came from a legit source.

Then the brokerage and fund company go after and find the real assets. These companies have dealt with fraud recapture since day one of being in business. Fraud is not limited to the internet age; it happened long before. The brokerage and fund companies freely share information about fraudulent schemes. They all have safeguards in place to avoid fraud up front. I spent many years watching the industry mature in this aspect. I sleep very well at night knowing the safeguards that are in place.

Like mentioned earlier, it's one thing to spear phish a techie to gain access to a test, big data implementation. I've never known a techie that had a user profile on a system of record for the application. If they did, they would be terminated. You don't need a system of record ID to do a techie's job.

I guess the only way you could be sure is to keep your assets in an FDIC account, or under a mattress. I prefer to put my money in places that guarantee no loss from fraud. Running systems out of redundant tier 4 data centers, with well-trained staff that monitor possible fraud scenarios. Strict state-of-the-art audits; scheduled fraudulent activities thrown in to test the monitoring and the employees' reactions. But I'm a little Pollyanna.
 
SIPC would cover the loss of shares (up to a certain amount - I think it's $500k). It doesn't cover collapse in value of those shares - but I believe it covers loss of the shares (taken/stolen from your account).

Most of the brokerages have a self-insurance coop - so as long as the attack is limited to one or two brokerages, the other brokerages would backstop. Schwab, IIRC, is not part of the coop - it has a Lloyds of London policy for the coverage.
 
Fidelity has some guarantees for backing up customers in the event of unauthorized account access - above and beyond the SIPC protection. https://www.fidelity.com/security/customer-protection-guarantee

I haven't been too concerned about someone hacking into my account. We have quite a few safeguards in place. I figure Fidelity has to deal with attempts to steal funds all the time.

Fidelity is a multi-generational family-owned* and run private company founded in 1946. These kinds of companies usually take a much longer term view and aren't under the quarter-to-quarter performance scrutiny of a public company. It comes down to culture. So far Fidelity has shown the inclination to have good systems in place which indicates a willingness to invest in infrastructure. I've never noticed them to be sloppy. https://www.fidelity.com/security/how-fidelity-keeps-you-safe

*Fidelity Investments is currently run by Abigail Johnson (3rd generation) who is the 7th richest woman in the world on the Forbes list. Her father, Ned Johnson, still holds the CEO position.
 
I have become a bit more complacent. I remember when I first opened up my brokerage account, being the true luddite, I would literally print every transaction and amounts so they couldn't screw me out of my money if it just disappeared.
Now, I just print the yearly statement. Though I do have a chromebook that its sole use is for financial transactions involving my bank, brokerage, TD, and HSA.


 