Attempted Fraud at Fidelity

[luckydude]

Heard this rather alarming story from a friend yesterday:

She has a retirement account at Fidelity. Yesterday she got a call from Fidelity informing her that someone called with a request to liquidate her retirement account and wire the proceeds to a bank account. The caller was able to provide my friend’s SSN, address and birth date to Fidelity, and apparently the only reason Fidelity suspected fraud was because the individual was a male, whereas my friend is female.

My friend was naturally quite alarmed. She obtained the account number that the fraudster provided and tracked it to a bank. It turned out that the bank account was under a different individual’s name with a different SSN, and not hers, and yet aside from the gender mis-match, it appears that Fidelity was quite ready to wire the proceeds to any account number that the fraudster provided.

Subsequently my friend filed a police report, put a 90-day credit watch through Equifax, and requested Fidelity put a restriction on her account such that any redemption request must be made in person through a Fidelity branch.

I have a retirement account at Fidelity so I decided to call Fidelity and find out what verifications they perform for redemption requests. It turns out that other than SSN, address and birth date information, Fidelity really doesn’t do any other verification, which is more than a little disconcerting to me. So if a fraudster has someone’s SSN, address and birth date, he/she could conceivable just call up Fidelity and ask that an account be liquidated.

In this day and age where identify theft is rampant, it seems to me that Fidelity should at least have another layer of verification, such as a set of security questions. Vanguard for example has a set of security questions as an additional layer of verification, which is required for both web and phone access.

Your thoughts?

[Fishingmn]

Kinda scary.

My hope is that if Fidelity had approved it that they would have covered the loss. Kind of like a bogus credit card charge that you are not liable for.

[gauss]

I am under the understanding, but if anyone can confirm this I would appreciate it, that if Fidelity looses your money due to fraud, that they will be on the hook for it.

-gauss

[Senator]

I just did a larger wire transfer from Fidelity. I could not do it online, I had to call in. Also fill out some paperwork. It went to a mortgage with my name, and I thought quite a bit of hoops, which I appreciated.

You would think even Fidelity would be pressing changes. Typically, wires go overseas, and there is little anyone can do.

[clifp]

I have a verbal password on my Schwab account, which the reps ask for everytime I talk to them.

I did have to ask them for an additional layer of security.

I'm pretty cavalier about the rest of my online identity (except for routinely lying about my birth year.) But since Schwab has the bulk of my money I take it pretty seriously.

[eta2020]

Quote:

Originally Posted by clifp I have a verbal password on my Schwab account, which the reps ask for everytime I talk to them. I did have to ask them for an additional layer of security. I'm pretty cavalier about the rest of my online identity (except for routinely lying about my birth year.) But since Schwab has the bulk of my money I take it pretty seriously.

Additionally you can get RSA secureid key which one needs to use in addition to password when login online.

I would not open account without RSA key and I know Fidelity will not give you one while Schwab will.

[marko]

Quote:

Originally Posted by eta2020 Additionally you can get RSA secureid key which one needs to use in addition to password when login online. I would not open account without RSA key and I know Fidelity will not give you one while Schwab will.

T R Price just introduced RSA keys. Its also a good idea to have your accounts (checking, savings, portfolio) set up with email notification on any notable transactions, so if something changes, you usually know within a few seconds.

[eta2020]

Plus if one has substantial amount of money I would maintain 2 brokerage accounts.

In a event of fraud I am quite certain one would get reimbursed but you may loose access to your money for few months before things get resolved.

It is like Asset Protection. Get it before you need it and most likely you will never need it.

[frayne]

I have a FIDO account with email verification/confirmation for any activity. In the past when I have been rebalancing I have gotten a call from Fidelity just to make sure it was me doing the changes.

[John Galt III]

Fidelity reminds me every so often that they want my email address. So far I have not given them one, since it seems like one more point of vulnerability for hackers to exploit.

[audreyh1]

For a normal withdrawal, transfer, liquidation, etc., Fidelity requires the receiving bank account to have the same name. And they spend some time verifying this too, which is why adding a linked account online usually takes 10 business days.

For a wire transfer (not a liquidation) to another entity you have to fax in a form and they at least compare to your signature on file.

[audreyh1]

Quote:

Originally Posted by John Galt III Fidelity reminds me every so often that they want my email address. So far I have not given them one, since it seems like one more point of vulnerability for hackers to exploit.

That's how Fidelity notifies me of all activity right away. I think it makes me less vulnerable.

[MRG]

Quote:

Originally Posted by audreyh1 That's how Fidelity notifies me of all activity right away. I think it makes me less vulnerable.

+1
Any check I write to Fidelity or from them I get emails. Anything that changes. Yes the transfer agent would be liable. A better question how did someone aquire the needed information?

Sent from my SAMSUNG-SGH-I337 using Early Retirement Forum mobile app

[Corporateburnout]

+1 I get notified of every transaction with Fido via email.

Sent from my XT1058 using Early Retirement Forum mobile app

[Bestwifeever]

Quote:

Originally Posted by luckydude ...I have a retirement account at Fidelity so I decided to call Fidelity and find out what verifications they perform for redemption requests. It turns out that other than SSN, address and birth date information, Fidelity really doesn’t do any other verification, which is more than a little disconcerting to me. So if a fraudster has someone’s SSN, address and birth date, he/she could conceivable just call up Fidelity and ask that an account be liquidated....

Did you close your account?

[prudent_one]

I'm shocked that the bank told your friend anything about the name and SSN (even if simply confirming it wasn't hers) of the other account.

[eytonxav]

Quote:

Originally Posted by audreyh1 For a normal withdrawal, transfer, liquidation, etc., Fidelity requires the receiving bank account to have the same name. And they spend some time verifying this too, which is why adding a linked account online usually takes 10 business days. For a wire transfer (not a liquidation) to another entity you have to fax in a form and they at least compare to your signature on file.

Agree, something doesn't sound quite right about what OP's friend told him.

[MooreBonds]

Quote:

Originally Posted by MRG +1 Any check I write to Fidelity or from them I get emails. Anything that changes. Yes the transfer agent would be liable. A better question how did someone aquire the needed information?

Just a copy of a driver's license will do (some states still automatically use your SSN as your default driver's license number) will do. It has your name, address, birthdate, and SSN! (and if you moved, it should be fairly easy with whitepages.com to find your possible new address, or even look it up on a real estate assessor's website for your county).

Sometimes people ask for your DL to verify age, or make a copy of it for their 'files'. Heck, even if you're standing in line at the TSA checkpoint with your DL between your fingers, a quick thinking thief could discreetly write down your SSN if it's visible and your name and state, and that alone could narrow down your address.

Quote:

Originally Posted by prudent_one I'm shocked that the bank told your friend anything about the name and SSN (even if simply confirming it wasn't hers) of the other account.

+1.

[RunningBum]

Quote:

Originally Posted by MooreBonds Sometimes people ask for your DL to verify age, or make a copy of it for their 'files'. Heck, even if you're standing in line at the TSA checkpoint with your DL between your fingers, a quick thinking thief could discreetly write down your SSN if it's visible and your name and state, and that alone could narrow down your address.

I don't think I've ever been in a state where my SSN is on my license. My address is though. If the SSN was on there, a quick photo would be the way for someone to get it, because afterward they'd have more time to read zoom in on the photo and read the data.

Edit: I googled DL images and see that Missouri does put the SSN on. That's pretty stupid. Really stupid, because not only are you exposing it every time you check in at an airport, or at a bar (if you're somewhat young) or other places where ID is asked for, if you lose your wallet or it is stolen your identify is also at very serious risk.

I didn't check every state, but the 15 or so I did first didn't have it.

[audreyh1]

Quote:

Originally Posted by DFW_M5 Agree, something doesn't sound quite right about what OP's friend told him.

I also don't see how the friend got the target bank account number.