Fidelity Account Hacked

Today, I saw on Fox Business News that Fidelity will cover your losses if you get hacked. I'm gonna have to check that out, since I have accounts with Fidelity.
Fidelity, Schwab, and Vanguard all have about the same thing. They're the only ones I know of who can do that. Check out their website; most of what they expect is common-sense security things.
 
"I also have my password manager on my phone where you need to know the Master Password (20 characters)".



Want to say something about passwords here. Longer passwords do not mean better passwords. The best passwords pull from 4 character sets: a...z, A...Z, 0...9, $...&. A password that pulls from all 4 character sets (if allowed by the website) that is 8 characters long is better than a password that is twice as long that pulls from 3 of the character sets. No need to make long, complicated passwords. There is more to it, but will leave it at that.
 
I just skimmed through the thread and I have to agree with the people that don't think this was a hack. It makes no sense to hack in like this and actually create an account. If I was a criminal I'd be trying to get money out as fast as possible if I had gained access to the account.


Here's my best guess as to what happened:


Somebody decided to set up an IRA account at Fidelity before the end of the year and typo'ed an incorrect SSN. The incorrect SSN matched your SSN and got attached to your account since they probably index the accounts using SSN in their database (That would make sense to me since SSNs are supposed to be unique). They logged in using their own credentials and the fraud department saw a valid login in the logs and just initially assumed they logged in using your credentials. I'll bet they've figured it out by now but are likely waiting for a bug fix before letting you know what happened. Or they may not want to admit what really happened as security is always a sensitive area with financial companies.



There's probably another person that is wondering why their account was never set up properly.


Having worked for a software security vendor to large financial firms (although not specifically Fidelity) you won't believe how creaky some financial software is. A lot of it was originally well designed but as endless new features are hastily added over the years to compete with what other companies are offering the software gradually becomes unwieldy and in some cases downright incomprehensible - especially when many of the original programmers are no longer there.



Other possibilities that people have already mentioned that seem viable to me are employee data entry error or some obscure year-end software bugs.
 
> Want to say something about passwords here. Longer passwords do not mean better passwords. The best passwords pull from 4 character sets: a...z, A...Z, 0...9, $...&. A password that pulls from all 4 character sets (if allowed by the website) that is 8 characters long is better than a password that is twice as long that pulls from 3 of the character sets. No need to make long, complicated passwords. There is more to it, but will leave it at that.

I disagree. Password length is extremely important even if you're using a complex password. An 8 character password can be cracked by brute force in hours, maybe minutes if the attacker is using today's fastest computers. Each additional character you add increases by an order of magnitude the time it takes to brute force a password.

Here is some password advice from ProtonMail https://protonmail.com/blog/how-long-should-my-password-be/ Later in the article they suggest 15 as the absolute minimum safe password length today. I've read the same advice at many other sites.

> There are two ways to make it more difficult for someone to brute force your password: make your password longer (by using more characters), and make it more complex (by using a greater variety of character types, like numbers and capital letters). Note, however, that length is much more effective than complexity at preventing a brute force attack.
 
> I just skimmed through the thread and I have to agree with the people that don't think this was a hack. It makes no sense to hack in like this and actually create an account. If I was a criminal I'd be trying to get money out as fast as possible if I had gained access to the account.
>
> Here's my best guess as to what happened:
>
> Somebody decided to set up an IRA account at Fidelity before the end of the year and typo'ed an incorrect SSN. The incorrect SSN matched your SSN and got attached to your account since they probably index the accounts using SSN in their database (That would make sense to me since SSNs are supposed to be unique). They logged in using their own credentials and the fraud department saw a valid login in the logs and just initially assumed they logged in using your credentials. I'll bet they've figured it out by now but are likely waiting for a bug fix before letting you know what happened. Or they may not want to admit what really happened as security is always a sensitive area with financial companies.
>
> There's probably another person that is wondering why their account was never set up properly.
>
> Having worked for a software security vendor to large financial firms (although not specifically Fidelity) you won't believe how creaky some financial software is. A lot of it was originally well designed but as endless new features are hastily added over the years to compete with what other companies are offering the software gradually becomes unwieldy and in some cases downright incomprehensible - especially when many of the original programmers are no longer there.
>
> Other possibilities that people have already mentioned that seem viable to me are employee data entry error or some obscure year-end software bugs.

That's a very plausible explanation. I spent a few years working around that "creaky financial software". "Quirks of operation" is preferred to "creaky", someone paid good money for that junk. Much was written back when development was rewarded for delivering efficient code.

Social security number is frequently used as a secondary index column in mutual fund software solutions. I'm not sure why typing any SSN would be allowed to freely traverse their database, maybe that is the bug? [emoji23] Who knows, it's amazing how people can take something so simple and convolute it all up.

I'd agree any fund/brokerage will understand exactly who did what if they want to. Certainly if they believe it's a hack there are logs to go through that break the app's transactions down. Obviously their explanation will be cleansed by the right internal people.
 
The title should be changed on this thread to Fidelity Account Jacked.
 
For those who doubt:


These two passwords are of equal length, but one has the additional character set of symbols. These are both being (theoretically) hacked with a super computer. The extra character set takes the same length password (10 characters) from 2 MILLENNIA to break to 121 MILLENNIA.


Of note, I was hacking systems for the government as far back as 1982.



PASSWORD with extra character set: T3535^hike
TIME TO BREAK: 121 MILLENNIA, 3 CENTURIES, 3 DECADES, 7 YEARS

PASSWORD without extra character set: Fa38896j89
TIME TO BREAK: 2 MILLENNIA, 3 CENTURIES, 4 DECADES, 4 YEARS
 
> I disagree. Password length is extremely important even if you're using a complex password. An 8 character password can be cracked by brute force in hours, maybe minutes if the attacker is using today's fastest computers. Each additional character you add increases by an order of magnitude the time it takes to brute force a password.
>
> Here is some password advice from ProtonMail https://protonmail.com/blog/how-long-should-my-password-be/ Later in the article they suggest 15 as the absolute minimum safe password length today. I've read the same advice at many other sites.

You're assuming unlimited tries; I don't think any financial system would allow that. Usually they freeze the account, sometimes for a period of time, and sometimes require you to call.
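The three positions argued above (length beats charset, the two 10-character passwords, and the online-throttling objection) can be put on one footing by computing the brute-force search space. This is an added example, not code from anyone in the thread; the guess rates, the constructed passwords `Ab1$Ab1$` and `Ab1Ab1Ab1Ab1Ab1A`, and the function names are my assumptions.

```python
import math
import string

# The four character sets the thread describes: a..z, A..Z, 0..9, symbols.
CHARSETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (guesses/second), illustrative rather than measured:
# a login form that throttles and locks out, versus a GPU rig working
# offline against a leaked, unsalted fast hash.
RATES = {"online_throttled": 10.0, "offline_fast_hash": 1e11}


def alphabet_size(password):
    """Alphabet a brute-forcer must cover: every set the password draws from."""
    return sum(len(cs) for cs in CHARSETS.values() if cs & set(password))


def search_space_bits(length, alphabet):
    """log2 of the candidate count for an exhaustive search of that alphabet."""
    return length * math.log2(alphabet)


def expected_crack_years(bits, rate):
    """Expected time to hit the password (half the keyspace) at `rate`."""
    return (2.0 ** bits / 2) / rate / SECONDS_PER_YEAR


def assess(password, honoured_chars=None):
    """Bits and crack-time estimates for one password.

    `honoured_chars` models a site that silently ignores everything after
    the first N characters; the ignored tail then adds no strength at all.
    """
    effective = password if honoured_chars is None else password[:honoured_chars]
    bits = search_space_bits(len(effective), alphabet_size(effective))
    return {
        "effective_length": len(effective),
        "alphabet": alphabet_size(effective),
        "bits": round(bits, 1),
        "years": {name: expected_crack_years(bits, r) for name, r in RATES.items()},
    }


if __name__ == "__main__":
    # The two 10-character passwords quoted in the thread, then constructed
    # 8-char/4-set and 16-char/3-set samples for the earlier claim. Brute force
    # treats them as random; a pattern such as "Ab1Ab1..." falls far faster to
    # a rule-based attack, so these figures are upper bounds on attacker effort.
    for pw in ("T3535^hike", "Fa38896j89", "Ab1$Ab1$", "Ab1Ab1Ab1Ab1Ab1A"):
        r = assess(pw)
        years = ", ".join(f"{k}: {v:.3g} y" for k, v in r["years"].items())
        print(f"{pw:18} len={r['effective_length']:2} alpha={r['alphabet']:2} "
              f"bits={r['bits']:5}  {years}")
```

Adding the symbol set to a 10-character password buys about 2^6 (roughly 64x) more work, in line with the millennia figures posted above, while doubling the length of an 8-character password adds over 40 bits; the online rate shows why lockout policy, not raw keyspace, governs the login-form case.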
 
> I just skimmed through the thread and I have to agree with the people that don't think this was a hack. It makes no sense to hack in like this and actually create an account. If I was a criminal I'd be trying to get money out as fast as possible if I had gained access to the account.
>
> Here's my best guess as to what happened:
>
> Somebody decided to set up an IRA account at Fidelity before the end of the year and typo'ed an incorrect SSN. The incorrect SSN matched your SSN and got attached to your account since they probably index the accounts using SSN in their database (That would make sense to me since SSNs are supposed to be unique). They logged in using their own credentials and the fraud department saw a valid login in the logs and just initially assumed they logged in using your credentials. I'll bet they've figured it out by now but are likely waiting for a bug fix before letting you know what happened. Or they may not want to admit what really happened as security is always a sensitive area with financial companies.
>
> There's probably another person that is wondering why their account was never set up properly.
>
> Having worked for a software security vendor to large financial firms (although not specifically Fidelity) you won't believe how creaky some financial software is. A lot of it was originally well designed but as endless new features are hastily added over the years to compete with what other companies are offering the software gradually becomes unwieldy and in some cases downright incomprehensible - especially when many of the original programmers are no longer there.
>
> Other possibilities that people have already mentioned that seem viable to me are employee data entry error or some obscure year-end software bugs.

Could be, but the odd thing is the zero balance. One would think something would have been deposited in a new account. The end of year really means nothing for an IRA.
 
> Could be, but the odd thing is the zero balance. One would think something would have been deposited in a new account. The end of year really means nothing for an IRA.


I imagine they didn't deposit anything because they don't see the account. Only the OP is seeing the account?



It's all just guesswork on our end really since we have no visibility inside Fidelity's systems.
 
Extra Zero Balance Account for DW

I thought nothing of it, but when I set up DW's Fidelity, she got an 'extra' zero balance account. I didn't review the whole thread, but a few posts made me think this story might be relevant here.

DW had a tIRA and Roth for a long time at Fidelity, but no brokerage account and no money market account. She got a windfall sum that she didn't want to put in her normal spending account (gets no interest), so I opened a Fidelity brokerage account.

When "done", under the section "Investment Accounts", she now has "INDIVIDUAL - TOD" with a cash position (SPAXX**) and an equity position.

But also, and something I didn't specifically ask for, under a section called "Savings, Checking and Spending Accounts" is another "INDIVIDUAL - TOD" and it has a position "CORE**" with a description of "UNFUNDED CORE POSITION".

I'm not sure why this 'extra' account was added, but I didn't see that it was doing any harm.
 
> I thought nothing of it, but when I set up DW's Fidelity, she got an 'extra' zero balance account. I didn't review the whole thread, but a few posts made me think this story might be relevant here.
>
> DW had a tIRA and Roth for a long time at Fidelity, but no brokerage account and no money market account. She got a windfall sum that she didn't want to put in her normal spending account (gets no interest), so I opened a Fidelity brokerage account.
>
> When "done", under the section "Investment Accounts", she now has "INDIVIDUAL - TOD" with a cash position (SPAXX**) and an equity position.
>
> But also, and something I didn't specifically ask for, under a section called "Savings, Checking and Spending Accounts" is another "INDIVIDUAL - TOD" and it has a position "CORE**" with a description of "UNFUNDED CORE POSITION".
>
> I'm not sure why this 'extra' account was added, but I didn't see that it was doing any harm.

That sounds like their cash management accounts, a brokerage account with a separate but related checking account. I have a few old ones and they screw up Quicken a bit. Probably a selection you made while opening the account, maybe by default.
 
> I thought nothing of it, but when I set up DW's Fidelity, she got an 'extra' zero balance account. I didn't review the whole thread, but a few posts made me think this story might be relevant here.
>
> DW had a tIRA and Roth for a long time at Fidelity, but no brokerage account and no money market account. She got a windfall sum that she didn't want to put in her normal spending account (gets no interest), so I opened a Fidelity brokerage account.
>
> When "done", under the section "Investment Accounts", she now has "INDIVIDUAL - TOD" with a cash position (SPAXX**) and an equity position.
>
> But also, and something I didn't specifically ask for, under a section called "Savings, Checking and Spending Accounts" is another "INDIVIDUAL - TOD" and it has a position "CORE**" with a description of "UNFUNDED CORE POSITION".
>
> I'm not sure why this 'extra' account was added, but I didn't see that it was doing any harm.

Nothing evil. Fidelity IRAs have a default investment called the CORE position. In some cases it's an FDIC-insured bank. Sometimes the CORE investment can be changed, sometimes there are no other options available.
There are usually "learn more about CORE positions" links all over the Fidelity website.
https://www.fidelity.com/learning-center/investment-products/mutual-funds/core-position-video
 
Two days ago, I was on my Fidelity account just checking balances. I did nothing else. I got an email the next day stating that I had signed up for a brokerage account. I did not do this. I tried to log in the next day (yesterday) and was locked out. I called Fidelity and they believe that I was hacked. I wondered though that perhaps they set up this account themselves? I have to get my computer checked (it's a company-issued computer with all of the upgrades and firewalls in place) as well as get a new account number and use the Symantec login, which is great. I'm not sure why this was not offered to existing account users? Anyway, it's been quite a hassle but my money is safe. I'm not sure what happened and not sure I will ever know. I wonder how secure the Fidelity site really is?
 
> Two days ago, I was on my Fidelity account just checking balances. I did nothing else. I got an email the next day stating that I had signed up for a brokerage account. I did not do this. I tried to log in the next day (yesterday) and was locked out. I called Fidelity and they believe that I was hacked. I wondered though that perhaps they set up this account themselves? I have to get my computer checked (it's a company-issued computer with all of the upgrades and firewalls in place) as well as get a new account number and use the Symantec login, which is great. I'm not sure why this was not offered to existing account users? Anyway, it's been quite a hassle but my money is safe. I'm not sure what happened and not sure I will ever know. I wonder how secure the Fidelity site really is?

I wonder how secure your computer is? If someone installed a keyboard logger, they will have your userid & password. This is why I set up login to require a code that's texted to me. It's both an extra layer of protection and a notification that someone is logging into my account.
 
If one is using an account aggregator such as MINT, or Personal Capital then Fidelity could take the position that you are in violation of their security agreement and not cover losses from a hack.

This is true for every other financial institution.
Might want to keep this in mind if you're using Fidelity's FULL VIEW to access non-Fidelity accounts.
 
As a Fidelity client who has consolidated most of our assets, I will be very interested in hearing from poster donahuem if and how they are locked out of their account.
While I am pretty comfortable that Fido will make me whole, I do not understand what happens in a "lock down". For example, do your auto pays still get processed? Are your ATM card and checks still functional? Can you take RMDs? etc, etc.
While the priority is clearly protecting your assets, it appears your ability to manage your financial affairs could go in the tank if you are locked down.
 
> If one is using an account aggregator such as MINT, or Personal Capital then Fidelity could take the position that you are in violation of their security agreement and not cover losses from a hack.
>
> This is true for every other financial institution.
> Might want to keep this in mind if you're using Fidelity's FULL VIEW to access non-Fidelity accounts.

I think Fidelity owns eMoney which is the company behind FullView so it might get fuzzy.
FullView also is horrible since they moved it to the eMoney platform. That move motivated me to create my own aggregator in Excel.
 
Since password length was discussed here: I don't know if it is still true or not, but some online places only used the first 8 characters of one's password and some online places used case-insensitive usernames and/or passwords.

You can test this with your accounts for yourself.
 
> If one is using an account aggregator such as MINT, or Personal Capital then Fidelity could take the position that you are in violation of their security agreement and not cover losses from a hack.
>
> This is true for every other financial institution.
> Might want to keep this in mind if you're using Fidelity's FULL VIEW to access non-Fidelity accounts.

One of the dangers of getting information from discussion groups is getting information that is really a person's "viewpoint" rather than "fact".

While there is no doubt there is (very small) risk in an aggregator storing passwords, the issue of how various financial institutions would handle a breach and losses is unsettled. The reason it is unsettled is because there has not been a breach of these aggregators, so the resulting determination has not been needed.

The agreements are clear on "sharing passwords"...but courts (or Arbitrators) have not ruled on whether using password services such as LastPass, 1Password etc. counts as sharing, nor have they ruled on whether using aggregators counts as sharing.
 
Aggregator policy

> One of the dangers of getting information from discussion groups is getting information that is really a person's "viewpoint" rather than "fact".

Agreed. In the meantime who wants to be the test case?

The Retirement Café: How to Secure Your Online Financial Accounts

https://www.bogleheads.org/forum/viewtopic.php?t=219620

https://www.reuters.com/article/us-...-mint-other-aggregators-idUSKCN0SY2GC20151109

Perhaps the fintech industry will adopt a standard?
https://www.yodlee.com/fintech/whos-on-the-hook-for-a-hack-aggregators-team-up-on-answer
 