Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Security concerns
Old 04-15-2011, 12:49 AM   #1
Recycles dryer sheets
 
Join Date: Mar 2006
Posts: 247
Security concerns

Up until a few years ago, I had funds from over four families. I felt more comfortable having my eggs in "multiple baskets". After reading a lot of posts, I came to the conclusion that my fears were probably unfounded, and I've consolidated most of my savings into two fund families, with 85% of those funds in one family.

With the fairly recent and increasing concerns about malware, etc., I wonder again about the wisdom of having all funds together. Let's say I'm not worried about Vanguard having internal failures of accounting, etc, which would cause my funds to be lost (something like Madoff-lite). But what about malware? I've even heard it suggested that you should have a dedicated PC ONLY for accessing your online accounts, and you do no email or browsing on that PC. The problem of course is that even if you are careful, you never really know if some keylogger might have embedded itself and is happily transmitting your passwords to some other site.

Anybody concerned about this, or have other perspectives (to be more or less worried)?
__________________

__________________
Surfdaddy is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 04-15-2011, 03:19 AM   #2
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,086
Yes, it concerns me, but I travel a lot and am encouraged that even using my same laptop, I get security challenge questions when attempting to access my accounts from a new location.

I have an on-line account with a UK bank and I recently listened to a BBC Money program on the radio and they said that all UK banks follow the same practice of never asking you enter your whole password on-line. You only ever ever get asked to enter 3 characters from the password, and it's a different 3 each time.

eg when I log on it might ask "Please enter the 2nd, 4th and next to last digits in your passcode"

Also, you should always have your banks bookmarked or in your favorites list so that you never type in the same of the website. Many banks also allow you to save your username so you rarely have to type your name in either.

All these precautions help to defeat any key-loggers that get by your anti-virus / anti-malware software, and also help defeat phishing programs.

The program I listened to had a caller who said he'd accessed his bank in his usual way and had been prompted to enter his whole pass code, so he called the bank (HSBC) who told him they never asked for a complete password - ever. Turned out that his usual way of getting to the HSBC website was put the name in his Google search bar. (not recommended)
__________________

__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 04-15-2011, 08:38 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
Unfortunately, I think it's difficult to only have one PC solely for online accounts, now browsing. If one has enough self-discipline, perhaps. But that having two cars, but for one of them, never aking that car on the freeway.

Instead, I think the best approach make sure your computer is up to date with a good password manager to create/store security passwords, antivirus and anti-keylogging software. One can also use a virtual keyboard program to enter the master password in the password managing software with a mouse instead of keystrokes. I have a virtural keyboard program. Yet, I find that I get lazy at times and just type the password in (old habits die hard ).
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 04-15-2011, 10:44 AM   #4
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,426
Reasonable protection for your computer (up to date antivirus & anti-malware), safe browsing and computing practices, understanding the law, your responsibilities and the liabilities of the financial custodian should do. Beyond that, too much focus may not materially improve one's security. For most people, too much complexity leads to decreased effectiveness - writing down passwords and such.

IIRC most fraud affecting individuals is carried out by family members.

Pay attention, check accounts regularly, make sure your contact information is always current, understand and comply with the security measures of your financial institutions. They have immediate direct liability for unauthorized electronic withdrawals and have more at stake. Among the once I have dealt with there are clear differences and some (USAA, Vanguard) are more effective than others .
__________________
MichaelB is online now   Reply With Quote
Old 04-15-2011, 11:04 AM   #5
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 3,395
Quote:
Originally Posted by easysurfer View Post

Instead, I think the best approach make sure your computer is up to date with a good password manager to create/store security passwords, antivirus and anti-keylogging software. One can also use a virtual keyboard program to enter the master password in the password managing software with a mouse instead of keystrokes. I have a virtural keyboard program. Yet, I find that I get lazy at times and just type the password in (old habits die hard ).
What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.
__________________
Katsmeow is offline   Reply With Quote
Old 04-15-2011, 11:34 AM   #6
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,426
Quote:
Originally Posted by Katsmeow View Post
What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.
I like roboform - although it does cost and they are trying to move to a yearly charge. I use it for passwords (and form filler) for non-financial stuff - which is still over 100 usernames and passwords - and keep the 4 financial ones to myself (and DW). I still can't bring myself to use a password manager for my financial accounts.
__________________
MichaelB is online now   Reply With Quote
Old 04-15-2011, 11:48 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
Quote:
Originally Posted by Katsmeow View Post
What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.

You can go to a site like download.com (password manager downloads - Free software downloads and software reviews - CNET) and try them out for one that fits your needs.

The master password is sort of like if you have a physical key box with keys to various locks for you house/car (your front door, back door, car keys, storage room, etc.). The box holds a copy of all the keys, but you hold a master key (preferable, put in a safe or a good hiding place).

The password manager works with the same principle. One strong master password or pass phrase that holds all your passwords. Of course, you want a program that automatically encrypts your password file (any good password manager should do this) so they can't be read if someone steals or you lose the password file.

Right now, I'm using a simple program called MyPadlock. It's only version 1.0, but very easy to use. But could you some areas of improvement, I like that it has a drag/drop feature of your user names/passwords.

Before MyPadlock, I had been using a program called AnyPassword which I was totally happy with, but the free version isn't Windows 7 compatible and the paid version, to me seems more complicated than needed. When I got a netbook that uses Win 7, I didn't want to have a program for Win 7, then one for XP on my desktop.

I've also tried Password Safe which I liked too. Works in both XP and Win 7.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 04-15-2011, 12:30 PM   #8
Thinks s/he gets paid by the post
 
Join Date: Jul 2010
Location: Chicago
Posts: 1,001
If you're really concerned, most financial institutions still support telephone services to check your accounts, make trades, etc. If you use an old fashioned wired land line, this will prevent anyone from picking up any information. Don't use a wireless unencrypted phone when calling.
__________________
Dimsumkid is offline   Reply With Quote
Old 04-16-2011, 01:03 AM   #9
Recycles dryer sheets
 
Join Date: Feb 2011
Posts: 200
I avoid logging into my bank or brokerage accounts over wifi when traveling unless it's vital. It can wait until I get home and on a land line. That's why Morningstar service is handy - you can see your balances but you can't give away an important password where funds can be transferred!
__________________
PaddyMac is offline   Reply With Quote
Old 04-16-2011, 07:12 AM   #10
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
There are no guarantees, unfortunately. For online accounts, you have a long list of potential failure points. It begins at your keyboard, and ends somewhere in the institution. You've mentioned two items out of thousands.
I'm not sure that reducing the number of institutions helps lessen the probability of loss. Unless you picked up on something specific. Let's say an account rep provided your spouse with a piece of information not to be provided. That might suggest their internal controls, training and procedures were lacking.
As for the security on one PC at your home, that is an approach. It would be wired (NOT wireless), physically isolated, have installed protection of various kinds, and so on. Still, it could be stolen!
I work in a secure area and we have closed spaces. I have heightened awareness, but am realistic. Rather than using a password program, I store all information in an encrypted area of my hard drive (TrueCrypt). Initially, I did this to protect my contact database, which contains information on hundreds of accounts and passwords. If stolen, someone will have to guess the 13 character master password. I also store tax information, etc. in that space.
As for keyloggers, that is a category of software, and no longer includes just apps that record key presses. A keylogger can operate in many ways. These programs can access your clipboard, capture the contents of what you paste or type into fields, or even capture a portion of the screen where you've typed in some information.
__________________
target2019 is offline   Reply With Quote
Old 04-16-2011, 12:45 PM   #11
Recycles dryer sheets
 
Join Date: Sep 2009
Posts: 62
Well I don't want to scare anybody, but this malware is getting very dangerous, very fast. I work as a software engineer for a subsidiary of a MAJOR defense contractor and use their supplied (encrypted) laptop. In February that laptop was breached and a keylogger installed on it (a large number of laptops where targetted at the company, not just mine). It was immediately replaced (the original sent in to the corporate CERT group for forensic analysis) and then we added RSA devices to harden the security even more. I was targetted again this week (as well as a few others at my company) and another keylogger was identified by network monitoring as coming from my laptop. Since I was travelling, I also immediately called my financial institution and put a freeze on my accounts. I don't think I did any personal business on that laptop, but wasn't 100% sure.

I'm still evaluating what I will do going forward. I have upped the security on my personal machine, ran multiple virus/malware scans (all clean) and reviewed all the firewall settings on the home router, but I have not unfrozen my accounts yet. I have never had any problems on my personal machines, and these attacks have all been against my employers network, but I don't have a comfortable feeling any more.
__________________
SomedaySoon is offline   Reply With Quote
Old 04-16-2011, 02:04 PM   #12
Thinks s/he gets paid by the post
 
Join Date: Jun 2010
Location: France
Posts: 1,195
Do any of these major malware worries run on anything other than Windows ? I thought Windows Seven was going to be super secure and put an end to them for ever ?
__________________
Age 56, retired July 1, 2012; DW is 60 and working for 2 more years. Current portfolio is 2000K split 50 stocks/20 bonds/30 cash. Renting house, no debts.
BigNick is offline   Reply With Quote
Old 04-16-2011, 02:21 PM   #13
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
Quote:
Originally Posted by SomedaySoon View Post
Well I don't want to scare anybody, but this malware is getting very dangerous, very fast. I work as a software engineer for a subsidiary of a MAJOR defense contractor and use their supplied (encrypted) laptop. In February that laptop was breached and a keylogger installed on it (a large number of laptops where targetted at the company, not just mine). It was immediately replaced (the original sent in to the corporate CERT group for forensic analysis) and then we added RSA devices to harden the security even more. I was targetted again this week (as well as a few others at my company) and another keylogger was identified by network monitoring as coming from my laptop. Since I was travelling, I also immediately called my financial institution and put a freeze on my accounts. I don't think I did any personal business on that laptop, but wasn't 100% sure.
Curious as to what identified the keylogger on your machine.
__________________
target2019 is offline   Reply With Quote
Old 04-16-2011, 03:19 PM   #14
Moderator
MBAustin's Avatar
 
Join Date: Jul 2010
Posts: 4,150
Take a look at Passpack as a password manager, it is free for personal use with a decent # of passwords.
__________________
"One of the funny things about the stock market is that every time one person buys, another sells, and both think they are astute." William Feather
----------------------------------
ER'd Oct. 2010 at 53. Life is good.
MBAustin is offline   Reply With Quote
Old 04-16-2011, 03:52 PM   #15
Confused about dryer sheets
 
Join Date: Dec 2010
Posts: 1
Quote:
Originally Posted by SomedaySoon View Post
...then we added RSA devices to harden the security even more.
If your financial institution offers key fobs, they are one of the best security mechanisms. An attacker must know not only your username and password (usually), but also physically possess the fob to access your account(s).
__________________
krm1312 is offline   Reply With Quote
Old 04-16-2011, 04:34 PM   #16
Thinks s/he gets paid by the post
GregLee's Avatar
 
Join Date: Oct 2010
Location: Waimanalo, HI
Posts: 1,881
I'm not convinced that computer system security for home or small scale users, like me, is worth worrying about, beyond a few obvious things when you set a system up. I administered at work from 1 to 4 Unix systems for over 20 years, never giving the problem much time or attention, and had only one real problem --- some sort of rootkit, I guess, that I couldn't get rid of without reloading the operating system. Even then, no users were inconvenienced, or even noticed a problem.

On my home systems -- 2 computers (one Linux and one Microsoft) and other things on a wifi network with weak security -- I've never had a problem. When setting up the systems, I told them, yes, do automatically install security updates to the operating systems and any programs using the network (e.g., Firefox). But that's not something I have to attend to now --- it just happens.

Firefox (and Thunderbird, and other browsers/email managers) incorporates a password manager. It's not necessary to have another. I did, for a while, use the Lastpass addon password manager, for Firefox, which was occasionally more convenient, but it started to make me uneasy having all my passwords stored elsewhere, so I went back to using just the Firefox manager, with all passwords stored only on my own system.

I think most time spent obsessing over system security is time wasted.
__________________
Greg (retired in 2010 at age 68, state pension)
GregLee is offline   Reply With Quote
Old 04-16-2011, 09:13 PM   #17
Recycles dryer sheets
 
Join Date: Sep 2009
Posts: 62
Quote:
Curious as to what identified the keylogger on your machine
.

I don't know. I was just contacted by the company's network security that they were monitoring the system and multiple machines were sending packets to a foriegn IP. They isolated these machines and had them turned in. They were not able to "cleanse" the machines and they were then wiped clean.
__________________
SomedaySoon is offline   Reply With Quote
Old 04-16-2011, 09:22 PM   #18
Recycles dryer sheets
 
Join Date: Sep 2009
Posts: 62
Quote:
If your financial institution offers key fobs, they are one of the best security mechanisms. An attacker must know not only your username and password (usually), but also physically possess the fob to access your account(s).
I'm not sure if it is general knowledge, but the RSA encryption was recently hacked and most companies are responding with additional mechanisms for security on top of the RSA device.

RSA's Secure IDs Hacked - What to Do - NYTimes.com

Look, I'm not saying that the sky is falling. I would just suggest that people ask their financial institutions what additional security mechanisms are available to them and then to utilize them. This is not something I am personally going to just ignore. The only accounts I've locked down are my "big" ones. I still do online banking and check my credit card balances online.
__________________
SomedaySoon is offline   Reply With Quote
Old 04-17-2011, 07:59 AM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
There is no such thing as a completely secure computer... unless it is turned off.

After that... there are layers of security and hopefully those layers (technology and practices) guard against the bad guys. Technology.... firewalls, antivirus, etc. Practices... keeping the system patched, using secure accounts, etc.

One issue that is often overlooked by home users is to have administrative privileges on the account they use for general work (surfing, etc). In some cases this can allow the attacker to install software and update certain system areas.

A better practice is to use a limited privilege account (or guest access privileges). Those accounts do not allow the user to install software (or attackers that try to take control during their logged in session). Of course, the user cannot install software themselves so they would need to log in the an admin level account for computer maintenance tasks. This is a hassle, but IMO a worthwhile trade-off of convenience for security.

This practice is not fool proof but it can foil certain types of attacks. There are other ways attackers can compromise a computer that is in use with a limited privilege account... because scripts or exes can still be downloaded and run directly that might be able to take advantage of a weakness in the computer to install malware or perform tasks while the session is running.
__________________
chinaco is offline   Reply With Quote
Old 04-17-2011, 08:04 AM   #20
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
Here is an article ('Tricked' RSA Worker Opened Backdoor to APT Attack) with more 'techy" stuff in it. Stay out of those Junk folders!!!
Quote:
A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog.
__________________

__________________
target2019 is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
New Toy Safety concerns: calmloki Other topics 2 11-15-2007 06:35 PM
Thoughts concerns for ex military. newguy88 Other topics 5 07-01-2007 07:25 PM
FIRE Health Insurance Concerns mikex Health and Early Retirement 14 05-26-2007 04:39 PM
Weak Dollar - Any Concerns F-One FIRE and Money 30 04-25-2007 02:25 PM
After you are gone ! Any concerns ? frayne Life after FIRE 32 12-16-2005 10:12 PM

 

 
All times are GMT -6. The time now is 07:32 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.