Cyber protection

Finally

Hi all. Long time lurker and a new member. I am Finally getting close to later than planned retirement. Didn’t give the notice yet (probably next month), but not really hiding my plans.

I have a few questions for this forum that hopefully will alleviate my anxiety.

Financially we should be fine, most likely over saved. Liability protection seems OK - about 70% of assets in 401Ks plus umbrella insurance. The only thing that keeps bothering me is cyber fraud. I realize that anything can be hacked. Possibility of losing the assets keeps me awake at night. I use 2FA for my accounts, check my balances twice a week – once on a company laptop with VPN (probably will use my own VPN after leaving w**k) and second time on my Chromebook. But still feel uneasy.

So, the questions are

1. Am I too paranoid?
2. If not, what is your advice?

I am thinking of
a) Cyber insurance for fund reimbursement – a minimum amount we can live on.
b) SPIA for the same minimum amount until we reach 70 and then SS should be enough to survive.

The insurance seems like a simpler, more flexible and fairly inexpensive option. But SPIA is real monthly cash, although even SPIA can be technically “canceled and get stolen”.

Please share your thoughts and any practical recommendations regarding particular products, companies etc.
 
Are you saying you're considering buying an SPIA for the sole reason that you're worried your investment account(s) will be emptied by hackers?
 
If your broker or bank offers it, use some 2FA that does not depend on your phone.

Text messages are the worst.

Google Authenticator would be next best, but I read an article saying that malware on your phone can access some sort of secret key storage and defeat things like Google Authenticator.

If you can use a physical device like Yubikey, that would probably be the best.

You should also make sure that your passwords are truly random and long enough to prevent brute force attacks. 12 alpha-numeric characters would be good, better if using upper and lower case and special characters. To be random, though, you should use dice or some sort of good password generator.

I read an article that said even a 12 character alpha-numeric only lower case would cost over a billion dollars of AWS time to crack using brute force if it were truly random.

You should also consider a dedicated computer for financial activities.
 
You should also consider a dedicated computer for financial activities.

+1

Set up a home PC that you use for the sole purpose of logging into your accounts only. Don't use that PC for anything else---no surfing the net, no downloading/installing apps, no playing games, no streaming, etc.

Set up an e-mail that is dedicated to your financial accounts only. Don't use or give out that e-mail address to anyone else.

For 2FA, set it up such that it's a call to your landline. No text messaging.

Don't EVER use your phone to access your accounts (no matter how tempting).

Do all these, and you should be pretty bullet proof.
 
OP - I would not purchase a SPIA simply due to the fear of cyber hack.

I would practice good techniques, like UNIQUE long complex passwords for each site, and unique usernames.
It would also be good to have separate emails for each institution, but not everyone can do this.

It's best (IMHO) to use a password manager as it makes it easy.

You don't have to have all your investments at 1 place. You could split your IRAs (and other accounts) across more than 1 brokerage (some will pay you to open an account there too). This way not all your eggs are in 1 basket.
 
Just yesterday I watched a Schwab webcast on cyber security. Interesting thing they said was smart phones, iPhone or Android, are safer than laptop or desktop computers.
They strongly encouraged password managers, changing passwords every ninety days, and using fingerprint or facial recognition for logging in. VPN is good, but prevents them from recognizing your device, so they may call to verify or send a code.
Make sure you keep your antivirus software up to date.
Never share codes sent to you and they will never ask.
Use a broker or bank that guarantees reimbursement for unauthorized transactions. He emphasized unauthorized though, so I assume if you authorize a transaction and find later it was to a scammer, it’s on you.
They talked a lot about phishing techniques and to only use phone numbers you know are legitimate and hover over a url to see where a link really takes you. Best to use your own bookmarks or type in the url if you’re not sure. If you do click on a link, check the url in your browser’s address bar to make sure it’s correct. A “1” may be used to replace an “l” or similar tricks.
The time you don’t want to use your cell phone for finance is on a public WiFi.
Hope this helps.
 
Thank you for the responses and good tips. Judging from the responses, the answer to my question #1 is a resounding YES.
I try to practice good cyber hygiene. In the past I used only dedicated Chromebook for my 3 brokerage accounts. I use the same e-mail address, but only dedicated to them. I always login as a guest and type URL. Quicken, spreadsheets etc. are on another PC. After 2FAs (phone apps) were activated for all 3 brokerages, my concern shifted toward Wi-Fi security. Like I mentioned before, anything can be hacked. So, I started to use my company laptop with a commercial grade VPN while WFH. Since I will lose it soon anyway, I am thinking to use a reputable VPN on my dedicated machine. And use some additional measures recommended here.
As for phones vs. computers use, I believe it’s more about a network than the nodes.
Regarding SPIA, it gives comfort to know that a paycheck is coming. In case not just cyber issues, but any unforeseeable events. But most likely I will drop that idea.
And regarding cyber insurance – any experience/thoughts?
 
"Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity." is my ultimate defense. Check with your broker to see what guarantee you have; probably it will be similar. I really do not worry about this.

For additional security, as @joesxm3 said, you may be able to get a physical authentication key. This is a keychain gadget from which you get a number to provide for validation. I used to have one when I was treasurer of our flying club and DW used to have one as a megabank SVP. I don't recall either of us having any problems with them.

Re hard to guess passwords, yes/can't hurt, but exhaustive password attacks are not very cost-effective for the bad guys compared to just blasting out a million phishing emails and waiting for victims to check in.

I never perform any financial activities on my phone or on the tablet that I carry when we travel. No web bookmarks. No apps. Nothing that could get hacked if the device was lost or stolen. It is a mystery to me why so many people want to fiddle with their money often enough that they need phone access to their accounts.
 
Thank you for the responses and good tips. Judging from the responses, the answer to my question #1 is a resounding YES.
I try to practice good cyber hygiene. In the past I used only dedicated Chromebook for my 3 brokerage accounts. I use the same e-mail address, but only dedicated to them. I always login as a guest and type URL. Quicken, spreadsheets etc. are on another PC. After 2FAs (phone apps) were activated for all 3 brokerages, my concern shifted toward Wi-Fi security. Like I mentioned before, anything can be hacked. So, I started to use my company laptop with a commercial grade VPN while WFH. Since I will lose it soon anyway, I am thinking to use a reputable VPN on my dedicated machine. And use some additional measures recommended here.
As for phones vs. computers use, I believe it’s more about a network than the nodes.
Regarding SPIA, it gives comfort to know that a paycheck is coming. In case not just cyber issues, but any unforeseeable events. But most likely I will drop that idea.
And regarding cyber insurance – any experience/thoughts?

This sounds like you are opening a remote office for the NSA. :LOL:
 
... As for phones vs. computers use, I believe it’s more about a network than the nodes. ...
True, as long as you have physical possession of all the nodes. Phones and tablets, though, are lost and stolen all the time. Their threat environment is much more dangerous, for example, than the threat environment of your home desktop.
 
T..... I always login as a guest and type URL. ...

OP - You sound very careful, the only issue I can see is you type the URL?

Typing a URL is (IMHO) unsafe, as everyone makes typos; much safer to have the login site bookmarked, or in the password manager.

Scammers set up hundreds of websites that are spelling mistakes of good sites, waiting to trap a typo event.

I was going to give an example using the misspelling of a bank. So I fired up a virtual machine and did it, but realized the misspelled site redirected to another site, which tried to install/download something. I reverted my VM to be safe.
I won't post the misspelling as it's not safe for anyone to go there.
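
An added example, not part of any post in this thread: a small check that compares the host a URL really points at with a list of bookmarked hosts and flags near-misses, covering both the "1" for "l" substitution mentioned in the webcast summary and the typo-trap sites described above. The hostnames are constructed placeholders and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the user's own bookmarks
# (reserved .test names, not real institutions).
BOOKMARKED = {"login.examplebank.test", "www.examplebroker.test"}

# Fold characters that are commonly swapped for look-alikes.
CONFUSABLE = str.maketrans("10", "lo")


def skeleton(host):
    """Canonical form in which '1'/'l', '0'/'o' and 'rn'/'m' compare equal."""
    return host.translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url):
    """Return (verdict, bookmarked_host) for the host a URL really points at."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)
    if host in BOOKMARKED:
        return ("bookmarked", host)
    for good in sorted(BOOKMARKED):
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for url in ("https://login.examplebank.test/signin",
                "https://login.examp1ebank.test/signin",   # '1' for 'l'
                "https://www.exampelbroker.test/",         # swapped letters
                "https://www.example.org/"):
        print(url, "->", classify(url))
```

Anything other than "bookmarked" means the address is not one of the saved login pages; "lookalike" names the bookmarked host it resembles.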
 
Great responses.
My taxable/Roth accounts brokerage should reimburse for lost funds, I have to check my 401K.
Agree with typing URL, I am trying to be extra careful, but may reconsider it in the future. Typing URL as a guest is generally the most secure option, unless it’s mistyped.
As for network security, if a home router is compromised then dedicated machine/hardwire/credentials wouldn’t matter. VPN may help, I guess.

And ExFlyBoy5, we know where you live. :LOL:
 
..
Agree with typing URL, I am trying to be extra careful, but may reconsider it in the future. Typing URL as a guest is generally the most secure option, unless it’s mistyped.
...

I am not understanding what exactly is: "Typing URL as a guest". Not sure what is meant by guest.

I save bookmarks to my browser so I can click on them and go there by selecting the bookmark. Example https://www.nsa.gov/ :cool:

If that is not possible because for example you are using a live CD to run an OS, then at least consider creating a text file listing the URLs you want to use. This way you can simply copy and paste, or depending upon OS, right click and open in a browser.
 
And ExFlyBoy5, we know where you live. :LOL:

Oh, I know. My best bud is a super secret squirrel for them. I have been interviewed a couple of times by them when his security clearance came up for renewal and travel with him and his DW quite often. :D
 
I use a Chromebook, in “guest” mode you don’t need to login with your Google account. Thus, no history, bookmarks etc. Kinda super “incognito” mode.
 
I use a Chromebook, in “guest” mode you don’t need to login with your Google account. Thus, no history, bookmarks etc. Kinda super “incognito” mode.

Oh yes, Incognito. Never mind that Alphabet is involved in a number of lawsuits about the lack of true privacy using Incognito mode. Plenty of filings out there if you would like to research. :rolleyes:
 