Fidelity Account Hacked

I use the ‘VIP ACCESS’ app from Symantec for my Fido account. It generates a code on the fly which is good for 30 secs.... It's free and Fidelity will help you link your account.

So for someone to hack...they need to know your id, passwd, then they need to have access to your phone and then knowledge of the VIP app. I think it's better than two factor authentication.. saves you from ‘SIM Swap’.


I have gone this route also. For your information, I asked what if I lost my phone and needed to get into my accounts and they said I could just call and do what I needed to do over the phone after I identified myself.
As long as someone cannot get into my phone and somehow stole my passwords I should be safe. I only do online banking on my home network.
 
...So for someone to hack...they need to know your id, passwd then they need to have access to your phone and then knowledge of VIP app.

And to unlock my phone, they would need access to my right index finger... which conjures up some gory images.
 
So for someone to hack...they need to know your id, passwd then they need to have access to your phone and then knowledge of VIP app. I think its better than two factor authentication.. saves you from ‘SIM Swap’.
Better than normal 2FA. You still need to trust the outfit providing the service, and they are a juicy target.


Also, for this and regular 2FA with the code sent by SMS, the normal thinking is "access to my phone", which is not quite true because there can be spying in place on the communications link to your phone. In the case of sending a code via SMS, it's really not very hard to spy on that communication since it's not encrypted. It's probably not common for 2FA codes to be intercepted and used, but there have been cases.
 
And to unlock my phone, they would need access to my right index finger... which conjures up some gory images.
The old Kiefer Sutherland show, 24, had a few scenes regarding this. It may require an axe or a hacksaw, depending on just how much of the part you need.

Also, for this and regular 2FA with the code sent by SMS, the normal thinking is "access to my phone", which is not quite true because there can be spying in place on the communications link to your phone. In the case of sending a code via SMS, it's really not very hard to spy on that communication since it's not encrypted. It's probably not common for 2FA codes to be intercepted and used, but there have been cases.
SIM swapping is generally easier. Jack Dorsey, Twitter CEO, was SIM swapped.

SIM swapping generally goes for high profile people, but if someone has a target on you, for some reason, you won't be immune.
 
I've been through setting up a new bank account recently with Vanguard (2016, so actually a few years ago!!) and it takes a lot of steps and a lot of time. Well after they had transferred several micro-amounts and reversed them from our new bank account and had me verify the actual amounts it still took so long that I called them up to ask what was going on. The rep told me that as well as the steps I could see, they also did more verification steps in the background before allowing me to start transferring money to and from the new established bank account.
On two separate occasions I've tried to help set up a Vanguard account for my daughter. She's a little more "casual" with monitoring/replying to messages/email than many people, and in every case she failed to jump through one hoop or another, so the account didn't get established. Next step: try to do it via paper forms à la 1985. Obviously, she's an adult and this is not technically "my" problem, but . . .
 
And to unlock my phone, they would need access to my right index finger... which conjures up some gory images.
Are you sure? I returned a firearm safe with biometric authentication. Turns out it didn't check the fingerprint, any warm skin would open the safe.
 
And to unlock my phone, they would need access to my right index finger... which conjures up some gory images.

At least it is only a finger, my phone unlocks via Face ID. :(
 
Are you sure? I returned a firearm safe with biometric authentication. Turns out it didn't check the fingerprint, any warm skin would open the safe.

Yep, no other finger works. I've tried.
 
Does it work with your eyes closed?

No, I just tried it several times. I close my eyes, tap my locked phone, and after a few seconds open my eyes. The first thing I see is the lock screen with the prompt for the PIN, then the PIN fills in automatically and the phone unlocks.

This was also my experience when on holiday last year and had sunglasses on. It works with my regular glasses on.
 
No, I just tried it several times. I close my eyes, tap my locked phone, and after a few seconds open my eyes. The first thing I see is the lock screen with the prompt for the PIN, then the PIN fills in automatically and the phone unlocks.

This was also my experience when on holiday last year and had sunglasses on. It works with my regular glasses on.

From what I've read, the facial recognition algorithm is constantly updating itself. So if you change to different glasses, add/subtract facial hair, get a new scar, etc., it may fail once or twice but then after you've entered your PIN it will learn your new appearance and work as normal. Based on my own experience, that does seem to be the case, and it's pretty darn good at it.
 
From what I've read, the facial recognition algorithm is constantly updating itself. So if you change to different glasses, add/subtract facial hair, get a new scar, etc., it may fail once or twice but then after you've entered your PIN it will learn your new appearance and work as normal. Based on my own experience, that does seem to be the case, and it's pretty darn good at it.

I think you are right. I changed my glasses a few months ago, the new ones being quite different in appearance to the old ones.
 
I've done it with my hair up, my hair down, glasses on, glasses off, curlers in my hair (which I figured was a no go, but I was wrong) and it always recognizes me. Tried it with my eyes closed or eyes looking away from the phone and it did not recognize me. I think it's just something to do with the eyes.
 
Analyzing over 30,000 points in the blink of an eye is a most impressive achievement.

The technology that enables Face ID is some of the most advanced hardware and software that we’ve ever created. The TrueDepth camera captures accurate face data by projecting and analyzing over 30,000 invisible dots to create a depth map of your face and also captures an infrared image of your face. A portion of the neural engine of the A11, A12 Bionic, A12X Bionic, and A13 Bionic chip — protected within the Secure Enclave — transforms the depth map and infrared image into a mathematical representation and compares that representation to the enrolled facial data.

Face ID automatically adapts to changes in your appearance, such as wearing cosmetic makeup or growing facial hair. If there is a more significant change in your appearance, like shaving a full beard, Face ID confirms your identity by using your passcode before it updates your face data. Face ID is designed to work with hats, scarves, glasses, contact lenses, and many sunglasses. Furthermore, it's designed to work indoors, outdoors, and even in total darkness.

https://support.apple.com/en-us/HT208108
 
Over the summer my son-in-law complained his brother picked up his new iPhone, it did a face scan and let him in. There is a resemblance but they are not twins.
 
I have started to seriously think about spreading our assets out over 10 different financial institutions. My concern is if one of the accounts were to be hacked and the worst-case scenario unfolds, i.e. all the funds were lost and we were not made whole by the institution.

I have worried about this for years, and I am not sure how many of you are following this, but there is an active case in the northern California Federal courts about a 401k that was emptied, apparently due to error by the service providers. The poor lady called them 28 times or so after she started to see the funds disappear in 3 different transactions. After the service provider completed their investigation, the response was basically - "yeah - we didn't recover any of the money and we are not going to reimburse you. Was there anything else I could assist you with today?". The victim has linked up with an employee benefits law firm and they have filed suit.

Here is a link to a media article describing the event.

I was able to find the court filing online for free and plan to follow this case.

Oh - I almost forgot to mention - DW's 401k at her former Megacorp (not Estee Lauder), but rather somewhere you would find many engineers employed is using the same pair of service providers for DW's 401k that services Estee Lauder.

For those of you who want to reply "yeah - but, my firm gives me a guarantee to be made whole": have you run the legal document defining the guarantee by a trained lawyer in these matters to see how many escape clauses they have built in in case they don't want to pay you?

10 different firms, as long as they are uncorrelated, should be enough to avoid any threats to ER lifestyle for us due to this type of fraud. YMMV.

I want to be able to sleep again at night when I hear about a hack or data spill -- similar to the feeling when I first setup a credit security freeze ~ 15 years ago or so.

-gauss
 
Gauss,
We’re on the same page. I keep worrying about this but everyone says it doesn’t happen. Thanks for the link.

Not sure it will take ten separate accounts, but I think some brokerage diversification is warranted. I’ve even wondered if there’s a local bank or credit union that would take some of my money and not let it be distributed unless a person physically presents themselves.
 
This thread made me finally get the 2FA with Symantec from Fido. I had to have a brief conversation with a rep, and asked him at the end how many of their customers used 2FA, knowing he probably wouldn't know. He didn't, but for what it's worth he guessed it was a very low percentage. I felt better about having only now done it. I'm sort of surprised they don't require it. Assuming there's some liability there, I'd think they would.
 
Gauss, I really don't know what the best solution is. Having my assets in 10 different firms makes my chances of someone getting into one of them 10x greater, right? I do realize that not all would be lost though.

Some tough decisions for sure.
 
The cyber heist Gauss linked in post #69 is shocking to me, but the custodian was Alight Solutions LLC (or something like that). Hopefully anyone that feels the need to spread their stash over 10 firms will stick with Fido, VG, Schwab, and similar firms. There are a zillion neverheardofthembefore outfits running 401k money along with various other employee benefit services. Stay away from them.
 
This is why I do a few things:
1. I won’t go all e-statements on all accounts. Getting snail mail statements forces me to review them, more so than an email notification.

2. I won’t put all my investments with one custodian. I refuse to have all my money locked up while they investigate fraud. It also diversifies risk.
 
I have been using the "Money Transfer Lockdown" feature from Fidelity for a little while now. You need 2FA to disable it....I use a text message code. For me it seems like a very secure feature which is easy to use.
 