How do you safeguard your accounts?

I have a lot of passwords for various web sites like newspapers, Facebook and forums. I have reformed and they all have unique passwords now but I just let the browser remember them.
Bolded by me, I wonder how safe that is (?)
 
I have no idea what this even means.
I believe that the poster means that a person has an account, but has never set up online access. If this is the case, it's much easier for some external party to gain access to your account if they know your personal information, as they can register new online access with your personal info and their new password. Then the hacker can set up alerts to go to their email or phone, and set up their own MFA; they can move $ out of the account in a few days or weeks, without you even knowing it, and can turn off paper (mail) statements. Perfect storm. I agree with others...setting up text and email alerts is the best way to go, as you'll have instant notification of anything happening with the account.
 
I did a couple of threads that talked about using separate email accounts for financial accounts and whether to use a separate financial computer.

https://www.early-retirement.org/forums/f54/how-many-email-addresses-to-use-104265.html

https://www.early-retirement.org/forums/f54/financial-chromebook-104300.html

You might find those threads helpful as they discuss many of those issues.

In addition to what is in there, one thing that I do is that I usually log into my financial accounts on any business day. If someone has logged into my account and has a transaction pending then I will see it.

On the trade offs of different levels of protection see post number 40 by me in my Financial Chromebook thread where I discuss the possible protections.

Kats, did you actually buy the Chromebook? As of 7/11 you had not gotten one. I'm thinking about canceling my landline and will lose my 25 YO email address and might as well think about account security now. Start from scratch with a dedicated email and Chromebook. On the fence right now.
 
Start from scratch with a dedicated email and Chromebook. On the fence right now.
I have gone back and forth on the issue of using a separate dedicated email for financial accounts only, there are pros and cons. I even set up a separate email and started using it for my financial accounts for a while but ultimately I decided that the cons outweighed the pros, especially since my Gmail account is enrolled in the advanced protection program...it is next to impossible for anyone to get access to my email account, even if they know my password.

Here are the disadvantages that caused me to stop using a separate email:

1) You may not check the private email as often as you check your primary email so there may be a delay in receiving important notifications regarding your financial accounts. For example, if you only check the private email at home, and you are away from home for a period of time, i.e. on vacation, you may miss important notifications while you are away and it's possible your account could be compromised without your knowledge. Yes, I am aware that you can forward the secondary email to your primary email, or with Gmail you can set up your secondary email to be accessed by your primary email, but ultimately that defeats almost all of the purpose behind maintaining a separate email in the first place because anyone with access to your primary email will see all of the emails sent to your secondary "private" email.

2) You will have to keep track of another email account and remember another password, including maintaining various account and security settings for multiple accounts. I find that to be a pain.

If you are concerned about account security and you also want the convenience of one email address, I recommend getting a Gmail account, enrolling it in the Advanced Protection Program and using that email as your email for everything. Your email will have the highest level of security from hacking that is available to consumers today. Just remember that security and convenience are mortal enemies and you will lose some convenience in the name of security.
 
I believe that the poster means that a person has an account, but has never set up online access. If this is the case, it's much easier for some external party to gain access to your account if they know your personal information, as they can register new online access with your personal info and their new password. Then the hacker can set up alerts to go to their email or phone, and set up their own MFA; they can move $ out of the account in a few days or weeks, without you even knowing it, and can turn off paper (mail) statements. Perfect storm. I agree with others...setting up text and email alerts is the best way to go, as you'll have instant notification of anything happening with the account.
IIRC something like 90% of breaches are achieved by phishing attacks where a user is tricked into revealing his user ID and password. If one does not have an online account, then that trick is impossible. I think that phishing is probably a higher risk than the complicated sort of attack that you describe here. Nobody knows, of course.

The thing to remember is that none of the various tricks and levels of protection described in this thread have been proven statistically to work. No one knows whether they have been attacked a statistically significant number of times and the attacks have failed. That would be a valid test. All most of us can say is that with whatever scheme we are using, we have never been hacked. Someone who chose to carry a rabbit's foot and used his mother's maiden name for all passwords might well be able to say the same thing.
 
The thing to remember is that none of the various tricks and levels of protection described in this thread have been proven statistically to work.
That's not true. Google's Advanced Protection Program has been proven statistically to work. Google has stated that since the program began in 2017 no user who signed up for the program has been phished, even if repeatedly targeted...

Over the past three years, this enhanced security feature has prevented hackers from gaining access to any APP-protected Google accounts.

This has made APP a must-enable feature for Google users who are regularly the targets of advanced phishing attempts, like those carried out by state-sponsored hackers.

In a blog post today detailing Google's actions against state-sponsored operations, Toni Gidwani, a Security Engineering Manager for Google's elite hacker-hunting unit -- the Threat Analysis Group (TAG) -- said the APP has been extremely successful at stopping these advanced phishing attempts and the subsequent account compromises.


https://www.zdnet.com/article/google-says-no-app-users-have-been-phished-to-date/

https://blog.google/threat-analysis...government-backed-hacking-and-disinformation/

Also, the effectiveness of basic account hygiene has been studied and some practices have been shown to be effective against account hijacking.

https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
 
That's not true. Google's Advanced Protection Program has been proven statistically to work. Google has stated that since the program began in 2017 no user who signed up for the program has been phished, even if repeatedly targeted...
Thanks. I'll research that a bit. But it's just limited to protecting Google accounts?
 
Yes, the Google Advanced Protection Program is limited to Google accounts. Note that when the program started in 2017 it was not available to all Google accounts, but they have since opened up the program to anyone with a Google account.
 
With so much identity theft going on and many hackers roaming the Internet, I am wondering how folks safeguard their retirement accounts. Do you change your passwd frequently, do you not change your passwd to avoid getting noticed (by hackers)? Do you make use of 2 step ID (using your phone and/or token ID)? Do you change your login user IDs from time to time? Anyone can move a large sum of $ with a few clicks, and if your $ is not moved by you, that is a big concern. Also, what if the bank computer got wiped out overnight, do they have backup info to restore everyone's account balances (the answer better be yes, but do we know for sure?).
I am not sure if this thread belongs here. Please move as appropriate. I am basically looking for best, proven practice.

Fidelity Money Transfer Lockdown.
While activated, even I can't get to my money while logged into my account. Can only unlock with 2FA with text alerts and emails sent immediately every time it's done.

If you have a managed account they also offer complimentary enrollment in IDnotify, Experian's identity protection service including $2M to $5M of identity theft insurance, depending on the value of your account. They will notify you of any unauthorized access to your bank accounts, credit cards, phone numbers, email addresses, SS #, drivers license, passport, etc.
 
I use 2-step ID on all of my accounts. I also check them often.

Same here, I have two factor (one-time use text message codes) for all accounts that have it. I also try to use the app if they have one, instead of logging in via my laptop's browser. In any case, with two factor, I'm less concerned than before, but still check my accounts frequently.
 
Ditto

Last year I bought a basic computer used by DW and I only for credit union and Fidelity. No other browsing allowed on this stand alone computer. Accessed from home router. Separate email account.

I get text messages for any transfer greater than $1,000 from either.
Quarterly transfers from FIDO to CU account for checking and savings.
2FA for FIDO. I should also do the FIDO lockdown between transfers.
Check the accounts on my iPhone using Face ID. Probably a bad habit.
No password manager. Anyone remember Kaspersky?

I also use a dedicated laptop that only goes to my two banks. Don't check the weather, email, news or anything with this computer. With data loggers any virus can steal your password. I don't change my password as the odds of changing it after it has been stolen but before it is used is low. I don't worry about someone specifically targeting me and brute forcing my password. My password has nothing to do with me whatsoever.

There was a time when your password was key to your safety. I just don't believe thieves are targeting individuals anymore. It is big companies that lose huge amounts of data to these thieves and that is who they are targeting. So I feel very comfortable on my end but not so much from the institutions I deal with. I called up my main bank 6 years ago thinking about just doing telephone banking and ending my online account. They assured me that I am covered against fraud and pointed to some lines in my agreement. I don't think this covers me for real but I couldn't give up the convenience of online banking.
 
Zander Insurance ID Theft

Like another poster upthread, one of the things I do is have a lot of alerts set up on all of my credit cards. I may get lots of emails, but they're cheap to receive and delete, and if anything untoward happens I'm more likely to notice.

I note with interest that nobody on this thread has mentioned identity theft protection services. (I don't use LifeLock either.) Not sure if people don't think it's worth the money, or don't think it actually provides much real protection, or some other reason. But notable by its absence regardless of the reason(s).
https://www.zanderins.com/identity-theft-protection
I use the ID Theft protection from Zander Insurance. It is the only one I've found that will actually replace stolen funds up to $1M! and costs less than most at $6.75 a month. It also does more than monitor - they provide experts to do all the legwork to restore your identity if it is stolen, which can be hundreds of hours, especially for a novice non-professional. My employer provides another ID theft coverage at no cost but I still subscribe to Zander for the $1M stolen funds protection.
 
A lot of good ideas here, and I do everything that JustCurious posted in the beginning of this post, but here are some more:
A credit freeze at all 3 is crucial.
A VPN is probably one of the most important things when accessing your financial accounts. I use ExpressVPN, it's insanely simple to set up and costs about a hundred bucks a year IIRC.
My son who works in the IT industry recently told me about Google Authenticator, which is free and is more secure than two step authentication. I just started using it and it seems to work pretty well. BTW I used two step authentication every time I went to a financial institution; yes, it's a pain, but the security is worth it.
Definitely make sure you set up alerts at all your financial institutions, I do both email and text, since the cellular signal at my home can be spotty sometimes...even though it's a little bit of a pain I would rather be notified immediately.
I use a simple rule to create passwords for my non-financial accounts and store them on my computer. But for my financial accounts the passwords are completely nonsensical, and are only stored in a secret place in my house. But bear in mind that does not protect you from malicious software with a keylogger or other scams like phishing. But if someone hacks my password list they will have a hard time figuring out my password rule, since I use hints only I would know: first three letters of my first dog plus the year that Ed was born (my great grandfather).
For PayPal, I set up a separate non-linked checking account at my bank, which only carries a low balance.
Use a credit card for payment whenever possible. Credit cards have the highest level of fraud protection, and in most cases you will pay zero.
Get those little envelopes for your credit cards that block RFID signals. My business partner had his credit card hacked while just walking through an airport a few years ago.
A separate computer that you only use for accessing financial institutions is a great idea. But if you are retiring an older computer that is going to be dedicated to this, make sure it stays up to date with all security patches.
 
^ If you eBank on your home network, how does a VPN help? I guess you could have a compromised system on your home network, but even then, they'd just be able to sniff the IP, but not the content. And if the bad guy was in your computer itself, the game is lost.

As mentioned, I think many of these theoretical attacks will remain theoretical because hackers have more effective ways to make illicit money.
 
Correct, a VPN is mainly to provide security over insecure networks, it does nothing to secure a computer. I set up a VPN through my home router that I only use when I'm on public wifi, such as a library, coffee shop, or hotel.

Not that I go any of those places now....:'(
 
Well, all home networks, especially if you use wifi, are essentially "insecure networks". Public networks and cellular networks too. So a VPN won't "secure" your computer itself or protect you from downloading malware. So if you download software that has a virus embedded, a VPN won't protect you.

But if you're logging on to your bank, it's another layer of security...essentially an encrypted connection between a secure server (like your bank) and your computer/network. It's like a private tunnel over the internet, and makes it much harder for hackers to get your data. Nothing is foolproof, heck even the US Government gets hacked, but it's another layer, and a very important one.
Google it!
 
I like to test the security of my accounts by pretending to be a hacker. I visit Hawaii every year to go surfing so I bring my notebook and try to access my accounts in Hawaii.

Most financial institutions will recognize that someone is trying to access my accounts using a computer that their server does not recognize. They would send an authentication code to my cell phone. Just about all my banks (Wells Fargo, Chase, Bank of America, etc) and my retirement investments (Vanguard, E*trade, etc) have this protection. Your cell phone is a security protection layer. If you lose your cell phone, then you have a security issue so you would need to contact all your financial institutions.

I did find out that two credit card companies did not have this protection so I canceled those two accounts as being less secure. The two credit card companies actually allowed access in Hawaii without sending me an authentication code to my cell phone. I suggest people find out which of their financial institutions do not send the authentication code the next time they are on vacation.

I also have a unique username and a unique password for each account to make each account different from the others. I had to write the user names and passwords down in a college text book near my desk (never on my PC) but this inconvenience is necessary for my additional protection. I also NEVER use part of my email address as a user name. Hackers use an email address as a person's username. All of the user names on my accounts are unique and not related to anything else.

Most bank computers have backup systems but my extra protection is my monthly paper statements in the mail. For my additional protection, I prefer paper statements and not electronic statements.
 
WiFi with guest access turned off and a strong password is not insecure.
There are other settings to examine in the router, of course. Like assign a strong password for the default admin access.
 
2FA with text is too easy to intercept and redirect. I recommend using an app like Authy or Symantec. They generate one-time 30 second codes that must be entered.

In order to hack, thieves would have to authenticate into both the physical gadget, the app, and know basic login and pw.

Unique tokens and dongles are the older way of doing this.
 
WiFi with guest access turned off and a strong password is not insecure.
There are other settings to examine in the router, of course. Like assign a strong password for the default admin access.

+1
Even guest access on my router can be as secure as the regular access, as long as I use a long random password for network access.

I do use a VPN on my computer and phone when away from home to access email, bank (rare), etc..

The cost of a good VPN can be very little if you don't use it a lot, I only use mine for travel.
 
  • Use of long random passwords, 16 to 20 characters
  • These are generated by password safe apps like LastPass, KeePass, and others
  • You never type the password, you only copy/paste it, or the app fills it in for you
  • You need to remember one strong password to get into your password safe, which should be some sort of long nonsensical phrase that you can remember, with a few non-letter characters thrown in. It's critical - never forget this password and never write it down.
  • Use Two-Factor Authentication when available.
  • I also use the concept of an account firewall. My large accounts “know about” my “firewall” account, but it doesn’t “know about” them. I can transfer money in and out of the big accounts only through this account. It typically only has a few grand in it at any one time, but it’s a pass-thru to other accounts as needed.
I feel pretty safe with these practices; hope it helps.
 
I am probably dense but not understanding the firewall account idea. Can you explain that in more detail? It sounds like a novel idea so I want to understand it. :)
 