Attempted Fraud at Fidelity

[luckydude]

Heard this rather alarming story from a friend yesterday:

She has a retirement account at Fidelity. Yesterday she got a call from Fidelity informing her that someone called with a request to liquidate her retirement account and wire the proceeds to a bank account. The caller was able to provide my friend’s SSN, address and birth date to Fidelity, and apparently the only reason Fidelity suspected fraud was because the individual was a male, whereas my friend is female.

My friend was naturally quite alarmed. She obtained the account number that the fraudster provided and tracked it to a bank. It turned out that the bank account was under a different individual’s name with a different SSN, and not hers, and yet aside from the gender mis-match, it appears that Fidelity was quite ready to wire the proceeds to any account number that the fraudster provided.

Subsequently my friend filed a police report, put a 90-day credit watch through Equifax, and requested Fidelity put a restriction on her account such that any redemption request must be made in person through a Fidelity branch.

I have a retirement account at Fidelity so I decided to call Fidelity and find out what verifications they perform for redemption requests. It turns out that other than SSN, address and birth date information, Fidelity really doesn’t do any other verification, which is more than a little disconcerting to me. So if a fraudster has someone’s SSN, address and birth date, he/she could conceivable just call up Fidelity and ask that an account be liquidated.

In this day and age where identify theft is rampant, it seems to me that Fidelity should at least have another layer of verification, such as a set of security questions. Vanguard for example has a set of security questions as an additional layer of verification, which is required for both web and phone access.

Your thoughts?

 

[Fishingmn]

Kinda scary.

My hope is that if Fidelity had approved it that they would have covered the loss. Kind of like a bogus credit card charge that you are not liable for.

 

[gauss]

I am under the understanding, but if anyone can confirm this I would appreciate it, that if Fidelity looses your money due to fraud, that they will be on the hook for it.

-gauss

 

[Senator]

I just did a larger wire transfer from Fidelity. I could not do it online, I had to call in. Also fill out some paperwork. It went to a mortgage with my name, and I thought quite a bit of hoops, which I appreciated.

You would think even Fidelity would be pressing changes. Typically, wires go overseas, and there is little anyone can do.

 

[clifp]

I have a verbal password on my Schwab account, which the reps ask for everytime I talk to them.

I did have to ask them for an additional layer of security.

I'm pretty cavalier about the rest of my online identity (except for routinely lying about my birth year.) But since Schwab has the bulk of my money I take it pretty seriously.

 

[eta2020]

I have a verbal password on my Schwab account, which the reps ask for everytime I talk to them.

I did have to ask them for an additional layer of security.

I'm pretty cavalier about the rest of my online identity (except for routinely lying about my birth year.) But since Schwab has the bulk of my money I take it pretty seriously.

Additionally you can get RSA secureid key which one needs to use in addition to password when login online.

I would not open account without RSA key and I know Fidelity will not give you one while Schwab will.

 

[marko]

Additionally you can get RSA secureid key which one needs to use in addition to password when login online.

I would not open account without RSA key and I know Fidelity will not give you one while Schwab will.

T R Price just introduced RSA keys. Its also a good idea to have your accounts (checking, savings, portfolio) set up with email notification on any notable transactions, so if something changes, you usually know within a few seconds.

 

[eta2020]

Plus if one has substantial amount of money I would maintain 2 brokerage accounts.

In a event of fraud I am quite certain one would get reimbursed but you may loose access to your money for few months before things get resolved.

It is like Asset Protection. Get it before you need it and most likely you will never need it.

 

[frayne]

I have a FIDO account with email verification/confirmation for any activity. In the past when I have been rebalancing I have gotten a call from Fidelity just to make sure it was me doing the changes.

 

[John Galt III]

Fidelity reminds me every so often that they want my email address. So far I have not given them one, since it seems like one more point of vulnerability for hackers to exploit.

 

[audreyh1]

For a normal withdrawal, transfer, liquidation, etc., Fidelity requires the receiving bank account to have the same name. And they spend some time verifying this too, which is why adding a linked account online usually takes 10 business days.

For a wire transfer (not a liquidation) to another entity you have to fax in a form and they at least compare to your signature on file.

 

[audreyh1]

Fidelity reminds me every so often that they want my email address. So far I have not given them one, since it seems like one more point of vulnerability for hackers to exploit.

That's how Fidelity notifies me of all activity right away. I think it makes me less vulnerable.

 

[MRG]

That's how Fidelity notifies me of all activity right away. I think it makes me less vulnerable.

+1
Any check I write to Fidelity or from them I get emails. Anything that changes. Yes the transfer agent would be liable. A better question how did someone aquire the needed information?

Sent from my SAMSUNG-SGH-I337 using Early Retirement Forum mobile app

 

[Corporateburnout]

+1 I get notified of every transaction with Fido via email.

Sent from my XT1058 using Early Retirement Forum mobile app

 

[Bestwifeever]

...I have a retirement account at Fidelity so I decided to call Fidelity and find out what verifications they perform for redemption requests. It turns out that other than SSN, address and birth date information, Fidelity really doesn’t do any other verification, which is more than a little disconcerting to me. So if a fraudster has someone’s SSN, address and birth date, he/she could conceivable just call up Fidelity and ask that an account be liquidated....

Did you close your account?

 

[prudent_one]

I'm shocked that the bank told your friend anything about the name and SSN (even if simply confirming it wasn't hers) of the other account.

 

[eytonxav]

For a normal withdrawal, transfer, liquidation, etc., Fidelity requires the receiving bank account to have the same name. And they spend some time verifying this too, which is why adding a linked account online usually takes 10 business days.

For a wire transfer (not a liquidation) to another entity you have to fax in a form and they at least compare to your signature on file.

Agree, something doesn't sound quite right about what OP's friend told him.

 

[MooreBonds]

+1
Any check I write to Fidelity or from them I get emails. Anything that changes. Yes the transfer agent would be liable. A better question how did someone aquire the needed information?

Just a copy of a driver's license will do (some states still automatically use your SSN as your default driver's license number) will do. It has your name, address, birthdate, and SSN! (and if you moved, it should be fairly easy with whitepages.com to find your possible new address, or even look it up on a real estate assessor's website for your county).

Sometimes people ask for your DL to verify age, or make a copy of it for their 'files'. Heck, even if you're standing in line at the TSA checkpoint with your DL between your fingers, a quick thinking thief could discreetly write down your SSN if it's visible and your name and state, and that alone could narrow down your address.

I'm shocked that the bank told your friend anything about the name and SSN (even if simply confirming it wasn't hers) of the other account.

+1.

 

[RunningBum]

Sometimes people ask for your DL to verify age, or make a copy of it for their 'files'. Heck, even if you're standing in line at the TSA checkpoint with your DL between your fingers, a quick thinking thief could discreetly write down your SSN if it's visible and your name and state, and that alone could narrow down your address.

I don't think I've ever been in a state where my SSN is on my license. My address is though. If the SSN was on there, a quick photo would be the way for someone to get it, because afterward they'd have more time to read zoom in on the photo and read the data.

Edit: I googled DL images and see that Missouri does put the SSN on. That's pretty stupid. Really stupid, because not only are you exposing it every time you check in at an airport, or at a bar (if you're somewhat young) or other places where ID is asked for, if you lose your wallet or it is stolen your identify is also at very serious risk.

I didn't check every state, but the 15 or so I did first didn't have it.

 

[audreyh1]

Agree, something doesn't sound quite right about what OP's friend told him.

I also don't see how the friend got the target bank account number.

 

[audreyh1]

I have a retirement account at Fidelity so I decided to call Fidelity and find out what verifications they perform for redemption requests. It turns out that other than SSN, address and birth date information, Fidelity really doesn’t do any other verification, which is more than a little disconcerting to me. So if a fraudster has someone’s SSN, address and birth date, he/she could conceivable just call up Fidelity and ask that an account be liquidated.

Your thoughts?

You would have to set up a bank account with the name, address, birthdate, and SSN before you called Fidelity for the transfer. So it's not quite as simple as just calling Fidelity and asking for a transfer. Not that an organized crime person could not set up such an account by forging a bunch of documents. But Joe Blow fraudster wouldn't be able to do that so easily.

 

[MRG]

I don't think I've ever been in a state where my SSN is on my license. My address is though. If the SSN was on there, a quick photo would be the way for someone to get it, because afterward they'd have more time to read zoom in on the photo and read the data.

Edit: I googled DL images and see that Missouri does put the SSN on. That's pretty stupid. Really stupid, because not only are you exposing it every time you check in at an airport, or at a bar (if you're somewhat young) or other places where ID is asked for, if you lose your wallet or it is stolen your identify is also at very serious risk.

I didn't check every state, but the 15 or so I did first didn't have it.

MO. offers a non-SSN number and suggests you do that. Been availble since last century. IIRC.

Sent from my SAMSUNG-SGH-I337 using Early Retirement Forum mobile app

 

[MooreBonds]

I don't think I've ever been in a state where my SSN is on my license. My address is though. If the SSN was on there, a quick photo would be the way for someone to get it, because afterward they'd have more time to read zoom in on the photo and read the data.

Edit: I googled DL images and see that Missouri does put the SSN on. That's pretty stupid. Really stupid, because not only are you exposing it every time you check in at an airport, or at a bar (if you're somewhat young) or other places where ID is asked for, if you lose your wallet or it is stolen your identify is also at very serious risk.

In MO, you have the option (which I use) to have a separate Driver's License number in lieu of SSN.

I didn't check every state, but the 15 or so I did first didn't have it.

From Social Security History

Use of the SSN in State drivers license systems is already authorized by Federal law, and 29 States currently use the SSN as the drivers license number or show it on the license. The 1996 immigration reform provision on improved identification-related documents requires the SSN to be included on State drivers licenses by the year 2000. Thus, the drivers license and Social Security card can both be used to verify the SSN.

 

[luckydude]

Did you close your account?

I did not because it's a 401(k) account with my current employer. But since I will FIRE early next year, I plan to roll the account into Vanguard.

I just didn't get the warm and fuzzy from the rep I talked to. Aside from verifying SSN, address and birth date, the rep told me that "we would become suspicious if, for example, we heard paper shuffling on the background as if someone is looking up the information." That's just not what I wanted to hear as a method of fraud detection.

 

[GrayHare]

An easy fix: either scratch out or put a sticker over the SSN.