Fidelity Account Hacked

2FA doesn’t protect you when the thieves also know how to port your mobile number. And I know that, now that I am retired, I can sometimes go quite a while without an actual phone call on my mobile.
Sadly nothing is 100%, but I do believe that spreading out assets to different custodians and keeping paper statements for my major accounts protects me a bit.
 

That is why I don’t like text messages for 2FA, and prefer an authentication app. Vanguard don’t offer an app for 2FA but do offer landline spoken message, which may well be similarly vulnerable but at least it is not my mobile phone number.
 
I understand nothing is 100% bulletproof. To defeat text 2FA the thief would have to guess my PIN at my mobile carrier to gain access to my mobile number and port it over... that PIN I have committed to memory.
 
Probably. But not necessarily. Because mobile phone support is high touch with agents, there's been a lot of "inside jobs" for the SIM swaps. Also, some of those systems were done poorly and could be reset via cheap and easy questions ("What is your dog's name") which had socially engineered answers.

You should definitely turn on extra PIN support at your carrier if they offer it. And hopefully, it can't be reset with stupid questions.
 

The SIM card fraud doesn’t rely on knowing the PIN; there are other methods such as “social engineering”, where they dupe the phone company customer service rep.
 
dupe or are paid off!
 

Either. I listened to a podcast last year where they played back the recorded conversation of a successful SIM swap. The lady making the call was very convincing, pretending to be calling from an airport and sounding suitably stressed, adding pressure on the rep since she couldn’t remember the answers to the security questions.

The guy being robbed only took a couple of hours to realise he had no signal and contact the phone company. £2,000 or £3,000 was taken from his account. The bank refunded his money and the report didn’t say whether the bank sued the phone company. The phone company said it was retraining its staff.
 
Either. I listened to a podcast last year where they played back the recorded conversation of a successful SIM swap.
These are really good to listen to. I also suggest watching the first few episodes of the show "Mr. Robot." If you can stand the R-rated content, it really dives into social engineering methods in a very authentic way. For example, asking to borrow a phone for just a second due to an emergency, and then sucking up that number for future social engineering uses. Just one of many little methods Elliot used.
 
Funny this whole 2FA thing comes up. So out of the blue, I just got a random text from Google saying "Here is your verification code."

Don't know why. But I just went through and changed all my Google passwords.
 
So no real answers as to how the IRA account was set up. The Fraud department rep said it was set up online and confirmed again it was not done internally at Fidelity. I think it was tied to the IRAs I set up earlier in 2019 and an IT glitch reactivated it and changed the date to the end of December. Or it was done internally at Fidelity.

In the past week I ran credit reports, checked all credit card accounts and all accounts at other financial agencies. Nothing seems suspicious or strange. I also had new credit and debit cards issued to be on the safe side. All my user IDs and passwords have been changed twice. Ran virus scans, malware scans and rootkit scans. In the future I will be using VIP Access when signing into Fidelity. In the meantime Fidelity is changing all our account numbers.

Now I will need to spend the day cleaning up my Quicken account.
 
Maybe you could engage one of the reputable investigative journalists -- perhaps one who operates at a national level -- to look into this further.

If Fidelity is either unable or unwilling to disclose how it happened, a 60 Minutes camera crew on their doorstep may motivate them to take this case more seriously.

In my view, this would give added weight to this, such as when a lawsuit is moved from an individual to class-action status.

Fidelity won't care if one person leaves the firm due to unsatisfactory answers, but exposure on a national level may get their attention.

I realize that your immediate problems have likely been solved, but you seem to have documentation that could force change, which others of us who are concerned about this would not have.

-gauss
 

Nobody asked you for this verification code? I had a similar email when someone was replying to stuff I had on Facebook Marketplace. He said it was to confirm my identity. It is actually used to setup a false Google Voice account with no true traceability by the other person.
 
Nobody asked. It was out of the blue. It is possible there was an email follow up that Google detected as malicious and deleted.

Another possibility is someone mistyped a phone number. I got no further requests, spam, etc.

BTW, I set up Google voice just a few months ago and the verification code there says: "0123456 is your Google Voice verification code. Don't share it with anyone else..."

The code I got out of the blue was: "G-0123456 is your Google verification code." Period. I have received these since, after I went through and changed all my security information, but I knew they were coming from me.
 
A bit of an overreaction, no?
 
Overreaction? IMHO not really. I'm beginning to question the quality of answers I'm getting everywhere.
 
Hmmmm ... methinks Fidelity to dive deeper.

There is a trail ...
 
From what I've read, the facial recognition algorithm is constantly updating itself. So if you change to different glasses, add/subtract facial hair, get a new scar, etc., it may fail once or twice but then after you've entered your PIN it will learn your new appearance and work as normal. Based on my own experience, that does seem to be the case, and it's pretty darn good at it.

So that means that you do NOT have 2 independent security features. Anyone with the PIN can just add facial hair & glasses etc. until it adapts to their face. Might have to find someone with similar features, but if the phone does not lock out after several fails -- hey hey, the gang's all here.
 
If the person has the PIN they already can completely bypass facial recognition which is only there as a convenience, not an independent security feature.
 
You only get one try at facial recognition. If it fails you are required to enter the PIN. So no, you don't get to keep adding glasses and makeup and hair and whatnot. One try.
 
One level of protection that I believe I have has also been annoying to me at times, and it is not inexpensive, but it is another layer. I have a financial advisor on my accounts. (FLAT RATE, not AUM rip-off, but let's not hijack this thread about that.)
Nothing can be done with my funds at Fidelity without the financial advisor approving it. So the thief would have to know my advisor, contact him, and get his OK (all via secure encrypted emails to my personal email account or my voice on my phone). I do not believe he would OK anything from a new phone or new email address without lots of confirmation.

(Also he gives good advice and portfolio management and access to DFA funds.)
 
I have worried about this for years, and I am not sure how many of you are following this, but there is an active case in the northern California Federal courts about a 401k that was emptied, apparently due to error by the service providers. The poor lady called them 28 times or so after she started to see the funds disappear in 3 different transactions. After the service provider completed their investigation, the response was basically: "Yeah, we didn't recover any of the money and we are not going to reimburse you. Was there anything else I could assist you with today?" The victim has linked up with an employee benefits law firm and they have filed suit.

Here is a link to a media article describing the event.
-gauss

One interesting line from the article:

401k accounts are particularly vulnerable to fraud, because they are typically not accounts that account holders interact with frequently, according to Teresa Renaker, an attorney who is representing Ms. Berman in her case against Estée Lauder and Alight. “You don’t check your 401k every day or even every month,” she noted. Plans are only required to mail statements every quarter. “Indeed, participants are generally advised to leave their 401k accounts alone,” Renaker said.
I feel it strange to not check my account frequently. Even though I have alerts set up at all of the various institutions, I am still looking at the accounts almost every day. Only on my own wireless network of course - NEVER on a public wifi network.

This also raises a concern to me about using "account aggregators" like PersonalCapital, or even Quicken, which use your account login credentials to access your account balances. I am seeing too much risk in doing that. I am more comfortable with entering changes manually.
 

I log in daily to my accounts -- well every business day except in rare instances. I do have Quicken and I thought long and hard about using it to update. In the end I did it, but I did not save my Vault password to the computer. I manually type it in each time I update.
 
Another reason I like my managed accounts. I can't get my own money so I don't think the hackers will either.

I have to talk to a real person and they do the sales and transfers.

I have 2 managed accounts at Fidelity. And yes, I think it would be pretty hard for anyone to get at those. I have 4 other non-managed accounts with them. 3 of them are on "Lockdown", an optional feature available in their Security Center.
 

I'm not seeing how this reduces your risk. If your FA is sloppy with his data security, then a hacker can get the credentials needed to get into your Fido accounts (just as if you were sloppy). And you've got an additional node where an "insider" can get access to your info (your FA's office).

And with another entity having access to your account, if there are any unexplained transfers/withdrawals, figuring out who is to blame could get a little more difficult.

Maybe it's normal, but I wouldn't want a setup where I couldn't call Fidelity and get access to my accounts.
 
I have a feeling that the Alight Financial case will turn out to be something other than a foreign hacker with stolen credentials. The article says:

The suit does not mention the exact mechanism by which the fraudulent transfers happened. It is unclear whether the criminals responsible for it were relatives of the plan holder, insiders at the firm managing the 401k, cyber criminals acting from afar – or none of the above.

With 401k plans, it's harder for people to move to another custodian, but there are probably people who are using Alight by choice. I'd be the first one to leave if it turns out they let "cyber criminals acting from afar" get away with it, or more precisely, leave the account owner holding the bag.
 