It's been 13 years but I'm back! Now how to protect our IRAs?

just_hatched

Hi! I joined the forum in 2005 and last posted in 2008, wow.

Anyway, our IRAs (DW and me) have grown at Vanguard in index funds
since then (thank you lengthy bull market) and now after my own
identity theft scare recently where someone fraudulently ported my
phone number (I finally got it back after 3 weeks), I'm starting to
wonder about cybersecurity and asset protection and all that jazz.

I wasn't able to find a post that discussed this (which is surprising, so
maybe something is wrong with my search) but has anyone been discussing
best practices for this kind of thing?

For example, here is an article from 2011 about this topic:
https://www.cbsnews.com/news/how-to-protect-your-retirement-savings-from-identity-theft-and-internet-fraud/

Thanks! I hope everyone is doing well!
-just_hatched
 
VG makes me type in a code they send by text or email if I log in from a new IP address, as someone who has hacked me is likely to do. Or you could set up for 2-Factor Authentication every time, where you'd have to do the same no matter where you logged in from.

I also try to log into my VG and other accounts at least once a week and look for any unrecognized transactions.

Don't use articles from 9 years ago on how to keep up with internet fraud. Tech has changed way too much since then.
 
When someone fraudulently ports your number, they get 2-factor codes allowing them to change your password, etc.
It's VERY scary as everyone's security depends upon a store clerk earning minimum wage only porting when proper.

I'm amazed with OP that they were not cleaned out in the 3 weeks it took to get the number back.

I wish all financial institutions would use some type of key fob/RSA device. I don't want the phone as the device, because if someone ports your number, they can download all the backups to their device, so they then have all the security measures.
 
When someone fraudulently ports your number, they get 2-factor codes allowing them to change your password, etc.
It's VERY scary as everyone's security depends upon a store clerk earning minimum wage only porting when proper.

I'm amazed with OP that they were not cleaned out in the 3 weeks it took to get the number back.

I wish all financial institutions would use some type of key fob/RSA device. I don't want the phone as the device, because if someone ports your number, they can download all the backups to their device, so they then have all the security measures.
Yeah, good point. First thing I'd do if my phone # got ported would be to remove it from all accounts, starting with financials. That would force it to go to email. Likewise, if email got hacked I'd switch it to another email account I have.
 
wb!

I think in your shoes I'd get a new number. You can get them from google very easily, and map that to any accounts, and toss the compromised one.
 
Based on a friend's advice, I have very strong passwords on my email accounts. Logic being that if someone has access to my email account they can impersonate me, get a 2F code, etc.

I lost my cell phone the other day, and the first thing I thought of was my Vanguard accounts. I emailed fraud@vanguard.com (that's the proper email, but get it from Vanguard's website not me) with my concern and they were very helpful. They replied within an hour that no fraud had taken place and told me how to proceed regarding accessing my account again.

I also changed my email passwords and the passwords to a few of my most important accounts. I also disconnected my Google account from my cell phone. A day later I got a replacement phone and SIM card and ported my cell number via chat with my cell carrier. Fortunately I think I'm in the clear.

I monitor almost all my accounts daily via Quicken, and I have email alerts turned on for my credit cards for a lot of different things. 2F authentication turned on where I can. I check statements monthly too, but a fast moving criminal would be problematic for monthly checks.

Although I do both, I tend to think fast detection and remediation is a better strategy than trying to completely prevent an attack. At least for me.

Some people suggest not using strange Internet connections (like Starbucks wifi), but I don't worry about that as long as I see https.

Oh, and I don't go to weird places on the Internet and I'm mindful to make sure I never download executables or anything similar from places that are not 100% trustworthy. With some computer knowledge in my background, I think I have a better than average chance of knowing whether or not to click on a button on my browser screen.
 
B...... A day later I got a replacement phone and SIM card and ported my cell number via chat with my cell carrier. Fortunately I think I'm in the clear.

.....

That is what is scary, that someone could chat with support and get a number ported without physically standing there with various ID to prove identity.
 
That is what is scary, that someone could chat with support and get a number ported without physically standing there with various ID to prove identity.

Well, I did have to provide my passcode to my carrier before they would deal with me on my account. So there was some protection.
 
I've never heard of a phone number being "ported". From the comments I think I'm getting the drift of what it means but I'm not sure - can someone explain?
 
I've never heard of a phone number being "ported". From the comments I think I'm getting the drift of what it means but I'm not sure - can someone explain?

The normal use for a port is if you want to switch cell phone carriers - say, from AT&T to Sprint, or Sprint to T-Mobile. It used to be that if you switched carriers, you'd have to get a new phone number, which we decided was an impediment to switching and competition. So there was a law that got passed that said that cell phone carriers had to let you take your phone number with you. So if my Sprint phone number was (800) 555-1212, I could switch to T-Mobile and you could still call me at (800) 555-1212.

In my case, I stayed with the same carrier but switched the phone/SIM connected to my phone number from my lost phone/SIM to my replacement phone/SIM. So I'm using the term "port" sort of loosely.

Since a lot of 2FA codes are sent to a person's cell phone number, porting to a different phone could be helpful to a criminal.
 
Well, I did have to provide my passcode to my carrier before they would deal with me on my account. So there was some protection.

I already had a passcode with AT&T also, but when the number was ported to T-Mobile (within 48 hours), AT&T didn't tell me definitely whether the requester used the correct passcode or not. They were basically like "you must have given someone you know your passcode." But these were just frontline people because they won't connect you to any upper management to talk to. Otherwise I'd be like "play me the phone recording then."

Whoever the port requester was, AT&T and T-Mobile still haven't given me any definite details about how the port was accomplished. Did the person have the passcode? Did the person use an SSN instead? Over the phone? In-person at a store? How?
I did since change the passcode and online password on the AT&T account.
But that's why it took 3 weeks - nobody higher up at AT&T would come on the line and T-Mobile won't answer anything because I'm not their customer.
Even the local police said T-Mobile probably wouldn't tell them either.
AT&T kept saying they'd try to get the number ported back to me, but then they'd say "We need the T-Mobile account number."
(plug your ears for this part) I DON'T HAVE THE T-MOBILE ACCOUNT NUMBER! :facepalm:
 
This is a very very serious and scary problem. There is no real defense for it if you use 2FA. If someone ports your number it’s going to be a lot of work to untangle it.

I’ve heard some horror stories like the OP’s. Wish there was a better way. But as someone said, oftentimes it’s an inside job by a min wage employee who is in on it or doesn’t care and gives up your number.

Very scary stuff.
 
The normal use for a port is if you want to switch cell phone carriers - say, from AT&T to Sprint, or Sprint to T-Mobile. It used to be that if you switched carriers, you'd have to get a new phone number, which we decided was an impediment to switching and competition. So there was a law that got passed that said that cell phone carriers had to let you take your phone number with you. So if my Sprint phone number was (800) 555-1212, I could switch to T-Mobile and you could still call me at (800) 555-1212.

In my case, I stayed with the same carrier but switched the phone/SIM connected to my phone number from my lost phone/SIM to my replacement phone/SIM. So I'm using the term "port" sort of loosely.

Since a lot of 2FA codes are sent to a person's cell phone number, porting to a different phone could be helpful to a criminal.

Thank you :)
 
Yeah, good point. First thing I'd do if my phone # got ported would be to remove it from all accounts, starting with financials. That would force it to go to email. Likewise, if email got hacked I'd switch it to another email account I have.
This might be difficult if you couldn't get in because you couldn't get the 2FA. I would immediately call my financial institutions and ask them to freeze my accounts while I sort out the problem.

Porting does seem to be a big vulnerability. Of course, the bad guys also need your passwords.
 
One way of protecting yourself from porting is to set an additional PIN number/security question on the carrier website. With some carriers you can request for the porting to be executed at the physical store - where you have to show the ID before it happens.

Other things you can do: use a password manager. I cannot stress how helpful, easy (after the initial setup) and important that is. You will never re-use the same password so any potential damage will be limited. I recommend Bitwarden - open software, free (or you can pay $10/year for additional features; it goes towards development and maintenance) and very flexible.

Wherever possible use true 2FA, either physical (like YubiKey that you need to plug into your computer or phone) - that's if you're truly paranoid - or an app, like Authy (can be installed on 2 phones) or Google Authenticator. They generate random codes every 30 seconds and are much more secure than text messages. You can also use Bitwarden for that.

Lastly, consider getting a Google Voice number (free) and using that for 2FA wherever true 2FA is not available - ironically: big banks and financial institutions. GV may not always work since it's not a true mobile number - and banks don't like it - but because it's attached to your gmail it requires L/P and gmail can be secured with a true 2FA. One additional benefit of GV (besides it being free) is that it works everywhere in the world - convenient for expats. I'm using it with Chase, Schwab, Amex, PayPal and a bunch of other services without issues.
 
Tenant's advice is good, including GV being useful internationally where SMS isn't always reliable.

With SMS-based secondary authentication, besides fraudulently porting your number, thieves with enough technical capability could potentially temporarily spoof (take over) your number on the PSTN long enough to reset your account. Also, SMS is not encrypted, so again with enough technical capability they could see your SMS text's code in transit to your real phone.

SMS for 2FA is better than none, but the least good of the 2FA options.
 
Interesting and scary thread. As for carrier password, I've had the same carrier for about 20 years, auto pay account, and have no idea what that password might be!
 
One way of protecting yourself from porting is to set an additional PIN number/security question on the carrier website. With some carriers you can request for the porting to be executed at the physical store - where you have to show the ID before it happens.
+1.
My VoIP provider also has a feature to port-lock a phone number, which basically disallows any porting requests until you unlock that feature yourself.



Lastly, consider getting a Google Voice number (free) and using that for 2FA wherever true 2FA is not available - ironically: big banks and financial institutions. GV may not always work since it's not a true mobile number - and banks don't like it - but because it's attached to your gmail it requires L/P and gmail can be secured with a true 2FA. One additional benefit of GV (besides it being free) is that it works everywhere in the world - convenient for expats. I'm using it with Chase, Schwab, Amex, PayPal and a bunch of other services without issues.
Indeed, it's too bad that GV numbers are not "recognized" by all financial institutions and they insist in their stupidity of accepting only "cell numbers" from "mainstream" cell providers.
 
This thread prompted me to go to Verizon to port lock our phones only to discover that I already did.
 
The best defense against someone porting your number is to get Google Fi. If you use Google Fi as your phone service and you set up two step verification on your Google account, then no one, including you, can port or make changes to your phone number without having your Google password and your two step verification (e.g. a physical security key or security code).

https://support.google.com/fi/answer/9834243?hl=en
 