My Mom just had her phone number and email account stolen

Fidelity allows authenticator apps and Wells Fargo offers a hardware key of some kind, but what I understood from talking to customer service is that the option to sign in using their existing 2FA systems (text or call to your phone) is not removed. Hmmm

From what I can tell with Fidelity that isn’t the way it works.

I logged in with ID and PW and was taken to the authenticator screen. There is no option to use another method.

I went back and tried the "don't remember ID and PW" option. It then asked for name, DOB and last 4 of SSN. If you get that right it takes you to the "enter authenticator code from app" screen. Again there is no visible option to use anything else. If you put in the wrong code it says wrong code. If you click cancel you are taken back to the log in screen.

I tried Schwab. At the authenticator screen there IS a place to click "use a different method". The choices there are the authenticator or to call Schwab on the phone. With Schwab you can set up a specific 4-digit code for phone calls.

With the "don't remember ID" option you are prompted for name, DOB and zip code. Then you are taken to the authenticator but you can choose another method. This time it does say text or call. If text, you must enter the phone number. If correct, a text is sent and you enter it. Then you must answer a security question that presumably you had set up. Hopefully one does that with a nonsensical answer.
 
But will they claim it's your fault if you "give away" the password to someone by being scammed?

Or if the person just changes the password, by cloning the phone or getting email access, how do you prove you didn't authorize it (an impossible task).
I believe these situations void any protections.
 
I went back and tried the "don't remember ID and PW" option. It then asked for name, DOB and last 4 of SSN. If you get that right it takes you to the "enter authenticator code from app" screen. Again there is no visible option to use anything else. If you put in the wrong code it says wrong code. If you click cancel you are taken back to the log in screen.
So someone who gains access to my phone and/or authenticator app could access my Fidelity account without using the ID and PW if they know my name, DOB and last 4 of SSN (which is basically public knowledge nowadays)?

Is there at least an email sent to confirm what the ID is and to reset the PW that was supposedly forgotten? I would hope this happens to alert me that someone signed in to my account without using the ID and PW.
 
Is there any reason to be concerned about Vanguard's password free login? I open the website on my laptop, scan the QR code and respond to the phone message with a finger print and I'm in. It seems too easy to be secure :)
 
So someone who gains access to my phone and/or authenticator app could access my Fidelity account without using the ID and PW if they know my name, DOB and last 4 of SSN (which is basically public knowledge nowadays)?
Yes. You should have your screen locked. Your authenticator app should have its own security. And if you are only using the "standard" 2-factor codes you should enable whatever protection your cell carrier offers against scammers stealing your phone number remotely via SIM swapping or port-out fraud.
Is there at least an email sent to confirm what the ID is and to reset the PW that was supposedly forgotten? I would hope this happens to alert me that someone signed in to my account without using the ID and PW.
They send text and email alerts (unless you turn those off) when your contact information is changed or your password is reset. After the fact, not before.
 
Is there any reason to be concerned about Vanguard's password free login? I open the website on my laptop, scan the QR code and respond to the phone message with a finger print and I'm in. It seems too easy to be secure :)
I don't know how hard it is to spoof a fingerprint; I found these articles online:


According to the second article, a scammer would have to target you in person, unless your fingerprint is stored somewhere that is then compromised. So if Vanguard is the only entity that has your fingerprint it might be decent for now.

P.S. - biometrics for screen unlocking is a very bad idea, IMHO, bullies on both sides of the law can use your body parts against your will to unlock your phone.
 
I don't know how hard it is to spoof a fingerprint; I found these articles online:


According to the second article, a scammer would have to target you in person, unless your fingerprint is stored somewhere that is then compromised. So if Vanguard is the only entity that has your fingerprint it might be decent for now.

P.S. - biometrics for screen unlocking is a very bad idea, IMHO, bullies on both sides of the law can use your body parts against your will to unlock your phone.
I heard about the bullies, so I have a code for the screen lock but fingerprint for the apps. I don't think Vanguard has my fingerprint, but my phone does.
 
From what I can tell with Fidelity that isn’t the way it works.

I logged in with ID and PW and was taken to the authenticator screen. There is no option to use another method.

I went back and tried the "don't remember ID and PW" option. It then asked for name, DOB and last 4 of SSN. If you get that right it takes you to the "enter authenticator code from app" screen. Again there is no visible option to use anything else. If you put in the wrong code it says wrong code. If you click cancel you are taken back to the log in screen.
[snip]
Thanks for this info! If you don't mind my asking:

Are you happy with your authenticator app? Which one did you choose? Was the setup adequately explained, including the safeguards/recovery protocols?
 
Thanks for this info! If you don't mind my asking:

Are you happy with your authenticator app? Which one did you choose? Was the setup adequately explained, including the safeguards/recovery protocols?

I use Authy. It's worked fine for me. I have a couple of dozen 2FAs on it between me, my wife and my parents.

A few years ago when I selected it the app was highly recommended. Since then it is less recommended compared to others, for some reasons I'm not sure I fully understand.
 
I've just learned that the screen-unlock security you have on your phone can be bypassed by someone who gains control over your physical phone. All they have to do is perform a factory reset of the phone, which can be done at start-up without entering any codes. The data on the phone is lost (including your screen lock), but the phone will still work for calls and texts.

Another vulnerability of 2FA by text or call.

How this works on Android phones:
 
In a matter of minutes, my Mom just had her phone number and email account stolen. By the time I woke up, had some coffee, tried to call my mom, it was all too late. Thankfully, I changed their large financial accounts to another email address six years ago. The hackers tried to break into that, but failed. By then we were able to freeze them. They have started to open credit cards, and who knows what else. Probably buying an island and a boat.

Four calls to AOL and they refuse to lock her account.

:cool:
The second fraudsters take over a phone, especially, you have to contact every bank, financial institution, credit card, property tax in your county, and tell AOL you are abandoning them and start a Gmail acct for your mom. You are on it! Sorry for the loss of time, but it looks like, thank God, there was no loss of assets! You're a good son or daughter!!
 
Be careful not to download QR codes. When fraudsters manipulate them you are giving them access to take over your phone. This happened to my sister after she bought a new Epson printer and then read in the instructions to go to their website and download the QR code so the printer could sync with her computer. At the Epson www site the QR code was hacked, yep you heard me correctly. Epson wasn't aware! And her phone was immediately taken over. Everything. They went into her Fidelity acct but she had locked down all accts for no transfers out so they couldn't withdraw any money. And Fidelity sent her emails and texts that she got on her computer alerting her. She called them and they resolved the fraud, transferred all funds to new acct numbers and told her to take her computer and phone to a tech place to scrub them of the fraudulent links. When she did so the fraud experts told her to throw away her computer and phone as the fraud was so sophisticated and they could not guarantee that they scrubbed it all! What a fiasco. So when you go into restaurants that have no menus do not scan those QR codes on the table. Tell the server you need a menu! Or one recited to you! GLTA
 
I've just learned that the screen-unlock security you have on your phone can be bypassed by someone who gains control over your physical phone. All they have to do is perform a factory reset of the phone, which can be done at start-up without entering any codes. The data on the phone is lost (including your screen lock), but the phone will still work for calls and texts.

Another vulnerability of 2FA by text or call.

How this works on Android phones:
That is why everyone should have an Apple iPhone! Problem solved.
 
Additional info on passkeys - I'm still figuring this out and I don't want to be my own IT person.
I used a search term "explain passkey vs password".

Consumer Reports: Passkeys or Passwords

PCMag Still using passwords?
2FA vs Passkey

The PCMag "Still using passwords?" article also mentioned some other nefarious ways to be aware of.

I'm sorry to hear about your mom's experience.

For some reason, this NYTimes article did not offer a gift link, but maybe they think it is important enough to make public. It's about passkeys:


Let me know if you hit a paywall, and I will see if I can find the gift link.
 
Please verify my answer, but you have to know the passcode or facial recognition to get into the phone before a reset.
 
Be careful not to download QR codes. When fraudsters manipulate them you are giving them access to take over your phone. This happened to my sister after she bought a new Epson printer and then read in the instructions to go to their website and download the QR code so the printer could sync with her computer. At the Epson www site the QR code was hacked, yep you heard me correctly. Epson wasn't aware! And her phone was immediately taken over. Everything. They went into her Fidelity acct but she had locked down all accts for no transfers out so they couldn't withdraw any money. And Fidelity sent her emails and texts that she got on her computer alerting her. She called them and they resolved the fraud, transferred all funds to new acct numbers and told her to take her computer and phone to a tech place to scrub them of the fraudulent links. When she did so the fraud experts told her to throw away her computer and phone as the fraud was so sophisticated and they could not guarantee that they scrubbed it all! What a fiasco. So when you go into restaurants that have no menus do not scan those QR codes on the table. Tell the server you need a menu! Or one recited to you! GLTA
QR codes are a hacker's gift.

In the "old" days a person would have to say "go to: www site", but now a hacker puts a QR sticker over a real one and sends people to dangerous sites.

I've read stories where a hacker makes a fake parking site, and then puts QR codes on the parking meter.
 
I've just learned that the screen-unlock security you have on your phone can be bypassed by someone who gains control over your physical phone. All they have to do is perform a factory reset of the phone, which can be done at start-up without entering any codes. The data on the phone is lost (including your screen lock), but the phone will still work for calls and texts.

Another vulnerability of 2FA by text or call.

How this works on Android phones:

Of course, couldn't the thief just take the SIM out of the phone and stick it in an unlocked phone, to get phone calls and texts immediately?
 
So sorry this happened! My name, social, birthdate and email have been all over the dark web for years, thanks to breaches in the VA, Equifax, etc., and the lack of any government response beyond public chest beating and 2-3 years of free security monitoring services. I recommend going to Equifax, TransUnion, and Experian and locking down your information, so your credit info cannot be accessed in order to open a new credit card; at a minimum put a fraud alert on them. I also have 2 email addresses: one I only use for banks and official business, and one I use for purchases and general correspondence. When online purchases require a phone number, I always use the same fake phone number in which I add 1 to my last two digits; after all, when was the last time a company ever called you?
 
Wow. This is great info. We have 7 people and all their devices on my Verizon plan. I just went in and activated Number Lock and SIM protection for each line. It was off for all of them. Yikes!
 
One of the things I think is very important -- on smart phones you can go into your phone app and toggle "silence unknown callers". I think in the latest update on iPhone iOS 26 it's not a slider anymore, it's a checkmark... at least it is on iPhone 16...

With "silence unknown callers" they will still get the call; it will go straight through to voicemail. Anyone who needs to get in touch with them will leave a voicemail; scammers will not, they will just move on to the next person. You will have to update phone numbers and enter them into known contacts every once in a while. But at this point pretty much everybody I know doesn't answer their phone anymore; they answer voicemails.
 
That is why everyone should have an Apple iPhone!

The second fraudsters take over a phone, especially, you have to contact every bank, financial institution, credit card, property tax in your county, and tell AOL you are abandoning them and start a Gmail acct for your mom. You are on it! Sorry for the loss of time, but it looks like, thank God, there was no loss of assets! You're a good son or daughter!!
Thanks, son here 🙂 I spent some time with them yesterday. They're a mess. Mom cries a lot, says she thinks she's going to have a nervous breakdown. Dad passed out yesterday for 3 or 4 minutes, but after ambulance and ER, they sent him home.
 