Having an investment account drained by thieves is every investor’s worst nightmare. Thankfully, there are a lot of safeguards in place to prevent that from happening. Still, you never want to read a message like the one below recently posted on the Bogleheads forum.
The entire thread is approaching 400 messages. It looks like the story ends well and the money will be returned to the account. But how could something like this happen? It appears the perpetrator knew quite a lot of information about the compromised account and even made the call from the elderly father’s former place of employment.
Retirement accounts are often our biggest assets. The average American over 60 years old has $172,000 saved in a retirement account. That’s a lot of money to suddenly go missing. Can you imagine logging into your account and seeing a $0 balance staring back at you?
The recent Equifax breach should only heighten your concern.
Every investor concerned about identity theft should take steps to protect their investment accounts. As far as I’m concerned, if my brokerage offers a security feature, I want to turn it on.
Here are a few things you could be doing to beef up security.
1) Make sure your contact information is accurate
Those annoying pop up messages constantly asking you to verify your address and phone number are ultimately for your benefit. It’s important that your financial institution has correct contact information because they’ll most likely reach out to you if there is unusual activity on your account, including something like a large withdrawal.
It’ll take you a few minutes to gather your accounts and log in to each but after that, it’s only a few seconds to make sure that your phone number and address are correct. This will ensure the financial institution keeps you in the loop when there are changes to your account. It could be the difference between catching a problem before something happens or catching a problem immediately after it happens, both of which are much better than finding out months later.
2) Use strong passwords
Logging into a financial institution with a password like “Oliver54” or “GoDodgers81” is no longer acceptable. It’s not strong enough to protect something that literally represents years of work.
There are two ways that you can move to significantly stronger passwords. The first is to use a password manager like 1Password (which I personally use). When I want to log onto an account, I use a single password to unlock 1Password and then 1Password enters the crazy complicated password for me. I’d much rather be in a position where one day I lose access to 1Password and need to work with a financial institution to reset my password than find out that somebody infiltrated my account by cracking my relatively weak password.
If you’re not willing to use a password manager, the other solution is to use a combination of four unconnected words that you can easily memorize. For example, a password of “horse-thailand-melon-tapestry” registers that it would take a computer 47 octillion years to crack. On the other hand, a human could easily remember that phrase without much trouble. If you don’t, expect that a sophisticated computer could crack your “Oliver54” password in about 2 hours.
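As an added illustration (not from the original post): the sketch below generates a four-word passphrase with a cryptographically secure random source and estimates the search space facing someone who knows the scheme, next to a name-plus-two-digits password like “Oliver54”. The sample word list, the 10,000-name pool and the guess rate are assumptions chosen for the example.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real generator should draw
# from a large published list (the EFF long list has 7,776 words).
SAMPLE_WORDS = ["horse", "thailand", "melon", "tapestry", "anchor", "violet",
                "granite", "pepper", "lantern", "orbit", "willow", "cactus"]

def make_passphrase(words, count=4, sep="-"):
    """Join `count` words picked uniformly at random with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size, count=4):
    """Entropy in bits when each word is drawn independently from the list."""
    return count * math.log2(list_size)

def pattern_bits(name_pool, digits=2):
    """Entropy of a 'Name + digits' password such as Oliver54."""
    return math.log2(name_pool * 10 ** digits)

def years_to_search(bits, guesses_per_second):
    """Average time to hit the secret: half the search space."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1_000  # assumed guesses per second; real rates vary enormously
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
    for label, bits in [
        ("4 words from a 7,776-word list", passphrase_bits(7776)),
        ("4 words from the 12-word sample", passphrase_bits(len(SAMPLE_WORDS))),
        ("name (assumed pool of 10,000) + 2 digits", pattern_bits(10_000)),
    ]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_search(bits, rate):.3g} years on average")
```

What counts is the number of equally likely choices, so four words only help when software picks them at random from a large list; words a person picks from memory come from a much smaller pool.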
Companies like 1Password put hours into developing secure methods for locking down your passwords. Letting them do the heavy lifting is an easy way to make your entire internet presence more secure. Whenever I run into someone not using a password manager, I always wonder how they keep it all in their head. 1Password is currently showing me I have over 500 accounts stored with the program. How do you keep it all in your head otherwise? Seriously, let me know in the comments.
3) Set up two-factor authentication
Two-factor authentication is based on the concept of accessing a site with “something you know” like a password and “something you have” like a phone. It’s becoming more prevalent and is offered by every major financial institution. After you sign up, when you log in to your account from a new computer you’ll be asked to input your password along with a code received via text message.
It’s important to remember that two-factor authentication doesn’t mean that every time you log into your account you’ll be faced with this double security layer. It means that every time you log into your account from a new device you’ll be asked to verify that you have both the “something you know” and the “something you have”.
This is perfect because it’s much less likely that someone is going to steal your phone and then guess your password to a financial institution than it is that someone in a remote part of the world is going to try and access your account.
4) Set up biometric verification
The latest round of security protection is using biometric information (like your voice) to verify your identity. Vanguard calls it voice verification while Fidelity calls it MyVoice. The technology is the same.
After you’ve enabled voice verification, when you place a call to Vanguard or Fidelity, rather than entering a PIN number during the security process, the computer system will ask you to repeat a phrase or will simply recognize your voice based on the steps you took in setting up the voice verification.
These extra layers of protection make it that much harder for someone to call in and make changes to your account, even if they happen to know your mother’s maiden name and the mascot of your high school.
5) More security makes life easier for you
The ironic thing about taking all these steps is you’ll likely make it easier for yourself to access your account than it was before.
If you struggle to remember PINs and passwords, a password management program makes it a breeze going forward.
If you enable TouchID authentication on your iPhone, it won’t result in an extra layer of security but suddenly you can log into most accounts with just your thumbprint.
Now that you’re cruising along with a thumbprint, suddenly it’s not as big of a problem to ditch “NinjaTurtles80” and enable a seriously strong password and two-factor authentication on your account.
Make it harder on the intruders but easy for you.
Joshua Holt is a practicing private equity M&A lawyer and the creator of Biglaw Investor. Josh couldn’t find a place where lawyers were talking about money, so he created it himself. He spends 10 minutes a month on Personal Capital keeping track of his money. He's also exploring real estate crowdfunding platforms like Fundrise which are open to both accredited and non-accredited investors.
Two thoughts on 5 Steps to Protect Your Accounts
I like to think that I go to fairly great lengths to protect my financial accounts and sensitive personal information, but I still picked up a few new ideas from your post. In particular, I found the series of four random words to be an interesting concept and one I hadn’t thought of before. In most cases your password must include a capital letter, number, and a symbol – but those things are all easy to sprinkle into that four word combo. Definitely something I’ll put to use in the future as I generate new passwords or update old ones.
I used to forget my password to my 401K account so frequently that the customer service rep (I spoke to the same guy several times, and he remembered me) knew to expect my call every 3 months. I haven’t had to call once since I started using a password keeper. It’s made keeping track of everything much easier.