Jump to content

Recommended Posts

Posted (edited)

Hi all.

 

This is an important topic which I am sure some of you have grappled with so I'm hoping for some advice.

 

I have an outlook email address and all my investing accounts are registered to it.  My email must have been in a data leak because I can see from my recent activity that someone other than me is trying to access my outlook account - there have been numerous attempts in the past few days to break into my account but they have gotten the password wrong.

 

I have two-factor authentication on, so even if they did get my password they cannot access my email without an authentication code.

 

Does anyone have any recommendations on what I should do?

 

Should I change email account?  Is outlook the best email to link your account to or are there any more secure?

 

More generally, is there anything you do to keep your investing accounts secure?


Cheers

 

 

Edited by Sweet
Posted

Two factor authentication is your best defense.  When people get hacked, the ruse usually involves calling them and saying that caller is from Broker X and you have been hacked, and that we are sending a confirmation code to make sure we are speaking to the right person, and when they read it back, the scammer gets past the authentication.  But that's a human failure, not a tech failure. 

 

I don't do this (YET) but I heard an FBI guy say that you should false information on your social media (or multiple social media accounts with different information) so that when AI scrapes your profiles and tries to guess your password, or get past your security questions, using stuff you provided like birthdays, kid names, etc., it will have a lot of noise.  

 

If your brokerage allows longer passwords, try a pass phrase that is easy to remember but hard to guess.  "WhatWouldBuffettDo$2d@y"

Posted (edited)

I’ve seen it suggested to create an alternative email that is just for your investment accounts, dont put it on anything else. I dont know if that will help or not but it cant hurt. I’m also generally careful about logging in on unknown networks, although it can be tricky if you want to make a trade outside of home or office. 

 

I try to lock down everything that I can as much as I can, I had some card fraud a year or so ago, enough for them to offer me credit tracking/reporting for free, and frozen at the big three, so all my accounts are max protected that they can be that way, I dont care if they want multiple things and it takes me an extra second to log in, all credit reports are locked down so nothing can be opened, outside of limited unknown network usage and trusting the brokerage safeties in place, I dont know what else is possible to make it more secure, I’m looking forward to hearing what others have to offer 

Edited by Blugolds
  • Sweet changed the title to Advice for keeping online investing account secure
Posted

@Sweet

 

Once you change your password and passed your current concern, going forward use only your cellphone to log in with the new email, I think your banking account would be linked to your physical device, which checks you are who you say you are every time you log in. 
 

Also why is your email linked as a log in to your banking account. Your card number should be. Even if the person has your email, they need your card number to know your log in info, let alone the password and passkeys. 

Posted

I’ve had a similar issue in the past and have been using the proton suite of services including vpn pass for logins etc and email.. was a bit of a pain switching and changing password accounts etc but much more secure 

Posted

Thanks @Saluki I’m using two factor authentication so I have that layer of added protection.  They have to either get a code sent to my phone or use an Authenticator app.

 

@Blugoldsyes I think I’m probably going to change my email address and the accounts linked to it.   Something long and new and only at my for my investing should reduce visibility.

 

@Xerxes it’s my investing accounts, not my banking accounts.  Even if they get into my email there would still be a few hurdles to pass before they got into my investing accounts.

 

Yes @Ulti someone recommended me protonmail.  I read that it is better for privacy but I’m not seeing it more secure from getting hacked.  Do they have two-factor authentication etc?

Posted
1 hour ago, Sweet said:

Hi all.

 

This is an important topic which I am sure some of you have grappled with so I'm hoping for some advice.

 

I have an outlook email address and all my investing accounts are registered to it.  My email must have been in a data leak because I can see from my recent activity that someone other than me is trying to access my outlook account - there have been numerous attempts in the past few days to break into my account but they have gotten the password wrong.

 

I have two-factor authentication on, so even if they did get my password they cannot access my email without an authentication code.

 

Does anyone have any recommendations on what I should do?

 

Should I change email account?  Is outlook the best email to link your account to or are there any more secure?

 

More generally, is there anything you do to keep your investing accounts secure?


Cheers

 

 

 

 

Yes change your email and all the utilities you use it for.

 

____________________________________________________________________

 

Security is just layers so you can go as far as you want...

 

What I do: 

 

Email for Billing (utilities)

Email for Banking (Credit Cards, store cards, etc.)

Email for Investing (Brokerage accounts, retirement accounts)

Email for Online Shopping

Email for Entertainment accounts (Netflix, Hulu, Spotify etc.) 

 

eg: [email protected] 

Complex passwords - Change them every 6 months (keep a hard copy offline)

two-factor authentication

 

Recovery email for the above emails (only for recovery)

two-factor on the recovery email as well

 

Other things you could do:

Freeze your credit at all of the credit agencies (unique email for this as well) 

Have a chrome book dedicated to online shopping etc. (or a VPN for your home network)(setup a guest wifi network at home for IOT devices and guests. You would be amazed at how many IOT devices connect to servers in China for no "apparent" reason) 

Google Password manager (specific to each email account)

Don't use SMS two-factor authentication if you can help it (not applicable everywhere)...use an actual authenticator like Google authenticator.

 

 

Posted

There's a trade-off between security and practical usability.  Ideally, you have a separate machine that you do important transactions on, and don't do your everyday browsing on, but it's probably not very practical. 

 

I've heard about browser attacks where browser cookies have been acquired, and 2FA bypassed that way.  Some techniques to mitigate that is to always force 2FA during login (similar to what the US TreasuryDirect does), and uncheck those "remember login/don't ask for extra verification" boxes.  That avoids saving those authenticated logins in the cookies.

 

Using a separate browser profile for the important stuff adds more task-level segregation protection as well.

Posted

They have 2 step authentication as well as 5-10 word random generated passwords as well as just plain random generated up to 40 letters /syllables …  my IT team recommend it… you can also generate numerous alias emails….i would also recommend Google authenticator as a random 2 step verification process 

Posted (edited)
  1. I use only one email for almost all of my accounts, keeps it simple. For junkier accounts, I use an old email I don’t care about.
  2. I use Bitwarden, a password manager, to save 20-character long passwords for every account I own. The passwords are full of different symbols, digits, lowercase, and uppercase.
  3. I use 2FA for the most important accounts such as Apple ID, Gmail, brokerage, bank, etc.
  4. The master password for my Bitwarden account is a 4-word random passphrase. They are still secure but easier to remember than a normal password.
  5. Credit is frozen at all three bureaus.

 

The passwords I have are probably overkill. It would take 1.8 decillion combinations to brute force one. 1.8 decillion = 1,800,000,000,000,000,000,000,000,000,000,000,000,000

Edited by Blake Hampton
Posted

Also, don't use any free or open networks...even at hotels, etc.  I always turn my phone into an encrypted hotspot and connect to my own network.  I never log-in to any open networks or even secure networks with passwords...always my secured home, office, cell hotspot. 

 

I also use two factor authentication with tough passwords and even Q&A's.  I also don't use the same password for different brokerage accounts.  Those bank passwords also don't match any of my other passwords.

 

The one thing I wish my bank and brokerages would do is install a password before any transaction is approved.  If I do a trade, there should be a separate password to execute.  If I transfer funds, there should be a password to execute.  Don't know why this isn't available.  Cheers! 

Posted
1 hour ago, Parsad said:

Also, don't use any free or open networks...even at hotels, etc.  I always turn my phone into an encrypted hotspot and connect to my own network.  I never log-in to any open networks or even secure networks with passwords...always my secured home, office, cell hotspot. 

 

I also use two factor authentication with tough passwords and even Q&A's.  I also don't use the same password for different brokerage accounts.  Those bank passwords also don't match any of my other passwords.

 

The one thing I wish my bank and brokerages would do is install a password before any transaction is approved.  If I do a trade, there should be a separate password to execute.  If I transfer funds, there should be a password to execute.  Don't know why this isn't available.  Cheers! 


I don't quite understand why you shouldn't connect to free or open networks. What exactly is the risk?

Posted

Two factor authentication

Unique strong password for each account (I use Bitwarden to manage my passwords and can monitor if a password is hacked / released on the dark web)

Have several different brokerage accounts

 

Posted
3 hours ago, Parsad said:

The one thing I wish my bank and brokerages would do is install a password before any transaction is approved.  If I do a trade, there should be a separate password to execute.  If I transfer funds, there should be a password to execute.  Don't know why this isn't available.  Cheers! 

 

This is built in to interactive brokers for transfers of funds / deposits.

Posted
3 hours ago, Blake Hampton said:


I don't quite understand why you shouldn't connect to free or open networks. What exactly is the risk?

 

Anyone can hack your phone or computer if you are using free/open networks.  Not only can they hack them...it's so easy that in today's climate, it would be crazy to use them.  Even networks that provide you a password, but are open to all those users who have that password...puts you at great risk to be hacked by those on that network.

 

I only use my phone network...even if I have to use large amounts of data.  It's secure and encrypted.  Other than that, I'll only use the wi-fi in my home office, work office or my brother's house...they are all secure, encrypted with minimum amount of outside users.  I also have the blinds closed in my office as there is a hotel/office building next to ours...hackers can both visually and remotely track your keystrokes for passwords, etc. 

 

You also have to be extremely careful with any spam emails, spam calls, etc.  The bloody hackers are always just two steps behind the security providers, and once in a while ahead of them!  Cheers!

 

 

Posted
1 hour ago, Spooky said:

 

This is built in to interactive brokers for transfers of funds / deposits.

 

Thanks!  That's good to know.  Cheers!

Posted
4 minutes ago, Parsad said:

 

Anyone can hack your phone or computer if you are using free/open networks.  Not only can they hack them...it's so easy that in today's climate, it would be crazy to use them.  Even networks that provide you a password, but are open to all those users who have that password...puts you at great risk to be hacked by those on that network.

 

I only use my phone network...even if I have to use large amounts of data.  It's secure and encrypted.  Other than that, I'll only use the wi-fi in my home office, work office or my brother's house...they are all secure, encrypted with minimum amount of outside users.  I also have the blinds closed in my office as there is a hotel/office building next to ours...hackers can both visually and remotely track your keystrokes for passwords, etc. 

 

You also have to be extremely careful with any spam emails, spam calls, etc.  The bloody hackers are always just two steps behind the security providers, and once in a while ahead of them!  Cheers!

 

 


That's scary stuff, thanks for the response

Posted

One other thing I do is that any banking transactions...checking, savings, credit cards...I get a text alert on my phone.  You can set the limits as well...so for credit card it is anything over $20.  For my bank accounts...it's any transaction.  I really don't have too many transactions on my bank accounts, as I put everything on my credit card each month and pay the balance at the end of the month.  I do absolutely everything I can to avoid using my debit card as well.  Hackers can do anything they want in your account once they have that number and the password!  While the chances are low, skim machines are out there in a lot of places.  Cheers!

Posted
3 hours ago, Spooky said:

 

This is built in to interactive brokers for transfers of funds / deposits.

 

They also transfer funds only to your or another joint account holder account, which I like.

Posted

Physical card/key (physical two-factor authentication) > Mobile app (two-factor authentication) > Password > SMS

 

Anyone can steal your phone or phone number. Mobile apps and app stores are hacked/faked/unsecure. Password's can be reused/lost/stolen/leaked. Physical cards/keys can be left at home. Which way is safer? Two physical cards.

 

https://ibkrguides.com/securelogin/sls/twofactorauth.htm

https://ibkrguides.com/securelogin/sls/secure-login-with-dsc+.htm

https://www.yubico.com/works-with-yubikey/catalog/microsoft-accounts/#compatible-yubikeys

 

People always underestimate what they are capable of:

 

Quote

 

Human error is the #1 cause of breaches due to phishing

 

Yubico has you covered. The YubiKey is never fooled, even if the users are. Think past phishing-resistant authentication and start creating true phishing-resistant users.

 

 

https://www.yubico.com/

 

Not investment advice:

https://finance.yahoo.com/quote/YUBICO.ST/

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...