Sweet Posted November 13 (edited)
Hi all. This is an important topic which I am sure some of you have grappled with, so I'm hoping for some advice. I have an Outlook email address and all my investing accounts are registered to it. My email must have been in a data leak because I can see from my recent activity that someone other than me is trying to access my Outlook account - there have been numerous attempts in the past few days to break into my account, but they have gotten the password wrong. I have two-factor authentication on, so even if they did get my password they cannot access my email without an authentication code. Does anyone have any recommendations on what I should do? Should I change email account? Is Outlook the best email to link your account to, or are there any that are more secure? More generally, is there anything you do to keep your investing accounts secure? Cheers
Edited November 13 by Sweet
Saluki Posted November 13
Two-factor authentication is your best defense. When people get hacked, the ruse usually involves calling them and saying that the caller is from Broker X and you have been hacked, and that "we are sending a confirmation code to make sure we are speaking to the right person", and when they read it back, the scammer gets past the authentication. But that's a human failure, not a tech failure. I don't do this (YET) but I heard an FBI guy say that you should put false information on your social media (or have multiple social media accounts with different information) so that when AI scrapes your profiles and tries to guess your password, or get past your security questions, using stuff you provided like birthdays, kids' names, etc., it will have a lot of noise. If your brokerage allows longer passwords, try a passphrase that is easy to remember but hard to guess: "WhatWouldBuffettDo$2d@y"
Blugolds Posted November 13 (edited)
I've seen it suggested to create an alternative email that is just for your investment accounts; don't put it on anything else. I don't know if that will help or not, but it can't hurt. I'm also generally careful about logging in on unknown networks, although it can be tricky if you want to make a trade outside of home or office. I try to lock down everything that I can as much as I can. I had some card fraud a year or so ago, enough for them to offer me credit tracking/reporting for free, and I'm frozen at the big three, so all my accounts are as protected as they can be that way. I don't care if they want multiple things and it takes me an extra second to log in. All credit reports are locked down so nothing can be opened. Outside of limited unknown network usage and trusting the brokerage safeties in place, I don't know what else is possible to make it more secure. I'm looking forward to hearing what others have to offer.
Edited November 13 by Blugolds
Xerxes Posted November 13
@Sweet Once you change your password and are past your current concern, going forward use only your cellphone to log in with the new email. I think your banking account would be linked to your physical device, which checks you are who you say you are every time you log in. Also, why is your email linked as a login to your banking account? Your card number should be. Even if the person has your email, they need your card number to know your login info, let alone the password and passkeys.
Ulti Posted November 13
I've had a similar issue in the past and have been using the Proton suite of services, including VPN, Pass for logins etc., and email. It was a bit of a pain switching and changing account passwords etc., but much more secure.
Sweet Posted November 13 (Author)
Thanks @Saluki. I'm using two-factor authentication so I have that layer of added protection. They have to either get a code sent to my phone or use an Authenticator app. @Blugolds yes, I think I'm probably going to change my email address and the accounts linked to it. Something long and new and only for my investing should reduce visibility. @Xerxes it's my investing accounts, not my banking accounts. Even if they get into my email there would still be a few hurdles to pass before they got into my investing accounts. Yes @Ulti, someone recommended Protonmail to me. I read that it is better for privacy, but I'm not seeing it as more secure from getting hacked. Do they have two-factor authentication etc.?
Castanza Posted November 13
1 hour ago, Sweet said:
"Hi all. This is an important topic which I am sure some of you have grappled with, so I'm hoping for some advice. I have an Outlook email address and all my investing accounts are registered to it. My email must have been in a data leak because I can see from my recent activity that someone other than me is trying to access my Outlook account - there have been numerous attempts in the past few days to break into my account, but they have gotten the password wrong. I have two-factor authentication on, so even if they did get my password they cannot access my email without an authentication code. Does anyone have any recommendations on what I should do? Should I change email account? Is Outlook the best email to link your account to, or are there any that are more secure? More generally, is there anything you do to keep your investing accounts secure? Cheers"
Yes, change your email and all the utilities you use it for.
____________________________________________________________________
Security is just layers, so you can go as far as you want... What I do:
Email for Billing (utilities)
Email for Banking (credit cards, store cards, etc.)
Email for Investing (brokerage accounts, retirement accounts)
Email for Online Shopping
Email for Entertainment accounts (Netflix, Hulu, Spotify, etc.)
e.g. CastanzaBilling@gmail.com
Complex passwords - change them every 6 months (keep a hard copy offline)
Two-factor authentication
Recovery email for the above emails (only for recovery)
Two-factor on the recovery email as well
Other things you could do:
Freeze your credit at all of the credit agencies (unique email for this as well)
Have a Chromebook dedicated to online shopping etc. (or a VPN for your home network)
Set up a guest wifi network at home for IoT devices and guests. You would be amazed at how many IoT devices connect to servers in China for no "apparent" reason.
Google Password Manager (specific to each email account)
Don't use SMS two-factor authentication if you can help it (not applicable everywhere)... use an actual authenticator like Google Authenticator.
nsx5200 Posted November 13
There's a trade-off between security and practical usability. Ideally, you have a separate machine that you do important transactions on, and don't do your everyday browsing on, but it's probably not very practical. I've heard about browser attacks where browser cookies have been acquired, and 2FA bypassed that way. Some techniques to mitigate that are to always force 2FA during login (similar to what the US TreasuryDirect does), and to uncheck those "remember login/don't ask for extra verification" boxes. That avoids saving those authenticated logins in the cookies. Using a separate browser profile for the important stuff adds more task-level segregation protection as well.
Ulti Posted November 13
They have 2-step authentication, as well as 5-10 word randomly generated passwords, as well as just plain randomly generated ones of up to 40 letters/syllables. My IT team recommends it. You can also generate numerous alias emails. I would also recommend Google Authenticator as a random 2-step verification process.
Blake Hampton Posted November 13 (edited)
I use only one email for almost all of my accounts, keeps it simple. For junkier accounts, I use an old email I don't care about. I use Bitwarden, a password manager, to save 20-character long passwords for every account I own. The passwords are full of different symbols, digits, lowercase, and uppercase. I use 2FA for the most important accounts such as Apple ID, Gmail, brokerage, bank, etc. The master password for my Bitwarden account is a 4-word random passphrase. They are still secure but easier to remember than a normal password. Credit is frozen at all three bureaus. The passwords I have are probably overkill. It would take 1.8 decillion combinations to brute force one. 1.8 decillion = 1,800,000,000,000,000,000,000,000,000,000,000,000,000
Edited November 13 by Blake Hampton
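An added worked example, not from any poster in this thread: it puts numbers on the three secret styles discussed above (a 20-character random password, a 4-word random passphrase, and Ulti's 5-10 word passphrases) by computing their guess-space and entropy, and sanity-checks which alphabet size produces the 1,800,000,000,000,000,000,000,000,000,000,000,000,000 figure written out above. It assumes 94 printable ASCII characters for the password alphabet and a 7776-word (Diceware-sized) list for the passphrases; the guess rate is a constructed pessimistic value, not a measurement.

```python
import math

PRINTABLE_ASCII = 94   # letters, digits and symbols a password manager can draw from
DICEWARE_WORDS = 7776  # assumption: a Diceware-sized (6**5) wordlist for the passphrases


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets of `length` symbols drawn from the alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have at least 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random secret.

    Only valid for machine-generated secrets; a human-chosen password with the
    same length and character mix has a far smaller effective guess-space.
    """
    return length * math.log2(alphabet_size)


def min_alphabet_for(combinations: float, length: int) -> int:
    """Smallest alphabet that yields at least `combinations` secrets at this length."""
    return math.ceil(combinations ** (1 / length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every secret at the given rate (average hit is half that)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed rate for an offline attack on an unstretched hash. A password
    # manager's KDF (as Bitwarden uses for the master passphrase) makes each guess
    # far more expensive, so real figures are higher than this pessimistic bound.
    RATE = 1e12
    for label, alphabet, length in [
        ("20-char manager password", PRINTABLE_ASCII, 20),
        ("4-word random passphrase", DICEWARE_WORDS, 4),
        ("10-word random passphrase", DICEWARE_WORDS, 10),
    ]:
        bits = entropy_bits(alphabet, length)
        years = years_to_exhaust(bits, RATE)
        print(f"{label}: {keyspace(alphabet, length):.3e} secrets, "
              f"{bits:.1f} bits, {years:.3g} years at {RATE:.0e} guesses/s")
    # 1.8e39 secrets over 20 positions corresponds to an alphabet of this size.
    print("alphabet implied by 1.8e39 combinations:", min_alphabet_for(1.8e39, 20))
```

The output shows why a 4-word passphrase is a reasonable master secret only because the manager's key derivation slows guessing, while a random 20-character password is comfortably beyond any brute-force budget on its own.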
DooDiligence Posted November 14 (edited)
I have a Mac and use Keychain and 2FA. If Apple gets hacked I'm screwed.
Edited November 14 by DooDiligence
Parsad Posted November 14
Also, don't use any free or open networks... even at hotels, etc. I always turn my phone into an encrypted hotspot and connect to my own network. I never log in to any open networks, or even secure networks with passwords... always my secured home, office, or cell hotspot. I also use two-factor authentication with tough passwords and even Q&As. I also don't use the same password for different brokerage accounts. Those bank passwords also don't match any of my other passwords. The one thing I wish my bank and brokerages would do is install a password before any transaction is approved. If I do a trade, there should be a separate password to execute. If I transfer funds, there should be a password to execute. Don't know why this isn't available. Cheers!
Blake Hampton Posted November 14
1 hour ago, Parsad said:
"Also, don't use any free or open networks... even at hotels, etc. I always turn my phone into an encrypted hotspot and connect to my own network. I never log in to any open networks, or even secure networks with passwords... always my secured home, office, or cell hotspot. I also use two-factor authentication with tough passwords and even Q&As. I also don't use the same password for different brokerage accounts. Those bank passwords also don't match any of my other passwords. The one thing I wish my bank and brokerages would do is install a password before any transaction is approved. If I do a trade, there should be a separate password to execute. If I transfer funds, there should be a password to execute. Don't know why this isn't available. Cheers!"
I don't quite understand why you shouldn't connect to free or open networks. What exactly is the risk?
Sweet Posted November 14 (Author)
There are too many to mention, but thanks to all that commented.
Spooky Posted November 15
Two-factor authentication
Unique strong password for each account (I use Bitwarden to manage my passwords and can monitor if a password is hacked / released on the dark web)
Have several different brokerage accounts
Spooky Posted November 15
3 hours ago, Parsad said:
"The one thing I wish my bank and brokerages would do is install a password before any transaction is approved. If I do a trade, there should be a separate password to execute. If I transfer funds, there should be a password to execute. Don't know why this isn't available. Cheers!"
This is built into Interactive Brokers for transfers of funds / deposits.
Parsad Posted November 15
3 hours ago, Blake Hampton said:
"I don't quite understand why you shouldn't connect to free or open networks. What exactly is the risk?"
Anyone can hack your phone or computer if you are using free/open networks. Not only can they hack them... it's so easy that in today's climate, it would be crazy to use them. Even networks that provide you a password, but are open to all those users who have that password, put you at great risk of being hacked by those on that network. I only use my phone network... even if I have to use large amounts of data. It's secure and encrypted. Other than that, I'll only use the wi-fi in my home office, work office or my brother's house... they are all secure, encrypted, with a minimum amount of outside users. I also have the blinds closed in my office as there is a hotel/office building next to ours... hackers can both visually and remotely track your keystrokes for passwords, etc. You also have to be extremely careful with any spam emails, spam calls, etc. The bloody hackers are always just two steps behind the security providers, and once in a while ahead of them! Cheers!
Parsad Posted November 15
1 hour ago, Spooky said:
"This is built into Interactive Brokers for transfers of funds / deposits."
Thanks! That's good to know. Cheers!
Blake Hampton Posted November 15
4 minutes ago, Parsad said:
"Anyone can hack your phone or computer if you are using free/open networks. Not only can they hack them... it's so easy that in today's climate, it would be crazy to use them. Even networks that provide you a password, but are open to all those users who have that password, put you at great risk of being hacked by those on that network. I only use my phone network... even if I have to use large amounts of data. It's secure and encrypted. Other than that, I'll only use the wi-fi in my home office, work office or my brother's house... they are all secure, encrypted, with a minimum amount of outside users. I also have the blinds closed in my office as there is a hotel/office building next to ours... hackers can both visually and remotely track your keystrokes for passwords, etc. You also have to be extremely careful with any spam emails, spam calls, etc. The bloody hackers are always just two steps behind the security providers, and once in a while ahead of them! Cheers!"
That's scary stuff, thanks for the response.
Parsad Posted November 15
One other thing I do is that for any banking transactions... checking, savings, credit cards... I get a text alert on my phone. You can set the limits as well... so for credit cards it is anything over $20. For my bank accounts... it's any transaction. I really don't have too many transactions on my bank accounts, as I put everything on my credit card each month and pay the balance at the end of the month. I do absolutely everything I can to avoid using my debit card as well. Hackers can do anything they want in your account once they have that number and the password! While the chances are low, skim machines are out there in a lot of places. Cheers!
UK Posted November 15
3 hours ago, Spooky said:
"This is built into Interactive Brokers for transfers of funds / deposits."
They also transfer funds only to your own account or another joint account holder's account, which I like.
formthirteen Posted November 15
Physical card/key (physical two-factor authentication) > Mobile app (two-factor authentication) > Password > SMS
Anyone can steal your phone or phone number. Mobile apps and app stores are hacked/faked/insecure. Passwords can be reused/lost/stolen/leaked. Physical cards/keys can be left at home. Which way is safer? Two physical cards.
https://ibkrguides.com/securelogin/sls/twofactorauth.htm
https://ibkrguides.com/securelogin/sls/secure-login-with-dsc+.htm
https://www.yubico.com/works-with-yubikey/catalog/microsoft-accounts/#compatible-yubikeys
People always underestimate what they are capable of:
Quote: "Human error is the #1 cause of breaches due to phishing. Yubico has you covered. The YubiKey is never fooled, even if the users are. Think past phishing-resistant authentication and start creating true phishing-resistant users." https://www.yubico.com/
Not investment advice: https://finance.yahoo.com/quote/YUBICO.ST/