There’s a pretty frightening article over at MSNBC on people who have had their retirement accounts hacked into and their savings stolen. While bank accounts used to be the main targets, criminals have figured out that the automated fraud detection bar is a lot more lenient for brokerage accounts, which will allow them to transfer out more money before a red flag is thrown up:
“Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.”
The problem for you is that there is a different level of protection for brokerage accounts by law than for your bank account or credit card:
“Both credit card transactions and electronic account transfers, such as online banking payments, are governed by Federal Reserve regulations that strictly limit consumers’ losses from theft. Consumers who report credit card fraud are only liable for $50; liability for fraudulent checking account transfers is capped at $500 if the consumer reports the theft within 60 days. Refunds for checking account thefts must generally be issued within 10 days.
The regulations are designed to boost confidence in the systems. But the Federal Reserve doesn’t regulate investment firms, and the Securities and Exchange Commission doesn’t mandate any similar protections for brokerage accounts.”
The big question for you is what you can do about it. Here are a few suggestions:
1) Figure out both the policy of your investment firm on refunds and whether they have any insurance. Charles Schwab and E-trade have good guarantees according to the article. I have accounts with Fidelity and Vanguard and went to check out their web sites for information on it. Fidelity doesn’t say anything about insuring the accounts, but they have a “Customer Protection Guarantee” stating that:
“We will reimburse your Fidelity account for any losses due to unauthorized activity.”
The only problem is that the fine print gives them quite a bit more leeway. There are some vague statements about it being “through no fault of your own” and a statement that “it also does not cover unauthorized activities resulting from a breach of security in an employer or plan sponsor’s systems.”
So it’s a blanket guarantee blaring in bold at the top, but some inconsistent statements in the fine print that you could get caught up in. What if your password gets stolen from your computer by spyware? Are you at fault? And how are you supposed to control your employer’s computer security?
On Vanguard’s site I couldn’t find anything – no mention of insurance coverage for this, and while they had some advice about security precautions, there wasn’t any indication at all that they’d reimburse you. I’ve got an e-mail in to them to see what they say.
2) Update your computer’s anti-spyware software and anti-virus software. Spyware, for the non-geeks, is a program installed without your permission that can monitor what you’re doing online – things like typing in a brokerage password. It is often installed by web sites you visit without you ever seeing anything. A virus can also take control of your computer and send information you’ve typed in out to a hacker. For spyware, a good free program is AdAware. For viruses, Norton is probably the best (or at least a very good, trusted program) – they sell an Anti-Virus program as well as what is called a “Firewall,” which is just a way to stop people from accessing your computer over the Internet without permission. It’s not free, but it’s pretty cheap.
3) Don’t log into your brokerage from a computer you don’t know is secure. This means no computers that other people can use (libraries, Internet cafes, etc.). It might mean the computers at your office, too, depending on where you work and how much you trust the security.
4) Write your passwords down on paper – not in a document on your computer. A document like that is much easier to steal and could be grabbed by anyone who gets access to your computer.
5) Don’t EVER log into any account from a web page you accessed by e-mail. ALWAYS go to your browser and then type in the address yourself. I don’t care if the e-mail looks legitimate – this is a very common scam, and you should never follow a link from an e-mail to a site where you’re going to have to type in a password. What people will do is fake a web site and send you a fake e-mail that looks like it is your monthly statement or that says you have a problem with your account. When you click to view it, you are taken to a web site whose sole purpose is to find out your password when you type it in.
6) If you’ve got a lot of money and aren’t satisfied with your brokerage’s reimbursement policy, call them up and ask them to confirm any withdrawals by phone with you. If you don’t think you’ll be taking any money out in the near future (or at least not regularly), ask them to restrict your ability to do so without confirmation. Not every brokerage may be able to do this, but it’s worth a try.
7) Don’t ever give anyone your password. This should be common sense – but don’t do it.