I was going to post this as a standalone thread but didn't want to dilute Wendy's thread that has a better title. I suspect / hope that everyone reading here is pretty up to speed on security related to banking and online fraud in general but thought it might be useful to summarize some of this in a form you can share with family and friends who aren't so savvy or don't want to spend much time thinking about these issues.
Some of these suggestions are decades old, some are based on my own narrow-minded bigoted opinions from watching how customer portals get built from behind the scenes and mistakes that can be made that affect your account security. Normal disclaimers apply. Your mileage may vary. Not available in all states. Void where prohibited. Do not taunt Happy Fun Ball.
First some generalities, then details for a few specific banks and brokers will be provided.
Managing Contacts – Virtually all institutions should allow you to specify both a contact email and a contact telephone number for an account. Ensure you populate both so either can be used if you need to access the account and you've managed to get locked out of the email (maybe because of fraud) or you've lost control of the cell phone. And, if you HAVE a cell phone and are like most people now and don't really pay attention to incoming landline calls, use the cell phone as the contact telephone.
Managing Userids and Passwords – Many online applications use "single sign-on" functions like OAuth to allow login access to their system using some other company's userid / email. For example, some companies that are NOT Google allow you to log into their system using joe.schmo@gmail.com and when you authenticate, you actually temporarily redirect to Google to authenticate, then reroute back to the other company's system. That's actually smart. You don't have to create and manage extra online logins and your actual Google password is NEVER seen by those other providers.
Unfortunately, no financial institution that I'm aware of uses that type of authentication process. They all require you to create a "login" into their unique system. Yet some may allow you to use your email address as their userid string. DO NOT GET CONFUSED ABOUT WHAT IS HAPPENING.
If a company uses ANOTHER company's "email address" as their userid, they are just using that unique mailbox@domain.com string as a unique USERID but they have no idea what the actual PASSWORD is for that mailbox. You should NEVER actually USE that mailbox password as a password on any other system. Doing so will result in a hacker who compromises your mailbox also potentially compromising your other company portal account. And keep in mind if your email password has been compromised and you used that email as a contact for the online account, the hacker can see content in your inbox which likely includes notifications from that provider giving them a heads up they can probably visit https://myaccount.somecompany.com and login as joe.schmo@gmail.com with that same mailbox password and abuse that access as well.
In short, NEVER do this:
Company   Userid                Password
Google    joe.schmo@gmail.com   Lrbmm2pge!
VendorA   joe.schmo@gmail.com   Lrbmm2pge!
VendorB   joe.schmo@gmail.com   Lrbmm2pge!
VendorC   joe.schmo@gmail.com   Lrbmm2pge!
Instead, ensure the actual password of the actual email is NEVER re-used with any other system where you use the mailbox as the userid. Do THIS:
Company   Userid                Password
Google    joe.schmo@gmail.com   Lrbmm2pge!
VendorA   joe.schmo@gmail.com   Ddmcda944#
VendorB   joe.schmo@gmail.com   Ddmcda944#
VendorC   joe.schmo@gmail.com   Ddmcda944#
Or for better security, don't even re-use the password string across the different vendor accounts. Use unique passwords on each vendor system.
Company   Userid                Password
Google    joe.schmo@gmail.com   Lrbmm2pge!
VendorA   joe.schmo@gmail.com   Ddmcda944#
VendorB   joe.schmo@gmail.com   Tbpyoaboar%
VendorC   joe.schmo@gmail.com   Bmidftscot@
Most online portals for institutions invoke logic when customers set a password to enforce "complexity" so you don't use something stupid like abc1234 which can be cracked in SECONDS by hackers using "dictionaries" of commonly used passwords. However, setting a complex password is not enough. There are well known design patterns for building authentication systems about how passwords should be salted and cryptographically hashed prior to being written in a database so they don't exist in clear text for a hacker to steal. However, YOU cannot assume each institution is smart enough to follow those design guidelines. You also cannot assume the institution has not done something stupid like enabling detailed request logging somewhere that exposes your entered password in clear text prior to being salted and hashed for comparison against the saved credential.
This is the secondary argument for never re-using a password across multiple portals. If your (userid + password) combination is ever compromised in one vendor, you want to minimize the affected scope of that breach as much as possible.
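As an added illustration (not code from the original post or from any of the institutions it names), here is what the back end of a portal looks like when it follows the design pattern described above: a random per-user salt, a slow hash (PBKDF2-HMAC-SHA256 here; the 600,000 iteration count is an assumed example value), a constant-time comparison, and a redaction step so the entered password never reaches a request log. The sample passwords are the ones from the tables above.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# Pick the iteration count for your own hardware following current guidance; 600,000 is
# an illustrative value chosen here, not something the original post specifies.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"

# Form field names treated as credentials by redact_for_log (hypothetical names).
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password", "secret_answer"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record a portal should persist: algorithm$iterations$salt_hex$digest_hex.

    The clear-text password is never stored; only the salt and the derived digest are.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per user, so two users with the same password differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations_text, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password: str) -> bool:
    """Hashing the same password twice yields different records because the salt is random."""
    return hash_password(password) != hash_password(password)


def redact_for_log(form_fields: Dict[str, str]) -> Dict[str, str]:
    """Strip credential fields before a request is written to any log.

    This is the guard against the "detailed request logging" mistake the post warns about:
    whatever else gets logged, the entered password must not be.
    """
    return {
        key: ("[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value)
        for key, value in form_fields.items()
    }


if __name__ == "__main__":
    # Constructed sample: the VendorA credential from the table above.
    record = hash_password("Ddmcda944#")
    print("stored record:", record)
    print("correct password accepted:", verify_password("Ddmcda944#", record))
    print("mailbox password rejected:", verify_password("Lrbmm2pge!", record))
    print("log line:", redact_for_log({"userid": "joe.schmo@gmail.com", "password": "Ddmcda944#"}))
```

Note that the stored record for the VendorA password tells an attacker who steals the database nothing about the Google mailbox password, which is exactly the separation the tables above are after; if the same string had been used at both, the stolen record would be worth cracking.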
Secret Questions / Answers for Account Recovery – Most company support portals have flows to allow recovery from a forgotten password, a password retry lockout or forgotten userid. Some of these flows may use what are called "secret questions and answers" that let the customer select 3-5 generic questions about personal trivia then supply answers to them. Actual security experts are not fans of this process because many of the questions involve information which is trivially easy to guess or find online in a Google search or via social media. For example, these are really BAD questions:
Make / Model of your first car?
Name of your elementary school?
Mother's maiden name?
City in which you were born?
Name of your favorite band?
If a support portal uses a secret question and answer flow for account recovery, be VERY cautious about choosing your questions and the answers you provide. Most importantly, remember this. The company running the portal doesn't KNOW what the "correct" answers are for you, and they don't care. They are just trying to collect some random strings that (in theory) only you know as additional passwords of a sort. If a portal only has weak questions, you can choose to supply answers to other questions. For example, instead of the actual answer to "mother's maiden name," answer that question with the name of your favorite book or title of your favorite one-hit wonder from the 1990s. As long as you supply the same answer later when trying to use the account recovery flow, you can use any string you want.
Verifying Login Access – Access every online account at least once a year to verify you have current contact email and contact phone information configured and that access works with your last known-good userid and password. Companies may make back-office changes to their support portals which are not backward compatible with prior information previously collected. For example, they may enable additional password complexity rules without remembering to warn existing users with "weak passwords" and add logic which prevents logins with older "weak" passwords. You'd rather find problems like this in a routine check versus finding this problem when you NEED to get into the account.
Two-Factor Authentication / Recognized Devices – Most financial providers have implemented two-factor authentication (2FA) that prompts for a traditional (username + password) then additionally sends a one-time PIN code to a contact phone or email that has to be entered as well. Most also allow this extra check to be turned OFF from "recognized devices", meaning a browser on a PC or tablet or phone that has previously accessed the account and has a cookie set. I would suggest NEVER using this recognized device function. Leave 2FA enabled for ALL logins from ANY device at all times. Don't assume a login from your home is safe. What if a burglar enters your home five minutes after you leave for the day and comes across your PC still logged in with access to your account information, logins and passwords? If 2FA is disabled from "trusted devices", they have everything they need to compromise all of your accounts and clean out your balances.
Freeze Your Credit Scores – Every financial institution consults at least one of the three credit bureaus (Experian, TransUnion, Equifax) any time they process a request to open a new account. (TECHNICALITY: With most banks, a certificate of deposit is technically an account but for security purposes, it is treated as a security. Buying a CD through Bank X using an existing account at Bank X would NOT trigger a credit check.) Unless you know you are days away from signing a lease for an apartment, applying for a car loan or home loan or home equity loan, you are MUCH safer enabling a "freeze" on your account information at all three credit bureaus. Most banks will halt any attempt to open a new account if they are blocked from querying the would-be owner's credit history. (TECHNICALITY: There is some evidence that some brokerages WILL allow new accounts to be created despite a credit freeze being applied – Vanguard being one proven example as of 2024.)
Freeze Transfers – Institutions support two types of fund transfers. The most common "transactional" transfer would be used to (say) shift $5000 from your brokerage to your bank or to fund a CD you purchased at another bank. An ACATS (Automated Customer Account Transfer System) transaction is implemented to essentially close an account and transfer all funds and securities therein to another account. Institutions are legally required to interactively verify with the owner of an account being "drained" by an ACATS transfer that the request is legitimate. If they fail to do so, a fraudulent ACATS transfer is solely the institution's fault. However, you still don't want it to happen since any such transfer can take days / weeks (months?) to correct.
Some banks and brokerages allow freezes to be imposed on inbound or outbound electronic transfers of funds including ACATS transfers. The generic term for this is a Money Transfer Lock (MTL). However, the granularity supported by such locks varies widely. In general, if you have some accounts that house your "big money" and involve less transactional needs, enabling a freeze on all transfers on those accounts likely makes sense. Once enabled, a freeze can be suspended for 1-3 days then re-enabled after performing any required transfer. On accounts used for more routine "foldin' money" transactions, freezes can be skipped or, if supported, configured at levels above your normal transaction amounts. For example, I pay virtually all my bills (utilities, health insurance, groceries, internet, etc.) with a credit card so I have a monthly transfer from checking to my card vendor that is often over $2000. If an institution allows a configurable limit on transfers, a freeze on transfers above say $5000 would provide enough head room to allow this routine payment to take place without freezing / un-freezing the account every month.
NOTE: The exact logic of "money transfer locks" is not totally clear. For example, an "outbound" transfer can be originated in one of two ways. A "push" transfer originates in the source bank, identifies the destination bank and "pushes" the money out. A "pull" transfer originates in the destination bank, identifies the source bank and account and "pulls" the money out. Unless the process flow for disabling a money transfer lock requires a two-factor authenticated approval of the account owner to take effect, a hacker who has login access to the source account can simply disable any lock in place then originate a "push" and drain the account. Without enabling a lock then attempting to disable it, it isn't clear how tightly controlled this lock functionality is from vendor to vendor. In general, it is probably worth enabling.
Configure Alerts – Some institutions provide considerable flexibility in configuring alerts for various types of transactions. In general, if explicitly supported, these types of events should ALWAYS be configured to generate an alert to both your contact email and your contact cellphone:
- account login (new and "existing" devices)
- outbound electronic transfers
- change in account userid or password
- change in contact email or contact phone
- change in security secret questions and answers
Some institutions provide alerting for a wider list of events with configurable dollar thresholds. For example, Bank of America supports these types of alerts:
- use of a debit / ATM card outside 50 states
- debit / ATM transaction online
- debit / ATM transaction above a dollar limit
- outgoing transfer exceeding a dollar limit
CAUTION: When enabling alerts and setting limits, there is a balance between information and overload that must be considered. If you enable all alerts with low dollar amounts, you can track every penny of your money as it bounces electronically through the world economy but the volume of alerts as routine bills get paid, etc. will lead you to tune out those alerts which defeats the purpose. The volume of incoming alerts should be low enough that they IMMEDIATELY get your attention as unusual and trigger sanity checks when they arrive. If they arrive at volumes that make you immediately delete them without reading them and following up, they provide zero protection for your accounts.
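As an added example (not from the original post; the event format, the policy object and the sample events are all constructed for illustration), the trade-off in this caution can be made concrete: one set of alert rules run over a routine month of activity, first with "every penny" thresholds and then with thresholds set above the normal monthly card payment, plus a batch of events that should page you regardless of thresholds. Logins, new devices and profile changes always alert; only the dollar-threshold rules are tuned.

```python
from dataclasses import dataclass
from typing import List, Sequence, Set


@dataclass
class Event:
    """One account event, constructed for this example (not a real bank feed format)."""
    kind: str            # "login", "transfer_out", "profile_change", or "debit"
    amount: float = 0.0  # dollars, used by transfer_out and debit
    device_id: str = ""  # used by login events
    country: str = "US"  # used by debit events


@dataclass
class AlertPolicy:
    """Hypothetical alert settings mirroring the knobs the post describes."""
    transfer_threshold: float  # alert on outbound transfers above this many dollars
    debit_threshold: float     # alert on debit / ATM deductions above this many dollars
    known_devices: Set[str]    # device ids that have logged in before


def alert_reasons(event: Event, policy: AlertPolicy) -> List[str]:
    """Return why this event should page the owner; an empty list means no alert."""
    reasons: List[str] = []
    if event.kind == "login":
        reasons.append("login")  # every login, new or existing device, per the post
        if event.device_id not in policy.known_devices:
            reasons.append("new device")
    elif event.kind == "profile_change":
        reasons.append("profile / security setting change")
    elif event.kind == "transfer_out":
        if event.amount > policy.transfer_threshold:
            reasons.append(f"outbound transfer over ${policy.transfer_threshold:,.0f}")
    elif event.kind == "debit":
        if event.country != "US":
            reasons.append("debit outside 50 states")
        if event.amount > policy.debit_threshold:
            reasons.append(f"debit over ${policy.debit_threshold:,.0f}")
    return reasons


def count_alerts(events: Sequence[Event], policy: AlertPolicy) -> int:
    """How many messages the owner would receive for this batch of events."""
    return sum(1 for event in events if alert_reasons(event, policy))


# Constructed routine month: the usual PC logs in, the monthly card bill is paid, some groceries.
ROUTINE_MONTH = [
    Event("login", device_id="home-pc"),
    Event("transfer_out", amount=2100.00),  # monthly credit card payment
    Event("debit", amount=85.20),
    Event("debit", amount=140.00),
    Event("debit", amount=60.00),
]

# Constructed events that should get through regardless of thresholds.
SUSPECT_EVENTS = [
    Event("login", device_id="unknown-laptop"),
    Event("profile_change"),
    Event("transfer_out", amount=9500.00),
    Event("debit", amount=300.00, country="RO"),
]

# "Every penny" settings versus settings tuned above the routine card payment.
NOISY = AlertPolicy(transfer_threshold=100, debit_threshold=100, known_devices={"home-pc"})
TUNED = AlertPolicy(transfer_threshold=5000, debit_threshold=500, known_devices={"home-pc"})

if __name__ == "__main__":
    print("routine month, noisy policy:", count_alerts(ROUTINE_MONTH, NOISY), "alerts")
    print("routine month, tuned policy:", count_alerts(ROUTINE_MONTH, TUNED), "alerts")
    print("suspect events, tuned policy:", count_alerts(SUSPECT_EVENTS, TUNED), "alerts")
```

With the tuned thresholds the routine month produces a single message (the expected login), so the four suspect events stand out when they arrive; with the noisy thresholds the routine month alone produces three messages, and every further month adds more of the same, which is the tune-out effect described above.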
Verify Beneficiaries – While logging into each of your financial institutions to validate these security protections, it would be wise to also spend time verifying all of your accounts have beneficiary information filed. Any beneficiary designation on an account takes precedence over any language in a will so setting a beneficiary is the easiest way to ensure a desired heir gets access to an account as quickly as possible after you die. All they need is a copy of a death certificate which would typically be available within 30 days.
===============================
Here are some findings for specific institutions that may prove helpful. Again, support portals are altered and enhanced at unpredictable intervals so capabilities may change over time.
Bank of America – Alerting capabilities at Bank of America are quite robust and highly configurable. Alerts can be sent to as many contact emails and contact cellphones as desired. For example, if helping an elderly parent manage their accounts, alerts can be sent to
- their contact email
- their contact cellphone
- your contact email
- your contact cellphone
to keep both of you in sync as to what is going on. All of the following alerts are supported:
- check #____ has posted
- check deducted over $ _____ (minimum $100)
- debit card charge made online, by phone, or mail
- debit card transaction outside 50 states
- debit card / ATM deduction over $_____ (minimum $100)
- direct deposit to your account
- electronic draft over $_____ (minimum $100)
- balance below $______
- money transfer deducted over $______ (minimum $100)
Generally:
- Bank of America does support multiple contact emails and contact phones
- Bank of America does support alerts for logins from new devices
- Bank of America sends alerts for profile / security setting changes (good)
- I could not find a setting to explicitly block electronic transfers, only alert on them
Bank of America has two additional security controls. When transferring amounts exceeding their normal daily limit, they have a Secured Transfer function that collects two-factor authentication to ensure the true account owner is originating the transfer. This requires US mobile phones and a second phone can be configured as a backup. They also support a USB Security Key function. This allows those without a US mobile phone to enable two-factor authentication by obtaining a cryptographic key, storing it on a USB flash drive (presumably one you would keep on a keychain on your person or in a secure location) and feeding that key off that USB as a second form of authentication for large transfers.
Merrill Lynch – Alert functionality at Merrill Lynch is not quite as capable as BoA's, even though BoA owns Merrill Lynch. Alert types are grouped into balance related criteria:
- account balance changes by ___% over some term
- account balance rises above $ ______
- account balance drops below $ ______
- cash available to withdraw rises $ _____
- cash available to withdraw drops $ _____
- overdraft balance at the end of each day
and event criteria:
- outbound money transfer exceeds $ ______
- when these checks clear: ____, ____, ____
- new funds credited to this account
- new funds credited to this account exceeding $ ______
- new credit amount between $_____ and $ _____
- list of all electronic payments processed at the end of the day
In general:
- Merrill does support multiple contact emails and contact phones
- Merrill does support alerts for logins from new devices
- Merrill sends alerts for profile / security setting changes (good)
- I could not find a setting to explicitly block electronic transfers, only alert on them
Merrill supports a function called Authorized Account Access which is different from the "Trusted Contact" functionality described below for Schwab. At Merrill, an Authorized Account is given read only access to all account information including balances, investments, etc. but has zero ability to execute trades, originate transfers, etc. This can be useful to provide access to a family attorney, etc.
Fidelity – Alert capabilities at Fidelity are relatively limited. Their security center pages state that they generate alerts for various types of suspect activity their systems detect but they do not itemize those scenarios or provide explicit enable / disable settings for each type.
Fidelity does support Money Transfer Lockdown via its Lockdown feature. However, the functionality is fairly broad and provides no dollar limit thresholds. All of the following transfers are blocked:
- outbound money transfers (previously scheduled transfers are allowed)
- transfers between Fidelity accounts
- ACATS transfers of balances / shares to another institution
- individual withdrawals
Schwab – Alert capabilities at Schwab cover most event types but do not appear to support adjustable dollar amount thresholds.
- Schwab does support alerts for logins from new devices
- Schwab supports alerts for profile / security setting changes (good) - must be enabled
- Schwab supports alerts for transfers - must be enabled, thresholds not configurable
- Schwab can be configured to require 2FA on all logins (not just untrusted devices)
- I could not find a setting to explicitly block electronic transfers, only alert on them
Schwab also implements a capability they call Trusted Contact which allows the account owner to provide contact information for another party they authorize Schwab to contact in case
a) Schwab identifies signs of suspect activity on an account
b) Schwab attempts to contact the account owner and cannot reach them
c) Schwab wants to verify the health / safety of the account owner to guard against elder abuse, etc.
Designating a trusted contact doesn't give that party any control or visibility into the account. Instead, it essentially allows an account owner to delegate a decision to a named third party who can confirm to Schwab that it can take action on behalf of a customer to lock an account, etc. if the owner cannot be reached. The Trusted Contact is given no control or insight into the account's assets.
WTH