
·
Registered
Joined
·
17,032 Posts
Discussion Starter #1
https://finance.yahoo.com/news/cybercrooks-targeting-retirement-accounts-theres-090008063.html

This is a US article that talks about dangers to investment accounts due to hacking crimes. If a criminal steals your identity (for example compromises the password or uses other stolen personal data to gain access to an account) they can draw money out of it. In the US, apparently it's very difficult to recover.

One thing I would add is that a "strong password" does not totally solve this problem. There are other methods an attacker can use to get into accounts by pretending to be you. So I wouldn't get overconfident just based on password strength.

I presume the only thing a person can really do is keep a close eye on brokerage accounts, log in and check every week or so that there aren't any strange transactions... what are your thoughts? I also spread my assets into two separate big bank brokerages, to "diversify" a bit.
 

·
Registered
Joined
·
10,188 Posts
I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.
 

·
Registered
Joined
·
4,652 Posts
^ I think what is scarier here in Canada is your investment accounts are linked to your bank accounts.

Since online banking is supposedly 100% guaranteed to be safe, then I would expect the same with the automatic linkage to our brokerage accounts. Moreover, many Canadian brokerages have a second security level where you are required to answer PVQs (personal verification questions).

As for the problem in the US, I think it is an inside job. I.e. the cybercrooks are working inside the banks to get such easy access given the lame response:

Asked about Bennett’s case, American Fund issued a statement: “Our mission is to help people save for a secure retirement. When one of our customers is the victim of identity theft, we hold ourselves accountable to immediately conduct a thorough examination of what happened and take appropriate action. We use instances like this to strengthen our practices and conduct additional staff training if needed. We have communicated to the customer that her savings, including any accrued dividends or appreciation, will be reinstated. We will work with law enforcement to aid in their investigation.”
 

·
Registered
Joined
·
4,652 Posts
I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.
... I'm no cybersecurity expert. Just taking a guess here ... couldn't Trojans be infused into these alerts? Working similarly along the lines of "I forgot my password" and then use your cell to reset and slip in?
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #5
I typically log on every day or two just to see what is 'happening'.
I think this is a really good idea. Look at transactions, poke around. I do the same thing and am trying to get my parents to log into theirs more often.
 

·
Registered
Joined
·
10,188 Posts
... I'm no cybersecurity expert. Just taking a guess here ... couldn't Trojans be infused into these alerts? Working similarly along the lines of "I forgot my password" and then use your cell to reset and slip in?
Maybe. I was thinking of simply a case where an alert, MMS or email, could be sent out whenever there is a withdrawal OR a change in alert notification and to where (cell number, email address). True, one's cell or email addy could have been compromised in addition, but something is better than nothing. A bulletproof password for email addy is probably one of the most important things in one's system of security. We already know agents of mobile providers can be duped and SIM credentials stolen.

For most online accounts of various kinds, I get notifications of password changes, email addy changes, security question changes, alert notification changes... with 'your X was changed. If this is not you, call us immediately'. Not fail proof but as good as the passwords we use.
 

·
Registered
Joined
·
10,188 Posts
I think this is a really good idea. Look at transactions, poke around. I do the same thing and am trying to get my parents to log into theirs more often.
Of course, I only do this from secured WiFi, so when on vacation or traveling, that does not happen. That is acceptable risk I suppose.
 

·
Super Moderator
Joined
·
3,223 Posts
Maybe. I was thinking of simply a case where an alert, MMS or email, could be sent out whenever there is a withdrawal OR a change in alert notification and to where (cell number, email address).
That would be good IMO. Just a notification sent on specified changes/activities within your accounts.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #9
An alert feature (SMS or email) on any transaction in/out of accounts would be a great feature. That should help alert someone to any unauthorized withdrawal.
 

·
Registered
Joined
·
10,188 Posts
That would be good IMO. Just a notification sent on specified changes/activities within your accounts.
FWIW, this is what I had previously set up in Scotia iTRADE and it seems to cover most of what I need:
Manage My Wealth & Brokerage Email Alerts
Send me an email alert to notify me when:

The status of my trade changes*

WARNING! As a security precaution and to keep you informed of activity in your account, we highly recommend that this option remains selected.

New Scotia eDocuments are available**

My Stock Alert has been triggered ***

New Issues are available at Scotia iTRADE

A deposit or transfer has occurred in my Scotia iTRADE account
The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.
 

·
Registered
Joined
·
967 Posts
I don't use my cell phone for any money or investing related activities. I stick to my home internet for all of that. As public WiFi never gets used for money related activities, these are the easiest way to be hacked. Especially at airports and locations like that.
 

·
Registered
Joined
·
4,579 Posts
Interactive Brokers provided a card with codes as a simple secondary form of authentication. Only recently have Canadian brokers started to implement SMS "2 step authentication", which is already known to be a poor version of 2FA.

If you think about it, your email account is the gateway to all accounts, as you can reset most logins with your email account. I have 2FA set up on most accounts, but I can't believe people who don't at least have true 2FA on their email.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #13
FWIW, this is what I had previously set up in Scotia iTRADE and it seems to cover most of what I need

The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.
That feature looks nice, but I am not confident that it is properly (or thoroughly) implemented. For example, I also have the first and last checked.

Today I changed the brokerage email address on file, and there was no notification sent to the previous email. Note that there are two emails: what they call "primary" and a second one for brokerage notifications. I changed the second brokerage notification email, which is where you get your alerts. But I did not receive any email notification about changing the email address. I checked my spam folder too.

The second problem I've seen is that when I transfer cash from my chequing account into iTrade, I don't see any email alert for that, even though "A deposit or transfer has occurred" is checked. Again I would expect a notification for this. Maybe they are excluding it because it's a transfer from the same person's chequing?

However I do see email alerts for trade fills, as expected. So that part seems good.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #14
This may be a bug, so I just sent them a secure message to inform them that changing the email did not result in an alert.
 

·
Registered
Joined
·
6,805 Posts
FWIW, this is what I had previously set up in Scotia iTRADE and it seems to cover most of what I need

The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.
I think your list, although incomplete, is a good start. How about James complete a list of what he considers adequate and we can all write to our brokers demanding protections with the list?
 

·
Super Moderator
Joined
·
3,223 Posts
Would be nice to get an email each time an account login occurs. That along with an email on any deposits/withdrawals/transfers and account settings changes (e.g. password/email) would be good enough for me.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #17
I think your list, although incomplete, is a good start. How about James complete a list of what he considers adequate and we can all write to our brokers demanding protections with the list?
I can help come up with a list.

Unfortunately though the problem is also about the quality of the implementation. TD Direct Investing for example has a bug where they show an inaccurate last date/time of login. The concept is correct (we should be able to see the last time of login and ideally the IP address) but TD screwed it up and it's been broken for many months.
 

·
Registered
Joined
·
4,579 Posts
Questrade emails by default when a new device logs in, and I get notifications from the Questrade app and Windows. They show last login data at the top right next to logout, along with browser, OS and location. What Questrade lacks is true 2FA rather than SMS 2 step.

I've read accounts of email and SMS getting hijacked to steal crypto. These are the gateways to all your accounts. The owners were notified of password changes but the damage is already done. Email and SMS can be hijacked to access any account.

On the plus side, these people are going to target large crypto accounts before brokerage accounts because it's easier to transfer crypto out than to set up some elaborate trading scheme. It's advised to store crypto offline. I'm not sure if anyone stores their stocks offline.
 

·
Registered
Joined
·
10,188 Posts
Today I changed the brokerage email address on file, and there was no notification sent to the previous email. Note that there are two emails: what they call "primary" and a second one for brokerage notifications. I changed the second brokerage notification email, which is where you get your alerts. But I did not receive any email notification about changing the email address. I checked my spam folder too.
That seems problematic. Good on you to have it pursued.

The second problem I've seen is that when I transfer cash from my chequing account into iTrade, I don't see any email alert for that, even though "A deposit or transfer has occurred" is checked. Again I would expect a notification for this. Maybe they are excluding it because it's a transfer from the same person's chequing?
There is no reason to alert on incoming transfers to iTrade though I agree with you that is what the sentence says. Was the transfer from Scotia chequing? If so, I can see the reason for no alert on in-house transfers. If not, then it is a potential problem.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #20
There is no reason to alert on incoming transfers to iTrade though I agree with you that is what the sentence says. Was the transfer from Scotia chequing? If so, I can see the reason for no alert on in-house transfers. If not, then it is a potential problem.
Yes, it was in house. I agree there is nothing dangerous about that, but how about a withdrawal from iTrade to chequing?

I would like to know about those. Do you recall if iTrade sends a notification upon withdrawal from iTrade, to your linked chequing account?
 