How to Protect Your Financial Accounts

High-tech thieves are trying to crack your nest egg. An incredible 88% of brokerages and 74% of investment advisory firms say that they have been targets of cyber attacks, in most cases involving malware or fraudulent e-mails, according to a recent SEC report.

In many of the attacks involving fraudulent e-mails, the financial firms were tricked into transferring to scammers amounts ranging from $5,000 to $75,000.

There are no laws requiring investment firms to compensate investors for cyber-theft losses, although in many cases the companies do. However, if a high-tech thief manages to transfer your life savings to his own offshore account, that money might be gone for good—even if it is your investment firm’s lax security that allows the crime to happen.

Investment companies are working to beef up their security. A recent survey by the consulting firm ­PricewaterhouseCoopers found that US financial services companies are rapidly increasing their cyber-security spending. Citigroup now spends more than $300 million per year. JPMorgan Chase plans to double its spending from $250 million to $500 million over the next five years, following a 2014 data breach that put 76 million JPMorgan customers at risk and a 2013 incident in which prepaid cards were accessed by hackers.

But while financial companies are spending huge amounts on cyber-­security technology and staff, successful attacks remain common. Here’s why the firms remain vulnerable and what you can do to protect your money…

THE FLAWS THAT REMAIN

Two of the biggest vulnerabilities…

• Investment company employees fall for the same identity-theft tricks that trip up individuals. Investment companies warn their customers to be wary about clicking on links in e-mails or opening attached files—the e-mails might be from cyber-criminals trying to steal account information. However, employees at those companies sometimes fall for the same scam, accidentally giving cyber-criminals access to computers containing customer ­information.

• Account information is not always encrypted. If you ask an investment company whether it encrypts customer data, it likely will assure you that it does, then cite “128-bit ­Secure Sockets Layer (SSL)” encryption or something similar. But SSL (today, its successor TLS) protects only the connection between your browser and the company’s servers, that is, the data while it is in transit. Most companies don’t encrypt account information at rest, when it sits on the company’s hard drives or is used internally…or confirm that it is encrypted when it is shared with corporate partners or vendors.

If investment firms encrypted stored data as well as data in transit, a break-in would matter far less: the hackers would walk away with files they could not read, provided the keys needed to decrypt them were kept apart from the data and out of the intruders’ reach.

Why don’t investment companies do this? Because encrypting data everywhere is not only expensive, it also makes life more difficult for executives and employees, who need the data unlocked to do their jobs. And even companies that do it often make mistakes, such as keeping the keys on the same systems as the data or leaving unencrypted copies in reports, logs and backups, that expose account information long enough for lurking hackers to pounce.

HOW TO EVALUATE SECURITY

The daunting reality is that no investment firm or investment account is completely safe from cyber-­criminals—but some are safer than others. Here’s how to tell whether your investment companies are doing everything possible to protect your assets and how to decide which of the security options they offer are worth the trouble…

• Can you get an extra security code sent to your phone? Roughly half of large financial companies now offer two-factor authentication. If you opt to get this protection, your investment firm will text a onetime-use code to your cell phone (or give you a key-fob-size “token” that displays a code) each time you try to log in. You must enter this code on the company’s website to access your account. This greatly improves account security: a thief who has stolen your user ID and password still cannot log in without the code, and cyber-criminals are unlikely to have access to your phone (or token). One caveat: a code sent by text message can itself be stolen, by a scammer who phones you and talks you into reading it out, or by one who persuades your cell carrier to move your number to his own phone. A token, or an authenticator app that generates codes on your phone without a text message, is the stronger choice where the firm offers one.

Firms that offer it: Bank of America, Charles Schwab, E*Trade, Fidelity, Goldman Sachs, Merrill Edge, T. Rowe Price, USAA, Vanguard.

Firms that don’t: Capital One ShareBuilder, Scottrade, TD Ameritrade.

Helpful: If you want the security of two-factor authentication without having to check a phone or token for a code each time you log in, find out whether the company offers the option of requiring a code only when logging into the account from a computer other than the one you normally use, as many firms do. The firm recognizes your usual computer by a marker stored in your browser, so expect to be asked for a code again if you clear your browser data or use a new device.

• Is there a history of hacks? If your investment firm has had customer accounts breached repeatedly in recent years, it could be a sign that its cyber defenses are especially weak. If it has suffered any major breach in the past 12 months, it still might be in disaster-recovery mode—it can take a full year for a company to figure out exactly what happened and to confirm that hackers are 100% flushed from its ­systems.

The Privacy Rights Clearinghouse maintains an online database of known data breaches. At PrivacyRights.org, click “Data Breaches timeline since 2005,” then enter the financial company’s name into the box labeled “Search the entire database for a company or ­organization by name.” Examples: Morgan Stanley and Oppenheimer Funds both had breaches in the past 12 months.

• Will the company make good on cyber-theft losses? If investment companies cannot protect their customers from online criminals, they should at least repay any money that is stolen. An increasing number now offer online security guarantees that promise to do this, although these guarantees usually have limitations.

Examples: Ameriprise, Fidelity and TD Ameritrade promise to cover losses that occur “through no fault of your own.” Scottrade and Vanguard customers must follow a checklist of security procedures, such as using up-to-date security software, to remain eligible for reimbursement guarantees. Charles Schwab and E*Trade impose relatively few restrictions. Schwab asks customers to safeguard account-access information and to report unauthorized transactions as quickly as possible, while E*Trade asks them just to not share user IDs and passwords and to review statements and report unauthorized trades promptly. American Funds, Franklin Templeton, Pimco and T. Rowe Price do not currently have written cyber-­security guarantees (though they still might compensate investors for cyber-crime losses if the customer is not to blame).

If you can’t find a cyber-theft guarantee on a financial company’s website, type the company’s name and the words “online security guarantee” or “online fraud policy” into a search engine…or call the company’s customer service department.

Helpful: See whether the company has cyber-theft insurance to compensate customers if there are large-scale losses.

WHY YOUR FINGERPRINT WON’T PROTECT YOUR ACCOUNTS

Biometric security confirms your identity by scanning some characteristic of your body—such as your fingerprints, irises or the shape of your face—or by listening to your vocal patterns. Recent iPhones and iPads and some other devices already include fingerprint scanners, and a few investment companies have launched biometric-security programs—Vanguard offers voice verification, for example. Facial or iris scanners would use the cameras built into computers. There are problems, however…

The bad guys can beat biometrics. Biometric technology is improving, but for now, face and iris scanners sometimes can be fooled with photos, and fingerprint scanners with a copy of a print lifted from something you have touched. Voice scanners can be fooled with voice recordings.

Biometric systems can be frustrating to use. A finicky biometric system might deny you access to your own account if, for instance, you have a cold that distorts your voice.

Some biometrics require additional hardware. Most of today’s computers and smartphones do not include fingerprint readers, for example.

You can’t change your biometric data if it’s stolen. If an investment company uses biometric security, it must store your biometric data in its computers. If that computer is hacked, the crooks might get their hands on details about your fingerprints, face, eyes or voice that they could use to invade accounts. Better-designed systems, such as the fingerprint readers in recent iPhones, keep the data on your own device and never send it to the company; before enrolling, ask where your biometric data will be stored.
