Bank that Doesn't Offer Multifactor Authentication (MFA)
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Bank that Doesn't Offer Multifactor Authentication (MFA)
I have an account with a well-known bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."
Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.
https://2fa.directory/#banking
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it will probably take two weeks to a month to list a new account on Treasury Direct to draw money from.
jebmke wrote: ↑Wed Dec 15, 2021 8:15 am
There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.
https://2fa.directory/#banking
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
No, it does not seem reasonable and yes you should be concerned. I would not do business with any financial institution that did not have two factor authentication, it's as simple as that. Any financial institution that does not offer 2FA is behind the curve when it comes to account security no matter what BS they tell you about "enhanced security."
What bank is this? It would be helpful to know so we can warn others.
Last edited by mptfan on Fri Dec 17, 2021 12:07 pm, edited 5 times in total.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Normally when I change banks I set up the new one and migrate things gradually anyway so you can always get started and then pull the plug after the iBonds purchase. Hopefully you can change the bank link on TD fairly easily (I don't use TD so I have no idea).
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:20 am
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it will probably take two weeks to a month to establish a new account for Treasury Direct to draw money from.
jebmke wrote: ↑Wed Dec 15, 2021 8:15 am
There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.
https://2fa.directory/#banking
You have to assess the risk of loss over the short term, given the amount of assets. In my case, my transaction bank is typically low balance. Even if there are large transactions like tax payments, the money gets pushed into the bank a day or two before the debit so it isn't sitting there for long -- so even if my transaction bank didn't have 2FA the exposure would be brief.
Last edited by jebmke on Wed Dec 15, 2021 8:28 am, edited 1 time in total.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
“My opinions are just that - opinions.”
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, similar situation here. I don't keep a lot of money in the accounts at this bank, at least not for very long. However, I wonder if I should be concerned that someone might exploit the linkage to other banks, brokerage firms, credit card accounts, bill paying etc. that the bank uses for electronic transfers. I'm not sure.
jebmke wrote: ↑Wed Dec 15, 2021 8:26 am
Normally when I change banks I set up the new one and migrate things gradually anyway so you can always get started and then pull the plug after the iBonds purchase. Hopefully you can change the bank link on TD fairly easily (I don't use TD so I have no idea).
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:20 am
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it will probably take two weeks to a month to establish a new account for Treasury Direct to draw money from.
jebmke wrote: ↑Wed Dec 15, 2021 8:15 am
There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.
https://2fa.directory/#banking
You have to assess the risk of loss over the short term, given the amount of assets. In my case, my transaction bank is typically low balance. Even if there are large transactions like tax payments, the money gets pushed into the bank a day or two before the debit so it isn't sitting there for long -- so even if my transaction bank didn't have 2FA the exposure would be brief.
FYI: It's somewhat time consuming to change the link at TD. Complete a form with signature guarantee. Mail and wait 15 to 30 days before the change is completed.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
They don't offer at least a security phrase with a new device?
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:13 am
I have an account with a well-known bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."
Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
My major bank doesn't offer text confirmation, but when setting up the account, they asked for security questions. They prompt me with one when I log in from a new device.
A couple of things you can do to help security.
Make sure the associated email address is protected with a unique password and has multifactor enabled.
Use a uniquified email address if you can. E.g. with Gmail addresses, you can put periods anywhere in your name and it will get to you. E.g. openm.inded1, op.en.mind.ed.1, and I think even o.penm..inded1 (consecutive dots will work.) This gives you unique email addresses per login.
Gmail also supports "+addressing", e.g., openminded1+bank name will also get to your primary Gmail account. Fewer sites support that format because their developers are idiots. (E.g. Home Depot.)
Now you've got a unique email address to supply to the bank.
If your bank has you use a separate username instead of using your email address, make sure that's unique, e.g. openminded1bankname. You'll probably have to abbreviate here, e.g. openmindbankX.
Finally make sure you're using a unique password for each bank.
Unless you're being specifically targeted, which is not likely, all of these attacks are automated. They get a list of user names, email addresses, and passwords and simply try them wherever. There isn't a human looking at these and saying "a-ha! openminded1 always adds the bank name to their user name."
If you want to be even more careful, have four independent email accounts. Set up one for high value use (banks, brokerages), one for sites that store your payment info (Amazon), and one for sites that require logins but don't have financial data (e.g. bogleheads.) The last one is for your personal use.
That's probably overkill, but it does get everything segregated into different "security zones". It's easier to do now than 10 years ago, since account aggregation is common on phones. It's probably more annoying on a computer with browser logins than on your phone. It wouldn't be bad on the computer if you used an email client.
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Thanks for the information. I do a lot of that, but not quite all. No they don't ask for a security phrase.
exodusNH wrote: ↑Wed Dec 15, 2021 8:44 am
They don't offer at least a security phrase with a new device?
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:13 am
I have an account with a well-known bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."
Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
My major bank doesn't offer text confirmation, but when setting up the account, they asked for security questions. They prompt me with one when I log in from a new device.
A couple of things you can do to help security.
Make sure the associated email address is protected with a unique password and has multifactor enabled.
Use a uniquified email address if you can. E.g. with Gmail addresses, you can put periods anywhere in your name and it will get to you. E.g. openm.inded1, op.en.mind.ed.1, and I think even o.penm..inded1 (consecutive dots will work.) This gives you unique email addresses per login.
Gmail also supports "+addressing", e.g., openminded1+bank name will also get to your primary Gmail account. Fewer sites support that format because their developers are idiots. (E.g. Home Depot.)
Now you've got a unique email address to supply to the bank.
If your bank has you use a separate username instead of using your email address, make sure that's unique, e.g. openminded1bankname. You'll probably have to abbreviate here, e.g. openmindbankX.
Finally make sure you're using a unique password for each bank.
Unless you're being specifically targeted, which is not likely, all of these attacks are automated. They get a list of user names, email addresses, and passwords and simply try them wherever. There isn't a human looking at these and saying "a-ha! openminded1 always adds the bank name to their user name."
If you want to be even more careful, have four independent email accounts. Set up one for high value use (banks, brokerages), one for sites that store your payment info (Amazon), and one for sites that require logins but don't have financial data (e.g. bogleheads.) The last one is for your personal use.
That's probably overkill, but it does get everything segregated into different "security zones". It's easier to do now than 10 years ago, since account aggregation is common on phones. It's probably more annoying on a computer with browser logins than on your phone. It wouldn't be bad on the computer if you used an email client.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Doesn't the bank guarantee to make you whole if your account is hacked?
Just use a complex password, don't give the password out to anyone, and keep your computer secure.
My bank has started putting in a delay between password entry and account access, which would slow down multiple password entries. I suspect that they would also lock access if too many incorrect passwords were entered.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
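As an added illustration of the point in the post above, that an authenticator app's codes depend on a secret stored on the device rather than on the phone number (this is not code from the thread or from any bank): a minimal RFC 6238 TOTP generator and server-side verifier with single-use backup codes, using only the Python standard library. The function and class names are assumptions made for this example, and the sample secret is the published RFC test value.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps.

    The only inputs are the enrolled secret and the clock. The phone number
    is not an input, so moving the number to another SIM yields no codes.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check; returns the matched time-step counter or None.

    window tolerates small clock drift between device and server.
    last_counter is the last step already accepted for this account, so a
    code that was seen once cannot be replayed inside its validity window.
    """
    current = unix_time // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits).encode()
        # Constant-time comparison; the loop does not exit early on a match.
        if hmac.compare_digest(expected, code.encode()):
            matched = counter
    return matched


class BackupCodes:
    """Single-use recovery codes for a lost device (hypothetical helper)."""

    def __init__(self, count: int = 8):
        # Shown to the user once at enrollment; the server keeps only hashes.
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {self._digest(c) for c in self.plaintext}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.remove(digest)  # each code works exactly once
            return True
        return False


RFC_SECRET = b"12345678901234567890"  # published RFC 4226/6238 test secret


def demo() -> dict:
    now = 59  # constructed timestamp, matches the first RFC 6238 test vector
    code = totp(RFC_SECRET, now)                 # what the app would display
    accepted = verify_totp(RFC_SECRET, code, now)
    replayed = verify_totp(RFC_SECRET, code, now, last_counter=accepted)
    expired = verify_totp(RFC_SECRET, code, now + 90)
    backup = BackupCodes(count=3)
    first_use = backup.redeem(backup.plaintext[0])
    second_use = backup.redeem(backup.plaintext[0])
    return {"code": code, "accepted_step": accepted, "replayed": replayed,
            "expired": expired, "backup_first": first_use,
            "backup_second": second_use}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```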
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
This is absolutely true, but unless you're being specifically targeted this is not a likely hack.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
The most likely scenarios for the overwhelming majority of people are that your email address and contact info is leaked along with your password or phishing. Keylogging is a distant third.
Once the creds are out there, bots spray those logins across the web and hope something sticks. Even something as simple as varying your username slightly per site is enough to prevent that attack.
- VictorStarr
- Posts: 746
- Joined: Sat Jan 04, 2020 9:13 pm
- Location: Washington
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I would not use a bank that does not provide reliable and configurable 2FA. The absolute minimum is 2FA with SMS (support for Google Voice number is a big plus), better option is 2FA with authenticator app or hardware key. There is no excuse for not supporting 2FA by any financial institution.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:13 am
I have an account with a well-known bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."
Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
It is hard to find a mainstream bank that offers 2FA with authenticator app or hardware key without fallback to SMS. Two exceptions are Charles Schwab bank and Fidelity CMA. Both Schwab and Fidelity provide support for authenticator app (without fallback to SMS).
- quantAndHold
- Posts: 10141
- Joined: Thu Sep 17, 2015 10:39 pm
- Location: West Coast
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
My credit union doesn’t have 2FA. I called them and found out that their CS rep understands what 2FA is better than their IT department does. Which made me very nervous.
I kept the account open so that I still have a local banking account, but transferred all but a token amount of money elsewhere.
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in your iCloud account (from an iPhone or iPad) and it applied them to your Mac.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 9:37 am
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, we have other apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up. I wonder if this somehow increases the chances I will get hacked versus just going to the email website and logging in using 2FA.
vitaflo wrote: ↑Fri Dec 17, 2021 9:57 am
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in your iCloud account (from an iPhone or iPad) and it applied them to your Mac.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 9:37 am
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Gaston wrote: ↑Wed Dec 15, 2021 8:27 am
I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.
A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 10:04 am
Yes, we have other apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up.
vitaflo wrote: ↑Fri Dec 17, 2021 9:57 am
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in your iCloud account (from an iPhone or iPad) and it applied them to your Mac.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 9:37 am
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While SIM card hacks aren't common they are possible. All someone needs is a way to port your number to their SIM card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:30 am
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I can't log into Facebook (Meta) or gmail on my computer without entering a username and password. Sometimes it (the device) will ask me if I want it to remember them, and I always say "never." I appreciate your efforts to explain. I have quite a bit of experience using comps, but wasn't practically born with one in my hand like some of the younger Bogleheads.
vitaflo wrote: ↑Fri Dec 17, 2021 10:06 am
Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 10:04 am
Yes, we have other Apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up.
vitaflo wrote: ↑Fri Dec 17, 2021 9:57 am
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in your iCloud account (from an iPhone or iPad) and it applied them to your Mac.
OpenMinded1 wrote: ↑Fri Dec 17, 2021 9:37 am
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
vitaflo wrote: ↑Wed Dec 15, 2021 9:06 am
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then this presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone, is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation?
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
It is, because the authentication in that instance is tied to your physical device, whereas with SMS, someone can steal your phone number remotely via "SIM swap" and intercept your SMS 2FA codes.
jebmke wrote: ↑Fri Dec 17, 2021 11:48 am
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone, is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation?
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, and many non-finance apps can be set up that way as well. One example is Amazon.
anon_investor wrote: ↑Fri Dec 17, 2021 12:10 pm
Many finance apps can be set up so they require 2FA for every login. For example my Fidelity app requires a code from my Symantec VIP authenticator app for every login.
-
- Posts: 1576
- Joined: Wed Feb 05, 2020 8:27 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Thanks. That's helpful.
anon_investor wrote: ↑Fri Dec 17, 2021 11:54 am
It is, because the authentication in that instance is tied to your physical device, whereas with SMS, someone can steal your phone number remotely via "SIM swap" and intercept your SMS 2FA codes.
jebmke wrote: ↑Fri Dec 17, 2021 11:48 am
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone, is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation?
-
- Posts: 1029
- Joined: Tue Sep 21, 2010 9:13 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
FYI - I've been having an ongoing issue with Ally about setting up 2FA. viewtopic.php?f=2&t=362768
mptfan wrote: ↑Wed Dec 15, 2021 8:25 am
No, it does not seem reasonable and yes you should be concerned. I would not do business with any financial institution that did not have two factor authentication, it's as simple as that. Any financial institution that does not offer 2FA is behind the curve when it comes to account security no matter what BS they tell you about "enhanced security."
What bank is this? It would be helpful to know so we can warn others.
After lots of research, I find that Ally, Discover, Marcus, and Lending Club Bank do NOT offer consistent 2FA codes when logging in. This is a dealbreaker for me.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 month of expenses at 2 separate financial institutions for this reason.
Tamales wrote: ↑Fri Jan 21, 2022 9:04 am
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
All good points. But judging from the sheer volume of "pants on fire" threads and posts about 2FA, I get the impression some think there is naked and unrecoverable loss potential, so it seems useful to point out that's not the case in general.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 month of expenses at 2 separate financial institutions for this reason.
Tamales wrote: ↑Fri Jan 21, 2022 9:04 am
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
It would be useful if people nit-picked the strengths and weaknesses of the existing law as a protection mechanism (no law is perfect), but I've never seen a thread do that. I guess that's not as exciting as discussing the various flavors and views on 2FA.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Push comes to shove you can pay a lot of things with a credit card and get cash advances with your credit card.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 month of expenses at 2 separate financial institutions for this reason.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
rkhusky wrote: ↑Fri Jan 21, 2022 9:50 am
Push comes to shove you can pay a lot of things with a credit card and get cash advances with your credit card.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 month of expenses at 2 separate financial institutions for this reason.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
anon_investor wrote: ↑Fri Jan 21, 2022 10:09 am
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I don't think that is a fair impression. I know that there is not a "naked and unrecoverable loss potential" so long as I timely report unauthorized activity, but the inconvenience and hassle factor involved in trying to fix things is worth enough to me to take extra steps to protect my account.
-
- Posts: 1029
- Joined: Tue Sep 21, 2010 9:13 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Agreed. The experience I had with Ally has soured me to any financial institution that doesn't offer 2FA. It's the very least they can do. As I've mentioned in another thread, I wouldn't have thought much about the importance of 2FA, except that my daughter, who is a systems architect, said she would never use any bank that doesn't offer it at the very least. She has set me up with 2FA/SMS and/or Authy (https://authy.com/) for all of my online accounts. I've been with Ally for years, but after the run-around and all the frustration in dealing with them, and STILL no 2FA, I am transferring all my savings from Ally to Bank of America, where I have a business checking account and a very good relationship with my banker. I'm happy to give up the interest at Ally to feel better about the bank I'm dealing with. I've called Ally, Marcus, Discover, Lending Club, and none of them offer 2FA consistently when the customer logs in. It's some consolation that my purchase of I-Bonds in 2021 and 2022 will more than make up for the interest at Ally. No regrets.
mptfan wrote: ↑Fri Jan 21, 2022 11:14 am
I don't think that is a fair impression. I know that there is not a "naked and unrecoverable loss potential" so long as I timely report unauthorized activity, but the inconvenience and hassle factor involved in trying to fix things is worth enough to me to take extra steps to protect my account.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
rkhusky wrote: ↑Fri Jan 21, 2022 10:29 am
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
anon_investor wrote: ↑Fri Jan 21, 2022 10:09 am
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I would look into that if I had to.
anon_investor wrote: ↑Fri Jan 21, 2022 11:39 am
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
rkhusky wrote: ↑Fri Jan 21, 2022 10:29 am
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
anon_investor wrote: ↑Fri Jan 21, 2022 10:09 am
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
But I could see a problem for the "one-stop-shop" folks if your account was compromised and you lost access to ALL of your money...
rkhusky wrote: ↑Fri Jan 21, 2022 11:52 am
I would look into that if I had to.
anon_investor wrote: ↑Fri Jan 21, 2022 11:39 am
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
rkhusky wrote: ↑Fri Jan 21, 2022 10:29 am
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
anon_investor wrote: ↑Fri Jan 21, 2022 10:09 am
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
-
- Posts: 1029
- Joined: Tue Sep 21, 2010 9:13 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Interesting article that addresses which banks do and do not hold you up if you've been hacked and there's an investigation pending:
https://www.mybanktracker.com/news/most ... protection
Next-Day Cash Reimbursement
When disputes are being settled (such as fraud), some banks offer next-day cash reimbursement so their customers have that money in the meantime, instead of waiting months before they get their cash back.
Bank of America and Chase are two big banks that do this, and Discover and Citibank send their customers emergency money if customers' cards are lost or stolen while traveling.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Similarly, I opened an account at a bank that doesn't allow transfer on death, because I just assumed it would.
OpenMinded1 wrote: ↑Wed Dec 15, 2021 8:20 am
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would.
jebmke wrote: ↑Wed Dec 15, 2021 8:15 am
There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.
https://2fa.directory/#banking
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
Tamales wrote: ↑Fri Jan 21, 2022 9:04 am
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
It is always a trade off between convenience and security. I feel like the minor inconvenience of 2FA is worth it for the added security, better safe than sorry. If you do not check your accounts constantly, it should not be that big of a hassle.
grogu wrote: ↑Fri Jan 21, 2022 12:51 pm
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
Tamales wrote: ↑Fri Jan 21, 2022 9:04 am
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
-
- Posts: 1029
- Joined: Tue Sep 21, 2010 9:13 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
FDIC insurance doesn't protect our funds from hacking. It protects our funds if the bank fails.
grogu wrote: ↑Fri Jan 21, 2022 12:51 pm
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
anon_investor wrote: ↑Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
Tamales wrote: ↑Fri Jan 21, 2022 9:04 am
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
https://www.fdic.gov/resources/deposit-insurance/
https://finance.yahoo.com/blogs/hot-sto ... 39974.html
This is an interesting link that shows which banks do and don't allow us to still use our money right away in case of a hacking and pending investigation:
https://www.mybanktracker.com/news/most ... protection
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
You can identify your device as a trusted device so that you do not need to use your second factor every time. Problem solved.
I'd rather err on the side of taking an extra step to log in sometimes to keep my account safe. You may choose differently and that's ok.
-
- Posts: 1967
- Joined: Sat Apr 09, 2016 5:06 pm
- Location: NYC
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
It's definitely a balance between convenience and security. Basic 2FA is important, but worrying about SIM hacks, using a Yubikey, having multiple "clean" email addresses, etc. is too extreme for me.
Even if someone did access your bank account, what could they realistically do? Transfer between checking and savings, pay a bill, see your balance? It's not like they could instantly set up an ACH transfer to their account and drain my funds. My bank e-mails me whenever there is a new log-in from an untrusted computer, or a new bank is added for external transfers (and even that takes a few days to do). If I saw an email, I could just call them and lock it out. Also, banks have very sophisticated AI software that looks for security issues. If all of a sudden someone from the Philippines is trying to log into your account when you just used your debit card in Manhattan an hour ago, it will likely flag it and lock the account.
I think you are at a bigger risk of losing money from a stolen check or compromised debit card.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Informative discussion. Have high respect for hackers' creativity. With VPN, someone overseas can appear as calling or accessing from USA. Same for phone calls: area code of US city appears but the call originates overseas. There are various reports that use of a password manager may be a reason for a bank to deny reimbursement due to hacking. E.g., if you give the account password to someone else, and it is used to access your account, the bank has a rationale to not reimburse losses. Seems this varies by bank. Would not stop use of password managers vs recognize the needs for prudence in any security setup.
-
- Posts: 1029
- Joined: Tue Sep 21, 2010 9:13 am
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
Agreed. I never store any passwords in Bitwarden for my financial institutions.
advice789 wrote: ↑Sat Jan 22, 2022 4:00 pm
Informative discussion. Have high respect for hackers' creativity. With VPN, someone overseas can appear as calling or accessing from USA. Same for phone calls: area code of US city appears but the call originates overseas. There are various reports that use of a password manager may be a reason for a bank to deny reimbursement due to hacking. E.g., if you give the account password to someone else, and it is used to access your account, the bank has a rationale to not reimburse losses. Seems this varies by bank. Would not stop use of password managers vs recognize the needs for prudence in any security setup.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I'd argue the technical reality that I didn't give the password manager company my password. I gave them a long complicated (i.e. encrypted) number to store for me. The password itself never left my computer, aka "local only encryption".
OTOH, the password companies disclaim liability in their ToS.
Re: Bank that Doesn't Offer Multifactor Authentication (MFA)
I just want to verify something related to these 2FA threads. The main issue seems to be (if I may make up a shorthand reference) the threat of a successfully executed "Quickie Hacker Liquidation" or QHL, right? In other words, similar to home burglaries, in and out in a few minutes.
And the QHL concern is limited to bank checking/savings accounts holding pure cash (not something 1 or 2 steps removed from cash like money market mutual funds or CDs), is that correct?
Taking that one step further in the portfolio hierarchy, it seems a QHL of one's retirement accounts (even if they are 100% cash) is not even feasible. Legitimate versions of such external transfers take days or weeks to complete, often involving much time navigating the website for forms and sometimes requiring calls to the firm to have them send you forms, sometimes requiring physically signed/mailed forms or checks for at least one side of the transaction.
Setting aside the question of 2FA on or off for retirement accounts, am I correct that a QHL of a retirement account has a probability of zero for all intents and purposes? If that's not right, can you please explain with specifics, because at the moment I'm not seeing how it would be possible. Maybe there are distinctions between tIRA, 401k, and other retirement account categories, as far as a QHL is concerned?
How about an after-tax brokerage account? Is the only real concern in such an account for a QHL of the pure cash portion of your balance? In other words a bit more concern than a retirement brokerage account, but not a real concern for a QHL transferring stock/bond positions?
Thanks for any insights.