Your possible solution might be a step in the right direction, BUT these days most systems allow you to log in to the sending institution to confirm your account. This bypasses your system completely. If a hacker has access to your name, DOB, SSN, address AND account number, they quite likely have access to one or more of your passwords, too. Since most people re-use passwords or minor variations of one password, the hacker can easily verify account info and off they go. With online security, much like physical security, almost any system can be overcome with enough determination, time and effort. The best one can do is institute the most secure system you can live with, then hope the hacker gets discouraged enough by your systems so he/she moves on to the next mark.

Dirghatamas wrote: Sun Jul 03, 2022 12:14 am
OK this ruined my evening run!
I thought I had all the standard security stuff nailed: 2FA, Symantec and YubiKey, Credit Freeze at the 3 reporting agencies + Bank account freeze using Chexx...but this seems to be a simple and very dangerous loophole that affects all brokerages (not just Fidelity) and seems impervious to basic security steps one can take. There seem to be trivial security additions brokerages could do (same as ACH noted below) but apparently none have. This is concerning. During my run, being an engineer, I played a mental war game of how many ways a bad guy could attempt this and how I could proactively stop it. It seems to be damn difficult without making the brokerage acct very inconvenient.
ACH vs. ACATS security: Let's say you (good guy) have an acct with Institution A (brokerage or bank doesn't matter). Let's say the bad guy opens an acct at Institution B under your name. They just need your SSN, DOB and maybe your address, which are all easily available nowadays after Equifax and other breaches. Now the security case of transferring money (ACH or wire) is very different from transferring stocks/bonds/ETFs/mutual funds. To actually transfer money, Institution B, when it receives a request, will first deposit a couple of tiny amounts to the Institution A acct using ACH. Then it will ask the bad guy to enter those amounts. As long as the bad guy doesn't have the Userid + password + 2FA of your acct with Institution A, they will fail to link for money transfer (brokerage or bank is irrelevant).
For ACATS transfer/link, they could potentially do the exact same thing: do a trial deposit to make sure you actually are the owner of the other acct you are trying to transfer from. They apparently haven't done so. This seems to be a trivial and dangerous omission. All brokerages and banks already have this security feature implemented, so why not enable it? Doesn't make any sense.
2FA and strong passwords: Some posters have talked about 2FA but that is irrelevant for this loophole. The bad guy doesn't need to get into your acct. They don't need to know your exact dollars in the acct or even what stocks/funds etc. you own. If they try a "full acct transfer", the system will typically NOT ask for such details. The last time I transferred a full acct to Vanguard (maybe 7-8 years ago), the transfer was electronic, needed no paper mail or paper signatures and involved NO email or any notification from the other brokerage. So the bad guy doesn't need to get into your acct in order to drain it. I haven't tried a full acct transfer recently so don't know what steps the brokerage takes.
Credit and bank freezes: I always have my credit frozen and bank acct also frozen (using Chexx). Unfortunately, neither will help. First, you don't need your credit unfrozen to start a brokerage acct. I personally did this perhaps 5 years back and didn't need to unfreeze. I haven't done so recently so don't know if brokerages have become more security conscious and won't start an acct if credit is frozen.
For bank accts, I believe Chexx will contact you if someone tries to open a bank acct in your name (if you freeze it), but there is an easy workaround. I have no idea why the bad guys in the OP case opened a bank acct. There is no need. Brokerages have wire transfer service. So, the bad guy could have transferred securities from A to B using ACATS, then sold all of it at B and wire transferred the resulting money to, say, a bank in Russia or some other shady place. You don't need a bank acct in the USA to do that. So how does the Chexx system freeze (which is USA only) help?
Possible solutions: I think an ACH like trial deposit scheme mentioned above would be quite good. Because that doesn't seem to exist today for ACATS, we are basically on our own. I went ahead and locked my Fidelity acct but that will be quite inconvenient as I use check writing. I also sold my house recently and wire transferred the proceeds to Fidelity. Had to give the title company the acct number..so brokerage acct numbers exist in many places with questionable security. Don't think there is a solution at Schwab. Vanguard does have a solution (using snail mail) but that seems very cumbersome as it locks the whole acct and not easy to reverse... scary stuff!
Wrench
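The trial-deposit check the quoted post describes for ACH linking (Institution B sends two tiny random deposits, then asks the requester to echo the amounts back) is simple enough to sketch. The following is an added example, not code from any brokerage or from the posters above; the three-attempt lockout, the three-day expiry, the 1-99 cent range and the class/function names are assumptions chosen for illustration. It also computes what an attacker who cannot read the destination account's statement gains by guessing, which is the point of the lockout.

```python
"""Trial ("micro") deposit verification as used for ACH account linking.
Added, constructed example; policies below are assumptions, not any institution's."""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # assumed policy: lock the link after 3 wrong guesses
TTL_SECONDS = 3 * 24 * 3600    # assumed policy: amounts must be confirmed within 3 days
MAX_CENTS = 99                 # assumed: each deposit is $0.01 .. $0.99


@dataclass
class PendingLink:
    amounts: tuple          # the two deposits Institution B actually sent, in cents
    created: float          # when they were sent
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def _encode(pair):
    # Fixed-width encoding so the comparison is over equal-length byte strings.
    a, b = pair
    return f"{int(a):02d}{int(b):02d}".encode()


class MicroDepositVerifier:
    """Institution B's side of the link: send two random deposits, then require the
    requester to echo them back. Only someone who can read the destination account's
    statement (i.e. can log in at Institution A) knows the amounts."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised offline
        self._pending = {}

    def start(self, link_id):
        pair = (secrets.randbelow(MAX_CENTS) + 1, secrets.randbelow(MAX_CENTS) + 1)
        self._pending[link_id] = PendingLink(pair, self._now())
        return pair   # in real life these go out over ACH; here the caller sees them

    def confirm(self, link_id, claimed):
        p = self._pending.get(link_id)
        if p is None or p.locked or p.verified:
            return False            # unknown, locked, or already used: no replay
        if self._now() - p.created > TTL_SECONDS:
            p.locked = True         # stale challenge: force a fresh pair of deposits
            return False
        p.attempts += 1
        if hmac.compare_digest(_encode(p.amounts), _encode(claimed)):
            p.verified = True
            return True
        if p.attempts >= MAX_ATTEMPTS:
            p.locked = True         # guessing budget exhausted
        return False

    def status(self, link_id):
        p = self._pending[link_id]
        return {"verified": p.verified, "locked": p.locked, "attempts": p.attempts}


def guess_success_probability(attempts=MAX_ATTEMPTS, max_cents=MAX_CENTS):
    """Chance an attacker who cannot see the statement gets through by guessing:
    every ordered pair is equally likely, and the link locks after `attempts` tries."""
    return min(1.0, attempts / (max_cents ** 2))


if __name__ == "__main__":
    v = MicroDepositVerifier()
    sent = v.start("link-1")
    print("deposits sent:", sent)
    print("attacker guessing (0.12, 0.34):", v.confirm("link-1", (12, 34)))
    print("owner entering what the statement shows:", v.confirm("link-1", sent))
    print("guess success with lockout: %.4f%%" % (100 * guess_success_probability()))
```

The security of the scheme rests on two things the code makes explicit: the amounts are only observable by someone who can already authenticate to Institution A, and the attempt limit keeps the 1-in-9801 guess from being retried until it lands. An ACATS flow without such a step, as the post observes, has neither property.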