Here's a statement of the obvious: The opinions expressed here are those of the participants, not those of the Mutual Fund Observer. We cannot vouch for the accuracy or appropriateness of any of it, though we do encourage civility and good humor.
Are the risks of Financial Account Aggregation really worth it?
A hack of Yodlee is no different than a hack of LastPass. Using stolen credentials the attacker can liquidate your portfolio and move money out of the brokerage account. For example if your Robinhood account got hacked, an attacker can buy crypto and transfer it to their wallet within a matter of minutes.
OK, will someone step forward & give me their password & account # & I'll see if I can remove a "few" grand. Then we'll have an idea of how hard it is to hack your account. I promise to return your funds. Just joking, Derf
@stayCalm: I don't have a Google TV, but a Google email address that I don't use. So if I google something on my PC, they have the link ability to my PC then to my brokerage accounts? Thanks for your time, Derf
I can't make out if your post is sarcasm or not but I'll assume it is not.
To answer your question in broad strokes, anytime you are online, regardless of whether you have a @gmail address or not, the site you are visiting has the technical means to figure out your identity. Does not mean that every site out there does it but it can technically be done.
That said, there is a pretty big difference between a site figuring out your identity and stealing brokerage account credentials sitting on your PC. The former while not trivial is certainly not technically complex but the latter requires a hacker to break into your PC, figure out where your passwords are stored and relay them externally. Or a hacker needs to lure you to a site where you willingly hand over your credentials (usually achieved by phishing). There are many other ways to steal credentials but my broader point here is that figuring out your identity as you traverse the internet is routine business for Google, Facebook, data brokers and the internet ad industry but hacking into your machine for purposes of theft or extortion is the realm of the rogues.
Over this weekend I'll post a few links about how data brokers operate, that should make for some interesting conversations!
Literally every single physical and digital entity that you interact with is selling the data that comes from that interaction. Epsilon, Acxiom, Oracle etc. have 10,000 data points on more than 200M Americans.
Forget about brokerages that you do business with, data brokers know more about you than your family.
I am the opposite of uninformed in this area, actually, and again I ask you to spell out exactly how the account depletion would go. Step by step. Not a matter of belief.
You don't have to be diplomatic.
If you like, after you are done enlightening all of us as to the actual threat and the mechanisms of theft, you can go on and point to all of the times it has happened. You say google, so give a link or two.
I have zero interest in educating you on how brokerage accounts can be hacked, how your account can be wiped and writing an instruction manual on the topic.
I'm not offended if you choose to not believe anything I've stated here but I encourage you to get familiar with e-mail account hack, forgot password, change of registered phone number, SIM hijack, change of address, online submission of wire forms and wire turn around times. Also encourage you to get educated on concepts around crypto, wallets, crypto transfer, speed of crypto transfer, crypto wallet anonymity, Coinbase, how Coinbase works and how to buy crypto within a brokerage.
So you know, I am a pretty heavy user of PersCap so I've accepted the risk. Do tell me your motivation in denying what a brokerage account hack can result in when the topic can be easily researched on Google and when even the SEC issues guidance on the topic and associated dangers.
Nothing you list contributes to a "hack" (whatever you think that means) resulting in account draining.
Now. If I aid and abet; am gulled; permit someone effectively to be me, ... ah, well, that's not the same thing, is it?
Thanks for links. The poor reddit guy is useless, taking the same handwaving tack you have. Note the dates !!
\\\ My Schwab account was hacked and about 84,500 was wire transferred to a bank in India. First transfer started on the 8th of this month for 50k, then another for 21k on the 10th and then another for 15k or so on the 13th. They also tried to pull 50k from my bank into Schwab ... I contacted Schwab yesterday ... I never shared my password with anyone and I had a complex password, I also had a pin for my app on my phone.
This is not only good patter but high comedy. As they say, details, please.
And did you read your second link? Seriously? Whose point are you making??
@stayCalm- Definitely not wanting to engage in any hostilities, but I'm wondering about your comment regarding being a "pretty heavy user of PersCap". Is PersCap some sort of aggregation setup? And if it is, do you think that the hacking risk is acceptable?
I just eliminated all of my aggregation accounts at Schwab, and I guess that the next step would be to change the passwords on those accounts because it's likely that some residual information will still be at Schwab's aggregator.
This has all turned out to be a very interesting question, and I'm really surprised that in all of the many years at MFO apparently we haven't discussed this before.
PersCap is Personal Capital which provides free account aggregation as a hook to get you to subscribe to their paid services.
It's a fantastic product (by far the best aggregation service I have seen and I have used 5+) but not zero risk by any stretch of imagination no matter what anybody states.
A hack of Yodlee is no different than a hack of LastPass. Using stolen credentials the attacker can liquidate your portfolio and move money out of the brokerage account.
I guess that I'm unclear on the exact definition of "credentials". When I originally initiated my account aggregation at Schwab, during the setup the aggregator required my account number and password. That seemed reasonable, as without that the aggregator wouldn't be able to interact with the accounts.
Is that information the "credentials" that we're talking about, or are credentials something else again?
You need to remove the cobwebs and emerge into the light a la Rip Van Winkle.
Reddit isn't TikTok for starters -- it is used by much more than teens, $85K isn't chump change, that's a lot of money for the vast majority of the population. Teens also typically don't carry those kind of brokerage balances.
Look up what a keylogger is and what it can do.
Dude, you're embarrassing yourself by continuing to pretend that your brokerage account cannot be wiped if your credentials leak. Or pretending that your credentials can never leak and your email and SIM cannot be hijacked.
How about you post your credentials here and we find out? Even better than that, how about you post your credentials on social media like Twitter, FB etc. and challenge the world to drain your account. Put your money where your mouth is big guy and this topic can easily be resolved.
Credentials is a commonly used synonym in InfoSec circles for anything that can be used to log in to an account. That includes userid/pswd but can also include other things like hard and soft tokens, 2FA, MFA, pictures, retina scan, fingerprints, etc.
Come on, don't deflect, and don't project. Email and sim hacks and all that are trivially easy to prevent. Send me $500 and I will explain. I will post the explanation here, too.
So ... Robinhood alone has pisspoor access and authentication control? That alone is a major story.
Inside job? But that would not meet your scare criteria.
I am going to google to see if I can find out what actually happened w poor old Nate Heard.
The last six CNBC paragraphs are shocking, writer-firable for their slop and laziness. Also preposterous as factual narrative reporting.
And while I expect that you are not a working editor, did you notice that CNBC leads with speaking to 4 people but then can list only 3? yoohoo, editors!?
Again, can you recount for all of us the steps for a bad actor to, out of nowhere and without operator error, access and drain a Vanguard (or ML or Fidelity or Schwab ...) investment account?
Boy you love to bluster and also change the goalposts I see. Inspired by the current soccer World Cup?
So we went from "show me how a brokerage account can be wiped, post some links" to "without operator error, how can an account be wiped" and "CNBC does not have competent editors" because strangely enough this became an exercise not about commenting on the substance of the issue but about CNBC citing 3 sources when they pinkie promised 4 at the top of the article.
I take it then you're an InfoSec guru + writing wizard. Any other skills you'd like to dazzle us with? Why do you spend time on this forum with us uneducated folks when you could be monetizing your genius and be consulting with CNBC, Cloudflare and the like. InfoSec is hot David, you are severely underutilizing your skills. Google, Mandiant and Microsoft will pay you top $$ I assure you.
On the topic of how your PC can be hacked without operator error, I suppose Microsoft and Google are both being run by rubes because they keep issuing OS and Chrome browser patches all the time coz -- hey they got nothing better to do. They also offer big bucks for zero-day exploits because hey tech companies have a lot of moolah to burn. Meanwhile users who haven't updated Chrome or Windows for more than 6 months wonder how in the hell trojans and worms got onto their machine.
While Lapsus$ can directly breach Microsoft, they don't stand a chance of breaching David's system. If I didn't know any better I would have thought Pegasus is just a mythical stallion and not also the name of a product that can hack into a phone without any action needed from the owner of the phone. Egads, can't happen. All humbug. The entire Khashoggi story is all urban legend. Also humbug is all of the stuff that Edward Snowden described in great detail in his book as to what the NSA was capable of more than 10 years back. Because technology and hacking sophistication move backward, not forward. With the passage of time and exponentially more powerful CPUs (that can brute force password cracks) hacking actually gets more difficult.
Hackers also reduce in number and age out even as world population grows and rewards for hacking (including new pathways for hacking such as crypto) grow ever larger. Meanwhile we all scratch our heads and wonder why when Windows, Chrome, Android etc. are becoming impenetrable why companies and talent in cybersecurity are fetching top $$. All of the breaches mentioned at --> https://www.upguard.com/blog/biggest-data-breaches-us all baloney, all operator error. Had Mr. Moran been the CISO at all these places, none of this would have occurred.
But all of this to no avail to our (super)man Moran. If there ain't a written manual, it ain't true.
Snippet below from a Dec 14, 2022 post is a figment of imagination from both Krebs and Microsoft. They both have overactive imaginations. You have been warned.
-- The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user. --
Meanwhile you on the other hand are purportedly not writing fiction but have yet to provide a single substantive rebuttal.
Fwiw, changing the goalposts and whining about CNBC citing 3 sources vs. promising 4 would not pass muster even in a middle school debate competition.
You appear to be having difficulty connecting the dots -- any device can be hacked, ergo nothing is off limits. The krebs site even describes how SMS messages can be forwarded by malware. So much for SMS based 2FA being indestructible.
Hey btw you accused me of fearmongering and asked me what my angle was but didn't address the same question I asked you. What is your angle around your ridiculous stance that logins cannot be hacked and that using account aggregation is 100% safe. Are you shilling for an account aggregator service?
Cheers and I wish you happiness and joy in your beliefs and angles.
I don’t think you even read the zero-click article, which is about compromised devices. You don’t just keep moving goalposts, you jump fields and stadiums and sports, when once upon a time you were talking about drained accounts, drained magically. Anyway, done here.
Wow, I would not have guessed there would be so much drama regarding account aggregation! This wasn't a controversial investing topic like active vs. passive or domestic vs. foreign. ¯\_(ツ)_/¯
The notion of account aggregation services being 100% safe based on the collection of beliefs below is .... [fill in the blank]
- There isn't a detailed hack manual
- There aren't in the public domain dozens of published cases
- Published RH hacks don't count
- Hacks can only happen due to user error, hacks can never happen otherwise
- Large organizations like Microsoft, Experian, Capital One, etc. can be hacked at scale but account aggregators cannot be hacked
- 2FA cannot be hacked
Whether the probability of a hack is 0.1% or 1% or 10% I have no idea but I know it isn't zero risk.
Comments
Not always true if you have other authentication needed, (code) sent to your phone!
To put it diplomatically, based on the questions you are asking on this thread you are grossly uninformed.
You don't have to believe anything I state, Google is your friend unless you believe that is nonsense too.
@Derf
2FA can be hacked, Google is your friend.
What do you get, @stayCalm, from fearmongering?
https://danielmiessler.com/images/acxiom-data-profiles.jpeg
https://www.reddit.com/r/Schwab/comments/po5d39/my_schwab_brokerage_account_got_hacked_84500_sent/
https://www.investorfraudlaw.com/has-your-brokerage-account-been-hacked
Come on, @stayCalm.
Do better. Show some substance.
I just eliminated all of my aggregation accounts at Schwab, and I guess that the next step would be to change the passwords on those accounts because it's likely that some residual information will still be at Schwab's aggregator.
This has all turned out to be a very interesting question, and I'm really surprised that in all of the many years at MFO apparently we haven't discussed this before.
Thanks- OJ
It's a fantastic product (by far the best aggregation service I have seen and I have used 5+) but not zero risk by any stretch of imagination no matter what anybody states.
Is that information the "credentials" that we're talking about, or are credentials something else again?
OJ
Carry on with your belief that brokerage accounts cannot be wiped.
Interesting to note that you did not provide any substantive response at all to the other points I made -- e-mail hijack, SIM hijack etc.
The CNBC link within the 2nd link I posted had a pretty good amount of solid detail but hey, you know and believe otherwise so carry on.
https://www.cnbc.com/2020/10/14/brokerage-log-ins-for-sale-on-dark-web-robinhood-sees-highest-prices-.html is inexcusably weak, detail-free, fright reporting.
Like so much of the financial press.
Peace
Any device connected to the internet can be hacked. To pretend otherwise is naivete that will not serve you well.
And yes any really means any -- PC, phone, Xbox, lightbulb, thermostat, car, garage door opener, etc.. I repeat in case you missed it -- any.
https://krebsonsecurity.com/
https://www.csoonline.com/article/3660055/zero-click-attacks-explained-and-why-they-are-so-dangerous.html
I think it is possible for a hacker to impersonate your phone SIM card and break the two factor authentication.
I use LastPass but not for financial sites.
Does anyone know any more about LastPass hack? Second time this year but company says no passwords were compromised.
Anybody think 1Password etc any better? Anyone other than @Observant1 have experience with KeePass?