Are the risks of Financial Account Aggregation really worth it?
I use BitWarden for my corporate accounts and LastPass for personal. Will probably switch out of LP soon.
My prior references to SIM hijack were to an attacker taking control of your phone number through the port process, not emulation.
2FA can also be hacked with malware on your phone that surreptitiously forwards SMS.
RoboForm used to be an excellent offline password manager, no idea if the company is still around.
I've also used the open source VeraPass which was really good but no idea if still around.
The most secure means of password mgmt is portable USB or fob based (RoboForm had a specific To Go product for that) but it is not convenient in the world of smartphones. If one is a heavy PC user, nothing can beat the security of encrypted passwords on a USB disk.
I did that for many years, very secure. Pop the portable USB fob into the machine, RoboF pops up, I go through 2 different passwords: first decrypt the disk and then the password to RF itself. Super secure but less convenient than LastPass.
@sma3, unless your phone is compromised with malware, the unique IMEI # associated with your phone/SIM card could be at risk. Breaking the 2FA is not as trivial as it is made out to be. The user gets to choose what the other factor is in order to identify themselves.
For security, I seldom use cell phones for financial transactions. I much prefer to use my Mac and Linux computers with a VPN service. No, I have not used any of those apps you mentioned.
Quick search of the usual tech sites (Tom's Hardware/Tom's Guide, Wirecutter from NYT, PCMAG) for recommendations after the Dec 1 LastPass hack:
1Password and Dashlane are top choices, with Bitwarden best for free
KeePass gets good reviews, and seems to be the only manager that still supports saving PWs only on local computers, but is technical and somewhat complex to set up. Transferring access across platforms requires storing the PW vault in DropBox, Google Drive etc., which obviously could also be hacked.
I don't even need to know any of these details. It is frightening, and should be illegal, all the stuff these various outfits can "mine" about us all. Given the potential catastrophic results of a hack, I just will not even contemplate aggregating my accounts. Even on a stand-alone basis, the risk is there, whenever I use an online log-in. And this is all true regardless of any particular variation of a definition of "hack."
Wow, I would not have guessed there would be so much drama regarding account aggregation! This wasn't a controversial investing topic like active vs. passive or domestic vs. foreign. ¯\_(ツ)_/¯
For sure... me too. BTW, I just learned something new about emoticons. Thanks.
I neglected to mention that KeePass is used only on my PC.
I do not use KeePass (or any password manager) on my mobile devices.