Here's a statement of the obvious: The opinions expressed here are those of the participants, not those of the Mutual Fund Observer. We cannot vouch for the accuracy or appropriateness of any of it, though we do encourage civility and good humor.
Krebs' piece observes that "Countless websites and online services use SMS text messages for both password resets and multi-factor authentication." That said, he warns about the risk of using a mobile phone for password resets.
Lose the phone (or number) to a hacker and you have no protection with password resets because the phone is used as the sole authentication method. In contrast, with true two factor authentication, you're not left unprotected with a SIM swap. You're effectively reduced to one factor authentication - not great, but better than nothing.
you should do whatever you can to minimize your reliance on mobile phone companies for your security. ... Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS ... If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS
I'm not suggesting that one should disregard the risks inherent in using mobile phones as an authentication method regardless of the number of authentication factors used. It's just that the biggest risks, the ones Krebs is writing about, come from single factor authentication methods (here, password resets) and from using a relatively unsecure authentication method (mobile phone).
For security, one wants to use two (or more) factor authentication and keep the authentication methods as secure as possible. The number I have at financial institutions is my landline number. Hard for someone to gain access to, and many places can now send security codes by voice rather than by text.
I checked Schwab's website but could find no other method of authorization than text and a phone call, or a notification to your mobile app. The first two are vulnerable to this SIM spoofing, as even if they send the code by voice, it will still go to your mobile. The mobile app requires you to enter your PIN, which is an advantage as it would block the SIM spoof.
The choice of login method is by the person logging in. I don't see any way that you can eliminate the less secure methods.
They used to have a security token but I don't see that as an option anymore. They also went to great lengths to authenticate your voice, but that seems to have dissolved too.
At Schwab, I use the Symantec VIP app. Every minute, it generates a 6-digit code (copy-and-paste OK) that has to be appended to the password. With Schwab Mobile, I have to be fast - to enter user ID, password+VIP code, all under 1 minute.
A limitation I found is that when I try to use Symantec VIP for other sites, it wants to overwrite the existing Symantec VIP data. So, I haven't used it for anything other than Schwab.
Multifactor authentication uses two or more different types of authentication, e.g. (1) what you know (login/password), (2) what you have (a physical token), or (3) what you are (biometrics). https://csrc.nist.gov/glossary/term/multi_factor_authentication
A mobile phone's (i.e. "what you have") degree of security varies depending on how you "prove" that you have it in your possession. The problem with relying on its phone number is that the number can be swapped (SIM-swapping) or spoofed. Swapping is the transferring of a number to a different device; spoofing is using a different device to mimic the number without transferring it.
Using an application such as Symantec VIP turns a computing device (mobile phone, tablet, computer) into a virtual physical key ("what you have"). Like a true physical key, it is as secure as the device itself. A desktop computer is going to be more secure than a mobile phone because you don't carry it around with you and risk theft or accidental loss.
I use Symantec VIP with Fidelity. On my laptop it changes every 30 seconds. That doesn't matter though. Once I capture the number it remains usable even after the 30 seconds have expired. Maybe Schwab is being extra paranoid? Should I fail a couple of times, the Fidelity authentication asks me to enter two consecutive numbers - capture one, wait 30 seconds, and capture the next one.
I'm curious about what "overwriting" existing data means. What data? Perhaps you are saying that one can't run two different applications (with two distinct credential IDs) on the same device? Or for some reason you can't use the same credential ID at two different sites? I've not tried to do that.
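For readers wondering why a 30-second code is still accepted after it "expires", and what the two-consecutive-codes prompt is checking, here is an added example (not code from this thread, and not Symantec's own implementation) of the standard time-based one-time password algorithm, RFC 6238 TOTP built on RFC 4226 HOTP, which authenticator apps of this kind generally implement. The 30-second step, 6-digit codes and HMAC-SHA1 are assumptions matching the RFC defaults; whether Symantec VIP uses exactly these parameters is not verified here. The secret is the public RFC test key, not anyone's real credential.

```python
"""RFC 6238 TOTP / RFC 4226 HOTP with server-side verification windows.

Added example, not code from the thread or from Symantec VIP. Assumes a
30-second step, 6-digit codes and HMAC-SHA1 (the RFC defaults).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Public test key from RFC 4226 / RFC 6238 Appendix B, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    The code rolls over every `step` seconds: 30 s matches the Fidelity
    observation above, step=60 would match the one-minute cadence at Schwab."""
    return hotp(secret, at // step, digits)


def _matches(secret: bytes, counter: int, code: str, digits: int) -> bool:
    """Constant-time comparison; negative counters cannot occur in valid time."""
    if counter < 0:
        return False
    return hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode())


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Server-side check that tolerates clock skew and typing delay.

    With window=1 the server accepts the code for the previous, current and
    next step, so a code read off the app just before it rolls over still
    works for up to `step` seconds afterwards. That is why a captured code
    stays usable after its 30 seconds have visibly expired.
    Returns the matching counter, or None if nothing in the window matches."""
    counter = at // step
    for delta in range(-window, window + 1):
        if _matches(secret, counter + delta, code, digits):
            return counter + delta
    return None


def verify_consecutive(secret: bytes, first: str, second: str, at: int,
                       step: int = 30, search: int = 2, digits: int = 6) -> Optional[int]:
    """Resynchronisation check: after failed attempts a server may ask for two
    consecutive codes. They must come from adjacent counters within the search
    range, which a single guessed or replayed code cannot satisfy.
    Returns the counter of `first`, or None."""
    counter = at // step
    for delta in range(-search, search + 1):
        c = counter + delta
        if _matches(secret, c, first, digits) and _matches(secret, c + 1, second, digits):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current 30 s code:", totp(RFC_TEST_SECRET, now))
    print("current 60 s code:", totp(RFC_TEST_SECRET, now, step=60))
    # RFC 6238 test vector: T=59 (counter 1) -> 287082
    print("RFC vector at T=59:", totp(RFC_TEST_SECRET, 59))
```

The window parameter is the trade-off the thread is circling: a wider window is friendlier to slow typists and drifting clocks but gives an attacker who has seen a code a slightly longer replay period, so servers keep it to one step either side and fall back to the consecutive-code check rather than widening it further.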
I use it on a computer (downloaded from Symantec, not from App store). No problems.
Looking at the complaints for the mobile phone app, they seem to be concentrated on failure to install correctly (a one-time event, I didn't have a problem), transferring to another phone (N/A), or ease of use (numbingly simple on a computer - just read off the numbers, same as with a hardware token).
If you don't like the app, or want something more secure:
you can actually use a hardware token for Symantec VIP. The hardware token isn’t connected to the Internet. Malware on your phone can’t read it. You’re not taking the hardware token with you everywhere you go. You won’t lose it if you lose your phone. You won’t have to change your credential when you upgrade your phone.
I've used Symantec VIP to access Fidelity via my desktop computer for several years. I haven't experienced any issues with this two-factor authentication app.
Note: I never access personal financial accounts via any mobile devices.
I use Fidelity's Full View (eMoney). I'm comfortable handing over some external account information to Fidelity. If you're not, then as The Finance Buff notes, "You can also choose to always add your account manually if you aren’t comfortable entering your password in eMoney."
I don't really use the budgeting/spending features of eMoney. It tries to classify your expenses according to what shows up on your credit cards (if you link them in), you can enter your own budgets, etc. And the asset reporting (what is held in which accounts) is a bit rudimentary. What I use Full View for is simply as an aggregator.
It does have a bit of difficulty in dealing with Treasury Direct. Every several weeks Treasury Direct wants the link verified with a security code that it emails. Then one needs to go to Full View and "repair" the link. Not a big deal, and the security code seems to remain active for days (you don't have to catch it at 3AM or whenever it shows up). Otherwise, the connection problems it has with outside accounts seem similar to those using Yodlee - most of the time they work but not always.
As The Finance Buff notes, detailed analysis is a feature of the Fidelity website called GPS. It just sources the data from Full View. I still prefer M*'s portfolio X-ray (premium), though that may be more familiarity than key differences. And since the M* service is expected to vanish soon, I'll wind up using Fidelity GPS more.
Consumers can be severely impacted by errors and misrepresentations made by the three major credit bureaus (Equifax, Experian, TransUnion). A laborious effort may be required to remediate problems caused by these credit bureaus. Equifax, Experian, and TransUnion should be held accountable for their actions.
As a follow-up to the MOVEit etc. breach, we have been hacked twice more since this summer. Our utility was hacked with our info and an old employer of mine (2019) was hacked.
Both offered us two years of "IDEX" credit and email address monitoring, but when I called them, they said the only way they can monitor your credit accounts is without a credit freeze. So I am supposed to unfreeze my credit reports (so I could become an identity theft victim?) so these turkeys can monitor it and then tell me I was a victim of identity theft?
Comments
Has anyone used this?
I'm not enthralled with voice ("what you are") authentication because that too can be spoofed.
https://www.biometricupdate.com/202307/phd-student-uses-deepfake-to-pass-popular-voice-authentication-and-spoof-detection-system
The reviews of Symantec VIP on App store are not great especially recently.
Have you had any trouble with it?
If you don't like the app, or want something more secure: https://thefinancebuff.com/security-hardware-fidelity-schwab-vanguard.html
Thanks for the advice. The article is especially interesting with the link to the eMoney discussion.
Has anyone used eMoney at Fido?
https://thefinancebuff.com/fidelity-full-view-gps-track-portfolio.html
https://finance.yahoo.com/news/1-us-regulators-fine-credit-141314874.html
What a scam
The fact they are so delinquent in implementing credit freezes is appalling.
Fortunately I know our freezes are in place because every time I tried to get another insurance quote on our house the agent said it couldn't be done.
https://ybbpersonalfinance.proboards.com/post/1213/thread