Class action isn't doing it. But government fines will force companies to spend money on actual IT people (not outsourced idiots) to build systems much harder to breach than their competitors so hackers will move to the competitors. Then the govt gives the competitors and that's how we can mitigate it to the point of not seeing so much of this.
Thanks, Rob, I hadn't heard of this - but I'm not in any of the states mentioned. I froze my credit a number of years ago and it has helped a lot (in my thinking), recently I also froze my social security number! It's a tiny bit of a pain to set it up at first, but it is easy and quick to unlock/lock it again if it is needed.
@@cello5-q2j Ah, Minnesota! One of the better places to be regarding climate resiliency! Although I think the winters would be brutal. I don't handle the heat and humidity well in the summers here in Delaware, but I also don't think I'd handle the brutal winters either. I'm kind of surprised I haven't seen any mention of the breach on the Fidelity site. I'm on it quite often, I will have to go searching...
Great video and very well timed as we consider moving our money to Fidelity! I’m wondering if it makes sense to keep our money with multiple companies instead of one? What would be the downsides of this?
Yeah, sometimes these hacks end up sitting for a while before that data is acted on, depending on who it is sold to and what they can actually leverage with that data.
I put a lock (not sure what it’s exactly called) on with one investment provider and no money can come out unless I contact them and my advisor then approves.
One of my favorite features of Interactive Brokers. It was annoying they required it at first, but since it's through their app it works very well. And now the logic for it is clear.
But they can also hack your phone sim card and if they do that then their phone will ring and receive texts as yours. Getting out there I agree but possible.
2FA is a completely different thing. It's like trying to make the lock to your vault harder to pick, while a data breach is like thieves taking all the data out from a massive hole in the back of your vault. Only the institution can prevent that...
I think most of us are getting 3-4 notifications each year informing us of hacks. It's getting ridiculous. I guess it's cheaper for companies to deal with the problem rather than institute REAL fixes so they don't happen.
Fidelity has been a nightmare lately. My buying power keeps disappearing. I call, it comes back. It’s happened 3 times now. It’s infuriating. It’s my cash! Obviously I’m in Massachusetts. The worst part, they never mentioned a hack. Will be transferring my accounts Monday!
That's nice... since I moved abroad they don't actually have my real current address or driver's license. I guess I will however have to check with family to see if they got a letter saying my data was compromised. Isn't this an argument to keep your accounts at a single broker, to minimize spreading your personal data?
I dig the credit freeze idea but what about a fraud alert? Seems nicer to me, where creditors have to verify your identity before moving forward. Thanks for your videos!
That’s exactly the reason I sold part of my portfolio at end of 2023, bought annuity to payout 5 years after retirement. Along with government benefit & company pension will cover all my expenses except extra traveling money. In Canada, annuity payment is guaranteed for $5k/month per contract. Also has laddered 5 years GIC starting my retirement.
These are beneficial to corporations. So many are hacked it’s a schedule, but you have no way to identify which company gave up your data. Second, occasionally an announcement that the company in question lost more information on more people than it has customers. I conclude that they have lost data they bought from the data brokers.
Using Google for any multifactor authorization defeats the purpose. Google has everything there is to know about you. Adding MFA just increases your exposure
4:09 "using two customer accounts that they had recently established" What??? I wish there was more information... Setting up two customer accounts leads to them having access to records of 77 thousand people??
My account was drained. It was an account I have never used ever. Very scary. Nobody seemed concerned. I had to do everything. Fidelity should do more. If I didn't watch this account I wouldn't have been reimbursed. Where is the government oversight? FYI I have full security. They have stolen your debit card info it doesn't matter what YOU do
Crap! I'm tired of all these companies lying to you, saying how safe they are and they can never be hacked. I'm seriously thinking about closing all my accounts and just keeping the money in a safety deposit box or install a safe at home.
All customer data should be encrypted including SSN numbers as it sits in Fidelity databases so when there is a data breach the information cannot be read.
As I understand it, if the email is only used with financial institutions it should not be shared unless some sort of hack/data breach occurs. So if you start getting spam or suspect emails to that email account that would alert you to a problem. My only concern is whether these financial institutions would share your contact info with their affiliated companies and from there who knows…
The video in which Fidelity was recommended over Vanguard was interesting, given there's a key difference: Vanguard is client-owned, right? And Fidelity is not. Meaning the unique structure of Vanguard would seem to favor the ordinary worker saving for retirement, although Fidelity may make more sense for active traders or have a more agreeable user interface.
Not to add to your To Do List but I would like to hear your opinion on long term investing in floating-rate funds or bank loans in this current environment. Always appreciate and value your content.
And use unique passwords for every site that are randomly generated by the password manager. Make them long and complex. Secure your password manager using MFA with a long pass phrase.
@@loupasternak LastPass had a security breach in 2022. Details are easily found online. You are correct, if you grant a bad actor access to your computer, it’s game over - watch the movie “The Beekeeper” with Jason Statham.
Why do these organizations even expose themselves to data theft liability by harvesting data they DO NOT NEED! Drivers license number? SSN? And other ancillary PII they DO NOT DIRECTLY ABSOLUTELY NEED for operation of their business relationship with that customer. The Government has long warned NOT TO USE SSNs for identification!
Let's hear some recommendations of secure aggregating tools so we can use multiple brokerages yet personally manage with one portal. Having multiple brokerages is perhaps the only way to safeguard a server side attack like this one.
Agreed, use 3rd party 2FA apps, Google or via your own password manager. Also, use a random username AND password. I randomize both username and password at least twice a year. A good password manager is worth the small annual fees. I loved that he first started off with... "use a dedicated email address for your financial accounts." Perfect.
@@ricomajestic There are several well known legit password managers. Research on CNET, Wirecutter, Consumer Reports, PCMag. Same “Top 10” come up. I have been using a password manager for over 10 years. Started with free version and upgraded to paid version, as more robust security enhancements were made only to paid version. Money well spent.
@@grwbt8703 I don't know. And, most that do support the key, allow you to log in without using the key, so why have it in the first place if it can be bypassed by choice? I never get a good answer but I found out they don't want the expense of product support as they think many will call in complaining they are locked out because they lost their key or whatever. I did find one place that you absolutely must use the key to get in, no way around it, and that place is PayPal.
It isn't your passwords that are the problem. No one is trying to hack you individually. Today, they go after companies, and they steal millions of account data at one time. It's likely that there are insiders at the hacked companies that work with these data thieves.
I’d be wary of using VPNs. TLS offers you decent protection as long as your local machine isn’t compromised. VPNs allow man in the middle to snoop on your information and effectively can break TLS. I’m not a fan of all these random companies and TH-cam influencers pushing VPNs as a security thing.
Changing your passwords, unique passwords etc, none of that works. I've seen enough of those cases to know. Because a hacker doesn't care about your password; they hack the authentication system to spoof their way in. How your transaction behaves is what companies need to focus on. And all these people commenting on freezing your credit report: that will do nothing to prevent a hacker from transferring your fortune out.
@@TransConBrilliance You need some evidence for that claim. If your claim is true, no secure transaction can happen. We can't even trust your account. It is probably hacked.
So sick of the all the money companies and insurance companies not being able to be willing to pay cyber security IT people enough money to work for them and keep everyone’s assets protected instead of hiring third-party vendors as cheap as possible, and getting hacked all the time. These companies should be liable for all of the money that cost everyone because of them.
- They say when AI and quantum computing take over passwords will become irrelevant. That should be fun. I’m sure companies and banks are busy getting ready for that challenge (sarcasm intended).
I absolutely never use my cell phone for any kind of identification or authentication. Phones are extremely vulnerable. They can be lost, broken or stolen. I do NOT want my identity connected to it.
What email provider is good these days. My Gmail and msn email addresses are just full of spam. Is it easy to change all bank accounts to a different email account when that email address is also the username?
I want to do a backdoor Roth IRA for my spouse. We file married filing jointly. She does not work. My income is under 100K. I can contribute 7K to a Roth IRA in her name. Can I also contribute 20K to a non-deductible IRA in her name and then immediately do a Roth conversion of the 20K to her Roth IRA for a total of 27K?
My broker always requires a voice confirmation call they originate to us on any significant change in withdrawal or transfers request. If I send them an email saying hey we want to change our standing orders and we need 30k, they call both my wife and me on the numbers of record.
@@nfb1000 except my cell can't be cloned and they can't take over my phone number. I've blocked sim swap, device change and number port. The brokerage calls me to confirm any transaction request outside our monthly withdrawal or change in standing order for destination account. If they can't take over my cell and the cell is the number they call, they can't use AI voice. My wife and I can only answer our cellphones.
@@tomcavanaugh5237 If you go to a site that has undetected malware, the browser can be convinced to give out all stored passwords. Plus of course if someone gains access to your physical device
Because if the computer/phone/device on which the browser is used gets hacked, the hacker has your browsing history plus the passwords for those sites.
The disclosures are not required by any federal law. This is a huge oversight today with everything on the internet. Be aware there are probably hundreds of more companies that don't have to tell us anything. Have separate passwords for your accounts and enable 2fa or more secure login options where offered.
Just ASSUME that ALL of your personal data has been hacked by some bad guys and deal with it that way... FREEZE your CREDIT... period... END OF STORY.
@@nashtrucker I have a VP CFP at Fidelity who I meet with every quarter at no additional cost. She called me personally. I also received a letter in the mail 3 days later.
@@nashtrucker I asked a Fidelity rep about "calling me" this morning and he said they do both. If you are affected by a data breach or something nefarious with your accounts they will send a letter and call you.
@ I’m still waiting on mine too. I’ve been on the waitlist since it started lol. I heard some states haven’t been approved yet like NJ where I’m at. Still a good brokerage regardless. I like the 3% match.
Oh boy, a class action lawsuit! I can’t wait to get my $0.49 check!
So true. The plaintiffs' attorneys will split millions, while the victims will each get cents.
You won't even get that you're just going to get a temporary identity protection
The only class action lawsuit I want from Fidelity is that they have to improve security. A monetary award is most likely going to hurt the customers more than any other group. I don't want a check for $50 (or whatever) only to have them raise commissions and fees to make it up.
try a few years.
😂
I work in IT and these are almost a daily occurrence. We as consumers should have more protections in place especially when companies get "hacked"
What kind of protections do you recommend?
@@jlog7395 My first idea: Design a National ID (or system) to use in place of social security numbers, for use as a unique identifier in cases like financial companies, employment, and background checks (for things like renting).
One of the reasons the tech companies want to use passkeys is because if a passkey is stolen in a hack, it's useless to the hacker as a password. Now, we probably can't use public key cryptography directly for a national ID, but I'm reasonably certain a consulting company can design something better than SSNs as a National ID.
Like what? Every institution I have contact with has been hacked so far. It's endless. It's also frustrating, tiresome, and scary.
Only protection available is monetary or encryption. Sadly quite a few companies do not use safe encryption methods and some don't use any whatsoever...
There should be HUGE government penalties for companies that allow SSNs to get breached. I know it sounds like punishing the victim but many of these companies try to pinch pennies on IT and then get away with nothing more than handing out a useless subscription to a credit fraud protecting service. Either that or the government is going to have create an ephemeral SSN system like many credit cards have.
Financial service providers need to start offering stronger two factor options. SMS messages are easily hacked. Very few companies support an authenticator app or hardware keys. It's time these companies upgraded their security.
Totally agree! Neither SMS nor email is secure at all!
Agree! Authenticator and Passkey are minimum required. SMS should be completely phased out, even if it's used as a backup alternative -- it's still considered a weak link. At the best, it should allow using Yubikeys / WebAuthN.
They don’t care, they don’t want to spend money on countless customer service tickets from people locked out.
Schwab and Fidelity do offer symantec VIP. if folks start to move funds away from less secure providers that would go a long way to get better protection for all
Some are starting to. One issue is that many of these are regulated, and changes have to be vetted, and approved by regulators. If we could get to MFA via apps, it would reduce SMS dependency
Freeze your credit with the credit reporting companies
That's exactly the correct action. Regards.
@@thaddeus46 You should always keep it frozen unless you're entering a transaction or opening an account. And then, you should refreeze it after it's completed.
You should freeze your credit regardless of this. 77K out of the many customers they have is very small. Those other huge data hacks were much larger with hundreds of millions of data breaches.
Ah, our friends the credit reporting agencies. The Great Equifax Hack of 2017, where they lost the data of 147 M Americans. Nowadays they have the nerve to try and SELL you Credit Monitoring!!
I tried, but the credit reporting agency couldn't verify me when I tried to freeze my credit.
All these companies do just send out data breach letters and hopefully people do nothing. And they don't inform you until 3-6 months later!
I’m worried about retirement planning and I want to ensure a comfortable future. I’ve worked hard my entire life and I want to enjoy the fruits of my labor without financial stress. I’m really concerned about whether I’ve saved enough and invested wisely.
I completely understand. Ensuring financial security in retirement is crucial. Have you considered consulting a financial advisor?
Yes I have. But I don’t know who exactly to trust to provide the right advice and guidance for me.
True. I have been in contact with a CFA that specializes in retirement planning. Her expertise can help optimize your savings and investments.
Who’s this CFA? And how can I reach out to her?
She’s a CFA with strong track record and you can research more about her online and also get to leave her a mail to reach out to her.
I Hit 110k today. Thank you for all the knowledge and nuggets you had thrown my way over the last months. Started last month 2024. Financial education is indeed required for more than 70% of the society in the country as very few are literate on the subject. thanks to Brooke Grace Miller for helping me achieve this
I'm surprised that you just mentioned and recommended Brooke Miller, I met her at a conference in 2018 and we have been working together ever since.
The very first time we tried, we invested $1000 and after a week, we received $5500. That really helped us a lot to pay up our bills.
She is my family's personal broker and also a personal broker in many families in the United States, she's a licensed broker and a FINRA AGENT in the United States
I'm new at this, please how can I reach her?
Just some FYI on the role of Massachusetts; I retired a couple of years ago so if things are still the same, MA is a key player in data breaches because they have some of the harshest penalties. Because of that, the firms I worked with would normally approach the AG in Massachusetts first and work to negotiate a settlement before dealing with other states. The reason for this is that numerous other state AGs basically have adopted a stance of accepting the same or similar terms that Massachusetts has agreed to with the breached company. It just saves time and resources and therefore legal dollars to do it that way.
Anyone know how I can sell my identity for a good price before it’s stolen?
Best comment! Might as well you get paid for it if someone is going to pay for it. Some years ago, my brother had some hacker try like 16 times to take out credit and loans in his name by stealing his identity. The bad guy finally gave up because my brother's credit rating was so bad at the time, none of the attempts succeeded. Only time I ever heard of where it paid off to have bad credit.
I feel the same way. It seems futile, no matter what I do. I've had hack letters from every organization I deal with almost monthly. 🥺🥺
Sadly identities aren't actually worth much without yourself. You can however look for job postings for interview sitting. They have it people that use you as the face and they hack the companies you get hired for and send you the money
All your information is already out there and has been for years probably.
Correct. You have to assume you are compromised and go from there. With everything. Everywhere.
2FA on ALL accounts. Credit freezes should be the default posture, for everyone, no exceptions.
Seems like a get notified about my data being leaked about once a month
Exactly....100% its all already out there. Just freeze your credit...
Yup. Due to a ton of company breaches.
Thanks so much, Rob! Always keeping us in the know about important updates. Looking forward to that Vanguard video!
I’m 55 from southeastern Ohio but worked overseas all my life. I have savings of $1,000,000 and I'm ready for retirement, only concerned about the soaring inflation. Is this enough to retire comfortably, or do I need some sort of money management?
You’re only 55. I would get money management just in case... truth is, many people live well into their 80s without such amount
@arlenehill4ril bravo! I've worked in real estate for over 25 years and have neglected a major stock portfolio, but I need a different plan now... mind if I look up the professional guiding you please?
To be honest, one million to retire is not enough. I have that and still like to work continuously, I am 56 years old and paid off my house. One million is nothing these days
Can't answer question unless you know your annual spending budget.
Yes I like everyone advertising they have a million bucks. That way the hackers of TH-cam accounts can go in and trace you down.
If someone dies, leave their email/cellphone/cellphone plan active until it is no longer needed for two factor authentication in order to get into the deceased account(s).
this is strictly prohibited by most brokers. both Fidelity and Vanguard have procedures to set up financial power of attorney (while you are living), and beneficiaries.
Thanks, good to know.
Correct- in Texas- I know from first hand experience, ensure you have access to their email and phone. My 50 yr old, tech naive sister passed and while not good, she fortunately never used a lock screen code on her phone. It took weeks to get her simple will approved by the probate court and formally appoint me her executor. During that time, there were all sorts of admin things that could not wait, especially since I had to travel and overnight in her city. There are funeral arrangements, had to access her facebook and iphone contacts to share the news of her passing, login to turn off cable service, gym membership etc. This stuff cannot wait for probate or charges continue to post. Needed the phone to go in and freeze her big three credit accounts/reports, etc. All this and she was a simple estate, single, no children, with no assets. It was emotionally and administratively exhausting and I’m a business professional. long story short- encourage all loved ones, if not you, to at least ID someone or store somewhere the code to your smart phone. And having a pre-setup financial power of attorney is often not enough, in some jurisdictions, it has to still be endorsed by the probate court. So your cell service provider is not going to help you (and they don’t store iphone lock screen codes- you’ll need the NSA for that!!) so if your family has 2FA using SMS, you’ll be in for a long, long, long, complex process to try and get access to accounts and email. Me having my sister's phone saved me literally three months and mountains of paperwork. It’s scary but put somewhere somehow safely yours or loved ones' phone lock screen code for emergencies. It’s a new age people and the security steps are great but there’s a massive payback in other areas.
Per the Fidelity letter, I wonder how “setting up two new customer accounts” allowed the hackers to access other people’s data?
You are absolutely correct
We will never know. Just guessing, one of the three most common security holes was exploited: inside job, unpatched or new VTM/CVE (NIST) in open source code / API, or weak security breach / intrusion monitoring & detection. They obviously had security monitoring, as they detected the breach in two days. Should have happened in minutes, not hours or days. Also, they should have all PI data encrypted, both in flight & at rest, so whatever data the bad actors stole would be useless.
You answered a question that I'd asked my self for a while now and came up again in your "Simplifying Accounts" videos. Why not just have one brokerage like Fidelity to hold all your assets. A really bad idea when these companies can be hacked. Thanks for digging into this.
I use Fidelity for most of my investing. I do keep a tranche of I-bonds for emergency/bond allocation and pay all my bills from a separate bank account. Also, like Rob, I set up a separate email account for all financial accounts. This ensures I always have access to several years' worth of expenses if there is an issue.
Thanks for that last little nugget about keeping retirement accounts separate. I've had a rollover IRA with Vanguard for years and recently opened a cash management account with Fidelity (partially because of a couple of your videos!), and I was thinking that if I like Fidelity I may go ahead and move my IRA over to them as well. But I think what you said is a great idea and I will just keep it with Vanguard.
Phones can be hacked too, SIM swap is an example used by hackers to get your MFA information.
You should also keep your credit frozen at all 3 main credit agencies.
Use a separate email and bank account only for investments. Plus all credit freezes previously mentioned.
None is immune to hacks, none!
Class action won't help any of us
It will help some lawyers.
It just means Fidelity will raise their fees, and we'll all be worse off.
Class action isn't doing it. But government fines will force companies to spend money on actual IT people (not outsourced idiots) to build systems much harder to breach than their competitors so hackers will move to the competitors. Then the govt gives the competitors and that's how we can mitigate it to the point of not seeing so much of this.
Thanks, Rob, I hadn't heard of this - but I'm not in any of the states mentioned. I froze my credit a number of years ago and it has helped a lot (in my thinking), recently I also froze my social security number! It's a tiny bit of a pain to set it up at first, but it is easy and quick to unlock/lock it again if it is needed.
Any chance that a hacker got it before you froze your ss number?
I am in Minnesota and am part of the 77,000 victims. I suspect each state has its own reporting requirements.
@@cello5-q2j Ah, Minnesota! One of the better places to be regarding climate resiliency! Although I think the winters would be brutal. I don't handle the heat and humidity well in the summers here in Delaware, but I also don't think I'd handle the brutal winters either. I'm kind of surprised I haven't seen any mention of the breach on the Fidelity site. I'm on it quite often, I will have to go searching...
How do you freeze your SS number? And what, exactly, does that mean?
Great video and very well timed as we consider moving our money to Fidelity! I'm wondering if it makes sense to keep our money with multiple companies instead of one? What would be the downsides of this?
No assets compromised..........YET!
Yeah, sometimes these hacks end up sitting for while before that data is acted on, depending on who it is sold to and what they can actually leverage with that data.
@@BrewReview Yup. They wait. Then strike when the dust settles. Ask me how I know! Now I'm locked and frozen, and not sure that's enough.
Not true, my friend did lose money during a Fidelity hack about a month ago.
I put a lock (not sure what it’s exactly called) on with one investment provider and no money can come out unless I contact them and my advisor then approves.
Fidelity has the same feature which I have done as well. It at least protects your assets from being moved out of the account.
What about syncing data like mint and bolden and venmo? Very wary of this.
It would be nice for brokerages to allow alias accounts with strictly read-only access for syncing and view aggregation.
Is the risk in this hack that personal data was extracted or that accounts could have been accessed?
I agree, Two-Factor Authentication *all your accounts* that allow it. Especially email and financial institutions.
One of my favorite features of Interactive Brokers. It was annoying they required it at first, but since it's through their app it works very well. And now the logic for it is clear.
But they can also hack your phone sim card and if they do that then their phone will ring and receive texts as yours. Getting out there I agree but possible.
The app can be set to open with biometrics.
@@thud9797 A PIN added to your carrier's account will make that much harder to do. I added a PIN this week.
2FA is a completely different thing. It's like trying to make the lock to your vault harder to pick, while a data breach is like thieves taking all the data out from a massive hole in the back of your vault. Only the institution can prevent that...
If your personal or financial data hasn't been hacked you're just lucky despite any security precautions.
My friend called and told me her Fidelity account was hacked and they took $40k. She lives in Pa.
I think most of us are getting 3-4 notifications each year informing us of hacks. It's getting ridiculous. I guess it's cheaper for companies to deal with the problem rather than institute REAL fixes so they don't happen.
The small company responsible for the largest breach of social security numbers this year just went bankrupt
Rob QR codes are being compromised as well. You have to be careful of where the QR code takes you.
Fidelity has been a nightmare lately. My buying power keeps disappearing. I call, it comes back. It’s happened 3 times now. It’s infuriating. It’s my cash! Obviously I’m in Massachusetts. The worst part, they never mentioned a hack. Will be transferring my accounts Monday!
That's nice... since I moved abroad they don't actually have my real current address or driver's license. I guess I will however have to check with family to see if they got a letter saying my data was compromised. Isn't this an argument to keep your accounts at a single broker, to minimize spreading your personal data?
But Fidelity does not work with hardware (ex. Yubikey or RSA) unless you have a PhD in Computer Science to hack it (literally) together.
Just an FYI that Yubikey has been hacked recently! It may not get to an individual level but the chance is there!
I dig the credit freeze idea but what about a fraud alert? Seems nicer to me, where creditors have to verify your identity before moving forward. Thanks for your videos!
That's exactly the reason I sold part of my portfolio at the end of 2023 and bought an annuity to pay out 5 years after retirement. Along with government benefit & company pension it will cover all my expenses except extra traveling money. In Canada, annuity payment is guaranteed for $5k/month per contract. I also have a laddered 5 year GIC starting at my retirement.
These are beneficial to corporations. So many are hacked it’s a schedule, but you have no way to identify which company gave up your data. Second, occasionally an announcement that the company in question lost more information on more people than it has customers. I conclude that they have lost data they bought from the data brokers.
Using Google for any multifactor authorization defeats the purpose. Google has everything there is to know about you. Adding MFA just increases your exposure
yes
I was one of those hacked and got a call from them and I’m in Illinois.
Oh wow. I wonder if I was hacked and got a call but didn’t ever answer 🤔😩😳
@@leesh2684 The only calls I get from Fidelity are from their wealth management team trying to peddle their services😂
Didn't realize Fidelity supported auth apps. Must have happened pretty recently. Thanks.
I believe it was around August 2024; I found out just a few days ago on Reddit.
Do you use 2 factor even when using a known computer? 2 factor can be set up only for unrecognized computers or phones.
Change your password regularly and do two step authentication. Also, money lockdown is a great idea too!
4:09 "using two customer accounts that they had recently established"
What??? I wish there was more information... Setting up two customer accounts leads to them having access to records of 77 thousand people??
My account was drained. It was an account I have never used, ever. Very scary. Nobody seemed concerned. I had to do everything. Fidelity should do more. If I didn't watch this account I wouldn't have been reimbursed. Where is the government oversight? FYI I have full security. If they have stolen your debit card info, it doesn't matter what YOU do.
Crap! I'm tired of all these companies lying to you, saying how safe they are and they can never be hacked. I'm seriously thinking about closing all my accounts and just keeping the money in a safety deposit box or install a safe at home.
In that case inflation steals your money without ever having to touch it.
All customer data should be encrypted including SSN numbers as it sits in Fidelity databases so when there is a data breach the information cannot be read.
Can someone give an example of how a single financial-dedicated email account would be a good idea/safer?
That's my question; seems like it's just another email account just like all the rest.
As I understand it, if the email is only used with financial institutions it should not be shared unless some sort of hack/data breach occurs. So if you start getting spam or suspect emails to that email account that would alert you to a problem. My only concern is whether these financial institutions would share your contact info with their affiliated companies and from there who knows…
What are some tools to aggregate your accounts?
The video in which Fidelity was recommended over Vanguard was interesting, given there's a key difference: Vanguard is client-owned, right? And Fidelity is not. Meaning the unique structure of Vanguard would seem to favor the ordinary worker saving for retirement, although Fidelity may make more sense for active traders or have a more agreeable user interface.
Not to add to your To Do List but I would like to hear your opinion on long term investing in floating-rate funds or bank loans in this current environment. Always appreciate and value your content.
Thank you for sharing this important information.
For email do you use Gmail or something like Proton mail?
Rob, just wanted to express my condolences for the Buckeyes loss to the superior Duck team! 😎
Tip: Use a password manager so you can generate and use strong passwords without having to remember them.
And use unique passwords for every site that are randomly generated by the password manager. Make them long and complex. Secure your password manager using MFA with a long pass phrase.
Even a weak password, as long as it's not qwerty123, is good enough. All the broker has to do is prevent multiple tries and no one can hack it.
What happens when that gets hacked?
@@MOstix13 Very unlikely a good pw manager gets hacked. If they take control of your computer, then all bets are off.
@@loupasternak LastPass had a security breach in 2022. Details are easily found online. You are correct, if you grant a bad actor access to your computer, it’s game over - watch the movie “The Beekeeper” with Jason Statham.
I asked Schwab to disable the outgoing wire functionality, and they said they could not - thx Schwab for enabling fraudulent activity.
Why do these organizations even expose themselves to data theft liability by harvesting data they DO NOT NEED! Drivers license number? SSN? And other ancillary PII they DO NOT DIRECTLY ABSOLUTELY NEED for operation of their business relationship with that customer. The Government has long warned NOT TO USE SSNs for identification!
And this is how fraudulent tax returns are filed; using the Socials of the victims.
Get a federal pin
Why isn’t that data encrypted?
Let's hear some recommendations of secure aggregating tools so we can use multiple brokerages yet personally manage with one portal. Having multiple brokerages is perhaps the only way to safeguard a server side attack like this one.
I second the motion.
Hackers are hacking Google accounts. Does that make Google Authenticator dangerous, or Google Pay?
Agreed, use 3rd party 2FA apps, Google or via your own password manager. Also, use a random username AND password. I randomize both username and password at least twice a year. A good password manager is worth the small annual fees. I loved that he first started off with... "use a dedicated email address for your financial accounts." Perfect.
How do you know the password manager is legitimate?
@@ricomajestic There are several well known legit password managers. Research on CNET, Wirecutter, Consumer Reports, PCMag. Same “Top 10” come up. I have been using a password manager for over 10 years. Started with free version and upgraded to paid version, as more robust security enhancements were made only to paid version. Money well spent.
Fidelity doesn't support usb security keys.
Why not?
@@grwbt8703 I don't know. And most that do support the key allow you to log in without using the key, so why have it in the first place if it can be bypassed by choice? I never get a good answer, but I found out they don't want the expense of product support, as they think many will call in complaining they are locked out because they lost their key or whatever. I did find one place where you absolutely must use the key to get in, no way around it, and that place is PayPal.
Thank you for the info! Appreciate this video
Shocking how frequently this happens!
Use a vpn, different passwords (as strong as possible) on every site, enable 2fa…that’s what I do.
Be safe, all!
It isn't your passwords that are the problem. No one is trying to hack you individually. Today, they go after companies, and they steal millions of account data at one time. It's likely that there are insiders at the hacked companies that work with these data thieves.
How is your VPN protecting you?
I’d be wary of using VPNs. TLS offers you decent protection as long as your local machine isn’t compromised. VPNs allow man in the middle to snoop on your information and effectively can break TLS. I’m not a fan of all these random companies and TH-cam influencers pushing VPNs as a security thing.
Changing your passwords, unique passwords etc., none of that works. I've seen enough of those cases to know. Because a hacker doesn't care about your password; they hack the authentication system to spoof their way in. How your transaction behaves is what companies need to focus on. And all these people commenting on freezing your credit report: that will do nothing to prevent a hacker from transferring your fortune out.
@@TransConBrilliance You need some evidence for that claim. If your claim is true, no secure transaction can happen. We can't even trust your account. It is probably hacked.
Thanks, a very helpful article!
I'm in Minnesota and was informed I was part of the breach
This pairs very intriguingly with the "Leaving My Bank For Fidelity Cash Management" video that TH-cam is helpfully suggesting as well.
To be fair, your bank is likely on that list too.
Thanks, Rob!
Can't believe they are holding some of my fund transfers for 3 weeks. Not transferring any more funds into Fidelity for now.
So much hacking… This makes me want to stick with precious metals in a fireproof safe…
I literally just opened an account with them right now, should I be worried?
Has anyone seen any info on if passwords were compromised?
So sick of the all the money companies and insurance companies not being able to be willing to pay cyber security IT people enough money to work for them and keep everyone’s assets protected instead of hiring third-party vendors as cheap as possible, and getting hacked all the time. These companies should be liable for all of the money that cost everyone because of them.
5:06 “what do we do to protect ourselves”
- They say when AI and quantum computing take over passwords will become irrelevant. That should be fun. I’m sure companies and banks are busy getting ready for that challenge (sarcasm intended).
It took 2 months to notify us. Isn't it too late already?
I absolutely never use my cell phone for any kind of identification or authentication. Phones are extremely vulnerable. They can be lost, broken or stolen. I do NOT want my identity connected to it.
What email provider is good these days? My Gmail and msn email addresses are just full of spam. Is it easy to change all bank accounts to a different email account when that email address is also the username?
I live in PA and my advisor called me to notify me.
Missouri was in the list
Pulled our investments early on.
Last I knew, Fidelity only accepts their authenticator and not third party.
/wave goodbye to horse
/close barn doors
I want to do a backdoor Roth IRA for my spouse. We file married filing jointly. She does not work. My income is under 100K. I can contribute 7K to a Roth IRA in her name. Can I also contribute 20K to a non-deductible IRA in her name and then immediately do a Roth conversion of the 20K to her Roth IRA for a total of 27K?
My broker always requires a voice confirmation call they originate to us on any significant change in withdrawal or transfers request. If I send them an email saying hey we want to change our standing orders and we need 30k, they call both my wife and me on the numbers of record.
With AI, your voice can be imitated as well. Physical key is the only way I feel comfortable about my money not being stolen.
@@nfb1000 Except my cell can't be cloned and they can't take over my phone number. I've blocked SIM swap, device change and number port. The brokerage calls me to confirm any transaction request outside our monthly withdrawal or change in standing order for destination account. If they can't take over my cell and the cell is the number they call, they can't use AI voice. My wife and I can only answer our cellphones.
I got a phone call and letter from Fidelity saying I was one of them and I live in Indiana!!
Do you have 2FA setup using an app or SMS before this happened?
@@xaxb4178 That does not help if they got the social security number.
Fidelity has been on fire lately (not the good way).
Don’t let your browser save your password! Ever!
What can happen if a browser saves a password?
Why not?
@@tomcavanaugh5237 If you go to a site that has undetected malware, the browser can be convinced to give out all stored passwords. Plus, of course, if someone gains access to your physical device.
Because if the computer/phone/device on which the browser is used gets hacked, the hacker has your browsing history plus the passwords for those sites.
Stuff like this is why I will never use those all in one password storers like LastPass. It's just waiting for a hack.
The disclosures are not required by any federal law. This is a huge oversight today with everything on the internet. Be aware there are probably hundreds of more companies that don't have to tell us anything. Have separate passwords for your accounts and enable 2fa or more secure login options where offered.
This must be why they removed third party integrations for almost a year
Just ASSUME that ALL of your personal data has been hacked by some bad guys and deal with it that way... FREEZE your CREDIT... period... END OF STORY.
Welcome back Rob!
Good tips. Thanks.
Fidelity could've avoided this sort of problem by using the unhackable software used by the voting machines.
My wife's DATA was breached/stolen in this hack. Fidelity called me to inform us. We live in Florida.
I doubt Fidelity would call instead they would send a letter. You should call Fidelity directly
@@nashtrucker I have a VP CFP at Fidelity who I meet with every quarter at no additional cost. She called me personally. I also received a letter in the mail 3 days later.
@@nashtrucker I asked a Fidelity rep about "calling me" this morning and he said they do both. If you are affected by a data breach or something nefarious with your accounts they will send a letter and call you.
@@nashtrucker Fidelity did call some customers directly before the letters were sent out.
Maybe the hackers can do something with my portfolio
Robinhood is better, yeah I said it.
Hell no, I'm still waiting for my damn gold card... LOL
@ I’m still waiting on mine too. I’ve been on the waitlist since it started lol. I heard some states haven’t been approved yet like NJ where I’m at. Still a good brokerage regardless. I like the 3% match.