Cyber security with online brokers

I just want to forward an extremely interesting thread from MMM:
http://forum.mrmoneymustache.com/investor-alley/how-to-keep-my-brokerage-account-save/

My personal conclusion from it is, besides all the obvious (latest updates, rules on passwords, …):

  • create a non-admin user on my computer that is exclusive for accessing the online broker
  • create an email account exclusively for the broker, with Two factor authentication
  • set up your broker account with 2 factor authentication

keep a hard copy, not a digital copy of the usernames & passwords

keep your stash safe!

-nugget

1 Like

Thanks for sharing the article. Another piece of advice I’ve found useful after reading it:

  • Keep paper & digital copies of your broker statements should their database be deleted/corrupted (intentionally or not) and impossible to recover.

A lot of banks only keep statements for a limited time on their ebanking platform. Never forget to download all your statements.

I would also advise setting up notifications by email or SMS.

I was just told on the phone that CornerTrader is working on 2-factor authentication, and they want to release it within the next 3 months. If they do, I’ll probably open my account there.

I do, I assume, pretty normal security:

  • trustworthy DNS (DNS spoofing risk)
  • no public WiFi ever, no exception. Including ‘just’ mobile use, get local SIM/network.
  • 2-factor auth, no SMS, but authenticator based.
  • secondary email for financial products, separate from ‘normal’ email
  • never use sms for 2FA, avoid services with sms only auth.
  • secure one main account (IB). Treat secondaries (bank acc) as dumb and with little value (<10k)

I don’t do yet / at the moment:

  • separate own user with 2FA for actual trading for same account. Secondary user for normal usage. No withdrawal rights and other limitations. Account owner user for reporting and withdrawal operations, granting rights. Separate auth device which is secure.
  • bank/broker sub-account separate with different users - holding vs trading account
  • bank safe with hard copy details (not auth tokens) in case of death

1 Like

Can be mitigated by using a VPN. I’m using NordVPN with auto-connect when using unknown wifi (any wifi which is not mine).

I am not doing this yet, but I am considering buying a second phone that I keep in a secure location with all 2FA / banking apps (for accounts with significant amounts) installed. Not only because of cybersecurity, but also because of physical security: If someone points a gun at your head (might not be a huge risk in Switzerland, but definitely when travelling, as this happens regularly in other countries) you have your “bait accounts” with little money in them. For all of the accounts with larger amounts, there is no trace on your main phone, so no way for an attacker to even know that you have them.

1 Like

Hidden name is security by obscurity. The wifi is still broadcast and visible/discoverable by network scanners and just hidden in consumer devices.

Besides the mentioned hidden SSID, I consider home wifi secure. I use a second SSID which is broadcast but used for guests, with limited access (internet only, separate VLAN, etc.) and rate limited. Also the same wifi for devices you don’t trust (much): Nintendo Switch, hoover robot with maps stored in China, wife’s phone :rofl: /s on the last one :wink:

1 Like

I bought a second phone that is turned off all the time, and I turn it on only to use the authenticator to IBKR.

1 Like

When I was with Schwab, I found their security a bit scary. Max 8 letter password. No 2FA. :open_mouth:

I use a KeePass with a separate database only for banking. This database is only kept locally and can be opened only with a keyfile (on a USB stick) and password. The database and keyfile are not stored on my cell phone. If I need to set up 2FA with an app, like with IBKR, I type in the huge password by hand. Then I activate the fingerprint. But I will not have trading access on my phone. With IBKR, you would need to enter the password again for that.

1 Like

I thought about this, too. But would you not be interested if some hacker found out your password? You would get a push message from the mobile app. If you have the phone turned off, you’ll not realize, until you turn it on.

Also, try non SMS based 2FA. Otherwise you might be hit with SIM swapping attacks: https://www.fastcompany.com/91017079/the-simple-way-that-hackers-took-over-the-secs-x-account

I use Bitwarden to store my accounts and passwords. I obviously use different passwords for my different accounts, as well as a “master” password for Bitwarden which is also unique.
I activate 2FA on all applications if available.
I only use one phone, but I’ve activated the erasure of all data on it if the password is entered 10 times wrong. I’ve also activated the latest anti-theft measure available since the iOS 17.3 update.

Around 2019-ish 1234567890

1 Like

image

4 Likes