What does it take to reset the password to your email account? What happens next if someone hacks into your email?
Log out of your email and try the “forgot password” link. If it takes a security code sent by SMS text message to your cell phone, consider upgrading your security setting.
I read this report on the Bogleheads investment forum: $250k lost in unauthorized wire fraud – experience/advice? An elderly couple lost $250,000 because thieves got into their email account by resetting the password. It can happen to you too.
Password Reset Attacks
Fraudsters fooled the couple’s cell phone company to transfer their cell phone number to another company. One break-in then led to another. They used the security code sent to that number (now under their control) to reset the password to the couple’s email account. They logged in and looked in old emails for where the couple had bank accounts. Access to the email account and security codes sent to the cell phone number gave these criminals access to the bank accounts. They requested wire transfers from three banks.
Two banks stopped a pending wire when the couple reported unauthorized access within 24 hours. A third bank promised to freeze the account but they sent out a wire later on a fraudulent request anyway. It took more than a month for the bank to finally return the money to the elderly couple. The couple almost had to sue the bank to get their money back.
Secure Your Email Account
It isn’t clear whether the bank paid lost interest. If not, the lost interest on $250k is well over $1,000, and think about the aggravation for over a month! You don’t want this to happen to you.
Try the “forgot password” link for each of your financial accounts and see what it takes to reset your password. If access to your email is part of the process, for example, to receive a password reset link, you should secure your email account with something stronger than SMS text messages sent to a cell phone number.
I wrote about using security hardware to protect investment accounts in this blog post: Security Hardware for Vanguard, Fidelity, and Schwab Accounts. The Yubikey security hardware mentioned in that post can be used to secure email accounts by GMail, Microsoft (Hotmail, Outlook), Apple iCloud, Yahoo, and AOL. It costs $50-60 to buy two Yubikeys but it’s worth the peace of mind.
Use a Better Bank
Which bank failed to freeze the couple’s account after getting a report of fraud and then dragged their feet for over a month to return the money? This is totally unacceptable. The poster only said it was an online bank headquartered in Utah. Does the name start with the letter A?
If you have an account with an online bank headquartered in Utah, maybe consider using a different bank. You can search for a bank’s headquarters by its name or web address on this FDIC web page.
Say No To Management Fees
If you are paying an advisor a percentage of your assets, you are paying 5-10x too much. Learn how to find an independent advisor, pay for advice, and only the advice.
Bob says
Hi Harry, I got the Yubikeys and turned off text based 2 factor at Vanguard but now people (online) are saying that if you use the Iphone app Vanguard will offer to set up text based 2 factor to any number you choose. I am concerned.
Harry Sit says
That happens only if someone already has your password and you don’t have it already set to a number. You can further preempt that attack if you set to deliver the security code to a Google Voice number. See the linked post about securing Vanguard accounts.
SMSNoThanks says
As a cybersecurity professional, I can tell you that the issue isn’t the front door as much as the back door. By that, I mean that many, many companies using Microsoft 365 (for instance) to offer email services to retail customers refuse to disable the SMS text code feature, even after you register a FIDO key or an authenticator app. This is the single most frustrating issue we face. So, if you go the route of a hardware key or authenticator app, be sure to verify that you can print some one-time recovery codes and then disable the SMS feature. Note that Microsoft allows disabling of the SMS method, but each lessee of their platform (GoDaddy, etc.) makes their own decision about the configuration).
One more thing: even if you are able to disable the SMS feature to avoid the SIM-swap attack, you have a good chance that the email provider will still fall victim to an urgent request for an attacker to re-enable SMS (“I lost my phone with the authenticator app”) and you will be out of luck again. Until legal penalties are enforced against the providers, this will not change, sadly.
RobI says
I have set up an extra layer of account verification security on my AT&T account to verify any plan or account changes on my number. (I did this after someone tried to take my number for a new phone). Does this help address the SIM swap risk?
SMSNoThanks says
Any extra hurdles you place in the way of an attacker definitely can help. Just like with an alarm on your home or an alarm sign in your yard, you’re trying to make them go away (somewhere else) — they are not going to stop being evil. Whether a representative will honor your extra verification request during a number porting (SIM Swap) request is hard to say, but it is definitely not going to hurt to have the extra authentication order in place.
Good on you.
GeezerGeek says
I’ve tried to avoid SMS 2FA but, as noted, many companies offer it as the only alternative. I also got my cell phone account and SIM locked with a PIN so that provides another obstacle for hackers. One additional thing I do is that I set up an email account that I only use for financial and other high security accounts, such as password manager and encrypted cloud storage (zero knowledge). As such, it is a lot less likely that the hackers know the email address associated with my high security accounts. Still, I’m vigilant, monitoring account transactions daily by downloading account activity in Quicken. I use several credit monitoring services provided free by several of my financial accounts and they also included dark web monitoring for email addresses, data breaches, and SS number. I try to keep my visibility on the web low by getting my data removed from any data broker who I know has my data. Still, this country needs better data privacy laws and no company should be allowed to have personal data on individuals unless that individual has specially granted permission. Selling personal data should be a crime. Personal data is all a hacker needs to start finding access to an individual’s accounts.
Jim says
According to the Microsoft page linked to in this article, using security keys to access Microsoft accounts requires use of the Edge browser. Does anyone have experience using a Yubikey to log into Outlook on other browsers (Firefox, Chrome, etc)
Harry Sit says
I don’t use Outlook for email but I use other Microsoft services (OneDrive, OneNote, …). I added Yubikeys to my Microsoft account and I log in using Chrome.
RobI says
Does anyone have luck using Google Voice number for Bank of America? I added such a number but their 2FA doesn’t want to offer that # as a choice. Maybe need to wait a few hours.
This is all temporary until the ordered keys arrive. BOA says they do support them on their site.
Thanks for the PSA nudge to get me going on addressing this!
Harry Sit says
Bank of America supports Google Voice numbers. It’s also one of the few banks that support Yubikey. It takes time for a new number to be eligible for 2FA (days, not hours).
RobI says
Thanks Harry. Makes sense to have a delay or it would be all to easy to setup alternate verification numbers
Steve says
I read that only iPhone 7 or higher will work with Yubikeys. I have an Android, so it appears that no Yubikeys for me.
always_gone says
You often don’t need a Yubikey compliant mobile device to be able to make use of Yubikeys. I use FastMail (with Yubikey) instead of Gmail, but back in my Gmail days, I used the Gmail app on my iPhone even with the Gmail account locked down with a Yubikey. Same with places like Vanguard.
1) After securing your Google account with a Yubikey and backup codes, log into your Gmail app on your phone
2) If your phone won’t accept a Yubikey, use a backup code to get in. You can then stay logged into your account via your app. Have a strong passcode on your phone.
3) Go back and print off/save 10 new backup codes, and store those codes in your password manager, so you have 10 fresh chances to get back in without your Yubikey(s).
Cheers.
Harry Sit says
That’s not true. My wife’s Google Pixel 3a from 2019 on Android works with Yubikeys. Reasonably recent Android phones with NFC all work.
Steve says
That’s good to hear. The Yubikey FAQs page is not helpful and needs to be updated. It refers only to iPhones. There is no mention of Android compatibility.
Kevin says
Original Bogleheads link doesn’t seem to work. Here’s a work-around link:
https://www.bogleheads.org/forum/viewtopic.php?t=408388&start=0