
When you first start putting money into the stock market, your investment accounts may not seem to be that valuable. But over time, those accounts may very well be the lifeblood of your entire financial life.
That’s the case for us nowadays. We’ve been fortunate enough to build up a solid net worth over the years that now funds our early retirement.
That’s all well and good, but that makes it a little scarier that if one of those investment accounts were to be hacked, we could lose everything.
Sure, it’s possible that the financial institution would ensure we’re made whole again. However, did you ever read the terms? Depending on the circumstances and whether or not you’ve done your due diligence beforehand, the company could very likely just shrug its shoulders and say, “Sorry about your luck.”
I’ve come to realize that the idea of hoping for the best and planning for the worst is almost always the most ideal way to do things.
So, I’ve taken some steps to ensure my investment accounts are more bulletproof than most. I’d never say anything is 100%, but I do feel dramatically better after making these changes.
Be aware that the bulk of our wealth is at Vanguard and I also have my Health Savings Account (HSA) at Fidelity. These are the main ones that I made the changes with, but the principles should be the same, or very similar, for other financial institutions.
Set up a passkey (in addition to other login security)
I was going to leave out the “other login security” part of this just because I initially felt like everyone should already be on top of it. That said, I really don’t think most people are, so I’ll reiterate this real quick:
Set up a complex password
If your password for one of the most important accounts in your life is your dog’s name, you almost deserve to be hacked. Seriously, people, if you’re not stepping up your passwords by now, you’re just asking for it… and you will get hacked. It’s not a matter of if, it’s a matter of when.
Use a password manager. This should be security 101. I’m not thrilled with the password managers built into your internet browsers, but at least it’s something. Instead, I use Bitwarden as do my wife and daughter. It’s easy to use with extensions for all the major browsers, works great on the phone, it’s open source, and it’s free (though there is a premium version if you need it or just want to support the company).
My passwords for all my accounts (not just my investment accounts) are 16 characters long and full of fun symbols, letters, and numbers, and each might look something like this:
spYFcM!D7nN@6y
How do I remember a password like this? I don’t have to! That’s the whole point. The password manager can generate a password like this and then enter it automatically on the login site. Easy peasy!
Implement two-factor authentication (2FA) / multi-factor authentication (MFA)
I’m not going to delve into this too much (see my note at the bottom of this section for more info), but setting up two-factor authentication (2FA) can be one of the best ways to stop the bad guys. That’s when you log into your account and then need to enter a code from a text, email, or a 2FA app. Or some apps will just prompt you on your phone with an “is this you?” type of notification to answer.
Of those, the 2FA apps and the app notifications are the most secure, followed by email. The SMS 2FA (text message code) is not secure at all and definitely not recommended when other choices are available. There are also hardware choices like YubiKeys, which are even better, though that’s a little out of scope here and probably not something most readers here would use.
I’m currently using the free and open source app, Ente Auth, for 2FA. It works great and I like it a lot, but there are plenty of other good reputable apps out there as well if you find another you prefer.
Passkeys
Ok, onto the real point of this section. By now, most solid financial institutions should support passkeys because they’re easily one of the best ways to thwart hacking. These are so much better than passwords, and they’re essentially the technology that should put passwords to the grave eventually.
In a nutshell, a passkey is a simpler, more secure way to log in that replaces your password with the same face, fingerprint, or PIN you already use to unlock your phone or computer. Instead of you having to remember a password, your device talks directly to the website to prove it’s really you, making it nearly impossible for hackers to steal your login info.
They work with most operating systems and password managers and provide a nicer, more secure flow for logging into a site. I prefer using them with my password manager, Bitwarden, because they’re synced, so I can then use them from any browser that I have Bitwarden installed on (including my phone).
Read more about passkeys in the recommended guide in my important note at the end of this section.
Unfortunately, a lot of financial institutions don’t support passkeys yet, and that’s a real shame. However, where they’re supported, they should be used. And eventually, once users become more comfortable with them, you’ll start to see passwords disappear completely.
In this case, Vanguard does support passkeys. So, I created a passkey for logging into my investment accounts there and I’m a much happier camper. Now, when I log in with my username and password, I get prompted for my passkey, which opens in Bitwarden and I just need to click the entry there and I’m done.
To set this up for your own investment account at Vanguard (and to knock out other security tasks as well), you can log into your account and then go to your Security Profile page.
I’m disappointed that Fidelity and Schwab have not added support for passkeys yet. With your entire investment accounts being on the line, this is something these companies need to get on the ball with implementing. Until they do, please make sure you have a long, complex password and 2FA enabled for these financial institutions or any others you might be using.
IMPORTANT: If you’re not well-versed in digital security, I truly hope you read my post, Privacy and Security: The Essential Guide to Reclaiming Your Digital Life. It’s a great guide for getting your online security and privacy in check, if I do say so myself. And honestly, most of the steps should only take you a few minutes here and there to implement.
Remove your voice as a password
“At Vanguard, my voice is my password.”
Vanguard pushed that, I believe, as far back as 2014. You said the phrase a few times to enroll, and when you called in later, saying it again authorized that it was you. Voice biometrics… pretty cool convenience… until it’s not.
Artificial Intelligence (AI) voice cloning has made voice imitation much easier. It’s so easy that with even just a small clip of someone’s voice, any amateur can use online software to clone your voice in just a few minutes.
That’s a big deal. That gives anyone easy access to leverage AI so they can make a phone call and act as though they’re you.
What seemed futuristic and cool years ago is now a liability.
I called Vanguard and had this removed from my account probably a year or so ago. I did the same with Fidelity and Schwab.
There’s no doubt that you should do the same. AI fascinates me in both good and bad ways, but this is one of the bad ones. Don’t let voice cloning be the reason everything in your investment accounts disappears overnight.
Set up an enhanced security password
I don’t remember where I first heard about this, but Vanguard offers something called an “enhanced security password.” It’s not mentioned in the security section of their website, but it is a thing, and I like it a lot better than the voice biometrics.
This is simply a password that a rep will ask for when you call in on the phone, before anything can be done on your account. It is not the same as your login password. If the caller doesn’t know it, nothing can be done on the account. That can stop an impostor right in their tracks.
If you forget your security password, there is a reset process… and it’s kind of a pain (which is a good thing!). It involves calling Vanguard and verifying your identity or using a notarized reset form that must be mailed in. A user in the Bogleheads forums said the only way to unlock it was a notarized form, with the reset turnaround taking about 5-7 business days.
The good news is that it won’t be a problem for me because that password is stored in the notes of my Vanguard entry in Bitwarden (my password manager)… and I’m sure that you’re in the same boat, right?
I like this because social engineering is a big threat. You might have all your defenses lined up to take care of hackers trying to break in online, but it could all crumble with one phone call from someone with just enough information about you. The enhanced security password puts another blocker in that path.
Set up ACATS Lock
I’m a loyal listener of the Clark Howard podcast. It’s at the top of my podcast list on my Resources and Recommendations page. His advice is the most sound and practical you’ll hear anywhere. He’s also very down-to-earth and easy to understand, even if you’re not a big personal finance nerd.
On a podcast episode a few months ago, Clark talked about ACATS (Automated Customer Account Transfer Service). I was unfamiliar with that term, but the gist is that it’s the system used by brokerage firms to move your money from one firm to another. If you decide to leave one of the banks that charge stupidly high fees for your investment accounts (that’s most of them) to go to somewhere where the air is a lot nicer (like Vanguard, Fidelity, or Schwab), ACATS is how your money would get moved from Company A to Company B.
Simple enough, right?
The problem Clark talked about is that ACATS wasn’t designed with good security. Because of that, criminals get your information, open a new shell investment account under your name, and then initiate an ACATS transfer of your money to their shell account. And just like that, all your hard-earned money is gone in an instant.
Here’s an article he wrote on the subject shortly after the podcast: Why You Need To Lock Your Brokerage Account Today.
His suggestion to protect your investment accounts is to set up an ACATS Lock. While the lock is in place, a transfer out of your account can’t be processed, so an unauthorized transfer gets stopped. He compares that to doing a SIM lock on your phone (you’re already doing that, right?).
So I jumped right on that. I called Vanguard in December to make this happen. The rep had to do an additional security check (he sent me a text message and had me verify the SMS code), and then he submitted this to take effect for all my accounts. I did this for my wife’s and daughter’s investment accounts as well. The whole process took just a few minutes on the phone.
Handling this at Fidelity was even better since it could be done easily online. You just log into your account, go to “Profile”, then to “Security”, and toggle it on in the “Money transfer lock” section.
My understanding is that Schwab doesn’t have anything in place for this yet, but they’re working on it. For investment accounts elsewhere, you’ll want to contact your financial institution to find out if they have something in place for this and how to implement it.
Although the good guys have become much better at protecting your investment accounts, the bad guys have gotten better at trying to get into your investment accounts. And with AI, it’s like both sides are moving exponentially faster.
Remember, when it comes to security, there’s no foolproof way to stop someone from trying to get to your stuff.
Your objective, though, needs to be to put up the best roadblocks you can and hope that the attacker just moves on to easier prey instead.
With that said, I’m pretty happy with what I have in place. What about you?
Plan well, take action, and live your best life!
Thanks for reading!!
— Jim

Nice kick in the backside, needed periodically. I’ve finally started using NordVPN password manager but haven’t migrated everything to it yet. My question is what happens when I don’t renew Nord? Their renewal is pricey, so I turn it off. Then I get good pricing offers. But it is annoying to do this every couple of years. (I know, 1st world…) If I do not renew am I locked out of accounts with a Nord password? My other security suggestion is to change your username so it is not your email. Just one extra step for a bad actor, but still…
Hey Kev – I learned the hard way more than once a long time ago to never go into something that’s going to take a lot of time without having a way to get out of it easily later. In the case of password managers, you want to make sure that you can export out your data later if you decide to go elsewhere so you can just import it into a new password manager.
The good news is that NordPass has a free version, so you can always continue to use it later if you want to continue without using whatever you’re currently paying for. And I have used NordPass before, but my understanding is that even in the free version, you can export out your accounts to a .csv file. That’s perfect because then you can always import that .csv into another password manager like Bitwarden or whatever if desired later.
Great call on the username not being your email! Such a smart move! A lot of companies are making users do this now anyway, but yeah, why give hackers 50% of the keys to the kingdom, right?
For me, I have a username convention that keeps it ambiguous, both so it’s not identifiable to me by itself, but also so it’s not the same as other sites. So I have different usernames on almost every site now. I made that change on each account when I moved everything to email aliases… not the ends most people will go to, but it made me feel better.
Thanks for the information on ACATS. I have never heard of it. Fidelity added it without any notification to account holders and I suspect anyone with a 401k who is not at the point of withdrawals should be in default “on” for this lock. I have an HSA and unfortunately there is no way to limit the lock; ideally I could set an annual or monthly ceiling or even better, pre-register the account I do transfers to and lock everything else. Hopefully they will add that option later, I asked…
For passkeys, they are great, but often can be bypassed by username/password, so it is better, but still not as good as it should be. Biggest headache for me has been forcing the passkey on creation into my password manager, since every browser and especially Windows fights to put them there instead. Very easy to “lose” them, even if you identify the passkey manager as the primary passkey location in the browsers and OS. So easy enough for a techie, but awful for anyone less vigilant.
As far as YubiKeys, I learned about them, then bought 4 of them last year, only to find that Samsung Galaxy doesn’t really support them. They only allow using Google as the passkey manager, the NFC is completely broken, and you can only access a single Google account on the phone. The bugs have been known by Samsung for over 2 years, and this is their flagship brand. Based on some other sources, it seems like the cheaper phones might actually work better. But buyer beware on YubiKeys. They can be very secure for limited account use, but not ready for primetime until the rest of the world catches up.
I never thought about the HSA transfers that some people do regularly. Yeah, that would add the extra step in there. For now, it’s good though that Fidelity makes it easy and something you can toggle on or off without needing to call them… not perfect, but I guess it is what it is.
Yeah, passkeys are still having some growing pains while big tech all gets on the same page. Still worth it though. My understanding is that Microsoft is supposed to be coming out with a “fix” for how passkeys are handled so it doesn’t try to intercept password managers from handling them. I know exactly what you’re talking about and it’s pretty annoying for sure!
As far as the usernames and passwords go, this will be a slow transition and might actually take a few years, but you’ll start to see companies that have username/passwords and passkeys slowly start to phase out the username/password side of things. So you’re right, that fallback still leaves us with password being a target. But that’s why it’s still critical to use strong passwords and two-factor authentication wherever possible… along with the passkeys. We’ll all get there eventually! 🙂
I didn’t know that about YubiKeys. I never had one, but that’s just silly. With Samsung being such a big player, that shouldn’t happen. Ugh, sorry to hear that, Wayne.
Great comments on everything!!