Because of JUST ONE security difference, I'm thinking of moving back to Schwab from Fidelity

In the aftermath of the National Public Data breach, my name, DOB, address, phone, email, and SSN are now on the Dark Web. Also, because I have given lectures which are posted online, and I have no ability to take them down (it’s marketing content posted by a former employer - I don’t control it), threat actors can create AI voice deepfakes of my voice to circumvent Fidelity MyVoice voice ID.

I don’t see what’s in place at Fidelity to keep the highly motivated threat actor from completely taking over my accounts. They know all my basic data, they can deepfake my voice in real time (our CIO gave a demo of this at our company during a seminar on IT security). They can spoof the Caller ID to look like me. Theoretically, I could be totally screwed.

Schwab does ONE THING Fidelity does not do. At Schwab, you can set up a verbal passphrase. Example: “porkbelly jambalaya titanium”.

Someone calls into Schwab, and the rep asks, “What is your passphrase?”. If the caller can’t deliver it (“porkbelly jambalaya titanium”), they get hung up on. That’s not going to be in ANY public database.

I have further stipulated, which is an even higher security option under their program, that no one can change the verbal passphrase over the phone… they have to come in to a Schwab office with a government issued photo ID in order to change it. They have a scan of my driver’s license on file. The threat actor has no ability to circumvent this requirement. This is simple, effective security.

This National Public Data thing is so enormous, and Kroll has been sending me tons of alerts this past week about exactly what is on the Dark Web, and it’s absolutely everything.

I like Fidelity Cash Management, HSA, and Fidelity Charitable, and the Rewards 2% cash credit card. I would keep those. I would also keep enough in Fidelity Brokerage in case something terrible happens with Schwab… enough to pay the bills for months, even as long as a year.

Does avoidance of AI deepfake voice takeovers seem like enough of a reason to move my IRAs back to Schwab? I know it’s a low probability event, but very severe in terms of potential impact. (I’ve never needed seatbelts - I always used them).

It’s just tough to push the ACATS buttons and move over my IRAs all at one go. It feels scary. I’d get the sad calls from Fidelity, “please we love you, don’t go!” I really like my free CFP Advisor there. I know I would instantly be entitled to a free CFP Schwab Advisor, but breaking those human bonds is tough.

Another idea would be to just change my mobile phone number. We have a totally new area code in our city starting in 2025. I could get a fresh never-used number, and only use it for a handful of Financial Institutions - kind of like Clark’s Financial Chromebook concept. Everyone else would get my Google Voice number, or my Ooma number. So if someone were to spoof the wrong phone number when calling Fidelity (or any other FI) that would be the tell.

I have a couple of comments about this.

First “the passphrase is not in any public data base” would be correct, until it isn’t. Just as the Social Security info was not public, until it was. Willy Sutton said he robbed banks “because that is where the money is”. Hackers go after data that is not public and make it so.

However I agree with the voice recognition issue you bring up. I think I relayed the following story a while back having to do with a certain major cable company. I am the I.T. support but my name was not on record as being verified. A cable modem died, I went to the local store and waited perhaps an hour and they finally called my name. I needed to swap out the modem to restore service. Because my name was not on the account (even though I was swapping equipment and not affecting billing at all), even though I also had a copy of the current month’s bill with the passcode number on it, they could not help me; I had to be on the account.

I went to a telephone, called the toll free number, bypassed the “would you like to record your voice to make it easier to log in next time?” question. The call taker asked me my name and I said the name of the account holder, and gave the passcode. I then added myself to the account as a verified person on the account. I could then go into the store and swap the equipment.

So when I told the truth about who I was AND had documentation, I was refused help. It was only when I lied that I was given the “keys to the kingdom” (so to speak).

It is not unlike when you call in with an account holder as a helper. They ask the person who says he is the account holder if it is alright for them to speak to the helper. By the way, both of these people may be scammers.

"First “the passphrase is not in any public data base” would be correct, until it isn’t. "

The Schwab pass phrase is only in use at Schwab. It’s useless anywhere else. If there is a Schwab breach, I would hope that Schwab would tell us customers about it (they are obliged to) and then lock the accounts, and I’d drive over to their office, and get the pass phrase changed, after they fix the leak.

It’s in a totally different league compared to name, SSN, DOB, address, mobile phone, email, which are widely used across society (except now I use email aliases so I’ve closed off that avenue of attack entirely).

PS - I can define phone aliases now too.

Well here is what’s happening at Fidelity. First it was “the Chase money glitch”, now it’s “Fidelity money glitch”.

I was asked to do the voice imprint by the Fidelity rep when I created an account as an extra security measure. I declined, citing that AI can fake this, to which the rep said not a problem to decline it. Are you concerned that if you ask them to deactivate it that this increases your exposure?

Honestly I don’t know what’s the best route. But I am definitely going to move assets back to Schwab because of their extra security pass phrase which can only be changed in person at a branch. I think this makes telephone security better than with Fidelity.

The verbal pass phrase is not Schwab voice ID… it’s not hackable by AI. It’s basically another password, but only transmitted verbally, and it’s only for securing a phone call.

Going to try to keep this short. As someone mentioned, “pass phrases” aren’t public until they are public. So, if a company relies on “pass phrases” and their database gets hacked, they may not know for weeks, months or years after the fact. Therefore, they can’t send you a notice they were hacked until it’s discovered on the dark web. Of course, they may discover the hack via internal forensics. So, in the meantime, your pass phrase may be circulating around well before it’s known that it’s exposed. There have been past breaches where it’s been years before it became public knowledge. Secondly, the IRS tried this and made it a requirement as part of their process. And the Treasury Department required a “known” picture only known to the user. Both have dropped this as a security measure since it wasn’t deemed a secure mechanism since - once again, if a company stores the answer onsite, it can be compromised and made publicly available.

Pass Phrases are kind of, but not exactly, the same as security questions, i.e.: “What’s the maiden name of your mother?”, “What was your first pet?” … etc. etc. When I must fill out these questions, I don’t respond with the correct answer. I substitute with a pass phrase that is unique for each site that asks me these questions. So, for example: if a site requires a security question such as “What’s the maiden name of your mom?”, my answer would be something like “bullish-4Bucket-mere-Grandma”. It’s not her maiden name but something that is unique to that security question on that site and no other site. Fortunately, security questions appear to be phasing out.

Right now, the best options are probably “passkeys”. They are not stored on the company’s server / database. It’s something your computer sends to the company that confirms who you are. So, for example, I have 3 different passkey hardware mechanisms: 1) fingerprint, 2) retina / eye scanning and 3) Yubico Security key. So, when I visit a website from a non-trusted device, I have to perform some form of a physical security check, i.e.: I have to physically touch my security key, or do a fingerprint scan or an iris scan. The site doesn’t ask for a password. I have to physically perform an action on my desktop / laptop / smartphone to get access. Again, this information isn’t stored on the company server. So, not every site has passkeys … but to name a few: Google, Microsoft, The Home Depot (funny enough), plus a few other online websites I deal with.

In saying that … even if a company doesn’t employ passkeys, they typically have a lot of measures in place to ensure you are who you are - especially government / financial entities. For example, as you try to log in, a lot of rules are processed in the background in addition to the password, such as the devices you log in from, the operating systems you use, the browsers you use, and they try to stitch together as much of this information about you, even if you travel, use multiple devices, etc., to ensure you are who you say you are. But this is not failproof either. Just noting that it’s not uncommon that sites with high security requirements employ other background checks before letting you in.

To move money from Fidelity to Schwab simply due to a “pass phrase” doesn’t make sense to me (personal opinion). Fidelity manages a lot of money, manages high stakes retirement plans for companies such as Bank of America. So, I don’t think that Fidelity not having a “pass phrase” measure in place makes it a company I don’t want to do business with. As a note, I have accounts with both Fidelity and Schwab.

And I failed keeping this short. :)

Yes, I was saying that a database is not public until someone makes it public, as in posting it on the dark web.

I just received a notice that my email and other information was hacked on CafePress. I used that website once, maybe a decade ago.

I also see where Oracle sold my personal data.

Google used tags of photos to be able to identify you in other photos.

You know those “click on the bicycle in this photo” things? They are using us to qualify items in photos so when you do a search for bicycles, the photos we all identified as a bicycle will return as a result. WE are the A.I. for photo recognition.

Interesting discussion. One question would be how much of a risk is this overall? Fidelity has over 40 million customers and Schwab over 30 million. Bad actors would not likely come after you personally. They’d rather gain access to large numbers of accounts. Sort of like someone breaking into your house instead of one of your 39 million neighbors’ houses.

We can’t seem to get security down to absolute zero risk. So as Clark has mentioned many times, get your financial statements on paper and keep them on hand (maybe in a fire-resistant box in your house with copies in a safety deposit box).

Set up an account with a company such as Monarch that tracks all of your finances so you can quickly spot any discrepancies. Freeze your credit. Don’t write down passwords unless you’re sure your house is 100% secure (and that any visitors, even friends and family, aren’t able to snoop around and find them).

I’m curious why anyone would even call these companies? I never do, and I have accounts with both. No reason to call them. An AI copy of your voice would still be useless if you avoided phone communications. Try doing your transactions directly on their websites using a secure computer. Or their chat function or email. And instead of driving to a Schwab office just to change your password, if you’re tempted to call them, just go to the office and speak to a human!

What is Fidelity doing about this? I like Fidelity’s services as far as having my investments there and the features but they are a privately held family company worth $$$$$. Surely, they will step up and act?

Been in IT 30+ years, every year the risk to consumers gets worse. Burden on honest people increases while the cyber crooks rule, untouched by law enforcement or government. Since 2017 I’ve had free credit monitoring due to all the breaches I’ve been impacted by.

(Sorry, this reply is long and goes all over the various issues with data security and recovery)

A major issue is that it seems many companies have no clue about security, disaster recovery or planning. A company could be hacked or perhaps a disaster could hit. Many things could take a system down or reveal customer data. Having passwords or personally identifiable data and not encrypting it is crazy.

Decades ago I was meeting with HP’s external auditors about the security of our many mainframe computers (the computer room was about 1/2 the size of a football field, so we had quite a few machines :-).

They asked me a leading question, something like “Are your computers secure?”. My answer kinda surprised them because most people would have answered yes or of course. I said “No computer is totally secure, so my answer is ‘no’. What I can tell you is that we constantly search for deficiencies. We review logfiles and investigate any item which looks out of place. We test our systems with both externally created security programs and internally created processes. We also test our ability to recover from simple or massive outages such as a hurricane taking out this computer room. The worst thing we could do is assume that we are 100% secure and to sit back and not worry.”

During a recent 6.9 earthquake a few miles from town, all local AM and FM radio stations went off because none of them had emergency generators. We don’t have local TV stations, we were forced to find AM stations hundreds of miles away. During major quakes power is automatically shut down to protect the grid. I assume that these days solar will help us, but I don’t know.

Here in Hawaii a couple of years ago we had a hack of the Radiology group that seems to run most of the clinics across the islands. They were down for weeks. Flash forward and guess who has been hacked again? Their systems are again down for weeks. I guess they didn’t learn anything. Right now you can’t get copies of your records, they don’t answer the phones or emails. If you need scans you have to go to the few hospitals we have. Imagine if a financial organization or bank was to get hacked and it took weeks to try to cash a check or get into your account to sell a stock as the market was swinging wildly.

When we were testing systems recovery for our massive computer systems, disaster recovery was a critical process for us. Many people do not understand the intricacies and it is not just restoring data. You must protect the data and have an orderly recovery. In a large company the first systems to be brought back online have to be Payroll. If your employees are not getting paid, they will worry about bills due and being able to afford to get to work to help fix things. Contact your payroll processor (or the bank) and have them rerun the last payroll tape they have. That will get perhaps 90% of your employees paid. Yes, some will get a different amount than they should have, but they will get paid. You can then manually handle the 10% of employees who should have been paid but didn’t, etc. Then a second system to recover is Accounts Receivable. Get money in so the company can afford to address costs in the recovery. One of the last processes to bring back online is Accounts Payable. Remind your vendors of your efforts to get the systems recovered as quickly as possible so they can get paid. Most vendors will understand.

In the case of storing data, you need to have critical data stored offline where a virus cannot affect it. It needs to be ‘write protected’ so to speak. Simple things like a printed list of emergency contacts (not kept on a system which can be lost along with the data).