There is a growing threat to your retirement savings, and you probably are not aware of it. Thieves increasingly are targeting individual 401(k) accounts by impersonating the account owners so the crooks can steal thousands — or even hundreds of thousands — of dollars.
You might think that the 401(k) plan itself would be responsible for reimbursing the funds it released in these situations. But that’s not necessarily the case. As the WSJ reports, federal law is murky about who is responsible for losses associated with cybertheft. While custodians generally pledge to reimburse such fraud, some may include slippery language in their terms that can leave you in the lurch.
Even a company as respected as Vanguard says, “if there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”
So, what can you do to protect yourself? The following steps will go a long way toward keeping your retirement savings safe.
Create ridiculously strong passwords
How strong is strong? Eight characters? How about 10 characters?
Try at least 16 to 25. That’s what the folks at LMG Security — which provides cybersecurity and digital forensics services — recommend. Other experts agree.
LMG says its penetration testers can break down an eight-character password hash — a scrambled version of the password — in anywhere from less than eight hours to about seven days, depending on the nature of the hash.
It would take a bit longer to crack a 16-character password hash — up to more than 147 trillion years, although LMG notes that “well-funded malicious actors” likely could do so more quickly.
Use password managers carefully
Password managers provide a great service, and they have a solid reputation for keeping your information secure. But a detail in the WSJ story might give you pause when considering whether to use a password manager.
Alight Solutions, a 401(k) plan record-keeper, says 401(k) plan participants who give passwords to third-party services that aggregate passwords or financial-account data might not be reimbursed if “our investigation determines that a fraud event is traceable” to such a service, the WSJ reports.
(Alight Solutions is the 401(k) plan record-keeper that allegedly released Bartnett’s $240,000 to the fraudster who attacked her account.)
That means you might be out of luck if a data breach that led to the theft of your identity can be traced back to your password manager. So, at the very least, you should choose a password manager very carefully.
Don’t use text-based verification
Two-step verification, also referred to as two-factor authentication, adds a layer of security to your online accounts. Instead of providing just a username and password to access your account, you must also prove you possess something else, such as a phone that receives a code via text message or runs an authenticator app.
This extra step makes it harder for a crook to access your retirement account or any other account for which you set up two-step verification. But if you have verification codes sent by text message, it’s possible for a fraudster to bypass this security measure.
The scammer does this by calling your cellphone company, pretending to be you and asking the provider to change the SIM card associated with your phone number to a SIM card in a phone that is in the scammer’s possession.
Think it can’t happen to you? It happened to former Twitter CEO Jack Dorsey when a crook took over Dorsey’s Twitter account.
For this reason, security experts recommend two-step verification that relies on an authenticator app over verification via text messages. Examples of such apps include Microsoft Authenticator and Authy.
Use a separate, secret phone number
This is tough — but necessary — medicine.
Just as a crook who knows your phone number can impersonate you and convince your cellular provider to make changes to your cellular account, a crook could call a financial services provider and impersonate you in an attempt to access your retirement account.
One way to thwart this type of identity fraud is to give your financial services provider a different phone number that you keep secret by not using it for anything else. Sound like overkill? Remember, a good chunk of your life savings could be at stake if someone is able to dip into your retirement account and clean it out.
Set up an online account with your plan provider
Ben Taylor, a consultant at investment-consulting firm Callan, tells the WSJ that by exercising the option to set up an online account, you beat the crooks to the punch. As he puts it, “unclaimed online accounts are easier for impersonators to take control of.”
In other words, if you have the option to set up an online account and you take advantage of it, an identity thief can’t open an account in your name and then take control of it.
Consider spreading retirement money across multiple providers
There are good reasons to keep all of your retirement funds with a single financial services provider. Not only is it more convenient, but many providers will cut you a break on fees or offer other perks as you accumulate more money with them.
But there is also a risk: If all of your money is with one provider and a fraudster gets hold of that account, you could be wiped out, even if the money loss is just temporary.
By having some of your retirement money — say, your individual retirement account and health savings account funds — with a separate provider, you will at least reduce the risk that you could lose your life savings overnight and have to scramble to pay your bills while waiting to get your money back.
By Chris Kissell for Money Talks News©
Source: 6 Ways to Stop Hackers From Emptying Your Retirement Accounts (msn.com)