6 Ways to Stop Hackers From Emptying Your Retirement Accounts

There is a growing threat to your retirement savings, and you probably are not aware of it. Thieves increasingly are targeting individual 401(k) accounts by impersonating the account owners so the crooks can steal thousands — or even hundreds of thousands — of dollars.


You might think that the 401(k) plan itself would be responsible for reimbursing the funds it released in these situations. But that’s not necessarily the case. As the WSJ reports, federal law is murky about who is responsible for losses associated with cybertheft. While custodians generally pledge to reimburse such fraud, some may include slippery language in their terms that can leave you in the lurch.

Even a company as respected as Vanguard says, “if there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”

So, what can you do to protect yourself? The following steps will go a long way toward keeping your retirement savings safe.

Create ridiculously strong passwords

How strong is strong? Eight characters? How about 10 characters?

Try at least 16 to 25. That’s what the folks at LMG Security — which provides cybersecurity and digital forensics services — recommend. Other experts agree.

LMG says its penetration testers can break down an eight-character password hash — a scrambled version of the password — in anywhere from less than eight hours to about seven days, depending on the nature of the hash.

It would take a bit longer to crack a 16-character password hash — up to more than 147 trillion years, although LMG notes that “well-funded malicious actors” likely could do so more quickly.

Use password managers carefully

Password managers provide a great service, and they have a solid reputation for keeping your information secure. But a detail in the WSJ story might give you pause when considering whether to use a password manager.

Alight Solutions, a 401(k) plan record-keeper, says 401(k) plan participants who give passwords to third-party services that aggregate passwords or financial-account data might not be reimbursed if “our investigation determines that a fraud event is traceable” to such a service, the WSJ reports.

(Alight Solutions is the 401(k) plan record-keeper that allegedly released Bartnett’s $240,000 to the fraudster who attacked her account.)

That means you might be out of luck if a data breach that led to the theft of your identity can be traced back to your password manager. So, at the very least, you should choose a password manager very carefully.

Don’t use text-based verification

Two-step verification, also referred to as two-factor authentication, adds a layer of security to your online accounts. Instead of providing just a username and password to access your account, you must also provide another piece of information you have, such as a code sent to your phone via text message or an authenticator app.

This extra step makes it harder for a crook to access your retirement account or any other account for which you set up two-step verification. But if you have verification codes sent by text message, it’s possible for a fraudster to bypass this security measure.

The scammer does this by calling your cellphone company, pretending to be you and asking the provider to change the SIM card associated with your phone number to a SIM card in a phone that is in the scammer’s possession.

Think it can’t happen to you? It happened to former Twitter CEO Jack Dorsey when a crook took over Dorsey’s Twitter account.

For this reason, security experts recommend two-step verification that relies on an authenticator app over verification via text messages. Examples of such apps include Microsoft Authenticator and Authy.

Use a separate, secret phone number

This is tough — but necessary — medicine.

Just as a crook who knows your phone number can impersonate you and convince your cellular provider to make changes to your cellular account, a crook could call a financial services provider and impersonate you in an attempt to access your retirement account.

One way to thwart this type of identity fraud is to give your financial services provider a different phone number that you keep secret by not using it for anything else. Sound like overkill? Remember, a good chunk of your life savings could be at stake if someone is able to dip into your retirement account and clean it out.

Set up an online account with your plan provider

Ben Taylor, a consultant at investment-consulting firm Callan, tells the WSJ that by exercising the option to set up an online account, you beat the crooks to the punch. As he puts it, “unclaimed online accounts are easier for impersonators to take control of.”

In other words, if you have the option to set up an online account and you take advantage of it, an identity thief can’t open an account in your name and then take control of it.

Consider spreading retirement money across multiple providers

There are good reasons to keep all of your retirement funds with a single financial services provider. Not only is it more convenient, but many providers will cut you a break on fees or offer other perks as you accumulate more money with them.

But there is also a risk: If all of your money is with one provider and a fraudster gets hold of that account, you could be wiped out, even if the money loss is just temporary.

By having some of your retirement money — say, your individual retirement account and health savings account funds — with a separate provider, you will at least reduce the risk that you could lose your life savings overnight and have to scramble to pay your bills while waiting to get your money back.

By Chris Kissell for Money Talks News

Source: 6 Ways to Stop Hackers From Emptying Your Retirement Accounts (msn.com)

Apps removed for secretly collecting data from millions – Delete them now

There are tons of mobile apps available, all with different functions and capabilities. No matter which apps you download, you have a reasonable expectation that they will work as promised.


While it is neat to discover hidden tools, you never want to learn that apps are collecting more data than needed. This exposes your information to criminals and undermines trust in the app store.

Unfortunately, a swath of apps did just that. Read on to see which applications Google removed from the Play Store and what you can do about it.

Researchers from UC Berkeley and the University of Calgary discovered that a company linked to a Virginia defense contractor paid numerous developers to insert data harvesting technology into their apps.

According to the Wall Street Journal, the company, Measurement Systems, targeted weather, prayer, highway radar and QR scanner apps. After disclosure to Google and federal law enforcement, the apps were removed from the Play Store. It’s estimated that the apps had as many as 60 million downloads.

Based on the report, the offending apps include:

  • Speed Camera Radar
  • Al-Moazin Lite (Prayer Times)
  • WiFi Mouse (remote control PC)
  • QR & Barcode Scanner
  • Qibla Compass – Ramadan 2022
  • Simple weather & clock widget
  • Handcent Next SMS-Text w/ MMS
  • Smart Kit 360
  • Audiosdroid Audio Studio DAW

The embedded software can “without a doubt be described as malware.” However, in a statement to the WSJ, Measurement Systems said the allegations “about the company’s activities are false.”

What you can do about it

The software could collect data such as your location, email address, phone number, what Wi-Fi network you are on, or text copied to your phone’s clipboard. But while the apps might be gone from the store, that doesn’t mean they automatically disappear from your phone. 

Here’s how to check if the apps are on your device and remove them:

  • Open your mobile phone’s Settings app.
  • Scroll down and tap on Apps & notifications.
  • Tap on the See all apps option to view a complete list of applications on your phone.

To remove a specific app, tap on it and select Uninstall. Remove any of the apps on this list to protect your privacy.

Article by Charlie Fripp, Komando.com

Source: Apps removed for secretly collecting data from millions – Delete them now (msn.com)