Came across an interesting issue and would like some opinions.
My (and your) brokerage accounts can easily be accessed without knowing the complex 15-20 letter/number/symbol password. How, you ask?
If someone has access to my phone number plus easy-to-discover tidbits of information about me (name, date of birth, social security number, and home zip code), they can get my username, reset the password, log in to the account, and conduct business as normal. Is that true? Yes, I have tried it myself (and maybe you should give it a try too).
So... the phone is really the key to the kingdom, isn't it? Which sounds fine, because normally I am in possession of my phone the entire time. So what's the problem, you say?
The problem is that SIM swapping attacks are growing these days. That's when someone calls my mobile provider (Verizon Wireless, AT&T, T-Mobile, several MVNOs like Mint), pretends to be me, claims to have lost their phone, and asks for my number to be ported to a new phone that they possess.
Now the entire security of my brokerages rests in the hands of the mobile customer service rep. Who, by the way, 1) probably makes $15-20/hour, 2) probably has a two-year associate's degree or less, and 3) could easily be having a temporary moment of lapse (such as working from home with a noisy infant in the background). If they succeed in convincing the mobile customer service rep that it's really me, they will have access to my brokerages as described above, and similarly have access to my phone and email alerts.
The phone rep is literally the only one standing between a malicious person and my (and your) brokerages. I tried searching for clear-cut policies for SIM transfers for lost devices (where the mobile provider can't simply offer to text a PIN to the current line), but did not find much. Is it security through obscurity? Can't anyone quickly learn the policy by attempting a transfer, I ask?
TL;DR: Security of your brokerage rests in the hands of the customer service rep of your cell phone provider.
Statistics: Posted by pennsylvania211 — Thu Aug 01, 2024 6:18 pm — Replies 61 — Views 3099