In a previous career, I used to work in cyber security. There was a phrase we often said back then: “Access or security, pick one.” It was an acknowledgement that every step you take to make security better restricts even legitimate users’ ability to access the resource. However, increased security also makes your account less likely to be hacked.
Attackers gravitate toward the low-hanging fruit of novice users. Even taking a few steps can greatly protect your accounts.
Security is a critically important concern in the financial world. Schwab allows but does not require several security measures which can increase your security when calling Schwab or logging into their systems.
They also have protocols in place such that if there is doubt in your identity or you are trying to do something which requires a higher level of security, Schwab may require additional verification. This is especially true for wire transfers of money. Wire transfers are not reversible and require additional security.
Schwab currently has a Schwab security guarantee. They cover 100% of any losses in your Schwab accounts due to unauthorized activity. But they warn:
The highest levels of security are only possible when we work together. To ensure your protection under this guarantee, it is your responsibility to safeguard your account access information. If you share this information with anyone, we’ll consider their activities to have been authorized by you. Report any unauthorized transactions to us as quickly as possible. If you suspect you are a victim of fraud, please contact us immediately at 888-372-4922.
For that reason, it is important that you do everything possible to ensure that your accounts are as secure as possible.
Logging into Schwab
Hardware and Software
You should never save passwords on your computer.
In your browser settings, uncheck “Remember passwords for sites.” If your computer has been in use for some time, also open “Saved Passwords” on your browser and choose “Remove All.”
Saving passwords in this way saves time, but anyone with access to your computer would then have access to all of your passwords. That is not secure.
You should also have anti-virus and anti-spyware security installed on your computer.
Keep your browser and operating system up to date with the latest protections by turning on automatic updates.
Be careful about installing software on your system. Some software that claims to be removing viruses actually installs them. Other downloads can put keystroke recorders on your computer, gaining access to your secure passwords.
We recommend using a unique password on every site. We also recommend having a password vault such as KeePass, LastPass, or 1Password. A password vault makes it easier to have difficult unique passwords on every site. Assuming that you have your password vault open, you can easily copy your user id and password into sites. It makes having passwords such as -YH!js@kq^ooHk(u88vgh*!R as easy to remember as Fluffy.
If you use the same password on multiple sites, you are giving every website access to your most secure websites. If you use the same username and password everywhere, the website that requires a login to download a free PDF would have the user id and password to your online banking.
Many sites want your information for marketing, but a few fraudulent sites want to try that user id and password on every bank and social media site in order to see who was stupid enough to give them the keys to their finances.
While unique passwords make fraud more difficult, it is still possible for your password to be captured if your computer is hacked. Two-factor authentication makes fraudulent logins more difficult.
Schwab implements two-factor authentication by device. When logging in, you can choose to trust a device. When you trust a device you are authenticating that browser on your computer and no longer have to go through two-factor authentication. This is done by means of cookies on your browser. While it adds convenience, it defeats much of the security of two-factor authentication. It is better to have to go through two-factor authentication each time you log into Schwab.
To remove these cookies and stop trusting your computer, remove all of your cookies for the schwab.com site. In Firefox, go to “Options”, then “Privacy & Security”, and under “Cookies and Site Data” choose “Manage Data.” Search for “schwab.com” and then choose “Remove All Shown.” This restores your computer to asking for two-factor authentication each time you log in.
Two-factor authentication using soft or hard token
The highest level of security is implemented by means of a soft or hard token. A hard token is implemented by means of a key fob that shows a number which refreshes every 30 seconds. The 6-digit number must be put at the end of your password in order for the password to be accepted. This is better than two-factor authentication because even if your computer is compromised and your keystrokes are recorded, in 30 seconds your computer is secure again. Since the token’s unique six-digit number is always changing, the device is required in order to log in to your account.
Schwab wants to encourage you to choose the soft token, which is a software simulation of the key fob. They have experienced casual users misplacing or losing their key fob. But I believe that the physical key fob is more secure than the soft token. Assuming that you put the software on your computer or your phone, you are likely exposing it to the same methods of being hacked. As Schwab Institutional users, we have been using physical key fobs to keep client accounts secure for years. Schwab also allows the same device which we use on the Institutional side to be used on the retail side.
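The rotating six-digit code described above can be illustrated with a short added example, which is not Schwab's code. It assumes the token follows the public time-based one-time password standard (RFC 6238, HMAC-SHA1), which this page does not state; the function names, the seed and the password are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is shown, as on the key fob described above
DIGITS = 6

def token_code(secret: bytes, now: int) -> str:
    """Six-digit code for the 30-second window containing `now` (RFC 6238)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def check_login(submitted: str, password: str, secret: bytes, now: int) -> bool:
    """Accept only `password` immediately followed by the current window's code."""
    if len(submitted) <= DIGITS:
        return False
    typed_password, typed_code = submitted[:-DIGITS], submitted[-DIGITS:]
    password_ok = hmac.compare_digest(typed_password.encode(), password.encode())
    code_ok = hmac.compare_digest(typed_code.encode(),
                                  token_code(secret, now).encode())
    return password_ok and code_ok

# Constructed sample values, not real credentials.
SECRET = b"12345678901234567890"   # seed used in the RFC 6238 test vectors
PASSWORD = "correct horse"         # hypothetical account password

def replay_demo(login_time: int = 59, delay: int = 30):
    """Keystrokes recorded at login_time, then replayed `delay` seconds later."""
    recorded = PASSWORD + token_code(SECRET, login_time)
    return (check_login(recorded, PASSWORD, SECRET, login_time),
            check_login(recorded, PASSWORD, SECRET, login_time + delay))

if __name__ == "__main__":
    print(replay_demo())           # original login, then the replay
```

A replay inside the same 30-second window still passes this check, which is why a verifier normally also refuses a code that has already been used once.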
Calling into Schwab
Three pieces of information
When you call into Schwab, Schwab uses three factors in order to verify your identity. These factors may include something like current approximate balances of your accounts, your mother’s maiden name, the name of your employer, a bank account connected to your Schwab account, your login id, or your email addresses on file. These factors are not very secure. Many of these factors are easily guessed or the information is available on the internet.
Additionally, many legitimate Schwab users may not find this information easily accessible.
For additional security, Schwab allows voice authentication. Voice authentication can be established on an account by saying something like, “At Schwab, my voice is my password.” Schwab records the intonation of the recording and then compares future recordings to the recording on file. Assuming that the two recordings match significantly enough, you are verified as though you have answered three pieces of information. For security reasons, voice authentication cannot be set up on a day when other password changes have been made.
On a positive note, voice authentication is more difficult to fake than three pieces of information.
We have had voice authentication fail to authenticate a client’s voice. They were trying to make a large wire transfer while calling from an international phone filled with static. The client also could not remember three pieces of information, so Schwab denied the request. Even though this was inconvenient for the client, we think Schwab kept their security safe when they denied the request.
Voice authentication also doesn’t verify well when you have a bad connection or if you have a cold.
We recommend implementing voice authentication when you are well and able to speak on a clear line.
The highest level of security Schwab can place on a phone call is a verbal password. If there is a verbal password on your account, Schwab will ask for it every time. This is much more difficult for scammers to get or guess. If your verbal password is “Waffles,” you must remember your verbal password. Schwab will not give you any hints about what your verbal password might be. A verbal password works best if it is not used on any other website. Using your verbal password on more than one site or with more than one company defeats much of the benefit of having a verbal password.
The downside of a verbal password is that you have to remember it. If you forget your verbal password, it requires that you sign a notarized form or visit a Schwab location in person.
Finally, Schwab encourages you to check your monthly statements to make sure that the account activity is legitimate. Report any fraudulent activity to Schwab immediately 24/7 at 888-372-4922 or 1-800-435-4000.