If I run the Symantec VIP on my phone, and the phone is lost or stolen, I would get a new phone with the phone number ported to it (legitimate SIM swap) and call Fidelity support to configure the Symantec VIP 2FA. Assuming I am not missing anything, the SMS is less secure. They will then be able to get your SMS 2FA code and change the password. You will then enter your name, DOB, and SSN. If you had SMS, then they could do a SIM swap attack and follow the same steps to reset the password. To disable it, you have to answer some security question. I was under the impression that as long as VIP is active you cannot bypass it to do something like change the password unless you disable it. If they did a SIM swap attack they still won’t have access to the VIP code. The hacker would need access to your phone. The next step would prompt you for the VIP number. To elaborate, let’s say you want to reset the password: you would fill out your name, DOB, and SSN. My original point was not that one's account would be compromised if using Symantec VIP, but just that it is not much stronger than cell phone SMS in this instance due to social engineering attacks. Fortunately, that does not seem to be the case. That would not protect against 2FA being compromised if that were true. I keep cash spread around at 2 or 3 other financial institutions, enough in total to let me live my life for 3-6 months uninterrupted, while I dealt with whatever fallout happened from such a security incident. While possible scenarios like this don't keep me up at night, I acknowledge the possibility of something like this happening at any financial institution and why I don't use any place as a one-stop shop.
Again, I have all the alerts set up via email and SMS to be notified if anything happens in my account, so if something nefarious happened, I expect I'd be able to contact Fidelity before funds actually left the (virtual) building, but even still, it would be 100% on Fidelity to make me whole as they would have allowed this to happen, not me. Plus, it takes time to sell stock, CDs, Treasury Bills, etc., have them settle and become available for withdrawal. Having made changes over the years I know when changing personal information Fidelity sends a message to both your old AND new contact points when that happens (old and new email, old and new SMS, old and new address, etc.). Similarly if they logged in, changed my email address, phone number, added banks, etc. If someone was able to gain enough information about me to get a Fidelity rep to replace my current VIP token, well, I expect I'd get a flurry of emails and text messages from my alert settings and I'd deal with it accordingly. When it comes to someone trying to do a "VIP swap" via social engineering at Fidelity, I've turned on all the security settings and alerts Fidelity supports. Also, it's not like you can pick up the phone and call 1-800-Google1 and speak to a human, so little chance of social engineering there to wrest away my GV number. My GV number is locked in my Google account to prevent porting, and my Google account requires a 2FA hardware token to access, so I am not worried about someone hacking my Google account to try and port my GV number out. I've never had a problem with Fidelity and not getting SMS alerts or codes when needed over the years from Grand Central / GV. In my experience, I've hit 2 or 3 banks that don't support VoIP phones for SMS, the most notable recommend on this forum being Ally (where voice calls to GV number work for 2FA code, just not SMS).
I've used GV since it was Grand Central, so going back to the mid-2000s, and have had it registered as my contact phone with most of the banks I've dealt with for over the last 15+ years, including Fidelity. When I set it up, SSN and SMS code were the sum total authentication.