By Tracey Thomas
The other day, I got a dividend statement from a company I have stock in. The statement said that I could manage my stock online, and it listed a web address (URL). Having no prior knowledge of the online account, I went to the website to see what was there.
The website lets you manage your brokerage account, including buying, selling, and transferring stock. The website is not run by the company I have the stock in. It is run by the brokerage firm where my shares are held in book entry.
This online portion of my brokerage account was set up "for my convenience" by the brokerage firm without any initiative from me, and what's worse, to my knowledge, without any notification that such an account had been set up. I did not become aware of the online account from the brokerage. I was made aware of it incidentally by a company I have stock in. I have no idea how long this account has been set up "for my convenience."
The first time you go to the site, you have to activate your account. You do this by entering your SSN and zip code on a web form. Once you bypass this "authentication", then you can pick a password that is used for future logins. No other verification is necessary to activate the account.
This brokerage firm's security is perhaps the worst security I can imagine. The initial safeguard against unauthorized access is a Social Security number (SSN) and a zip code. These two pieces of information, especially SSNs, have become so widely available and misused that they are anything but secret.
To use this as a secure barrier against unauthorized access is absurd. Even though you can pick a password, thus "securing" your account, if you forget your password, you can go to a web page, or call customer service and provide your SSN and your zip code, and then you can pick a new password. So, even after I set up and "secure" my account, anyone who wants to gain unauthorized access to it only needs to know my SSN and zip code.
What is even worse is that the website login is your SSN. I happened to be using a browser that was having trouble with the website, so I called customer support. A customer support person for the website answered the phone and immediately asked me for my SSN. I told him I didn't want to give it to him, and he said that without it, he couldn't help me with my problem! So, now I am being asked to provide my sensitive data to someone who I don't want to have it, who shouldn't need it, and all for a "service" that I never wanted or asked for.
I asked the customer support person if I could use a login ID for the website that was NOT my SSN. He said I could not. Then I asked if I could change the two questions of authentication so that they are not my SSN and zip code. He also said I could not.
My next action was to close the brokerage account and move my stocks to a different broker, one who has better security and concern for its customers.
Why can I foresee identity thieves all over the country capitalizing on the fact that these accounts are created and in many cases, never set up, used, or monitored! If I were interested in committing identity fraud, I would go around to every online brokerage and bank that I could find, looking for accounts that were easily compromised. I think the latest fiasco of the busboy from New York should be more than enough to convince us that online brokerage systems are anything but secure!
There is a concept in business of "push" vs. "pull". A pull is when a consumer wants something, and it asks a business for it. A push is when the business tries to determine who might want something and sends it to the consumer without the consumer asking for it.
This "push" type business practice has cropped up everywhere in the past 50 years in many forms. From catalogs to junk mail, to advertising, to pre-approved offers of credit, products and services are pushed at us constantly. Sometimes the "push" is nothing more than an annoyance, like making people sift through volumes of junk mail. Other times, it is much more than an annoyance. It is downright dangerous to the consumer, as it is with pre-approved offers of credit.
"Services" like this brokerage account take the idea of push business a horrifying and dangerous step further. It didn't simply push to me the knowledge that an opportunity was out there. It pushed the opportunity itself to me!
I am fairly technologically savvy. I have access to the Internet and I use it. What horrifies me is when I think of parents or grandparents who don't use the Internet. If notified of an online service, they would likely assume that it didn't apply to them and ignore the account's existence. For this reason, accounts like this one may be turned on and vulnerable for months or longer!
Push business practices have gone WAY too far when they automatically sign us up for new services without us asking for them. Business would be a whole lot wiser to simply "push" us the knowledge that new services exist, and give people the option to sign up for them.