Last week Equifax announced a security breach that put the Social Security numbers, birth dates, and addresses of 143 million Americans at risk. Our clients’ trust is our top priority, so we wanted to take a moment to discuss our views on security and privacy.
Equifax recommends consumers with questions visit www.equifaxsecurity2017.com or contact them on 866-447-7559. However, many people have pursued those channels and are still not certain if they have been compromised. To help, we’ve identified a helpful article from journalist Brian Krebs that helps explain what happened and answer a number of questions that have arisen in the wake of the breach.
What We Do For You
Wealthfront uses a number of services to validate a client’s identity, as required by federal law. Equifax is one of the providers we use, and they have advised us their recent data breach did not affect the system we use for identity verification. But because times like these make many concerned about the safety of their assets, we wanted to help explain a number of the important steps we take at Wealthfront to keep your accounts safe:
• We look for anomalous behaviors related to transactions and fundings. For example, if you open or add a new external account our system evaluates the risks associated with that action and escalates to our Brokerage Operations team if human review is deemed necessary.
• Our internal systems are designed following best practices for “least privilege” to reduce their attack surface.
• Wealthfront has an internal security team who evaluate risks across our company and platform. We actively monitor numerous security sources, and vendor security notifications for newly discovered security vulnerabilities and weaknesses, and remediate based on their severity and potential impact to our platform.
• We utilize external security firms to perform testing and validation of our security controls, both in our platform and internal systems, to complement our internal security program, and ensure we are incorporating the latest in industry best practices.
• Additionally, Ernst & Young annually audit Wealthfront’s policies, procedures and processes surrounding changes, privileged access, and our Broker Dealer operations.
What You Can Do For You
According to research from Pew, roughly two-thirds of Americans have experienced some sort of data theft. Thus, the most effective way to ensure your accounts are secure is to take an active role. We encourage everyone to evaluate and adopt the security measures they feel best reduces their risks. Here are a few basic recommendations to help you practice good security hygiene, in general and specific to Wealthfront:
Protect your email account. Because people typically use their main email address across most accounts, your email account essentially becomes “patient zero” when it comes to account compromises, as this journalist with news site Wired witnessed in 2012 . Thus it’s important to have a secure password and two-factor authentication in place. Also, don’t keep photos of your driver’s license, passport, or social security number in your inbox unless you absolutely have to.
Keep your computer and mobile device up to date. It is recommended to automatically update your operating system and applications whenever possible. This can easily be enabled on desktop computers running Apple’s MacOS or Microsoft Windows and mobile devices running iOS and Android. Many updates contain important security fixes, so enabling automatic updates reduces your susceptibility to bugs and ensures your devices are protected as soon fixes become available.
Make sure your passwords are strong. Creating unique and secure passwords is a pain, but just like fastening your seatbelt it’s critical for your safety. If you use the same password across multiple accounts you’re giving an attacker a free pass to compromise multiple accounts at the same time. Remember: Wealthfront will never ask for your password over the phone or by email.
Don’t keep passwords on your computer. It can be hard to keep track of so many passwords, but keeping them stored on your computer on your desktop or listed in an email draft isn’t the answer. Cybersecurity experts generally recommend password management software, like 1password, as the safest and most secure way to track and maintain strong and unique online passwords.
Use two-factor authentication (2FA). This is an important additional layer of security that confirms a user’s identity by utilizing a combination of two different components: something you know (your password) and something you have (your cell phone). Wealthfront has offered two-factor authentication for clients since 2015 and we provide a step by step guide to enable 2FA in our Help Center. A recent article by The Verge outlined the ways you can set up 2FA for all of your online accounts.
Avoid suspicious links, websites, phone calls, and text messages. Over the past decade fraudsters have evolved their methods of deceiving people, so it’s important to exercise caution when your personal information or finances are at stake. A “phishing” scam may involve an email with a link to a copycat website that prompts you to enter your username and password. Phone scammers try various tactics to elicit your information, using lottery winnings to “technical support” as carrots. You should never give personal or financial information over the phone unless you’ve initiated the call, and if you receive a robocall just hang up. There has also been a recent surge in the use of text messages and private messaging on social networks. You can protect yourself by carefully checking a link’s destination before you click, verifying the internet address of any website requesting your username or password.
Check your account activity. Most financial institutions allow you to verify when your account has been accessed. For your Wealthfront account, you can view this in Account Settings, under the Security section, where you can review your Login History. Occasionally the location may be inconsistent with your expectations, and we explain this in our Help Center.
Keep track of your accounts. This one is easy, especially since most financial institutions offer a app for your phone. Also, most credit cards offer real time alerts on your phone via text or push notifications. You can setup alerts at certain thresholds, such as transactions more than $250.
Keep track of your credit. Because credit monitoring has become commoditized, there are several free options, such as Credit Karma, where you can select to be notified via settings whenever a new account is opened in your name.
Consider fraud alerts. A fraud alert is a free service provided by all the major credit agencies. You just need to go online to the three credit bureaus — Equifax, TransUnion and Experian — and fill out the appropriate form. The service lasts for 90 days, but can be renewed free of charge. However, this also means any new applications you make will be flagged, so be sure to review the process before pursuing a fraud alert as an option.
Understand credit freezing. For a longer term lock you can put a security freeze on your credit report, but you should understand how it works and when is the best time to do it. A freeze makes it more difficult for someone to open an account in your name, but it also makes it more difficult for you to do things like open a new account or rent an apartment. If you are considering opening a Wealthfront account and have a credit freeze on your report a manual review of your application will be initiated, and we may require you provide additional documentation as part of the account opening process.
Don’t forget the kids. Identity thieves may use your child’s Social Security number to apply for benefits, bank accounts, credit or utility services, so it is advisable to check for a credit report to see if your child’s information is being misused. The FTC Consumer Information website has a page dedicated to understanding and recovering from child identity theft.
The Bottom Line
We take your privacy and security seriously at Wealthfront, but we can’t do it without your efforts. The reality is we live our lives online, but just because it feels secure doesn’t mean we’re immune from cyber crime. So just as we take precautions to remain safe in the physical world, it’s imperative to develop the same good habits in the digital world.
Nothing in this communication should be construed as an offer, recommendation, or solicitation to buy or sell any security. Wealthfront’s financial advisory and planning services, provided to investors who become clients pursuant to a written agreement, are designed to aid our clients in preparing for their financial futures and allow them to personalize their assumptions for their portfolios. Additionally, Wealthfront and its affiliates do not provide tax advice and investors are encouraged to consult with their personal tax advisors.
All investing involves risk, including the possible loss of money you invest, and past performance does not guarantee future performance. Wealthfront and its affiliates rely on information from various sources believed to be reliable, including clients and third parties, but cannot guarantee the accuracy and completeness of that information.