• Confidentiality: access to data should be limited to the appropriate parties.
• Integrity: your data is accurate and has not been tampered with.
• Availability: you have access to the data when you need it.

When most of us think of cybersecurity, confidentiality is primarily what we’re thinking about, but integrity and availability are mission-critical also.

For many people, using a password manager is going to be an upgrade in all three categories, relative to what they’re currently doing.

Confidentiality

Just think of all the different accounts you have, which you would really not want accessed by a malicious party:

• Email accounts,
• Bank accounts,
• Brokerage accounts,
• Credit cards, mortgage lender, or other financial services,
• Credit bureaus,
• MyChart (or other patient portals) for your health care system(s),
• Login.gov,
• Venmo,
• Your providers of health insurance, car insurance, homeowners/renters insurance, umbrella insurance, etc.

The list just goes on and on. And there are probably 100+ other websites with less critical information, but which you’d still prefer somebody else not to access.

For anybody with normal memory capabilities, it’s impossible to remember a unique password for each of those websites.

So, many people resort to one password that gets reused across a bunch of different accounts. This is a train wreck waiting to happen. Credential stuffing is a common form of cyberattack, in which thieves use previously stolen credentials (username/password) on various other accounts. Once your password is stolen, it will be tried on a very long list of other websites. If you reuse the same password on many websites, you now have thieves accessing a whole bunch of your accounts all at once. This is an entirely avoidable scenario, so please don’t let it happen to you.

Alternatively, many people resort to short, easy to remember passwords (e.g., Boglehead123 for their Vanguard account or MagellanLynch1 for their Fidelity account). The problem is that easily remembered passwords are often easily guessed passwords.

The reality that you have to accept at this point is that you aren’t supposed to be able to remember all of your passwords. If you’re still trying to remember them all in your brain, you are almost certainly making major security compromises in order to make that happen.

A password manager allows you to create strong (lengthy and randomly-generated) passwords for each account, which are unique to each account, and it remembers them for you.

Another benefit with respect to confidentiality: a password manager will usually not offer to fill your password if the domain doesn’t match exactly. For instance, if you have a saved username/password for Schwab.com, and someday you accidentally find yourself on a different domain, which is designed to look exactly like Schwab’s website (and thus collect and maliciously reuse your credentials after you enter them), your password manager should not offer to fill your password (because it doesn’t see a saved password associated with the domain you’re currently on).

Integrity and Availability

Some people’s approach to password security is to record all of their passwords in a physical notebook, which is kept in their home. Assuming that the notebook is kept secure, that can do a reasonable job with respect to confidentiality. But that approach often falls short with respect to data integrity. At some point, ink becomes smeared. Or passwords get crossed out with new ones scrunched into the spare space nearby. Legibility declines and we can no longer read the password in question. Or something physically happens to the notebook itself: there’s a fire or natural disaster, or more likely, a beverage is spilled directly onto the notebook.

I’ve also seen that approach fail with respect to availability: whoops, we forgot to bring the notebook with us on vacation. Or your spouse just can’t read your handwriting.

Similarly, I’ve seen people take a post-it note approach to password management (i.e., just sticking post-its on or near their computer with various important passwords). While that approach has confidentiality problems if anybody else ends up near your computer, that approach also can easily fail the availability test if a post-it falls off and gets thrown away.

With a password manager, your passwords will be synced across your devices. As long as you can sign into your password manager, you will have access to your passwords. And no need to worry about your or your spouse’s handwriting.

Password Sharing

Password managers also allow for secure sharing between multiple people (e.g., two spouses on a shared family plan), which has benefits for confidentiality, integrity, and availability.

• Confidentiality: sharing passwords via a password manager is much more secure than sharing them with each other by text, for example.
• Integrity: if one of you updates the password, it will be automatically updated for the other.
• Availability: you can be in different physical locations, while both still having access to your shared passwords.

Which Password Manager?

I’m not going to officially recommend one password manager as opposed to another. Most all-Mac households seem to be happy with Apple’s built-in password manager (known as Apple Passwords on newer devices). 1Password or Bitwarden are also popular and well respected.

LastPass was also very popular, but due to a major breach in 2022, many of the top experts in the field recommend using a different provider. (And if you were using LastPass at the time, you should change every password that was stored in your vault. And if you are still using LastPass even after that breach, you should absolutely change your master password as well.)

As far as the password managers built into Chrome and Edge, opinions vary. Many people consider them to be somewhat of a tradeoff, providing convenience but less security (and fewer features) than a dedicated password manager. Other people argue that the latest versions are meaningfully improved and now essentially as secure as 1Password or Bitwarden.

If you go looking for comparisons of one password manager to another, I’ll just make two observations:

• Many of the articles you’ll find are actually sales pitches in disguise. Many password managers offer “affiliate programs,” whereby they pay a commission to a referring party for each new customer that signs up. If somebody can publish an article that ranks well in search results for “best password manager” or “password manager comparison” — and then the article gets many people to sign up for one of the providers that pays a commission, that can be a substantial revenue stream.
• Among cybersecurity enthusiasts, “should I use Bitwarden or 1Password” is akin to “should I tilt to small-cap value” for Bogleheads. They can talk about it forever, and there are ardent supporters on either side. There are real pros and cons of each. But the key thing to recognize is that either is a heck of a lot better than what many people are doing with their passwords.

Staying Secure with a Password Manager

I want to be clear that simply using a password manager doesn’t in itself make you much safer. Password managers make it convenient to use strong passwords, but if you have existing weak passwords and/or passwords that are reused at a bunch of different places, you have to take the step of updating those passwords to new passwords that are stronger and unique. (The password manager should have a password generator to easily create strong passwords for you.)

It’s also extremely important to recognize that, with a bunch of passwords stored in one place, that one place becomes absolutely mission critical. You need to keep malicious parties out of it. And you need to make sure that you will not be locked out of it.

That means that for your password manager, you want to:

• Use a very strong master password.
• Turn on multi-factor authentication.
• Only use strong methods of multi-factor authentication. (The safest would be a hardware security key such as a YubiKey, of which you have multiples. Hardware security keys will be a topic for another day. But as noted previously, an authenticator app is generally a safer option than MFA by email or SMS.)

When using a password manager, device security becomes even more critical than it would otherwise be. For example, if you take your laptop around with you, and you normally keep yourself signed into your password manager on that device (e.g., via a Bitwarden or 1Password browser extension), you have a very big problem if somebody else gets their hands on that device. For devices that leave your home (or even for devices kept at home, if other people are around on a regular basis), I recommend using a very short screen-lock time, as well as configuring the password manager to lock (thus requiring your master password to be reentered) when the screen locks or the device goes to sleep.

And with respect to not getting yourself locked out, it’s important to recognize that if you forget your master password, many password managers cannot recover it for you. You would be permanently locked out. That’s by design. It’s one part of what makes the system secure. But it means that you should probably have that master password written down on paper somewhere, such as a fireproof safe or in a safe deposit box.

Similarly, your recovery code (which serves as a backup if your normal MFA method is unavailable) should be printed on paper and kept somewhere safe.

If your recovery code and master password are both printed out and kept together in a safe deposit box, this would provide you (or your heirs, when the time comes) with a way to sign into your account.

Password Managers and Passkeys

As discussed previously, passkeys are generally an improvement over traditional passwords, for a variety of reasons (e.g., they’re more resistant to phishing). And your passkeys will generally be stored in a password manager, to be synced across your devices.

As I noted in previous articles though, it’s hard to explain exactly how that works in practice, because it will vary depending on what combination of technology you’re using (i.e., which operating system(s), which browser(s), which password manager(s), and whether or not you’re using hardware security keys such as YubiKey). There are too many possible combinations to give a complete set of answers for everybody.

• Apple Passwords can store passkeys on all Apple devices — and sync them across Apple devices.
• Google Password Manager can store passkeys on any device browsing with Chrome (and sync across all such devices).
• Edge Password Manager can store/sync passkeys on any devices browsing with Edge.
• Third party password managers (e.g., Bitwarden or 1Password) can store passkeys and sync them across devices on which the software is installed (or accessible via an installed browser plugin).

Imagine for instance that you have two devices: a Windows desktop on which you browse exclusively with Chrome and an iPhone on which you browse exclusively with Safari. And you don’t use a third-party password manager. In that case, it would be Google Password Manager storing the passkeys on your desktop and Apple Passwords storing them on your iPhone. And they would not “see” each other’s passkeys. (But even that is okay, because you can just set up multiple passkeys for each website.)

Conversely, if in the above situation you browsed with Chrome on both devices, then Google Password Manager would be syncing the passkeys across the two devices.

Or let’s say you have a desktop Mac and an iPhone. And you use Chrome on both. Then either Apple Passwords or Google Password Manager could be used to store and sync your passkeys. Google Password Manager seems to try to make itself the default when browsing with Chrome, but you can adjust your settings to turn that off (and thus use Apple Passwords) if desired.

And in any of the above cases, if you have a third party password manager (e.g., Bitwarden or 1Password) that you use on all devices, that password manager could instead be used to store/sync passkeys.

But the key things to know are that:

1. It’s okay if you have some passkeys stored in one place and others stored in another place (as in the first example), because you can have multiple passkeys for each website.
2. Anywhere you are storing passkeys and/or passwords should be kept as secure as possible (i.e., using a strong password that is not used elsewhere and using strong multi-factor authentication).

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

As far as how they work behind the scenes (the public key/private key topic), that’s not something that you need to understand deeply (or at all, really) in order to use them and in order for them to improve your security. I simply included it because I know that many of the people who read this blog are the type who do want to understand the mechanics of how things work.

As far as what it’s like (from a user interface perspective) to actually use passkeys, it’s hard to explain universally what the process looks like, because it varies somewhat by website. (For example, when signing into Amazon with a passkey, they still send a 6-digit code by text, whereas most websites will not do so.) And it varies significantly based on what devices/browsers you’re using, as well as based on whether you’re using a separate password manager. For example:

• If you’re an Apple-only household, you browse only with Safari, and you use Apple Passwords to store your passwords, the whole thing will feel pretty seamless, with Apple Passwords storing your passkeys as well.
• If you’re on macOS, browsing with Chrome, and you use Bitwarden password manager, then Apple Passwords, Google Password Manager, and Bitwarden will each want to be the thing that stores your passkeys.

I would encourage you, next time you encounter a website that a) offers the option to use a passkey and b) is a low-stakes website for you so that it does not feel scary, create a passkey and then use that passkey to sign in going forward. Get used to using a passkey on one single website before trying to implement them more broadly.

For me personally, that would be something like target.com or walmart.com. Both of those websites have my name, email, shipping address, and my (not very lengthy nor particularly privacy-sensitive) order history. But neither has stored payment information, neither has my SSN, neither is linked to any financial accounts, etc.

Other Recommended Reading

• The Fallacy of Investing Based on Forecasts from Allan Roth
• An Asset-Liability Mismatch from Ben Carlson
• Dimensional Grafts Vanguard’s Tax-Busting Model Onto Mutual Fund from Katie Greifeld
• What’s Middle Class in NYC? from Ben Carlson
• Private Credit’s Angry Investors Are Showing Its Limits from Paul Davies
• The Best Strategies for Consistent Retirement Spending from Amy Arnott
• How do frontier AI agents perform in multi-step cyber-attack scenarios?
• Banks Are (Trying to Become) Bulwarks for Vulnerable Seniors from Paula Span (NYT)
• The Biggest Benefits Come from Consistency, Not Complicated Programs from the American College of Sports Medicine’s Updated Guidelines for Resistance Training

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

A very short summary is that when signing in with a passkey, the authentication happens on your own device. So if I’m signing in via passkey, my device essentially asks, “hey user, prove to me that you’re the person who is allowed to unlock this device.” Once I do that (e.g., by PIN or fingerprint), the message the device sends to the other institution is basically, “this device has verified the user, and they have access to the passkey for this account.” So it has benefits such as:

• No reusable secret information is being transmitted.
• The institution doesn’t have to store any secret information (i.e., password).
• It has the potential to eliminate the risk of somebody guessing/stealing your password, because somebody would have to be in possession of your device and be able to convince the device that they’re you.
• It’s resistant to MFA-code phishing (such as in the John/Rachel example), because there’s no code to share in the first place.
• It’s also resistant to fake-website phishing attempts (e.g., somebody buying Vamguard.com and putting a site up that looks exactly like Vanguard, with a login page to collect login credentials), because passkeys are tied to a specific domain, so they won’t work on look-alike sites like Vamguard.com.
• It’s (usually) easier to sign in with a passkey than with a password, and passkeys eliminate the hassle of resetting passwords due to forgetting.

How Do Passkeys Work?

When trying to understand how passkeys work, it’s helpful to keep in mind the goal. The goal is to have a system in which a user can sign into a website or app without having to transmit any secret information. All of the secret stuff lives on the user’s own device. And everything that gets transmitted, and any login-related info that’s stored on the website’s server is safe if anybody else sees it.

But how can you log into a website without sending them your password or some other secret information? That is, if you don’t have to transmit any secret information to the website (i.e., if only “public” information is necessary), how can the website make sure that nobody else can sign into your account? To create a system that works in such a way requires fundamentally rethinking the entire process.

And that’s what passkeys do. They solve those problems.

And broadly, the idea is that the “proving you’re who you say you are” process happens locally, on your own device.

We’ll go through it step-by-step (i.e., what happens when you create a passkey, and then what happens when you use that passkey to log in).

But first we have to start with one piece of jargon.

What is a “Challenge?”

In order to understand passkeys, you have to understand what a “challenge” is.

You can think of a challenge as a formalized “who are you, and please prove it” request.

An “unsigned challenge” is what the server sends to you. For example, if you’re on your bank’s website and you click “log in with a passkey” or if you’re already signed in and you click a link to create a new passkey, your bank will send an unsigned challenge to your browser.

And what your device will eventually send back to the server is a “signed challenge” (along with some other information). We’ll get to how a challenge is satisfied (“signed”) in a moment.

For now, one thing to know about a challenge is that each one has a unique identifier (e.g., challenge #203SNA30DNDQ), and each challenge is one-time-use-only. This is a critical security feature. It means that if somebody managed to spy on your transmission (and were thus able to view the signed challenge that you send to the server in order to log in), they would not be able to simply copy that signed challenge and send it to the server themselves in order to log into your account. The server would say, “sorry, this challenge has already been used,” and the fraudulent login attempt would be rejected.

Magic Pen and Magic Magnifying Glass

With “challenge” defined, let’s take a brief detour for an analogy, to explain the other major parts of the passkey ecosystem.

Imagine you have a magic pen. It writes in normal-looking ink. But you also have a magic magnifying glass. When this magic magnifying glass is used to examine something that was written with your magic pen, the ink glows sparkly purple. When it looks at anything written with any other ink (i.e., not written by your magic pen) the ink just looks normal.

There’s no way to “reverse engineer” the magic pen from the magic magnifying glass. In other words, if somebody were to have the magnifying glass, there’s no risk that they could create a copy of your magic pen.

So you give magic magnifying glasses to all of your friends. That way, any of them can see whether a message was really written by you, with your magic pen. Fun! And you can give out as many of these magnifying glasses as you want, because again, nobody can recreate your magic pen just by having one of these magnifying glasses.

What Happens When You Create a Passkey

When you’re signed into a website or app, and you choose to create a new passkey, the server will send your device a new unsigned challenge.

Your device takes that unsigned challenge and creates three new things:

1. A private key.
2. A corresponding public key.
3. A credential ID. This is just a public identifier for the passkey (e.g., your new passkey is passkey #22093948310930).

The private key is the secret thing. The private key lives on your device (or is synced securely across your devices via your Apple/Google/Microsoft account) and is never sent to the server. The private key is your magic pen, and it can be used to sign a challenge.

The public key is unique and linked to the private key. The public key is the magic magnifying glass. It’s essentially a testing tool. When somebody has the public key, they can use it to test the signed challenge to see if it was signed with the private key (magic pen) that corresponds to that public key (magic magnifying glass).

An important point here is that there is no way for somebody to look at a given public key and determine the corresponding private key. So it’s absolutely no problem if somebody were to intercept your public key. Just like with the magnifying glass, you could give out your public key to as many parties as you want, with no security risk.

After your device creates these three things (private key, public key, credential ID), it uses the newly-formed private key (magic pen) to sign the challenge. And it sends the public key, the credential ID, and the signed challenge back to the server. It does not send the private key to the server.

The server then stores the public key and credential ID and associates them with your specific user. (Remember, you’re already logged in before beginning the process of creating a passkey, so it already knows who you are.)

So at this point:

• You have a private key (magic pen) stored on your device.
• And the server has a public key (magic magnifying glass) and a credential ID, both of which are now associated with your user.

What Happens When You Log in with a Passkey

When you initiate the process to log in with a passkey, your device first checks: “Do I have a passkey saved for this app/website?”

This step is itself a valuable security measure. It means that if you ever accidentally visit a fake website (e.g., you fell for the first part of a phishing attempt, clicked the link in the email, and are now on usbamk.com rather than usbank.com), your device will immediately stop the process. It doesn’t have a passkey associated with this domain. Disaster averted. (Though seriously, please don’t click that link in the first place.)

If your device sees that it does have a passkey for the website/app in question, the website/app sends an unsigned challenge to your device.

Your device then goes through some process to satisfy itself that you are you. This might be entering your device PIN or providing some biometric identifier (e.g., fingerprint).

Once your device is satisfied that you are you, it uses the stored private key to sign the challenge.

And your device then sends the signed challenge, the credential ID, and your username to the server. Again, it does not send the private key. (Also note: your PIN/fingerprint is never transmitted to the server either.)

The server then:

1. Checks that the username provided exists in the system,
2. Checks that the credential ID a) exists in the system and b) is linked to the username in question, and
3. Uses the stored public key (magnifying glass) that’s associated with the credential ID in question to test the signed challenge, to make sure that it was signed by the appropriate private key (magic pen).

If all three of those things proceed happily, you’re signed in.

Passkey Limitations

An important issue to be aware of is that, at least as of right now, when websites let you use passkeys, they usually let you sign in using the passkey or a password. So the weak password/stolen password path of attack still works. Ideally we’d see websites that let you implement passkeys and then make it impossible to sign in with a traditional password. But so far, that sounds scary to many users because passkeys are unfamiliar. Hopefully that changes over the coming years as more and more people use them.

In addition, there’s messiness where everybody wants you to use their passkey ecosystem. So if you’re browsing on Chrome on an iPhone, and you visit a website for which you already have a passkey set up (via Apple), Chrome might prompt you to create a new one — which can feel very confusing. Fortunately, you can usually create a bunch of passkeys for the same website, so you can have one for each device/browser combination, for each website.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

1. At one of the spectrum are strategies that spend a certain dollar amount (or more often, a certain dollar amount, which is then adjusted for inflation each year). The classic “4% rule” strategy is in this category. Strategies like this provide for predictable spending but allow for potential portfolio depletion if investment returns are poor (especially in the early part of retirement).
2. At the other end of the spectrum are strategies that spend a percentage of the portfolio each year. Strategies in this category are safer in the sense that they cut spending when portfolio performance is poor and thus reduce/eliminate the possibility of depleting the portfolio. But they can result in dramatic volatility in spending from year to year.

And so there are also hybrid strategies. In an article for Kitces, Michael Woloch recently discussed a “modified RMD” spending strategy. Basing spending on RMDs is a percentage-of-portfolio strategy (though itself a specific subcategory, because the percentage increases each year with age). But here the “modification” is that rather than basing spending on a percentage of the portfolio balance on the final day of the previous year, it’s based on the average portfolio balance of the final days of the last three years, with the result being that spending is less volatile from one year to another.

• Reducing Retirement Income Volatility With The Modified RMD Safe Withdrawal Method from Michael Woloch

Other Recommended Reading

• 10 Rules for Dealing with Uncertainty from Ben Carlson
• Preparing without Predicting from Ben Carlson
• ‘Exploit Every Vulnerability’: Rogue AI Agents Published Passwords and Overrode Anti-virus Software from Robert Booth
• Municipal Water District Loses $3 Million to Phishing Scam from Jack Thurston
• Older Workers Embrace Job Hopping – and It’s Good for Their Retirement Prospects from Geoffrey Sanzenbacher
• The Government Is Trying to Rein in Medicare Advantage Costs. Will It Work? from Alicia Munnell
• IRS Proposes Regulations for Trump Accounts, Pilot Program from Martha Waggoner
• Signal Collapse and the New Proof of Work from Nick Maggiulli
• His Father Lost His Life Savings in a Scam. A Fake Lawyer Offered to Help. from Tara Siegel Bernard (NYT)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

• Email
• SMS (text)
• Authenticator app

Of the three, using an authenticator app is definitely the most secure approach. (Hardware authenticators such as a Yubikey will be a topic for another day.)

The Problem with Email as MFA

Email as the multi-factor authentication method is pretty bad. Just think of how many websites you visit where:

1. Your username is your email address, and
2. When you click the “forgot password” link, they just send an email with a reset password link.

If #1 and #2 are true and you use your email as the multi-factor method, if a thief gets into your email account, they can now access any of those other accounts as well.

Granted, a thief getting access to your email account is extremely bad news as it is. We want to take serious precautions to avoid that scenario. But there’s no reason to make that scenario any more disastrous than it needs to be.

SMS (Text) Isn’t Secure

Using SMS (text) as the multi-factor method is not ideal either.

CISA (the Cybersecurity and Infrastructure Security Agency, which is a component of the United States Department of Homeland Security) put out a document in December 2024 that encouraged people to “migrate away from SMS-based MFA.” They note that “SMS messages are not encrypted — a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.” They also note that SMS is not phishing-resistant (see the John/Rachel example).

SIM-Swap Fraud

Another problem with SMS at the multi-factor authentication method: SIM-swap fraud.

Mobile providers can easily “port” a phone number from one device to another. This is commonly done when a customer switches to a new phone (e.g., to upgrade or because the previous device was lost).

In a SIM-swap fraud:

• The thief gathers personal information about the target. As we’ve discussed, a lot of information is simply purchasable. Other assorted information can often be gathered via social media or online searches (e.g., mother’s maiden name may be findable via an obituary posting).
• The thief then contacts the target’s mobile provider and, with clever conversational skills and a bunch of personal (ostensibly private) information, convinces the company to transfer the target’s phone number to the thief’s device.

And now the thief has access to any MFA codes that come in via text. And again, as discussed recently, in many cases that code is all they need, in order to access various critical accounts.

Your mobile provider probably offers a SIM-swap protection feature. Verizon, T-Mobile, and AT&T all provide it free of charge, but it isn’t activated by default. I would definitely encourage you to turn it on.

Even with SIM-swap protection activated via your mobile provider though, SMS is still not the ideal method for multi-factor authentication, because SMS is not encrypted.

Authenticator Apps

Authenticator apps are more secure than SMS or email as the multi-factor method. The authenticator app is installed on your phone and cannot be accessed remotely (short of your phone itself being infected with malware). To get an MFA code from an authenticator app on your phone, the thief would have to:

• Be in physical possession of your unlocked phone, or
• Convince you to give them the code (which is also a potential failure point of email or text-based MFA). And again this is why we have to be super careful with these codes.

Authenticator apps take a bit of time to get used to, but once you’re used to using one, it’s quite easy. I have found Google Authenticator to be easy to use, but there are many other options as well (e.g., Microsoft Authenticator or Authy).

If you’re new to it, do not worry, regardless of which authenticator app you pick, there will be a ton of intro/walk-through videos on YouTube.

When setting up app-based multi-factor authentication, the website may give you the option to store some backup codes. These codes are to be used in case you lose your phone, so do store them somewhere. But of course make sure it’s somewhere safe (e.g., printing them out and storing in a safe or secure filing cabinet).

Removing Less-Secure MFA Methods

After activating multi-factor authentication by app, you may have to manually turn off multi-factor authentication via SMS/email. For many websites, the default behavior is that, if you already had some other method of MFA set up, after setting up MFA via authenticator app, that previous method will still remain as an option. And we usually don’t want that, because it leaves you vulnerable to exactly the types of attacks discussed above.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

With this software, the user (a would-be thief) types in a URL of a genuine website, and when a target visits a selected scam URL, the software loads up an invisible browser window to collect, in real-time, all of the genuine website’s information, which it then passes through to the victim’s browser window. In other words, from the victim’s perspective, everything looks exactly right, because it is literally the same thing showing in your browser.

But it gets crazier from there. Much crazier. The software also passes every keystroke and action from the victim back to the original website — including the MFA code. So from the victim’s perspective, everything is operating as normal, including all of the functionality after logging in, so as not to set off any mental alarms. But the software is collecting all of that information for the thief. And the thief is now logged in as well.

The software also has a full collection of other features, such as URL masking (i.e., making a fake link look genuine).

And it comes with customer support, regular software updates, and a community forum for users.

The takeaway, again: unless you yourself directly typed the appropriate URL into your browser (e.g., vanguard.com, schwab.com, chase.com, etc.), you might not be on the genuine website.

• Phishing Software as a Service (Complete with Customer Support) from Callie Baron and Piotr Wojtyla

Other Recommended Reading

• Retirees: Should You Take RMDs Early in the Year or Wait? from Christine Benz
• Better Conditions Did Not Yield Better Results for Active Managers in 2025 from Bryan Armou
• Some Things That Didn’t Happen from Ben Carlson
• Can You Live Off Your Dividends? from Ben Carlson
• Fear-Based Frugality Can Harm Your Financial Wellbeing from Rick Kahler
• The Truth About 529s and Financial Aid from Ann Garcia
• This Form of Mental Exercise May Cut Dementia Risk for Decades from Jon Hamilton
• Meta AI Alignment Director Shares her OpenClaw Email-Deletion Nightmare from Hendry Chandonnet
• The Rise of Bratty Machines from Elizabeth Spiers (NYT)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

I recently received a very clever phishing attempt by email. (In hindsight, I wish I had taken screenshots prior to deleting it.)

Here’s what it looked like in my inbox:

• From: Vanguard Brokerage Services
• Subject: Your Vanguard statement is ready

Looking at the email via my desktop browser, it was very easy to see that it was a phishing attempt.

Looking at the email on my mobile device, however, there was no immediately obvious sign that the email was not legit. Based on everything immediately visible via my mobile mail app, it looked exactly like a genuine Vanguard email.

Looking at the “From” Field

When I viewed the email on desktop, the “from” field was a dead giveaway. While the “name” of the sender was “Vanguard Brokerage Services,” the email address of the sender was complete gobbledygook. Something like “senderx34x3@xyzpayments.info.” Clearly, that’s not actually Vanguard.

On mobile though, the sender’s email address does not appear immediately (at least not on most mobile mail apps). You just see the name. When viewing the email, there will be somewhere you can tap to display the sender’s email address. But you have to go out of your way to actually do that. And of course the percentage of people who do that with every single email is vanishingly small.

Body of the Email

The text of the email was a character-for-character copy/paste of the real statement-notification emails that Vanguard sends, complete with the appropriate images, branding, etc. Everything looked exactly as you’d expect.

The only thing about it that was wrong is that the links that appeared to point to Vanguard’s login page actually pointed to a scam URL. (That is, the “anchor text” of the link was the appropriate URL, but that’s not where the link actually pointed.)

In other words, it was something like this:

https://vanguard.com/

If you look only at the text of the link itself (the “anchor text”) you’ll think the link is going to take you to Vanguard. But it doesn’t. The link points to ObliviousInvestor.com. On desktop, you can see that easily by hovering over the link. Your browser (usually in the bottom corner) will show you where the link points. (Though even this can be spoofed. So as with the email address, if it looks suspicious, it definitely should not be trusted. But if it looks normal, that doesn’t necessarily tell you that it’s genuine.)

On mobile, however, “hover over” isn’t an option. You can tap a link and hold your finger down, in order to see where the link points. But how many people actually do that for every link they consider tapping? Also, there’s the risk that you tap the link and accidentally take your finger off the screen too early — and now you’ve visited the scam link rather than activating the “preview” functionality.

Browser Location on Mobile

Of course, I did not visit the links in the spam/phishing email. But if I had, I’m confident that the destination page would look exactly like Vanguard’s real login page. Except, of course, it wouldn’t have actually been Vanguard. It would have been a fraudster’s website, set up to collect people’s usernames and passwords as they entered them.

On desktop, at the top of your browser window, you easily see the full URL of the page you’re on. That makes it at least somewhat easier to recognize whether you’re on a legitimate website or not.

On mobile, depending on your browser and device, you often don’t. You might see the first several characters or the last several characters. But you might, for example, have accidentally visited:

vanguard.com-payments-us-vanguard.com

If you only see the beginning or end of that URL, you might think that you’re on Vanguard’s website. But that’s not Vanguard’s website. The actual domain in that URL is “com-payments-us-vanguard.com”, which any old fraudster could have purchased. (The “vanguard” at the start of the URL is a subdomain.)

What To Do

There are a handful of ways to avoid falling for this sort of thing.

Firstly, it’s helpful to actually look at the email address of the sender, even if it’s not immediately displayed in your mobile app. But even that can be spoofed. So while a spammy email address tells you it’s spam, a legit-looking email address does not necessarily tell you it’s genuine.

Secondly, it’s helpful to generally be aware when using mobile that 1) you aren’t seeing as much information as you would via desktop and 2) sometimes the information that you’re not seeing would have been a clear red flag.

Thirdly, if you did end up falling for the email and visiting the link in question, you’d be in better shape if you use passkeys or a password manager (both topics for another day, which we’ll get to). Your passkey would not work on the fake domain. And a password manager would recognize that the domain in question was not actually Vanguard.

But the most effective way to avoid falling for this? It’s the same exact rule that we discussed in the first article in this series! (I promise I’ll move on to other topics soon. But I just want to drive home how critical and valuable this rule is.)

If you receive any inbound communication (whether email, text, or phone call) that purports to be from a company with which you have any sort of account:

• Do not reply.
• Do not give them any information whatsoever.
• Do not click on any links.

Essentially, don’t interact with inbound communications. Instead, if you think it might be genuine and require some sort of response, reach out directly, via trusted means (i.e., either typing the company’s URL directly into your browser or calling the number on the back of your credit/debit card) and ask the company in question about it.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

Morningstar’s Amy Arnott recently shared the results of her research, together with other Morningstar colleagues, discussing which strategies would be expected to maximize total spending through retirement.

• Here’s How You Can Spend More During Retirement from Amy Arnott

Other Recommended Reading

• Iceberg Crashes from Ben Carlson
• The Midlife (Spending) Crisis from Ben Carlson
• You Should Quit Social Media for Good from G. Elliott Morris
• Why You Can’t Time the Market (Even When You Know the Future) from Nick Maggiulli
• Is Inflation Higher Than We Think? from Nick Maggiulli
• You Aren’t Giving Enough Money to Your Kids and Grandkids from Elliott Appel

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

A long-time Oblivious Investor reader recently wrote in to share that he and his spouse had fallen victim to a fraud that resulted in a theft from one of their IRAs at Fidelity (which, as discussed below, was not reimbursed). The total loss was “only” about $4,000. But it absolutely could have been much worse.

Here’s how it played out.

John and Rachel (not their real names) had just returned from a trip abroad. Rachel received the following text:

If you can’t see the image, the conversation reads as follows:

Incoming text:
Fidelity ®: Did You Attempt A Transaction of $374.52 At MODERN FEMME FASHIONS 12/02/2025 (EDT).
Reply (YES) if Recognized.
Reply (NO) if Unauthorized, A Call Will Be Generated To You Momentarily

Outbound text:
No

Incoming text:
Fidelity ®: Thank you for confirming. Please hold for the next available agent to assist you.

After that text exchange, Rachel received a phone call as indicated. At the outset of that call, the agent said that, in order to confirm her identity, Fidelity was going to send her a 6-digit code and asked her to please read it back to them. Rachel received the code and read it back to the agent on the phone.

And that was it. As of that moment, the fraudster was able to access her Fidelity account.

The thief promptly initiated a few money transfers out of the account. Fortunately, John promptly noticed what was going on and contacted Fidelity. Fidelity was able to recover one of the transfers, but the other two (totaling ~$4,000) were not recovered. And because the theft involved the victim unintentionally sharing login information with the thief, Fidelity did not reimburse John and Rachel for the theft.

Why was it only $4,000 that was stolen, when there was much more in the account? (Even the cash balance at the time far exceeded $4,000.) I’m not entirely sure. I think the thief must have intentionally chosen a low amount to hopefully not trigger any alerts on Fidelity’s end. But the situation clearly could have been much worse.

How the Fraud Worked

When we log into an account (if not using a passkey, which is a topic for another day), we provide username, password, and the multi-factor authentication (MFA) code. So we might think of all three as being necessary.

But the thief didn’t need Rachel’s username or password at all. All they needed was the six-digit MFA code.

If that sounds surprising to you, take a look at the password-reset forms for any number of financial institutions. (Here’s Vanguard’s for instance. Here’s Fidelity’s.) Take a careful look at the information they ask for. For many financial institutions, the form requires:

• Name,
• Date of birth,
• Social Security number (or last 4 digits of Social Security number), and
• Zip-code.

After you enter that info, they send you a 6-digit code. And after entering that code, they let you reset your username and/or password, or perhaps they display your username on the screen in plain text and allow you to pick a new password.

And, unfortunately, for most of us, all of that information is available for purchase on the dark corners of the internet, due to large-scale security breaches that have already happened. In the 2017 Equifax breach alone, approximately 147 million Americans had their name, DoB, SSN, home address, and phone number stolen. That’s roughly 43% of the U.S. population in just one data breach. And there have been tons of other breaches.

In other words, for most of us, a thief has everything they need to get into our accounts, other than a 6-digit multi-factor authentication code.

We deal with MFA codes so often that they feel commonplace, mundane, disposable. But they’re the keys to the kingdom. It’s not an exaggeration to say that MFA codes should be guarded more closely than your Social Security number.

“We’re Contacting You About Fraud” Is Itself a Red Flag for Fraud

The readers targeted in this incident are not at all the only people to fall victim to fraud, via a fraudster pretending to be the financial institution, warning them of fraud. It’s a very common tactic. Here are two other examples, if you’re interested in similar stories:

• Imposters Stole $8,000. How ‘Money with Katie’ Got Scammed
• How My Coinbase Account Was Almost Stolen

“We’re contacting you about a suspected fraud” is itself a great way to defraud somebody, for two reasons.

Firstly, it gives the fraudster a plausible reason for the initial contact to the targeted person.

And secondly, it puts the targeted person in a mindset of wanting to take prompt action, in order to stop the supposed fraud — thus making it easier for the fraudster to get the target to follow instructions. It might even be effective enough to generate a panic/fear response in the target, thereby inhibiting clear thought.

What To Do When You’re Contacted

When a financial institution with whom you have a relationship reaches out to you (whether about a suspected fraud or about anything else):

• If it’s a phone call, take down whatever information they give you. (Or frankly just don’t answer the phone if it’s from a number you don’t know. Just listen to the voicemail, if they leave one.)
• Regardless of method of contact, do not give them any information. No information whatsoever. Not your date of birth. Not your Social Security number. And absolutely not a multi-factor authentication code. Give them nothing. Truly, nothing. If it’s a text, do not reply. If it’s an email, do not reply to the email.
• If it’s an email, do not click on any links in the email.
• Then reach out to a trusted phone number that you already have for that financial institution. If it’s your bank, call the number on the back of your credit/debit card. Or directly type in schwab.com (or whatever is the applicable website), and find the applicable phone number there. And once you know you’re actually in contact with the right organization, ask them for details on the situation.

To summarize:

• Don’t respond to any inbound messages that appear to be from financial institutions. Don’t give them any information.
• Separately reach out to a phone number that you know is genuine, to ask about what’s going on.
• Treat multi-factor authentication codes with the utmost security and caution. If you accidentally give one to a thief, that’s quite possibly all they need to get into your account.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

First was a discussion of estate planning and Roth conversions, for the Advice-Only Podcast, which is hosted by Sarah Sprague Gerber of the Advice-Only Network.

• Mike Piper on Estate Planning Realities and Roth Conversion Strategies

Next was a discussion of Social Security, for the Ben with Benefits podcast, which is hosted by Ben Carlson of Ritholtz Wealth. (Ben also writes the blog A Wealth of Common Sense, which I frequently feature here.)

• Is Social Security Going Bankrupt? (interview by Ben Carlson for the Ben with Benefits podcast)

Other Recommended Reading

• How to Prevent Aging Parents and Relatives From Making Financial Mistakes from Paulette Perhach (NYT)
• Stop Chickening Out (regarding retirement spending strategies) from Jordan Grumet
• IRS Releases FAQs on Qualified Overtime Pay Deduction Under H.R. 1 from Martha Waggoner
• Preventing Double Grief: A Relocation Guardrail for Surviving Spouses from Kathleen Rehl
• Affordable Housing Requires Tackling Insurance Costs from Bloomberg News Editors
• Treating Hearing Loss With Hearing Aids for the Prevention of Cognitive Decline and Dementia from Lachlan Cribb et al.
• Intelligence Explosion: Navigating the High-Stakes AI Revolution from Darrow Kirkpatrick
• S&P 500 and Total Stock Market Funds Meet Technical Definition of “Non-diversified” from Jeff Sommer (NYT)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).