
I try to follow account security best practices (strong random passwords, password manager, multi-factor authentication, etc.) but I still find myself worried about potential compromises to my accounts, in particular financial accounts (e.g., banks, investments) or accounts that could lead to financial account access (e.g., email, phone). It got me thinking. For people whose net worth is on the order of $10M or $100M or $1B, what additional precautions should they take? Special arrangements with financial institutions? Payments to security specialist firms to monitor/manage all accounts?

This question is related, but the asker didn't understand basic security precautions so the answers tended to be rather basic. One of the comments points out that some rich people completely disregard their security:

Worked for a guy once, owned a decent sized company (and a bunch of smaller ones), with a personal worth of mid-nine figures, and his password for everything was 'bob'. Three guesses what his first name was.

Which is why I'm asking what should high net worth individuals do to secure their financial account access? I'm assuming there must be something given they're a much larger target than Ye Olde Pleb.

Googling around, it seems that some financial institutions offer RSA SecurID. The obvious risk to that is still a phone call to their support team saying you lost it, but it's something.

Bonus question: How much do those extra security measures cost? I.e., at what point in my Inevitable-Rise-to-be-Richer-than-God do I seek out such precautions?

Logical Fallacy
  • I don't get your problem with 2FA via token (like SecurID). If you tell support you lost it, they'll send you a new token and the new PIN separately to your postal address, so an attacker would have to be able to intercept two separate pieces of snail mail. Also, most investment accounts work with a linked reference checking account (transactions work only to and from the reference account). So the checking account must also be hacked in addition to the investment account for any money to be stolen. – s1lv3r Jul 27 '16 at 21:43
  • Would be nice to have a list of banks with actually decent security features. Not that I'm a millionaire, but I'd love to be able to use anything stronger than a 6-digit password to log into my bank's site. – André Borie Jul 28 '16 at 03:50
  • Are you e.g. imagining Bill Gates has a $1B account in Bank of America? – user541686 Jul 28 '16 at 09:58
  • Regarding financial issues I think you are missing a big detail: banks can and *will* revert fraudulent transfers. Moreover you can always go to a bank in person, tell them that you have a problem (e.g. someone managed to enter your account, stole your credit card and changed passwords etc.) and make them fix everything plus revert all actions in the last x hours/days. You risk more with small losses that may go unnoticed. Then you have the fact that an attacker may simply want to know how much money you have, how you are using it etc. – Bakuriu Jul 28 '16 at 12:46
  • Most people are richer than God. God doesn't need money. (I know "need" and "have" are different, but...) And the answer to your bonus question: As soon as possible (in theory at least.) – wizzwizz4 Jul 29 '16 at 19:51
  • @Mehrdad: Dear Mr. Gates, With our new high interest rate of 0.000003%, you have earned $2.12 on your account last quarter. Congratulations! Would you like us to reinvest that money? Sincerely, BoA. – Ralph Aug 03 '16 at 12:23

9 Answers

The best security measure is quite simple. Don't use accounts that allow your money to be easily stolen via the Internet. Happily, high-net-worth individuals have used systems like this since before the Internet was a thing, and are in fact particularly likely to choose them regardless. While banks certainly aren't perfect at protecting money from theft, historically, they do a massively better job of it than the individuals who have money to protect, high-net-worth or otherwise.

First of all, when you're a billionaire, your money is not in a checking account. Most of it, in fact, isn't liquid at all. It's ownership of corporations, real estate, things that are difficult if not impossible to steal in any but the most convoluted ways.

For the assets that are somewhat liquid, the vast majority of them are still going to be investments. And they're not going to be in an E-Trade account with a web login. They're going to be held by an investment bank that caters specifically to high-net-worth individuals, managed by private bankers whose job it is to know what's in your portfolio and how it's performing at all times. It simply isn't accessible to outside threat actors.

Xander (edited by Benoit Esnard)
  • I guess it's only the first few hundred K at risk...:) – Neil McGuigan Jul 28 '16 at 04:42
  • What accounts allow money to be "easily stolen via the Internet"? How is it stolen (international wire, cash withdrawal at an ATM...)? I think you're on point that people don't leave millions of dollars in a DDA, but I'm not convinced that doing so is a security risk. – thunderblaster Jul 28 '16 at 15:54
  • @thunderblaster The types of accounts that allow money to be transferred out through the use of a web portal with user credentials as the only safeguard. Anything that might be vulnerable if your machine is infected with a banking trojan, in other words. Examples would be the sort of account management tools you see used to plunder small businesses in the U.S. regularly, or online brokerage accounts. While not a large risk, avoiding these platforms and using more traditional offline banking eliminates them entirely. – Xander Jul 28 '16 at 16:04
  • "Transferred" - do you mean ACH? Wire? Most web portals for checking accounts I'm familiar with do not allow consumers to initiate either of those transactions, unless it's to a bill pay vendor (which the bank has the account information for; the consumer is not able to enter it.) Typically for brokerage accounts (for ACH), they make two deposits under $1 to verify ownership, which takes a while. Also, ACH is rather reversible and doesn't leave the consumer out the money. – thunderblaster Jul 28 '16 at 16:08
  • @thunderblaster Yes. Consumer accounts do in fact in many cases allow for such transactions. My very large bank, for instance, allows me to initiate wire transactions via the web. There are other, more interesting attacks against brokerage accounts. One that was repeatedly used a decade or so ago was to leverage stolen brokerage accounts for pump-and-dumps. – Xander Jul 28 '16 at 16:20
  • In the UK for business banking with my 2FA setup I can initiate and immediately transfer a reasonably large amount of money. Corporate banking systems are even higher. Criminals have adapted to try and compromise these systems precisely because they do allow for relatively large fast transfers to overseas locations (e.g. via SWIFT) – Rory McCune Jul 28 '16 at 19:52

I have a less technical answer but it does play a big role in how they protect themselves. Working at a bank I noticed a trend among our wealthier customers. The trick to protecting their wealth was dividing it up and investing it.

A typical setup for an account of, say, several million dollars worked like this.

  • For starters they likely had multiple banks. This would let them have multiple accounts under their name and completely isolate assets from each other. In some cases they would use both banks the same, or bank 1 would be their spending bank and bank 2 would be their savings and investment bank. If full account access was breached with one bank the other bank would likely still be safe. And since some banks also only insure up to a certain amount, this helps get around this limitation.
  • With the occasional exception of a checking account, the customer would always opt out of online banking. So if transactions were to take place between accounts they would need to deal directly with the bank.
  • Most banks have some sort of hard block on transfer limits. If the transfer is over a certain amount you even have to do extra work to appease the IRS. So while someone might be able to steal $1-2k there is no way they can digitally steal more short of hacking the bank or social engineering real employees at the bank.
  • Then they would have a slightly modest checking account. Possibly two per bank. In there they would have anywhere from $10,000 - $50,000. If they had a debit card or check book it would only link to a single account. It wouldn't link to multiple and it definitely wouldn't be linked to their savings accounts. If your card accesses the bulk of your wealth then it is much easier to take more from you.
  • Then they would have savings accounts that total around $100,000 to $200,000. While this may seem high, keep in mind they are multi-millionaires. Sometimes, especially if they were more frugal, they would have $10,000 - $50,000 in total among savings accounts. I made mention of multiple savings accounts. You might be wondering what the point is if they can do a single account. This actually enhances security. These funds can only be moved by working directly with the bank. They would need to know the account numbers and two additional security questions of every account they wish to access.
  • The last step and most important step is investing in CDs, IRAs or some other form of investment with their bank. Very rarely does a customer need a million or so dollars instantly. This makes the money harder to take out and it also makes them money. If they are buying a 2 or 10 million dollar mansion they could literally have only 5-10% in checking/savings but still be approved for a loan due to the investments. So investing unused funds is usually a no-brainer.
  • Additionally they might have a trust fund set up. It could be a charitable remainder unitrust where funds could pay out to a charity as the beneficiary. This could give the customer a considerable tax deduction. Or it could be a living trust or marital trust to help one or more beneficiaries in the event of the customer's death.
  • Any more money is likely, as Xander explained, not in direct liquid assets. It might be in a company in their name, investments outside the bank, stocks and shares, material items, etc. Large amounts of unused money are just as bad as wasted money if you don't need it.
  • Most millionaires have financial advisors. Most of the above I explained is not always a result of the customer's thinking but acting on the advice of their advisor. As a result the above actions are not only a pretty common trend but they have someone focused solely on protecting and maximizing their assets for them.

While this might not cover the technical aspects you wished to read, these steps are paramount in protecting their money.

Bacon Brad
  • I think this is a great answer. Additionally I would say that the reasoning for the multiple accounts at ~$200,000 is to stay within the FDIC insurance policy. – random_answer_guy Jul 28 '16 at 19:41
  • @random_answer_guy Actually, [the FDIC limit is $250,000 per **depositor** per bank](https://www.fdic.gov/deposit/deposits/faq.html), not per account, so having a whole bunch of different accounts at a bank won't help you with that limit. The purpose of having that money in savings account(s) rather than checking accounts is as an additional barrier against unauthorized use (money in a savings account generally cannot be directly spent, but would need to be transferred into a checking account first, making it easier to monitor for and prevent fraud/theft). – HopelessN00b Jul 30 '16 at 02:38

Step Zero: Talk to your banker and ask to speak to the security department and ask for their advice. They may have special programs for you.

Use a dedicated computer for financial transactions

This protects you from malware caught from visiting unsavoury sites.

Buy a new laptop (preferably a Mac, because they're nice, and you're rich). Buy a safe if you don't have one. Keep the laptop, mouse and power supply in the safe.

Use this machine only for financial transactions, and don't do financial transactions on other machines.

Have a trusted expert set your firewall to only allow sites you use for finances. Have them block these sites on your regular computer.

Uninstall Java and Flash, and disable JavaScript if your banking sites don't require it.

While you're at it, use an anti-phishing DNS service.

Dedicated Email with U2F keys

Your email is the last stand for password resets and account change notifications. You need to protect it.

Have a dedicated email address for your financial transactions, and watch that account closely. Use Gmail and use the Chrome browser. Buy two Yubikeys. Set up both with Google Accounts, and then put one in a safe-deposit box. Don't keep these in the safe :)

ACH

If you need ACH on some accounts, have an "incoming", "outgoing" and "real" account. Only give the incoming account to people that are going to pay you, then move the money to the real account after receipt. Same for outgoing.

Oddly enough, if you give someone any ACH access, they have in/out privileges on that account.

Neil McGuigan
  • "Oddly enough, if you give someone any ACH access, they have in/out privileges on that account." While generally true for consumer accounts, it's worth noting that this is generally *not* the case for commercial accounts. If the OP were to set up a business account, they could take advantage of ACH debit filters and ACH positive pay. – thunderblaster Jul 28 '16 at 00:57
  • The belief that Apple's computers are more safe and virus-free is what is making the users of those machines more vulnerable to attacks. A Mac won't protect you from a malicious redirect or a MITM attack. – T. Sar Jul 28 '16 at 12:49
  • @ThalesPereira: Agreed. [Relevant xkcd](https://xkcd.com/934/) – thunderblaster Jul 28 '16 at 13:17
  • *"Have a dedicated email address for your financial transactions"* Wait... *what?* Eight-to-ten-digit dollar wealth, and *e-mail* even remotely related to your financial transactions?! Using a dedicated computer (**iff done right**) is a cheap protection against some relevant threats, but **e-mail should *never* be trusted for anything sensitive.** I don't care how many layers of authentication you pile on top of it to log in to your webmail provider; Internet/SMTP ***e-mail is inherently insecure.*** In a banking context, the most that e-mail should be used for is *general notifications*. – user Jul 28 '16 at 14:28
  • (And when I say *general notifications*, I mean something like a message saying "you have received a notice in our online banking; log in to online banking to read it", with *no links*. Never train users that e-mailed anything is safe for banking purposes.) – user Jul 28 '16 at 14:31
  • @MichaelKjörling every bank I've ever used uses email for notifications. How would you avoid this? – Neil McGuigan Jul 28 '16 at 18:25
  • @NeilMcGuigan You would avoid it exactly as I said in my follow-up comment (posted that way because I ran out of comment space): send a nondescript e-mail telling the customer that they need to log in to online banking to review a message, and (to reduce user training for phishing) don't include any convenience links in that e-mail. That way, the most any eavesdropper can readily figure out is that there was *some* kind of account activity. – user Jul 28 '16 at 18:29
  • @MichaelKjörling sure that's what a *bank* should do, but we're talking about the customer's point of view here – Neil McGuigan Jul 28 '16 at 19:51
  • @ThalesPereira Mac is the most user-friendly system that lets you run the excellent pf firewall, so ya, it is better – Neil McGuigan Jul 31 '16 at 03:43

Delegate

As with most things, if a "high net worth individual" wants to have something done well, the appropriate solution is to have someone else do that for them. They can do that properly and worry about all the things that need worrying, so you don't have to - and all that for a (not so) modest fee that you can easily afford.

For direct examples from other posts:

"Check the balance often" - yes, your financial manager/accountant/etc should do that.

"Use a dedicated computer for financial transactions" - yes, your financial manager/accountant/etc should do that. Why would you be handling the details of entering transactions?

"Enable all alerting" - it's called a private banking advisor in your bank. They will receive those alerts and handle them according to your wishes, know when to call you and when not to call you.

"Use 2FA" - your accountant will use 2FA when handling your bills, you on the other hand will be personally known and identified by your private banking advisor or however each of your banks (you will use multiple) will call them. There will be proper ID procedures, but it's not like you'll ever need to use a mobile or internet banking app unless you really want to - for big deals, they'll come to you in person; for small deals you just call the banker and tell them what needs to be done. If new agreements are needed, your attorney will handle them.

Do note that much of your finances will technically be "not your" finances as an individual but finances of various legal entities - businesses, shell companies, companies as vessels for real estate or other investments, trust funds, etc.

Peteris

Disclaimer: This answer refers to banks in the US only

Consumer online banking is not really a security risk.

Let's look at how you can move money out of your account:

  • Bill Pay: It's an obvious choice if they have access to the online banking, really. Unfortunately, trying to pay an individual through Bill Pay results in a paper check getting mailed to a US mailing address. The check can have a stop payment placed in transit or be returned after the fact. In any case, bill payment checks created through online banking are a Reg E covered transaction, so the consumer's liability is limited to $50 (as long as it's reported within a few months of the transaction.)

  • P2P: Hey, bad guys are smart. Who has time to wait for the mail? P2P transactions are easily accessed online and are sent via ACH. Unfortunately, they're not going to send an IAT, so the bad guy is going to have to provide a legit routing number and account number, which makes the whole thing pretty traceable. Oh yeah, also covered by Reg E, also liability limited to $50.

  • Internal transfer: The other thing you can do in online banking. The bad guy could transfer between your checking and savings accounts all day. But that doesn't help him get the money.

  • Check: If they're in your online banking, they probably have your account number. Routing numbers are public information, so they can forge a check. They need to negotiate it, which likely means cashing it at a branch where there are cameras, or depositing it into their account, creating a trail to themselves. Either way requires some cojones. This isn't covered by Reg E as it's not electronic, and the Office of the Comptroller of the Currency says the consumer could sometimes be liable for this. However, every person you pay by check has your account number (as well as your signature!), so online banking doesn't increase this risk much.

  • Debit card: A classic, really. Get the PAN and expiration, create a plastic and go wild. Unfortunately, you won't find card numbers in online banking. Also unfortunately, our friend Reg E comes into play and the consumer is only liable for up to $50 ($0 if it's a MasterCard or Visa branded card, which most are.)

  • Wire transfer: Ha! Log into your consumer online banking. Try to do a wire. I'll wait... Yeah, not gonna happen.

  • Cash withdrawal: Maybe this guy has real cojones. He's got a name and account number, so why not forge an ID and take money from a teller? He's running the risk that you're a regular at the branch and tellers know you, also he's got his face on camera again. Don't forget, if he's withdrawing more than $10,000.00, the bank is filing a CTR and will likely look into the transaction more heavily. In this case, I'm honestly not sure where the liability lies, but this is also just as much a risk without online banking and just writing checks as it is with online banking.

Moral of the story:

You should worry about your money, especially if you have a lot. And I'm not saying you should just give out your password. But the reason American banks are relatively lax on online banking access is because it's not as big of a concern as the 5 o'clock news makes it out to be. Most fraud is stealing card numbers from merchants, corporate account takeover leading to wires (likely out of the country), or issuing consumers bad checks and telling them to wire funds. Online banking hacking just doesn't get those results for the criminals. Your time is better spent worrying about other risks.

thunderblaster
  • While interesting, this doesn't actually answer the question, and some pieces of information (like the point that you can't do wire transfers in consumer online banking) are simply wrong. – Xander Jul 28 '16 at 16:27

Keeping strictly to the technical aspects of your question and not focusing on the investment risks the simplest advice is do not keep everything in one account and maximize the security options offered to you.

There are several reasons for this (they are unlikely to be attacked at the same time and the institutions are unlikely to have all the same vulnerabilities at the same time).

Consider trying to pursue a strategy of not having more money in a given account than an individual institution, or FDIC like organization, is willing to insure. This reduces your loss exposure.

Work with an attorney. Understanding how courts handle cases involving banks losing money in your area due to cybercrime is interesting. Depending on the type of loss financial institutions and insurance companies sometimes don't pay for losses due to clients having bad password choices. Not maximizing security options given to you by a financial institution is a choice given to you which may make it very hard for you to sue a bank for your losses. The bank can simply say they offered you something like two-factor authentication and you didn't use it so it's not their fault. Don't ever allow yourself to be in this position. Always maximize the security controls offered to you.

Ideally you want to only use services which offer two-factor authentication via an authenticator (not simply delivering the multi-factor authentication token via SMS). Obviously using a long unique password helps too. For a list of banks using two-factor authentication you can visit this website; keep in mind that many banks, credit unions, and financial services not yet on this list do provide these services.

If you can minimize the number of transactions on all of your accounts other than the primary one it makes it easier for the banks/institutions to monitor these additional accounts for fraud.

Read, or have an attorney read, the terms and conditions of your accounts, and most importantly know that using a mobile banking application may completely change the terms of your agreement; in some cases use of these products may void some or all of your insurance coverage for assets held in these accounts.

Some organizations can work with you to either not allow wire transfers or not allow International wire transfers.

Enable all alerting that the bank allows for movement of money.

Use a dedicated computer for banking if possible, and never do web surfing from this system. Secure this system as much as possible if it's an option.

Finally, check the balance often. Don't allow too much time to pass if something gets taken.

Trey Blalock
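The answer above prefers an authenticator app over SMS delivery. The reason is visible in how such a code is produced: it is derived from a shared secret and the current time, with nothing sent over the phone network. The following is an added example, not code from the original answer or from any bank; it is a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with a verifier that tolerates one time step of clock skew in either direction. The secret is the test-vector seed from RFC 6238 Appendix B; the step size, digit count and skew window are the usual defaults and are assumptions here, not something the answer specifies.

```python
"""HOTP / TOTP generation and verification (added example, standard library only).

The one-time code is a truncated HMAC over a counter; for TOTP the counter is
the number of 30-second steps since the Unix epoch. The phone never receives
anything: it computes the same value from the same secret and clock.
"""
import hashlib
import hmac
import struct
import time

# Test-vector seed from RFC 4226 / RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, unix_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1,
                digestmod=hashlib.sha1):
    """Accept the code for the current step and up to `window` steps either side
    (clock skew between server and phone), comparing in constant time.
    A real deployment must also refuse to accept the same code twice."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits, digestmod)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Matches the RFC 6238 Appendix B table row for T = 59 with SHA-1, 8 digits.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
```

The verifier's skew window is the part worth thinking about: a window of 1 means a code stays valid for up to 90 seconds, which is the trade-off every bank makes between phone clocks drifting and an intercepted code being replayable. Tightening it is fine only if the client clocks are reliably synchronised.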

It's been hinted at in other answers, but honestly the best way to preserve large sums of money is to invest it in real estate.

  • Nobody is going to steal it out from under you. Buying and selling land is a very intensive process and there is nothing remotely close to an E-Trade for property.

  • You can rent out your property and get a return from it. If you don't want to manage the property yourself, there are many many rental companies that would be happy to manage your property in return for a management fee. That way you can make a profit and pay for:

  • Insurance. If someone burns down your property or there's some other kind of freak accident, insurance can cover you.

  • It's (relatively) easy to hide your ownership behind shell corporations. There is a reason that property in luxury markets like Vancouver and Miami is red-hot, and that's largely driven by wealthy individuals from confiscatory countries like Russia and China who want a safe space to store their money where it can't be touched.

  • Storage. If you're the paranoid type (as we all should be) you can store valuables at some of your more inconspicuous properties. The more you have, the more you can diversify. So if you're a Ron Swanson type, you could have a safe in a basement at one location, a hole in the woods by a cabin you own, and even an offshore, underwater storage container a few miles out from an ocean home (or just do the same with an inconspicuous lakehouse in nowheresville, Minnesota).

  • Fewer eggs in one basket. Even if something catastrophic were to occur at a property, like being confiscated by the government, or you get framed for insurance fraud, you still have other properties to fall back on and sell if times get really dire. Even $1 billion dollars in a single company's stock could be worthless if something shocks the stock market.

Good answers here overall, but it's worth my two cents to make the case to buy real estate. Nobody is gonna hack your house away. And even if they literally do, that's what insurance is for.

rm -rf slash

For people with a lot of assets the key is diversity. "Don't put all your eggs in one basket."

  • Land holds its value very well compared to inflation. Although in many places you have to pay property tax, it is also possible to lease the land and earn rent to turn somewhat of a profit on it.
  • Diamonds, other gems, valuable artwork, precious metals (gold, silver) and other collectibles are more volatile but overall tend to keep their value versus inflation. The problem is keeping them from being stolen.
  • Other real property such as houses, etc. will keep their value as long as they are well maintained. The maintenance is a cost but if you also live there or stay there on vacation it's not such a big deal.
  • Stable stocks and bonds will earn certain returns and can be sold without much delay, and should maintain their value versus inflation if correctly chosen.
  • Treasury bonds from governments are an option. Depending on the governments' need for cash and their credit rating, the promised rate of return may or may not exceed inflation.
  • And lastly, having some amount of liquid cash on hand is important at any level of wealth.

These types of assets and more offer varying levels of liquidity, but most of them should approximately keep their value as compared to inflation in a stable country. Some are harder to steal than others.

wberry

Since you're asking I'll assume you're already better off than Bob, but maybe you'd like to help Bob get better. Let's assume you're working with Bob to improve his security:

  • Set Bob up with a password manager so it's easy not to re-use passwords
  • Lock the password manager with a non-trivial password. (Have a ten-minute chat, come up with some ideas, and make sure he understands why: no dictionary words or names, certainly not ones anyone can guess just by knowing him.)
  • Turn off autofill in said password manager (a malicious site can query the password manager and dump all passwords).
  • Set up 2FA at the financial institution
  • Set up a dedicated email account for financial business (with 2FA enabled)
  • Protect the computer against malware (buy Bob a Chromebook? Otherwise turn on automatic updates on his Mac. Bob sounds like he doesn't take security seriously enough to safely use a Windows machine)
  • Ask your financial institution to implement login abuse protection/monitoring to alert and block if anyone is using password dumps from other sites or attempting to guess login info for specific users on their site.

You might also work through the 2fa reset process to test security protocol. Call the financial institution claiming to be Bob and say you've lost your token. Prepare a list of publicly available verification info and don't provide anything else. Be nice but dumb. See how far you get. If anyone's willing to disable or reset 2fa simply because you call and say you lost your fob, escalate and get that person more security training. (And then hand off the verification project to said manager and give a deadline for completion.)

You'd be surprised how often people fall for stupid social hacks. A spoofed email requesting a transfer, a phone call purporting to be from the account holder.

jorfus
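The last bullet of the answer above asks the institution for login-abuse monitoring that catches both replayed password dumps and targeted guessing. As an added example (not from the original answer or from any bank's system), the following runs that detection over a constructed authentication log. Two patterns are flagged: one source address failing against many distinct usernames inside a short window, which is what a leaked credential list being replayed looks like, and many failures against one username from any source, which is guessing. The log format, the thresholds and the five-minute sliding window are assumptions chosen for the example.

```python
"""Login-abuse detection over auth-log lines (added example, constructed data).

Flags:
  * credential stuffing: one IP fails against more than MAX_USERS_PER_IP distinct
    usernames within WINDOW (a password dump being replayed);
  * password guessing: more than MAX_FAILS_PER_USER failures against a single
    username within WINDOW, regardless of source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2016-07-28T10:00:01Z ip=203.0.113.5 user=alice result=fail
2016-07-28T10:00:02Z ip=203.0.113.5 user=bob result=fail
2016-07-28T10:00:03Z ip=203.0.113.5 user=carol result=fail
2016-07-28T10:00:04Z ip=203.0.113.5 user=dave result=fail
2016-07-28T10:00:05Z ip=203.0.113.5 user=erin result=ok
2016-07-28T10:01:00Z ip=198.51.100.7 user=bob result=fail
2016-07-28T10:01:10Z ip=198.51.100.8 user=bob result=fail
2016-07-28T10:01:20Z ip=198.51.100.9 user=bob result=fail
2016-07-28T10:01:30Z ip=198.51.100.10 user=bob result=fail
2016-07-28T10:01:40Z ip=198.51.100.11 user=bob result=fail
2016-07-28T10:05:00Z ip=192.0.2.44 user=alice result=ok
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_USERS_PER_IP = 3            # assumed threshold: >3 distinct users failing from one IP
MAX_FAILS_PER_USER = 4          # assumed threshold: >4 failures against one user


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_abuse(records, window=WINDOW, max_users_per_ip=MAX_USERS_PER_IP,
                 max_fails_per_user=MAX_FAILS_PER_USER):
    """Return alerts as (kind, subject, count), in the order they fire.

    Only failures feed the counters: the successful 'erin' login from the
    stuffing source is deliberately not counted, a real pipeline would want
    to review it, because a hit inside a stuffing run is the attacker's goal.
    """
    alerts = []
    fails_by_ip = defaultdict(list)    # ip   -> [(ts, user), ...] within window
    fails_by_user = defaultdict(list)  # user -> [ts, ...] within window
    flagged_ips, flagged_users = set(), set()

    for r in sorted(records, key=lambda r: r["ts"]):
        if r["result"] != "fail":
            continue
        ip, user, ts = r["ip"], r["user"], r["ts"]

        # Sliding window: discard entries older than `window` before counting.
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
        fails_by_ip[ip].append((ts, user))
        distinct_users = {u for _, u in fails_by_ip[ip]}
        if len(distinct_users) > max_users_per_ip and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("credential_stuffing", ip, len(distinct_users)))

        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window]
        fails_by_user[user].append(ts)
        if len(fails_by_user[user]) > max_fails_per_user and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("password_guessing", user, len(fails_by_user[user])))

    return alerts


def block_list(alerts):
    """Sources to block and accounts to lock, derived from the alerts."""
    ips = {subject for kind, subject, _ in alerts if kind == "credential_stuffing"}
    users = {subject for kind, subject, _ in alerts if kind == "password_guessing"}
    return ips, users


if __name__ == "__main__":
    for alert in detect_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

Note the split between the two counters: the guessing alert on `bob` fires even though every attempt came from a different address, which is the case per-IP rate limiting alone misses, while the stuffing alert fires on a source that never failed the same user twice, which is the case per-user lockout alone misses. Per-user lockout also hands an attacker a denial-of-service lever against the account holder, so blocking the source is usually the preferred response to the first pattern.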