Cautionary Tale: Staying safe as a DIY Investor

A recent Globe and Mail article featuring a Questrade client who lost $70k from their investment account due to unauthorised access caught my eye. The article is behind a paywall, but I’m a subscriber and can gift you a link if you’re curious[1].

This didn’t seem like a garden-variety incident; the victim seemed reasonably well-educated concerning cyber-security best practices, and the hack may have involved a compromised device. But there are steps we should all take to make it harder to fall victim to an attack.

Use Strong, Unique Passwords[2]

Don’t reuse them. Don’t think that adding a random character to an existing password buys you safety. The best way to avoid reusing passwords is to not know any of them. You do this by using some sort of password manager[3] that can generate long and complex passwords. Even a notebook in a locked cabinet is better than using “password”[4].

Use Two Factor Authentication (2FA)

Most online brokers have some sort of two factor authentication you can enable, but it may not be mandatory. Turn it on. This is a second step added after you enter your password to make sure it’s you, since it’s based on something you have. Most brokers I’ve dealt with use SMS as the second factor, but both Questrade and Wealthsimple offer the use of a separate authenticator app like Google Authenticator, Microsoft Authenticator, or Apple’s Passwords app. I prefer authenticator apps because they work with or without cell phone coverage. And the experts don’t much like SMS as an authentication method because it’s not that difficult for a determined criminal to defeat.

Don’t “trust” devices

While it will considerably speed up the login process to your online broker if you “trust” a given device, I never do this. Trusting a device typically does things like render 2FA unnecessary, which becomes very dangerous indeed if the device itself has somehow become compromised.

Know how to contact your provider over the phone

Store their contact number so you can call them directly if you are at all suspicious of anything. This is far safer than absent-mindedly clicking a link received in an email or text message. And if you do get a call/voicemail from your provider, follow up quickly.

Add a Trusted Contact Person (TCP) to your account

The TCP is someone your provider is authorised to call if they have concerns about your account. I don’t know under what circumstances “concerns” are raised, but having one seems to me a better idea than not having one. A quick primer on TCP here. Your broker will have a process by which they can add a TCP; take advantage of it.

Got other tips for staying safe while investing? Drop me a line!

  1. Just drop a line to comments@moneyengineer.ca.
  2. Or, if supported, use passkeys instead; I don’t know of any Canadian broker using them.
  3. I use Apple’s native Passwords app but in my working life used Bitwarden.
  4. The 4th most common password used, findable by brute force methods in less than a second, per https://nordpass.com/most-common-passwords-list/