The Motley Fool Discussion Boards
Financial Planning / Thrift Savings Plan (TSP)
Subject: TSP Website security | Date: 2/24/2007 7:06 AM
Author: kdewalt | Number: 40 of 83
My wife recently retired from the Navy. We've been contributing to her TSP since they first offered it to active duty folks.
Now that she's retired, I've considered moving her TSP into a traditional IRA. Unfortunately the F-fund has lower fees than the comparable bond ETF AGG that I would be buying.
I say unfortunately because the website security at TSP horrifies me. It is an invitation to hackers for two reasons:
- Your ID is your SSN. Incredibly easy to find.
- Your PIN is a 4 DIGIT NUMBER. In an era where everyone is moving to stronger authentication such as one-time-passwords (E*trade), I cannot believe our government is so irresponsible.
I am not at all surprised to see the following on the login splash screen:
"We were able to identify approximately two dozen participants who had relatively small amounts withdrawn from their accounts and electronically forwarded to fraudulent accounts. Although we are working with the financial companies involved for the return of the funds, the total amount of loss involved is approximately $35,000. All affected participants have been notified.
"We emphasize that the account information for these participants was not improperly obtained from the TSP record keeping system. External penetration testing has demonstrated that our system has not been breached. There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access.
"We have concluded that the personal information was compromised when keyloggers monitored each keystroke made by these participants while they entered their TSP information into their own computer. We are working with the U.S. Secret Service, which has found that such personal information is increasingly available on keylogger lists that are for sale through criminal networks."
WHAT???!!! This is horribly irresponsible of them. IF THEY HAD STRONGER SECURITY YOU WOULDN'T BE ABLE TO GUESS AND REUSE THE PASSWORDS.
This would not happen with my E*trade account.
"The TSP is not responsible for losses resulting from use of a compromised computer."
Can I translate? "You're on your own"
Of course, if they were taking the same measures as corporate America, I could forgive them. They are not.
Fortunately I don't plan on logging into the web site any more. For those of you who are stuck with the system, I would suggest changing your password regularly, using the website sparingly and absolutely only from a computer with upgraded firewall and virus scanning software. Only log in from a computer which you and your family can access. Close all browser windows immediately after concluding your session. If you need to check your account status, do so via the quarterly paper statements.