Speech-to-text transcription can look a little quirky. Please excuse any grammar or spelling errors.
Episode #547 - Steps To Secure Your Personal Information
Roger: The show is a proud member of the Retirement Podcast Network.
Welcome to the show that is dedicated to helping you not just survive retirement, but to have the confidence because you're doing the work to really lean in and rock it. My name is Roger Whitney. By day, I'm a practicing retirement planner with over 30 years’ experience, founder of Agile Retirement Management, and for the last 10 years or so, we've hung out and noodled on how do you actually do this thing called retirement planning? So, you can go off and create a great life with confidence.
A lot of things are going on today. We have open enrollment in the Rock Retirement Club. We'll talk about that in a minute.
Today on the show, we have one of my favorite people in the world, Tanya Nichols on to help answer some of your questions so you can take a baby step towards rocking retirement.
In addition to that, after we talk with Tanya, we're going to have a cybersecurity expert who works from a major financial institution on to help walk through what proactive steps you and I can take to better protect our identity.
We put these into layer one table stakes, layer two, moderate steps and layer three more advanced steps. This came from something I mentioned about a month ago, where I've received a letter from AT&T informing me that my information might've been compromised and I've been taking some steps. A lot of listeners shared suggestions. We'll share those on another show, but I wanted to go right to an expert that thinks about this is in the battlefield of the cyber war and protecting our identity. So, we're going to have a great discussion. It's going to be a little bit longer show.
One last thing before we get to Tanya and the questions. Yesterday, we opened up enrollment for the Rock Retirement Club. You can learn more about that at rockretirementclub.com. I invite you to join us and get everything you need to get the tools, the community, and the coaching to build your retirement plan of record and confirm or help you improve the plan that you already have in a safe place where you can get world class education and coaching with no sales pitch. The only revenue from the club comes from the dues that members pay. It's a fantastic community of over a thousand, and we would love you to join us so you can begin that journey in rocking retirement. You can check that out at rockretirementclub.com. I think we have open enrollment until July 18th, when we'll begin bringing in the cohort of new members and focusing on a sprint of 30 days to get to a feasible plan so you can build that plan of record. Learn more about that at rockretirementclub.com.
With that let's get chatting with Tanya to answer your questions.
LISTENER QUESTIONS
All right, it's time to answer some of your questions and we're here with the magnificent Tanya Nichols from Align Financial.
Tanya, how are you?
Tanya: Hey, Roger, happy to be here.
Roger: It's been a while. I can tell you're hardcore today. You're wearing your camo to answer some questions. What's going on at Align Financial?
Tanya: Busy around here. We're growing, just brought in a new team member that we're really excited about, and Saturday's my birthday. So, I'm looking ahead at an exciting year.
Roger: You're in the best decade, I think, so far. Well, I'm in my 50s, so I better say the 50s are, but the 40s were really good. You feel like you finally have your sea legs in the 40s.
Tanya: Yeah, I've got one driver and then another driver in a few months. I feel like my schedule is opening up at home. It's just a really, it is an exciting time. I agree.
Roger: Awesome.
Tanya: You're in Colorado, enjoying yourself and your new place.
Roger: I am. One of the top five decisions I've ever made in hindsight.
Tanya: Well done.
Roger: Yeah, we feel very at peace with it, and I want to thank everybody. You sent me a note too, but I want to thank everyone. I got so many notes from that discussion, just of encouragement of being able to relate to it, et cetera, and some of the vulnerability.
So, I appreciate that. I just want to thank everybody because it's hard to get back to everybody when I get a lot of emails. So, I just want to say that.
Well, let's answer some questions. If you have a question for the show, you can go to askroger.me and type in your question, leave an audio question or just say hi.
ARE SMAs THE RIGHT CHOICE FOR TAX STRATEGIES?
All right. Our first question, Tanya comes from Julie. I like this question.
"Hey, love you guys. I'm 52 husband is the same age. We have about 2 million in assets."
She gives us a breakdown of that. Retirement goal is age 54. Husband retirement goal is 56. And she gave some monthly expenses and some details. But here's her main question.
"Met with a fiduciary and said we're on track with our retirement goals as long as we are dynamic and flexible, but we need to save more liquid in the next years before 59 and a half."
Okay. That makes sense.
"Need to increase brokerage, which we plan to do. He mentioned now is a time to consider SMAs, liquidate the brokerage, take a tax and move out. Mixed reviews on SMAs and not sure whether a half to 1 percent fee is worth it. Knowing we are on track but need funding for the gap years before 59 point half. Do SMAs feel right for tax gain harvesting strategy? We plan to fund the gap years with it.
Anything else you would need, just let me know.
Thank you."
Okay, so let's define what SMAs are. So, you want to define that, Tanya? You want me to?
Tanya: Go for it.
Roger: SMAs are separately managed accounts, and these have been around, they came into popularity in brokerage firms in the mid late 90s. The logic, the sell, back at the time was that you get access to institutional managers rather than have a fund with a portfolio behind it. You actually get to own all the individual positions and so you can instruct the manager to harvest losses, hold on to particular positions, et cetera. The idea was to have a lot more flexibility, especially around the tax end and then this allure of access to managers that you wouldn't be able to access anyway.
So, imagine you have the S&P 500 index fund and you see one position and then an SMA would be you own, let's say the S&P 500, but you see all the positions and you see all the trading that happens because you own the individual positions. That's what a separately managed account is.
Julie's wanting to know, does this make sense to do? I have my thoughts, but how would you think about this decision with Julie, Tanya?
Tanya: As I looked through her situation, I thought about her points about that she understands she's short on those gap years, I think that that seems to me to be the biggest kind of focus.
When I thought about whether the SMAs would make a difference, it seemed like one of those optimization types of pieces of the puzzle. Like, is that really where the focus should be on whether you're in an SMA versus a mutual fund versus the stocks or investments that you have today? It seemed like it might make sense to zoom out a little further, in my opinion.
What was your first instinct?
Roger: Yeah, this is definitely a tactical question, and looking, she has like 150 in brokerage account and index, she said. Most of our monies are in traditional IRAs. I would say you need a lot better case to do SMAs. I think separately managed accounts are bling from an advisor standpoint that we can sell this exclusivity and this ability to tax loss harvest. I think a lot of that's oversold and not really done in my experience. When you buy a separately managed account, there's a lot of friction that comes with it. Meaning your statement might go from 10 pages to 110 pages because you're going to see all the positions. You're going to see all the transactions happening at tax time. You're going to have all the different buys and sells on your tax form. There's got to be a lot of benefit.
I would say this doesn't make any sense at all to me. It sounds like bling. It's not going to improve your feasibility or resilience to retire. It likely will just simply complicate the journey rather than focusing on, I think, Tanya, the things that you said, right? Building up for those gap years.
Tanya: If you're going to pay, a fee of sorts at this stage, when you're talking about an earlier kind of retirement before some of those key ages, I think if you're going to, if you're open to paying the fee, I think looking at a retirement planner, who's really focused in on that area might be more beneficial, like a better bang for your buck in that instance. I also think her window is really short, so she pays the taxes right now to convert to this thing that maybe the investment strategy is really cool or better than what she has, but as soon as her husband retires, they're going to be spending all of that. So, 150 in brokerage now, plus the, she talked about adding about 90 grand a year, and she needs about 10 grand a month, that's 120 grand a year, and he's only going to be 56. So, you know, you're paying the tax up front to then just liquidate it. It's just a really short window.
Roger: We need to build up the pie cake.
Tanya: Yes. You need to build up the liquidity.
Roger: So, Julie, we can't give you advice, but we don't think you should do it.
How's that? With all the disclaimers based on the facts that you gave us, we're not helpful. You need a planner, not somebody who wants to bring up your portfolio.
ON DRAWING DOWN AN HSA
All right. Our next question, they probably have submitted the most questions in the history of the podcast.
Did you know that, Tanya? This next question.
Tanya: I did not.
Roger: Yes.
Anonymous wonders about drawing down a health savings account. This is a really good question because we think about one, a lot of people don't even invest in their health. They don't have a plan for the health savings account, and then we have plans for people that treat them like Roth. A lot of people don't think about the withdrawal strategy with an HSA.
"So, Roger, I have an HSA of about 60,000. I've never taken a distribution from it. Instead, paying my medical expenses on a pay as you go."
I hope you're keeping track of all of those expenses so you can use those for reimbursement. By the way, anonymous.
"I am retired and no longer making contributions. My wife is the primary beneficiary of the account who would enjoy the same HSA benefits upon my passing. However, given the highly unfavorable tax treatment for HSAs inherited by a non-spouse, which they are very unfavorable, I am considering using the account for medical expense reimbursements going forward rather than contributing to let it ride.
I have not seen any guidance about this methodology for an optimal way to decumulate a health savings account. What are your thoughts?"
Have you given any thought to this, Tanya?
Tanya: They're kind of like Roths where they're not, they're just not that old. So we're getting to the point where now we have clients who are entering distribution phases with maybe larger balances than what might've historically been true.
In the state of Minnesota where I'm located, a lot of the state employees do have fairly sizable health savings accounts. I guess my strategy, and I don't know if this is a really technical strategy, anonymous, but I kind of love the idea of using it for something that matters to you. So, I have a client that's using her HSA to invest in her health and so for her, it's a bucket to pay for the chiropractor or the, like, glasses or hearing aids. She's actually using it to pay for a personal trainer. Which apparently you just need a letter of medical necessity to make it eligible for personal trainer.
So I think to me, I like using the HSA as a strategy to decide, okay, what should this bucket of money fund, and then use it for that throughout your lifetime.
Roger: I really like that strategy. I hadn't thought of that Tanya, in the context of this question. Even if you can't get the medical necessity, if you have past expenses that you have the documentation for, you could still use those to justify the withdrawal and use it on the enhanced health care like, you talked about chiropractor, which I need to see one today, maybe. I like that idea a lot.
I think another way that you can approach this, in addition to Tanya's is when you're building out your withdrawal strategies, you might be able to use your HSA to help get you over the line in terms of making sure you're under IRMAA or social security taxation and help from a withdrawal strategy standpoint to maybe preserve some other assets somewhere else because it comes out in this tax free nature.
This is money that you should use, right. It's good that you can use it as a bucket for a health care shock, which is probably how we have thought about it. But you're right. As we get older, going to the spouse, it really is a good the transition is easy, but going to a non-spouse will accelerate a lot of taxation on things.
So, I like both of these strategies.
HOW TO GET UNBIASED FINANCIAL INFORMATION
Alright, our next question, I think it's a funny one.
Okay, I'm going to try to summarize this. I am blown away, Tanya, by the depth of questions we get. There's a lot of detail. I don't know if they're typing all of these.
Tanya: You have some smart listeners.
Roger: "I found your podcast a few months ago and have been binge listening."
Oh, Diana. Okay, we're friends now.
"Although I'm in finance myself, I've learned so much from you about investing, RMDs, etc. I am 60 and my husband is 59 and we plan to retire in May 2025. My question is about getting unbiased financial advice."
She gives us some of her information.
"When we retire, we'll have another set of money coming in. Our Merrill Lynch advisor charges us 1 percent of assets and says that once we go over 1,000,000, that could be reduced to 0.8%. So, we're talking about 10 grand right now. Right? But no lower than that. Ever. Our advisor's technically a fiduciary and does give us projections for our future, including cash flow, RMD tax implications.
Also, I feel a conflict of interest because if we move the 2.3 million to Merrill, it would greatly increase his paycheck and I don't know that we're getting any more value from him. Is there someplace else we can put our tax deferred assets that won't cost us 80 basis points every year? How do we find an advisor that is incentivized to help us whether or not they get our funds?
I signed up for the Rock Retirement Club in July and I'm looking forward to that and using your worksheets to create a plan.
Really love the podcast."
Diana, really good question. We work a little bit differently, Tanya, so I'm interested in your perspective and then I'll share mine.
Tanya: I think that I'm thrilled Diana's joining the club because I think she's going to get a ton of really helpful resources, and not just resources, but like people who have thought through this decision. Everyone that might share her perspective or have different perspectives on why they did or did not hire maybe a onetime retirement planner to take a look at things and to give them advice and kind of send them on their way or why somebody might have chosen to remain with a financial advisor that charges AUM. Let's call them a retirement planner because I think that's what more people are looking for at this point or thirdly decided that they had the tools they needed to create the confidence that they need to create the confidence on the DIY sort of planning. I think that Diana will be able to get that in the club for sure.
Roger: For sure.
I think Diana, you hit on a point is how they're paid and how much they're paid is somewhat a function of cost, but also value. Running projections, this is my experience. So, I'm not saying this about your advisor, the vast majority of advisors that I get feedback from other individuals in the club and on the podcast are very good at the high level planning, the projections talking about tax treatment, et cetera.
But when you start to get out down into the details of how exactly things work, things usually get a little less clear. We, in our practice, recently switched to charging an annual retainer, and we still have clients that pay AUM, but we're moving in that direction. But all of the value that we promised or tried to deliver is our standard of care, which you're going to find in the Rock Retirement Club.
It basically teaches you exactly how we do it. So, there are planners like me and others that charge just a flat annual retainer. There are planners that do flat fee planning, they'll just put it all together for you, and then you can go off and deal with it yourself. But the issue that you're facing is the issue with the model in that he's doing all this stuff for me, so if I triple his compensation, am I getting that much more value from the interaction if he's doing just all the same things that he's done anyway?
That's a hard one to justify. Generally, it's justified in, well, we do this portfolio management, we monitor this and have access to that, but they're doing that anyway. I agree with you. It's hard to figure that out. I think there are flat fee planners. There are planners that work on retainers. There are ways within the club where if you go through that model, you'll be able to be a better client with the advisor and maybe reframe it. So, you're getting a lot more value and more detail as you get to this transition in life.
But I get it. It's a hard thing to think through.
HOW DO YOU DEFINE WHETHER SOMEONE IS OVERFUNDED, CONSTRAINED, OR UNDERFUNDED?
All right. Our last question for today, because I know you got to run, Tanya is from Jennifer.
"Love your podcast as always."
Well, thank you, Jennifer.
"I have a follow up question on funded levels from your podcast. It appears that you use the Monte Carlo figure to classify three levels, underfunded, constrained, and overfunded.
Can you give me a number that you assign to these? For example, if my Monte Carlo scenario from the software is 95%, am I overfunded?
Follow up question. When working with a client, what Monte Carlo figure do you usually shoot for? I understand everyone is different and it's important to continue to revisit the plan, but what is the rule of thumb?
I would greatly appreciate your info."
Now you use Monte Carlo scenario analysis, right?
Tanya: I do. Yes. We use the same retirement planning tool we're using in the club too.
Roger: How do you define with someone that you're really overfunded or you're constrained or you're underfunded? Do you have numbers that you assign to that?
Tanya: I don't have numbers, but what I do is, on that page that Jennifer's talking about, I don't get too hung up on that percentage number. What I actually like to look at is, there's usually like a table that'll give you what the ending estate value, like the range of values might 90s, and I use the 750th scenario.
That's just cause that's how our money guy software works. So, I use a 750 a scenario number, and what that means is in 75 percent of the scenarios, you'll have more than X remaining at end of plan, which might be 95 or something like that. What I like about that number and why I use that with clients is because it's kind of like the buffer of, this is how much money we have to change our mind over time. This is how much money we have to if things go wrong, or if things go right, or we decide we want to buy a new place or spend more money or less money. I actually like to use that number as a guide to help clients understand their funding as well.
Roger: Okay, that's interesting. I have not done that approach.
So this is in the feasibility pillar of the four pillars to have a great plan. Jennifer, a vision, feasible, resilient, optimized. ISI numbers right around 90 and above. We'll say you're overfunded. 75 to 90. We'll say you're constrained. Then below 75, we would say you're underfunded. But those are very loose terms, Jennifer, right?
There's been research on, hey, you could have a 50 percent confidence number and still be okay. This is not an exact science, so I use this to help decision analysis of what is feasible, and it will be a moving target, right. Then when we talk about these numbers in terms of underfunded and overfunded, Jennifer, we like to classify things in three categories, right? You can see the results for each category. What is the Monte Carlo confidence number is the term they use, I don't use, for just my base, great life. Then what is it for my base, great life plus my discretionary spending? This is something to tease it out. There is no exact, but those are the numbers I use and they're just guides for your decision making. You're right. This number of 90 will be different for somebody that has a big pension and somebody that doesn't right there. One will be a lot more of a stable heading than the one that doesn't have a pension because they're relying on financial assets. But those are the numbers that I use, and it's meant not as a label, it's meant as a guide in terms of maybe how much buffer we should put into the system when we get to the resilience stage.
If you're way overfunded, you have the luxury, if you wanted to, to have less of a buffer financially because you have so many excess assets. So hopefully that helps you.
Tanya, you have a great newsletter. Where can people find it?
Tanya: Check us out at alignfinancial.
PRACTICAL PLANNING SEGMENT
Roger: All right, Pete, how are you, sir?
Pete: I'm doing well, Roger. Thanks for asking.
Roger: Now, you've been a member of the Rock Retirement Club for how long?
Pete: I'm in my second year.
Roger: Okay, and if I recall, was it last year that we had a meetup within the club talking about cybersecurity?
Pete: Yes.
Roger: Okay, and you reached out to me after my comments around the AT&T data breach with some suggestions.
I'm like, well, rather than me mimic the suggestions, let's go to the experts. So this is something that you do for a living. Describe what you do professionally.
Pete: Sure. So, I work for a financial services company and I'm kind of in charge of making sure that nobody takes away any sensitive data that we hold. We have quite a large number of what are called dossiers on virtually everybody in the United States. It's really important that we protect that data. So I'm on information security for that company, and I'm responsible for security architecture and generally just making sure that the things that we do inside the company really protect user data.
That's really a core value that we have, and you know, it's really important to keep both our brand reputation and make folks feel comfortable working with us.
Roger: One of my good friends, Pete, had this position at Equifax prior to the breach. He wasn't involved in the whole breach thing, but it is, my understanding is this is a secret escalating war between nefarious players and people like you trying to protect security. It never ends.
Pete: Yes, definitely. My company, I put out a security bulletin every morning. I collate sort of all the latest things that are going on out in the industry and put it kind of in a readable format and then send it out to executives and other folks, for example, in our IT group that are responsible for really being at the ground floor, protecting things. Ever since I've been doing that, it's a recent thing, I think we've really created some awareness that this war is going on and that it really is the responsibility of everybody in the company to play a part to make sure that we don't end up on that front page of the news.
Roger: For the context of what we're going to talk about today, probably one of the most important players in that battle of protecting personal information is the individual and their own information.
Pete: Absolutely.
Roger: We live in a world like AT&T and Equifax had their breaches. I mean, we could make a laundry list of where data was. All of these companies are asking for likely more information than they need a lot of times, like social security numbers and things like that. So, we thought we'd go through, you and I, on three phases of personal data security to better defend, because you'll never do it perfectly, your personal data to help prevent getting identity theft or some other issue, especially for those of us that already have.
Should we assume that our data is already out there? By the way?
Pete: You should, and that'll come into play when we talk about some of the items that are here, because some of it is to secure kind of what you have and make sure that you've sort of got the doors closed and the locks on so that somebody isn't sort of coming able to get into your house, as it were, but then there's the stuff that's already out there, so then the 2nd and the 3rd pieces are really about monitoring and sort of putting blocks in place to prevent people from using that data to create problems for you.
Roger: Okay, so let's start with table stakes, level one of what we can do to be a guardian of our information and our accounts. Where do we start?
Pete: Sure. So, I would say the 1st one is to really make sure your email account is secured because as we all know, if we forget our password or you can't remember it, or it needs to be changed, you're going to click on that link that says forgot password, right? The first thing that's going to happen is you're going to get a link in your email account.
Now, if somebody's taken over your email account, you've essentially given them the opportunity to go ahead and reset your password, so you really want to lock down your email account. The way you can do that is have a complex password that you used to lock your email account, but also turn on, you know, two factor authentication. It'll be either an SMS code or something that can be sent to an app that's on your phone to make sure that when you log into your email account that it's only you that has access to it.
Roger: So, let's make sure we define what two factor authentication is. So, when I set that up, what happens?
Pete: Two factor authentication means that you've got two factors that the system that you're accessing needs to verify before it's going to say that you are the person that you say you are.
Generally, one factor is something you know, which is going to be your password, and then a second factor is either going to be like a biometric like your face or your fingerprint, which some folks have used with their phones and some computers. Then the 3rd one is usually a code, something that is generated and sent to you hopefully not the same way that, you know, not through email. It's going to be an SMS, or maybe it's an app that you have on your phone and you're going to be up. You're going to get a code that's specific to that application and you're going to go ahead and type it in. So, the two factors are what you know, the password, and what you have; in this case, it's a one-time code.
Roger: Like a text you receive with a code and then you have to enter the code.
Okay, and so step one is secure your email account, because that is the hub of where passwords will get reset. So complex password and a two-factor authentication. I imagine almost all email services, Gmail, et cetera, have that ability.
Pete: They do.
Roger: Okay. We just find that under settings. Real quickly on complex passwords, just define what that means.
Pete: So complex password is generally more than, let's say it's 12 characters or more, and that can create issues with people remembering it, but I'll give some hints about how to create them in a second. You don't want to use things like the people can find out about you on LinkedIn or on Facebook or anything else.
Usually, the best way to create some good passwords is just to string together 3 unrelated words. So, like, fence hop tree. Okay. Because these days, what happens is the programs that are used to go ahead and hack passwords, they're very good at just really trying to put together almost any kind of symbols and letters and numbers that you can think of to try and figure out what your password is. So, you want to have something that's at least 12 characters long and it's good to just pick some things that you can remember that are words in sort of appended to each other. A really good way to create passwords is to use a password manager and then you don't really have to worry about whether it's a tree hop fence, or fence hop tree. It's going to be in your password manager.
Roger: Or just gobbledygook. They just have a string of letters and numbers and symbols, right?
Pete: Exactly, and they're usually set to be more than 12 characters. But again, it's not up to you to remember it. The only password that you need to remember is the master password to get into your vault, your password manager vault.
Roger: So as an example, I use 1Password and there are a number of them, LastPass, et cetera, and I've used 1Password for a long period of time. I have one password I have to remember to get into the keys of the kingdom, right? Should I worry that somebody can get into everything by getting into my one password?
Pete: That's definitely a reasonable concern. There's one thing I can say about 1Password, I'm not sure about out of the other ones, but for 1Password, there's really two keys that you're given. One is the master password that you create, and then there's one that they give you when you first sign up, you can print it out, and what that does is that prevents, when you set up a new device to use your password manager, you have to provide both those keys. So, if somebody just gets your master password and they try and access it from a device that hasn't been registered, they're not going to be able to do it. So, it's only going to work on the computers or the phones that you've registered because it needed those two keys to be used at the outset.
Roger: Okay, so we're in level one here. Step one is to have a complex password and two factor authentication set up at least for your email. I would imagine any site that's offered is probably a good idea to do this.
Pete: It is and it's especially a good idea to set up two factor authentication for anything that's important to you and that would be like your financial accounts.
So, if you have a brokerage account or you have a bank that you're working with, you really should be setting up two factor authentication with those as well, because that's really where the attackers want to get to, right? Yeah, they'll want to get to your email account, but that's to reset passwords to like your bank, and then they want to get into your bank. You really want to set up those two factors at those sites that deal with your financial assets.
Roger: Then in order to create complex passwords and then manage all those passwords, because I probably have 100 plus logins in my password manager. It's amazing how many you have.
Pete: Yes.
Roger: You can have separate complex passwords for each one of them without having to worry about it.
But also, one feature I like about 1Password is that they will say, hey, these passwords look like they might have been compromised or they're old. Maybe you should refresh them. So, there's some monitoring built into them to help stay on top of this.
Pete: Yeah, that's definitely a feature 1Password, and I think most of the other password managers have something very similar as well.
Roger: Okay, so we're talking about the basics here, and then, so those are the two key basics from a security standpoint.
The next ones are a little bit more of our behavior, and this is getting harder and harder with AI because they're able to generate images and voices, et cetera. The next one we had was don't respond to unsolicited texts.
Pete: Yes, and I'm sure everybody who's listening has gotten these in some cases. It is behavioral because they'll say hi, and maybe they won't use your name or maybe they will know your name. They'll have looked up your phone number in the database. They'll know kind of who you are. So, they say, "Hi, Pete. It's been a long time since we last talked, how are things going?" and they really just want to start a conversation and kind of rope you in and you don't know who's on the other end of that text. There are all kinds of things behaviorally, they can sort of lure you in to do. The best thing that you can do is just don't answer it.
Sometimes they'll say, "Hi, I lost your information in my address book. Can you send me your phone number so I can add it?" Please don't do that. They're really just trying to get as much information from unsolicited or in this case, solicited information that they can. So, then they can either compromise an account that you own using that and other information that they can get off the dark web, or they're trying to get you into a situation where you continue to carry on the conversation and you don't know where that's going to lead.
Roger: One that we didn't have on here that I think is level one as well, Pete, is be very wary of a "customer service call" from the company, whether it's the IRS, or any official type of company, AT&T or Apple, be very wary of incoming calls from any of these organizations. There's actually a YouTube channel of a lady who receives these calls and records it and messes with them, and there's a natural one that everybody says they're from the IRS. These people probably are not going to call you, right? So, if you get those calls, probably better say, I will just call the 800 number and go the other direction than engage in a conversation.
Pete: Yes, and they can all be very nice, well meaning.
I mean, if you're feeling lonely that day, they could be your best friend. But really, it's all about just getting information from you and kind of luring you into a conversation that could lead to lots of other places. But just like unsolicited texts, these are really unsolicited phone calls. I would say the same kinds of rules apply, so you can be nice to them. You can hang up whatever it is. But, you know, the best thing is to try and verify them through a different channel other than the one where they contacted you, as you mentioned, or call them back, go to the website.
A lot of things that you'll see is that they say, oh, you know, there's been fraud. This is the credit card company, and we noticed that you have fraud on your card, can you go ahead and tell, you know, and they'll pick Chase or some other and there might be a 1 in 5 chance that you have a Chase card in your pocket and then they'll say, okay, can you tell me the last 4 digits of the card? You just don't even want to go down that road.
You can turn on fraud alerts and those kinds of things with your credit card company and they'll let you know and then you can go on the site and/or call them back on the number on the back of the card and go ahead and have a good conversation about that.
Roger: This is similar with emails, which a lot of us have heard of phishing and the ones that look like they're correct when it comes to links and emails, or in text, how do we know if a link is a good link or something that is going to put something on our computer and be nefarious?
Pete: It's really tough. The bad guys have gotten really good at it and obscuring what those links are. In some cases, it'll look correct, but actually what they're doing is they're using what's called the Unicode character set, which is like all languages on the planet and they're able to go ahead and make you think that it's an O that's in Google, but in fact, it's a special little character and they actually have created a site that accepts that character. So, you think you're going to google.com, but it's actually going to google.com with a different O in it. So, you really have to be careful, you know, the best thing is just not to click on it. If you get something from somebody saying, go to the site yourself, type in the site URL in your browser and go there on your own, but it's really difficult. I think to your point earlier with AI, it's just going to get harder and harder to kind of tell the real things from.
Roger: I wanted to ask about that because voices, text photos, there's already been some anecdotal evidence of kidnappings where it sounds like it's the daughter's voice. The granddaughter's voice, as a security expert where are you going to go from here?
Pete: Well, I mean, in that case, what I would do is with your kids set up a pass code, right? That only you and they know that's going to be sort of the code word if they're in trouble. And if somebody doesn't respond, somebody's doing that kidnap thing and they're not giving you the code, then you know, it's probably not.
Roger: Yeah. What we did at Thanksgiving is the whole family has one nonsensical two-word code that we all agreed upon.
Then the last thing on level one. So, this is level one, this is table stakes of what we think everybody should do to help guard themselves, the last one is to check your credit reports annually because you get a free credit report each year if I recall, right?
Pete: Actually, it's more often than that.
I think it's, it may even be once a month from all three credit reports. They've made it more frequent. So definitely something to check and I think it's annualcreditreport.com. There are also some services, some reputable ones. You know, I'll mention Credit Karma. Credit Karma is one that they do two of the three major credit reporting agencies. It's good for you to check because this goes to the part that I was talking about earlier. There are things we can do to lock the doors, and then there's things that we have to do to detect when people are taking information that's already been spirited away in one of these many data breaches, and then they're using it to do real identity theft. They're trying to be you. They're trying to impersonate you and open credit in your name, and then potentially get the money from being able to do that, either opening a credit card account or bank account or some other account that's financial in nature.
Most reputable organizations will check the credit bureaus and they'll report to the credit bureaus, and so if you see something that's suspicious, that's definitely something to follow up on.
Roger: I've actually had this happen to me and discovered it by checking a credit report and then had to go through the process of the dispute. How often do you think someone should check their credit report?
Pete: I think quarterly is probably a good idea.
I think annually may be a little bit too long because things can happen from one year to the next, and I think you want to try and stay on top of it. Certainly, the more frequently the better, but we'll talk about another thing that you can do as well to go ahead and protect yourself with respect to credit, but in terms of just looking at and understanding if things are happening, I would say at least quarterly and maybe monthly.
Roger: Checking a credit report using a service like Credit Karma or going directly, could take five minutes just to see what, I mean, you'll know the history. You'll just see if there's anything new. I imagine the logic and the frequency is if something has happened. It's better to close the door if one horse got out, not when all the horses got out, right? You want to mitigate as quickly as possible.
Pete: Yeah, these things can snowball. These folks, they'll try for the first one. Then if that's successful and it hasn't been detected, they'll, they may continue to, they'll go for the next credit card, especially if you have good credit, which I think probably quite a few people who are listening do have. That's the thing that can really hurt you.
Roger: Okay. So that's level one. So that means this is the standard. This is what we all should be doing in my mind. Let's go to level two, which is escalating a little bit higher. I think of this almost like a castle. Now, as I was thinking of this, these are lines of defenses. They're not impenetrable, but they make you much less attractive to be a target and give you the opportunity to deal with things. So, let's go to level two. Where do we go if we want to take it a step further?
Pete: Yeah. So, I kind of mentioned this and that just a second ago, and that's to go ahead and freeze your credit at the three major credit bureaus, and then there's a couple more that are out there that are a little lesser known, but I think they're just as important. I think Clarity and INNOVIS are, are two of them. A lot of payday lenders will use those, so sometimes that may be easier for them to get past the lock and key that freezing your credit achieves if you don't take care of those as well.
By freezing your credit, and there's a difference here, a lot of the credit bureaus will go ahead and talk about locking your credit. Actually, the best practice and what's recommended is actually freeze your credit.
Roger: So, what's the difference between the two?
Pete: I'm not really sure. I've never used the locking capability, but the freeze is really what you want to do. In some cases, I think for the lock, they're looking for a subscription. It's just not as comprehensive as the freeze is.
Now, one of the things that happens when you freeze your credit is obviously if you decide you want to go ahead and apply for a credit card or you're going out to buy a car and they want to see if you qualify for the 2 percent loan, you're going to need to unfreeze your credit at the credit bureau or more credit bureaus that they're going to use to go ahead and check your credit. That really doesn't take very long. You can do it online. You can say, okay, I want my credit unfrozen for today and today only. Like I said, it will unfreeze your credit within like 15 minutes. They can go ahead and run their credit report and then you can either refreeze it or you can just wait for the clock to run out and the next day it'll, it'll freeze it again.
Roger: So freezing your credit essentially pulls the drawbridge up in terms of anybody pinging your credit report to get approval to open an account.
Pete: Yes. Essentially and what you may find is once you do that, you may start to get things in the mail from the credit bureau or from a lender saying, Hey, you asked us to go ahead and open a credit card account in your name, and we couldn't do it because your credit was frozen and you should take that as an indication that actually somebody was trying to commit identity theft. It happens regularly to me.
Roger: I think in my initial comments, when I was talking about the AT&T breach, Pete, I said I wasn't going to freeze my credit and I got some encouragement and pushback from fellow RRC’ers so I actually went through the process of freezing my credit at the three bureaus, Experian, Equifax, and Transamerica, I believe. TransUnion. TransUnion, thank you. I found it interesting and I was going to create something on this. Equifax was really easy. Experian and TransUnion were much more upsell oriented.
I had to really navigate around these services they were trying to sell me in order to get to freezing. So that's something just to be aware of because they're a business and everybody likes to upsell. But it actually was very easy to do, but you had to be aware that you click on something to get upsold, something monitoring that you may not necessarily want, but I thought that was fine.
Then you said the other two, which I wasn't aware of. There's another one called Clarity and INNOVIS.
Pete: Clarity is one and then I think INNOVIS is the other one.
Roger: So those are probably, even if you don't want to freeze your credit, probably one to freeze because they're the smallest and probably used by smaller actors. Okay. Freezing credit. What's another level two action we can take?
Pete: So, I have passkeys on here, but I think passkeys is something that maybe we'd move to level three. They're starting to become more prevalent, so things like Google and Microsoft and Apple are starting to do passkeys. But if you have a password manager, and you've got a lot of things that are still password oriented, these are only going to work for a certain number of sites.
You can also set up passkeys in the password managers. What that does is it essentially allows you to avoid the use of passwords and what happens is when you go to a site, it will go ahead and work with your cloud account, either Google or Apple or Microsoft, and it will go ahead and exchange a special key, and then it will always be in the background when you use that device to go back to that site, and it will let you in sort of transparently.
It's the future, but I would say it's not quite there yet everywhere, and so if people are feeling adventurous, passkeys are something to try out. But I would probably put that in level three. I think the most important thing is to get your password manager, because a lot of things have passwords today. Focus on that, making sure you got different passwords for each site, and the password manager will help you do that. Then you know, if you want to venture into the passkey realm, you can certainly do that.
The other big one is similar to like, checking your credit reports is, take advantage of your credit card and your bank and they almost always have like an alert or a notification where if they see either any transaction or a transaction above a certain level, they'll send you a text message or an email. That's really useful to just keep tabs on your bank account and keep tabs on your credit card, so you can just make sure that, you know, it hasn't been used fraudulently and obviously, if you see something, then you want to maybe go online or call the customer service number, find out kind of what's going on. It may be that your credit card got breached in one of these public data breaches, somebody used it to order something from Target or who knows where, and you're on the hook. Well, it's essentially on your credit card statement. So you want to make sure you take care of that quickly so you can get that taken off. Oftentimes with credit cards, they'll want to send you a new one just to make sure.
Roger: All of them can give you alerts. Most of them will have, you can set up alerts for when certain things happen.
Pete: Yes.
Roger: One thing I want to ask you about, Pete, and this may go back to level one, is do you have an opinion about using a debit card or a credit card?
Pete: Yes, I do. There are a couple things with that. One, credit cards, they're kind of going to this imaginary account that's between you and the credit card company, so it isn't real money until you actually pay the bill at the end of the month. So, you really do have a lot more protection with credit cards than you do with debit cards. Debit cards, they're reaching into your bank account, and they're essentially taking the money out of your account and that if you don't see it and you want to get that money back, it gets much harder. You're going to have to go through a lot more hoops to do that.
Generally speaking, it's just better if you can put things on credit than to put it on debit.
Roger: Because if something goes wrong, you're not trying to get your money back. You're just arguing with the credit card and working through the process.
Pete: That's right. Okay.
Roger: We're going to put that on level one. All right. Level two. What's the next one? I think it's related to the IRS.
Pete: Yeah. So, this is, most people don't really think about this. They're used to going ahead and filing their taxes and everything goes kind of according to plan, at least you hope so. You get your refund or you have to pay, but with the amount of information that's kind of around on the dark web. It's not that difficult for a hacker scammer to go ahead, and at the beginning of the year, sort of file a, a fake tax return in your name.
This actually happened to me back in 2014, before you could get an identity pin from the IRS. I spent 400 days.
Roger: You know this stuff and you've spent 400 days.
Pete: I spent 400 days disputing with the IRS about the fact that the tax return wasn't mine. They kept sending me dunning notices for like 10,000 saying I hadn't paid for this, that, and the other thing, and those hackers, scammers, they got away with a refund that they claimed.
So they got 2,500 out of the IRS and in fact, I think there were something like 700,000 returns that were fraudulently put in that year, so you can do the math. It's serious millions of dollars that were spirited away. Then you and me and regular people are kind of holding the bag, trying to fight with the IRS and tell them, no, it wasn't me.
What you can do now is you can proactively sign up for an identity pin from the IRS, and what they'll do is they'll send it to you at the end of the year, usually in like December, via paper mail. Then when you go ahead and file, you just put that, I think it's a five-digit pin, in with your tax return, and they'll know it's you, and anybody else who tries to file and doesn't have that pin, they'll reject it.
Roger: So, it's a new pin every year in this case.
Pete: Yes, but you only have to sign up for it once and they just regularly send you a new one in the mail before tax season starts.
Roger: Yeah. As I listened to these, Pete, each one of these creates friction, obviously for the nefarious players, but they also create friction for us.
Pete: Yes.
Roger: Right, which is probably why we don't do them. It's sort of a pain in the butt to do this stuff. But if you think of that friction for us, it probably helps us use credit more thoughtfully because it's not so simple. So, on the flip side, like if I freeze my credit and I want to open a credit card. That extra friction might ask me, well, why aren't the 10 that I have good enough already, right, and don't open up another one.
I do not have 10 credit cards, by the way.
Pete: That's a great way to look at it. I love it.
Roger: All right. So, the last one on level two is what?
Pete: I think similar to setting up an identity pin from the IRS.
I would, I would claim your ssa.gov account. You might not need it right now, but it's a really good idea. So again, using the information that the folks are able to get on the dark web, they can go ahead and sort of try and impersonate you with that information and then get the login and password set up with your ssa.gov account and then at some point, if you're the right age, they can start to do things like have social security checks sent to their address.
Roger: For those of you that are familiar ssa.gov is socialsecurityadministration.gov so this is the account that generates your annual report on your social security benefits. It shows your entire earnings history. It's how you manage that benefit and so even if you're 50, you should claim it in order to make sure somebody else doesn't claim it unknowingly.
All right. So that's level two. That's a lot of stuff. I'm going through my mental checklist of what I've done here, and I'm doing okay on level one and two.
Level three is for the belts and suspenders gang, right, where we really want to go to the next level, and for those listening, level one, that's table stakes. If you just do that, you're a lot less attractive to nefarious players. Level two makes you really less attractive. This is level three, a lot more involved.
So, let's talk about, we only have a couple of things here, but let's just talk about the few we have.
Pete: Sure. So, the first one, I guess maybe if I had a chance to rejigger things, I might put this one a little higher on the list, but we can debate that. But it's really about locking your mobile phone, your phone number, and making sure that it can't be appropriated by a third party.
Typically, the way that you do this is you go to one of the cell phone providers. You have an online account and there's usually a feature there where you can lock your mobile phone SIM card. It's on their site, and so what that says is that it's similar to freezing your credit report. What you're saying is, look, it doesn't matter if somebody calls, tries to impersonate me or do anything else. You're not going to allow them to go ahead and move my phone number to their phone. The reason why that's important for them is remember, we talked about two factor authentication a little higher up in the discussion. If you're using text messages, the SMS messages to get your codes, then you're at risk if your phone number's been moved to a scammer's phone. Then what they can do is if they somehow know your password, they can go ahead and have the code sent and they'll receive it on their phone. They can do this in the middle of the night when you're not awake to know that your phone's sort of been taken over and moved, so locking your phone SIM to the number that you have and to the SIM card that's in your phone is really important.
Roger: Okay.
Pete: You can do that yourself.
Roger: You have to do it online. Is it not something you do in the settings on your phone?
Pete: That's correct.
Roger: So, what happens when you're a dude in Colorado that goes fly fishing, and he keeps his phone in the pockets of his waders and it wasn't quite waterproof. He fries his phone because it got all wet, which I did. So, I had to get a replacement phone like they had AppleCare. How difficult is it for me to move my phone number to a new phone?
Pete: Yeah. So, this is why you want the password manager, right? I mean, it can create some complexities.
Roger: But as a user, I can still hold onto my phone number as I upgrade my phones or have a replacement phone. There's more friction to it, but I'm still able to. That's why.
Pete: Yeah, you're ultimately going to have to do something with the phone company to prove your identity.
One of the things may be that if you go in and show your driver's license, for example, then they'll know it's you. You're right. You don't have to use all these other codes and things to know it's okay. Then they'll set up your phone and go ahead and move your SIM for you and all the rest.
Roger: Okay. Okay. More friction, but it protects you.
Pete: It does.
Roger: What's the next one?
Pete: This one might not seem that obvious, but if you're doing financial transactions, like you're doing bill pay and things like that, or you're like moving money, you've set up ways to move money between your brokerage account or your retirement accounts and your bank account. It's generally a good idea to do those transactions. If you can, from a separate device than the one that you use every day for just checking email and surfing the internet and all the rest.
The reason why is that if something should happen, and you may not even be aware of it. So, let's say you click on that link that you think is a good link in your email, but actually it goes to a bad site that looks like the site you want to go to, and they download malware on that computer, and it's got what's called a remote access Trojan on it, then they're going to be able to see everything that's happening on your computer, including the things you type, and it'll take screenshots of what's on your screen. You may not know this at all. So now you're going ahead and doing bill paying or financial transactions on your regular computer, and you have unwittingly been compromised and they now have that information and they can start to do things in the background to siphon things out of your account and things like that.
If you're doing bill paying and financial transactions on a separate computer or device, it could be a tablet or a phone that you don't use for email, general internet surfing, you really just have it focused on doing financial transactions. You're going to be much more likely to avoid any of those pitfalls with people sort of getting on your computer with malware and being able to see what you're doing and ultimately take control of your accounts.
Roger: When I think of this, and again, we're talking level three here.
Pete: Yes.
Roger: I have an Apple computer. Does setting up a separate profile that only does financial transactions, sort of like you have two users on a computer, would that count under this or is it better to have an actual physical device that's separate?
Pete: Better to have a physical device that's separate, depending on the malware that's downloaded and how it works, that may be okay, but it wouldn't be in a hundred percent of cases.
Roger: Okay. I think I'm going to need to build a SCIF in my house. If anybody reads spy books, it's like a room that is sealed electronically.
Pete: It's metal lined, yes. No, no electromagnetic radiation coming
Roger: Shauna will go for it. It'll be that and a storm shelter. It'll be a tornado shelter.
Pete: You can make them both the same.
Roger: That's right, and panic room. All right, we have one more for the level three people, which is remove your personal data from information aggregators.
I would have no idea how to do this.
Pete: This is definitely an advanced item, so there are quite a few sites. I mean, there are a lot of companies out there that are just, that's all they do is accumulate information about people. They build dossiers on people and then they sell it, right? They sell it to marketers, they sell it to people that want to do background checks, they sell it to people that are looking for long lost relatives.
But a lot of times they'll go ahead and make those portals available publicly, and they will put your name in them. All of a sudden, you find out all kinds of things. You're associated with these 14 people, 5 at work, 9 are your family relatives, this was your last phone number, this is your current phone number, this is your home address, this is how much your property's worth, et cetera, et cetera.
Many of those services do allow you to sort of opt out. So, what you just need to do is kind of claim your record, and they have enough information about you that if you give them an email address or a phone number that's on their record, they'll go ahead and send a little thing to that and it'll be yours. You'll just say, okay, yes, it's me and I can attest that it's my record and they'll take you off.
Roger: How do we find out what these services are?
Pete: I mean, you could do a Google search now. Some are like, we're not reputable, but probably ones that are higher up in the search and that you can find people saying things about in other places.
I can mention kind of like three that might be worth people taking a look at. One is called TruePeopleSearch. That one has probably the most thorough dossier. Another one is called MyLife, and they seem to collect a lot of birth dates, which I find really not great, and the other one is called Spokeo, S P O K E O.
So, like, those are just three. There are more. But I think if you go into Google and you put your name in there, and your age and like your city, all of a sudden, I think you're going to see a bunch of these things pop up and again, use some caution with them, but there are definitely a couple of them that are higher up more used.
Roger: If you're going to the advanced level here, you're going to be probably much more comfortable on how to navigate this stuff. It's always interesting to me when you talk to an expert in an area, you're an expert in this type of security is there's a deep rabbit hole you can go down.
Pete: Absolutely.
Roger: That's one reason why, as we talked, we built three different layers. I don't know the statistics because I didn't look this up. I'm guessing almost none of us do layer one two factor authentication. If you look at the statistics, I have to look it up after this. I'm guessing a lot of us don't do it, I know just in my practice, people keep written sheets. They keep an open Excel spreadsheet for their passwords. They use the same password with multiple accounts, that's their birthday or something like that. So just doing some of these things is going to help you protect yourself. So don't feel like you have to go down this laundry list.
Pete, I appreciate you sharing your wisdom on this. Do you have any final thoughts?
Pete: I would say it is a bit of a fraught environment that we're in, and the folks that are out there are really motivated by the fact that you have some money and they would like to have some too. It's easy to, I don't know, get paranoid about certain things, and actually I've seen that, especially for people that have been the victim of identity theft. I had a good friend, and this happened not too long ago, and she started seeing, like, all kinds of things happening to her, like shadows in the dark kind of thing in terms of emails that she got. She's like, oh, my gosh, they back into my system, and it can be very distressing to be the victim of identity theft.
So, I would say, you know, the more of these things that you can do to sort of put yourself in a place where you're just better defended than maybe other folks that are out there. It's kind of like the, if your door is locked and your neighbor's not, they're more likely to go to your neighbor. So, just doing a few of these things, password manager, making sure your email account is secured, looking at your credit report, freezing your credit, those kinds of things, really helps you move up and be safer in the electronic world that we all live in now.
Roger: Definitely. Look, and we didn't even talk about the emotional toll, which is what you're referring to so that's a whole other thing.
Pete, I appreciate you sharing your wisdom.
Pete: Oh, my pleasure. Thanks for having me on, Roger.
TODAY’S SMART SPRINT SEGMENT
Roger: On your marks, get set,
and we're off to take a baby step we can take in the next seven days to not just rock retirement, but rock life.
In the next seven days, take one baby step from the list that we created to help better protect your identity. As simple as that.
CONCLUSION
I am now back in Texas after Shauna and I's first two months in Colorado, all I have to say is it is hot, hot, hot. I'll share some of my insights from this journey on another show. This has been a long show. I want you to go off and have a great day.
The opinions voiced in this podcast are for general information only, and not intended to provide specific advice or recommendations for any individual. All performance references are historical and do not guarantee future results. All indices are unmanaged and cannot be invested in directly. Make sure you consult your legal, tax, or financial advisor before making any decisions.