Vanguard Phishing

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.

Vanguard Phishing

Postby pheleven » Fri Mar 15, 2013 1:28 pm

With the threads about computer security floating around here I wasn't too keen to come across this article this morning!

http://benplesser.com/2013/03/15/vangua ... atttempts/
pheleven
 
Posts: 39
Joined: 20 Feb 2013

Re: Vanguard Phishing

Postby kitteh » Fri Mar 15, 2013 1:41 pm

I would never give important information to anyone I didn't know personally who initiated a phone call.

I did get a call once such as this, but not from Vanguard. I'm trying to remember who it was from, a bank or what. Instead of supplying the caller with the information, I called the bank at their public number and the call was legitimate, just strange.
kitteh
 
Posts: 194
Joined: 15 Mar 2013

Re: Vanguard Phishing

Postby nisiprius » Fri Mar 15, 2013 3:44 pm

The story says
My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.
If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
User avatar
nisiprius
Advisory Board
 
Posts: 24294
Joined: 26 Jul 2007
Location: "Citizen of the terrestrial sphere"--O. Henry, "A Cosmopolite in a Cafe"

Re: Vanguard Phishing

Postby richard » Fri Mar 15, 2013 4:13 pm

The only times I've been called by Vanguard are when I've asked my rep to call me. He asked security questions every time.
richard
 
Posts: 7058
Joined: 20 Feb 2007

Re: Vanguard Phishing

Postby pheleven » Fri Mar 15, 2013 4:15 pm

nisiprius wrote:The story says
My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.
If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.


In the comments he said they turned out to be calling to verify a change of address.
pheleven
 
Posts: 39
Joined: 20 Feb 2013

Re: Vanguard Phishing

Postby Van » Fri Mar 15, 2013 4:27 pm

"At Vanguard my voice is my password." Vanguard is already using this phrase as a voice recognition password.
Van
 
Posts: 398
Joined: 27 Oct 2010

Re: Vanguard Phishing

Postby Rob5TCP » Fri Mar 15, 2013 6:42 pm

I signed up for the voice recognition. That is one step in the right direction, though I believe Vanguard still has a way to go.
User avatar
Rob5TCP
 
Posts: 1719
Joined: 5 Jun 2007
Location: New York, NY

Re: Vanguard Phishing

Postby gkaplan » Fri Mar 15, 2013 7:11 pm

Rob5TCP wrote:I signed up for the voice recognition. That is one step in the right direction, though I believe Vanguard still has a way to go.


What does voice recognition mean? What does it do? How does it work? rarely call Vanguard. Since I am retiring at the end of the leave year, however, I expect I shall be calling Vanguard several times in the next year: how best to transfer my TSP to Vanguard, setting up my RMD, and so on.
Gordon
gkaplan
 
Posts: 5141
Joined: 3 Mar 2007
Location: Portland, Oregon

Re: Vanguard Phishing

Postby cheese_breath » Fri Mar 15, 2013 7:53 pm

gkaplan wrote:What does voice recognition mean? What does it do? How does it work? rarely call Vanguard. Since I am retiring at the end of the leave year, however, I expect I shall be calling Vanguard several times in the next year: how best to transfer my TSP to Vanguard, setting up my RMD, and so on.

Your voice sounds just like mine. What's your account number? :happy

Seriously though... I haven't studied voice recognition since I retired 16 years ago, but back in those days it had to be trained to recognize your voice. This involved you reading a pre-defined script of words and phrases so the software could learn what you sound like. I imagine it's probably the same or similar today.
The surest way to know the future is when it's the past.
User avatar
cheese_breath
 
Posts: 2466
Joined: 14 Sep 2011

Re: Vanguard Phishing

Postby gkaplan » Fri Mar 15, 2013 8:10 pm

I searched "voice recognition" on Vanguard's website and came up empty? Where do I go on the site to find something out about this feature?

Thanks.
Gordon
gkaplan
 
Posts: 5141
Joined: 3 Mar 2007
Location: Portland, Oregon

Re: Vanguard Phishing

Postby nisiprius » Fri Mar 15, 2013 8:16 pm

pheleven wrote:
nisiprius wrote:The story says
My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.
If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.
In the comments he said they turned out to be calling to verify a change of address.
I'm not seeing that in the blog,, where is it? But if that's the case, then it is understandable.

A change of address is a big deal, because if I can get all your paper mail sent to me, then I can change the bank account that's linked to your bank to my bank account, and you won't get the confirmation notice that tells you what happened and would alert you if it wasn't you that requested the change.

Plesser suggests "Vanguard [should] call a customer and ask that customer to call back on a secure, publicly verified phone line (or log in through the secure website)."

Not, logging onto the website won't do, nothing involving the website will do, because they got the change of address request through the website and the context of their double-checking is the possibility that your online account has already been compromised.

To get you on the phone, I agree with Plesser that it would be better if they told you to call them, but where do you get the number? You can't trust your online account access for the phone number, because the assumption is that your account might have been compromised and might be pointing to a phony Vanguard website--a little paranoid, yes, but possible. They could tell you to get it from your paper statement, but you might not be getting paper statements.

They could just tell you the number to call--1-800-THE-SPOOFER--but obviously calling a number an anonymous caller tells you to call is not secure.

Once they get you one the phone they need to verify that the voice on the phone is the same person who has account access, so, yes, they need to ask you the security question.
Last edited by nisiprius on Fri Mar 15, 2013 8:21 pm, edited 1 time in total.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
User avatar
nisiprius
Advisory Board
 
Posts: 24294
Joined: 26 Jul 2007
Location: "Citizen of the terrestrial sphere"--O. Henry, "A Cosmopolite in a Cafe"

Re: Vanguard Phishing

Postby Silence Dogood » Fri Mar 15, 2013 8:18 pm

Found this article via Google: http://www.consumerismcommentary.com/vanguard-voice-recognition/

After a few years of testing this new security feature, Vanguard has begun rolling out voice pattern recognition technology for security. According to the representative I spoke to today, this feature will be available for Flagship customers first, and all customers will eventually follow. Voice recognition adds another layer of security to your financial accounts, and I’m impressed with it so far.

When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

The biggest benefit of this level of security is that it eliminates the need for Medallion signature guarantees for most financial transactions for which they were previously required. Signature guarantees can be a hassle; for a financial institution that conducts is business mostly online and over the phone, you might need to visit a local bank or credit union with identification in order to secure a signature guarantee, and then it will take some time to send the signature guarantee to Vanguard.

To enable voice recognition today, call a Vanguard representative today. You’ll be asked to repeat a passphrase several times: “At Vanguard, my voice is my password.” The security system will analyze your voice, which will act as a secure key. After confirming that you’re ready to begin using voice recognition as a security check, the new technology will be activated for you with your next call to Vanguard.

After entering your Social Security number via your phone’s keypad as usual, will be prompted to speak the passphrase. It sounds like this technology could be easily fooled through recording, or to be ineffective depending on the quality of your phone line, but it’s much more secure and accurate than the existing system.

If your security check through voice recognition fails when you call, you will be asked to answer a security question. This fallback can solve any issues if you’re in a noisy room, for example, but that reduces the level of security.
Silence Dogood
 
Posts: 238
Joined: 1 Feb 2011

Re: Vanguard Phishing

Postby grabiner » Fri Mar 15, 2013 9:09 pm

I had a similar experience two months ago. I received a message on my answering machine, "This is Mr. X from Vanguard. I need to talk to you about your IRA contribution. Please call me back on this phone number." The phone number wasn't one I recognized as a Vanguard number, so I was suspicious of a phishing attempt.

I called Vanguard back at the regular number, and dealt with the necessary business; they had a technical problem which was delaying my Roth IRA conversion but would backdate the transaction to the correct date. But I also told the Vanguard representative that this procedure was unacceptable.

Presumably, if I had been home when the call was made, I would have had the same attempt by Vanguard to verify my identity while I couldn't verify theirs.
David Grabiner
User avatar
grabiner
Advisory Board
 
Posts: 12292
Joined: 21 Feb 2007
Location: Columbia, MD

Re: Vanguard Phishing

Postby LadyGeek » Fri Mar 15, 2013 9:51 pm

This thread is now in the Personal Consumer Issues forum (phone phishing, a.k.a. Social engineering).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
User avatar
LadyGeek
Site Admin
 
Posts: 16092
Joined: 20 Dec 2008
Location: Philadelphia

Re: Vanguard Phishing

Postby LadyGeek » Fri Mar 15, 2013 11:38 pm

After receiving a PM, this thread is now in the Investing - Theory, News & General forum, as it more relates to Vanguard and Vanguard's investors rather than security.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
User avatar
LadyGeek
Site Admin
 
Posts: 16092
Joined: 20 Dec 2008
Location: Philadelphia

Re: Vanguard Phishing

Postby nisiprius » Sat Mar 16, 2013 8:30 am

Just a grumble. We will know more when it happens but I am not at all enthusiastic about the idea of voice recognition technology or any other "biometrics"-based technology. Security is hard. Biometrics are the fantasy of a superficial, easy, technical fix.

I am not so concerned about hackers getting in, although hackers have cracked fingerprint and iris-scanning systems. Just as many magic tricks depend essentially, not on sleight-of-hand or misdirection, but on an inability to believe that a magician would go to that much trouble for such a silly little trick, I think these new high-tech systems rely on the idea that most hacking attempts are lazy and casual and that hackers aren't rally going to try. (Until it became common, who would have ever believed that anyone would mount their own physical magnetic card scanner on top of a real one?)

No, I'm much more worried about losing access to my own account.

If you think Treasury Direct is bad, wait until the first time you can't log onto our Vanguard account because it doesn't recognize your voice.

Nothing against Vanguard, a quick Google indicates to me that voice recognition is all the rage and that "everyone" is going to be doing it soon. But it is interesting to me that the first hundred hits are predominantly about companies that sell it, companies planning to adopt it, and articles explaining how it works and how great it is... and I can't seem to find any about reliability and type I versus type II errors. We are in the "promotional" phase of biometrics, not the "real-world experience" phase.

And if it happens to me, I know what will happen next--the stress of the situation will change my voice pattern even more, reducing the chances of success on further attempts. And very likely after three attempts it will decide the account is under attack and lock it out--probably without giving any "telltale" clues, so that when I try again it will recognize my voice but pretend that it doesn't not. And of course it will happen at 7:02 p.m. Friday Eastern time, and the "help" number will say "Our normal business hours are M–F 8 a.m. to 7 p.m, but our website and automated voice systems are open."
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
User avatar
nisiprius
Advisory Board
 
Posts: 24294
Joined: 26 Jul 2007
Location: "Citizen of the terrestrial sphere"--O. Henry, "A Cosmopolite in a Cafe"

Re: Vanguard Phishing

Postby richard » Sat Mar 16, 2013 8:42 am

vanguard-voice-recognition wrote:When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

This is my biggest concern with Vanguard's voice recognition - will a digital recording or, worse, a digital recording assembled from unrelated words and sounds, be good enough to fool the system. Unfortunately, I don't know any way to verify that it works well other than Vanguard saying it works. I doubt they'll let third parties test the system.

On the other hand, the current system isn't very secure. The answers to many of the security questions are discoverable. For example, mother's maiden name or high school mascot. One way around this is to create somewhat secure answers (e.g., my mother's maiden name is xy342hsno), but that's a major hassle and I'd guess approximately no one does it.
richard
 
Posts: 7058
Joined: 20 Feb 2007

Re: Vanguard Phishing

Postby richard » Sat Mar 16, 2013 8:47 am

nisiprius wrote:No, I'm much more worried about losing access to my own account.

If you think Treasury Direct is bad, wait until the first time you can't log onto our Vanguard account because it doesn't recognize your voice.

Nothing against Vanguard, a quick Google indicates to me that voice recognition is all the rage and that "everyone" is going to be doing it soon. But it is interesting to me that the first hundred hits are predominantly about companies that sell it, companies planning to adopt it, and articles explaining how it works and how great it is... and I can't seem to find any about reliability and type I versus type II errors. We are in the "promotional" phase of biometrics, not the "real-world experience" phase.

And if it happens to me, I know what will happen next--the stress of the situation will change my voice pattern even more, reducing the chances of success on further attempts. And very likely after three attempts it will decide the account is under attack and lock it out--probably without giving any "telltale" clues, so that when I try again it will recognize my voice but pretend that it doesn't not. And of course it will happen at 7:02 p.m. Friday Eastern time, and the "help" number will say "Our normal business hours are M–F 8 a.m. to 7 p.m, but our website and automated voice systems are open."

If it's outside normal business hours, why would you use the phone rather than the online system?
richard
 
Posts: 7058
Joined: 20 Feb 2007

Re: Vanguard Phishing

Postby linenfort » Sat Mar 16, 2013 4:20 pm

I know my particular rep's voice, so that's the one thing that gives me a sense of security.

I think it's funny that this thread is called "Vanguard Phishing" because no phishing actually occurred in this story!

nisiprius wrote:If you think Treasury Direct is bad,

They are the benchmark of bad. :-)
The key is not so much what couch you choose, but that you stay on it. | -- boglehead Random Musings | [i]Wolde ye bothe eate your cake, and haue your cake?[/i] (1546)
User avatar
linenfort
 
Posts: 1048
Joined: 22 Sep 2007
Location: United States

Re: Vanguard Phishing

Postby afan » Sat Mar 16, 2013 5:35 pm

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.
"We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either." | | --Larry Swedroe
afan
 
Posts: 775
Joined: 25 Jul 2010

Re: Vanguard Phishing

Postby linenfort » Sat Mar 16, 2013 7:50 pm

afan wrote:The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals".

Unfortunately, that's really the name of my Himalayan cat.
Seriously, though, I follow the same rule. In the first year, I forgot my answer once or twice because the answer was false. This got me into a lot of red tape with Treasury Direct, but not with Vanguard. And, now I've got all the false answers down.

Last year, Atlantic magazine had a pretty good article on passwords, but neglected to mention how easy security questions are answered. (Just ask Sarah Palin). I wrote to the author of the piece about it, and he agreed it was a good idea.
The key is not so much what couch you choose, but that you stay on it. | -- boglehead Random Musings | [i]Wolde ye bothe eate your cake, and haue your cake?[/i] (1546)
User avatar
linenfort
 
Posts: 1048
Joined: 22 Sep 2007
Location: United States

Re: Vanguard Phishing

Postby bogleblitz » Sat Mar 16, 2013 10:35 pm

My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.
User avatar
bogleblitz
 
Posts: 233
Joined: 1 Oct 2012

Re: Vanguard Phishing

Postby grabiner » Sat Mar 16, 2013 11:52 pm

bogleblitz wrote:My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.


And that type of verification could work when you receive a call from Vanguard as well. You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.
David Grabiner
User avatar
grabiner
Advisory Board
 
Posts: 12292
Joined: 21 Feb 2007
Location: Columbia, MD

Re: Vanguard Phishing

Postby linenfort » Sun Mar 17, 2013 3:57 pm

grabiner wrote:...
You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.

An excellent idea!
The key is not so much what couch you choose, but that you stay on it. | -- boglehead Random Musings | [i]Wolde ye bothe eate your cake, and haue your cake?[/i] (1546)
User avatar
linenfort
 
Posts: 1048
Joined: 22 Sep 2007
Location: United States

Re: Vanguard Phishing

Postby nisiprius » Mon Mar 18, 2013 3:57 pm

afan wrote:The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.
The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
User avatar
nisiprius
Advisory Board
 
Posts: 24294
Joined: 26 Jul 2007
Location: "Citizen of the terrestrial sphere"--O. Henry, "A Cosmopolite in a Cafe"

Re: Vanguard Phishing

Postby cheese_breath » Mon Mar 18, 2013 4:02 pm

nisiprius wrote:
afan wrote:The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.
The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."

Maybe you should have said Las Vegas. :D
The surest way to know the future is when it's the past.
User avatar
cheese_breath
 
Posts: 2466
Joined: 14 Sep 2011

Re: Vanguard Phishing

Postby rkhusky » Mon Mar 18, 2013 4:21 pm

grabiner wrote:
bogleblitz wrote:My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.


And that type of verification could work when you receive a call from Vanguard as well. You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.


Someone who hacked into your account would also get that information. What would be useful is some piece of information that is not displayed on the web site. The security questions could be that sort of information if they are not displayed on the web site and one cannot change the answers without first providing the original answers. And every time they are changed you get an email. And you also get an email with a confirmation code, before your email can be changed.
rkhusky
 
Posts: 1374
Joined: 18 Aug 2011

Re: Vanguard Phishing

Postby Phineas J. Whoopee » Mon Mar 18, 2013 5:33 pm

pheleven wrote:With the threads about computer security floating around here I wasn't too keen to come across this article this morning!

http://benplesser.com/2013/03/15/vangua ... atttempts/

Absolutely unacceptable if true.

The FTC says:
Be Alert to Impersonators

Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request.
http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure

Suppose all of us contact Vanguard within 24 hours, linking to the FTC guidance, and tell them we demand they stop? I've just done so via secure email.

PJW
User avatar
Phineas J. Whoopee
 
Posts: 2020
Joined: 18 Dec 2011

Re: Vanguard Phishing

Postby gkaplan » Mon Mar 18, 2013 6:27 pm

One of my security questions asks what hospital I was born in.

Did I enter [Name of Hospital] [Hospital] or just [Name of Hospital]?

Another asks what street I lived on when I was growing up.

Did I enter [Name of Street] [Avenue] or just [Name of Street]?
Gordon
gkaplan
 
Posts: 5141
Joined: 3 Mar 2007
Location: Portland, Oregon

Re: Vanguard Phishing

Postby linenfort » Tue Mar 19, 2013 8:47 am

nisiprius wrote:
afan wrote:The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.
The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."


The way I handle that is to stick to one rule: always have spaces / or / never have spaces among all of your security questions.
You can put some numerals in there to make it extra hard to guess, but still stick to the rule above to make it easy for you, yourself.
The key is not so much what couch you choose, but that you stay on it. | -- boglehead Random Musings | [i]Wolde ye bothe eate your cake, and haue your cake?[/i] (1546)
User avatar
linenfort
 
Posts: 1048
Joined: 22 Sep 2007
Location: United States

Re: Vanguard Phishing

Postby Zephyr120 » Wed Mar 20, 2013 9:27 am

To verify a cold call, I ask *them* for a password. I got quarterly calls from a group that helped me to work on my health issues. On the first call, I gave them a password which they were to put in their files. On subsequent calls, they provided the password to me to verify their identity.

It worked much like Vanguard's picture and title on the logon page to verify their own identity. It was sometimes confusing to the person who called me, but it worked well.
Zephyr120
 
Posts: 33
Joined: 28 Jan 2012

Phishing?

Postby AQ » Fri Mar 29, 2013 5:04 pm

Got an email from Vanguard (flagship@eonline.evanguard.com) with the following message, but I haven't received any calls, and didn't expect one. Anything wrong?

Our records indicate that you or someone in your household recently received a call from your Vanguard representative. Could you please tell us how we did and if we can do anything better next time?
AQ
 
Posts: 352
Joined: 26 Feb 2008

Re: Vanguard Phishing

Postby LadyGeek » Fri Mar 29, 2013 5:21 pm

^^^ I merged your thread with this one, so we can keep all the Vanguard phishing emails in one spot.

BTW, the domain http:// eonline evanguard com/ (link broken) is registered to Vanguard.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
User avatar
LadyGeek
Site Admin
 
Posts: 16092
Joined: 20 Dec 2008
Location: Philadelphia

Re: Vanguard Phishing

Postby TheGreyingDuke » Fri Mar 29, 2013 5:52 pm

afan wrote:The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.


And if you use a password generating/storage program or service, you can have security question answers that are as "secure" as your password.
User avatar
TheGreyingDuke
 
Posts: 548
Joined: 2 Sep 2011


Return to Investing - Theory, News & General

Who is online

Users browsing this forum: Bing [Bot], Dale_G, kenyan, ralph124cf, Rodc, Roverdog, Taylor Larimore, Tristan, Yahoo [Bot] and 59 guests