Bogleheads.org

[pheleven]

With the threads about computer security floating around here I wasn't too keen to come across this article this morning!

http://benplesser.com/2013/03/15/vangua ... atttempts/

[kitteh]

I would never give important information to anyone I didn't know personally who initiated a phone call.

I did get a call once such as this, but not from Vanguard. I'm trying to remember who it was from, a bank or what. Instead of supplying the caller with the information, I called the bank at their public number and the call was legitimate, just strange.

[nisiprius]

The story says

My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.

If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.

[richard]

The only times I've been called by Vanguard are when I've asked my rep to call me. He asked security questions every time.

[pheleven]

The story says

My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.

If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.

In the comments he said they turned out to be calling to verify a change of address.

[Van]

"At Vanguard my voice is my password." Vanguard is already using this phrase as a voice recognition password.

[Rob5TCP]

I signed up for the voice recognition. That is one step in the right direction, though I believe Vanguard still has a way to go.

[gkaplan]

I signed up for the voice recognition. That is one step in the right direction, though I believe Vanguard still has a way to go.

What does voice recognition mean? What does it do? How does it work? rarely call Vanguard. Since I am retiring at the end of the leave year, however, I expect I shall be calling Vanguard several times in the next year: how best to transfer my TSP to Vanguard, setting up my RMD, and so on.

[cheese_breath]

What does voice recognition mean? What does it do? How does it work? rarely call Vanguard. Since I am retiring at the end of the leave year, however, I expect I shall be calling Vanguard several times in the next year: how best to transfer my TSP to Vanguard, setting up my RMD, and so on.

Your voice sounds just like mine. What's your account number?

Seriously though... I haven't studied voice recognition since I retired 16 years ago, but back in those days it had to be trained to recognize your voice. This involved you reading a pre-defined script of words and phrases so the software could learn what you sound like. I imagine it's probably the same or similar today.

[gkaplan]

I searched "voice recognition" on Vanguard's website and came up empty? Where do I go on the site to find something out about this feature?

Thanks.

[nisiprius]

The story says

My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.

If the story is accurate it seems to me like an unacceptable practice on Vanguard's part. But I can't help feeling there is more to the story than this. Fidelity local reps have occasionally cold-called me to let me know about seminars or wondering whether I had any questions etc. Vanguard never has, but even if they were trying to drum up business, I don't understand why they would ask for the answer to a security question.

In the comments he said they turned out to be calling to verify a change of address.

I'm not seeing that in the blog,, where is it? But if that's the case, then it is understandable.

A change of address is a big deal, because if I can get all your paper mail sent to me, then I can change the bank account that's linked to your bank to my bank account, and you won't get the confirmation notice that tells you what happened and would alert you if it wasn't you that requested the change.

Plesser suggests "Vanguard [should] call a customer and ask that customer to call back on a secure, publicly verified phone line (or log in through the secure website)."

Not, logging onto the website won't do, nothing involving the website will do, because they got the change of address request through the website and the context of their double-checking is the possibility that your online account has already been compromised.

To get you on the phone, I agree with Plesser that it would be better if they told you to call them, but where do you get the number? You can't trust your online account access for the phone number, because the assumption is that your account might have been compromised and might be pointing to a phony Vanguard website--a little paranoid, yes, but possible. They could tell you to get it from your paper statement, but you might not be getting paper statements.

They could just tell you the number to call--1-800-THE-SPOOFER--but obviously calling a number an anonymous caller tells you to call is not secure.

Once they get you one the phone they need to verify that the voice on the phone is the same person who has account access, so, yes, they need to ask you the security question.

[Silence Dogood]

Found this article via Google: http://www.consumerismcommentary.com/vanguard-voice-recognition/

After a few years of testing this new security feature, Vanguard has begun rolling out voice pattern recognition technology for security. According to the representative I spoke to today, this feature will be available for Flagship customers first, and all customers will eventually follow. Voice recognition adds another layer of security to your financial accounts, and I’m impressed with it so far.

When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

The biggest benefit of this level of security is that it eliminates the need for Medallion signature guarantees for most financial transactions for which they were previously required. Signature guarantees can be a hassle; for a financial institution that conducts is business mostly online and over the phone, you might need to visit a local bank or credit union with identification in order to secure a signature guarantee, and then it will take some time to send the signature guarantee to Vanguard.

To enable voice recognition today, call a Vanguard representative today. You’ll be asked to repeat a passphrase several times: “At Vanguard, my voice is my password.” The security system will analyze your voice, which will act as a secure key. After confirming that you’re ready to begin using voice recognition as a security check, the new technology will be activated for you with your next call to Vanguard.

After entering your Social Security number via your phone’s keypad as usual, will be prompted to speak the passphrase. It sounds like this technology could be easily fooled through recording, or to be ineffective depending on the quality of your phone line, but it’s much more secure and accurate than the existing system.

If your security check through voice recognition fails when you call, you will be asked to answer a security question. This fallback can solve any issues if you’re in a noisy room, for example, but that reduces the level of security.

[grabiner]

I had a similar experience two months ago. I received a message on my answering machine, "This is Mr. X from Vanguard. I need to talk to you about your IRA contribution. Please call me back on this phone number." The phone number wasn't one I recognized as a Vanguard number, so I was suspicious of a phishing attempt.

I called Vanguard back at the regular number, and dealt with the necessary business; they had a technical problem which was delaying my Roth IRA conversion but would backdate the transaction to the correct date. But I also told the Vanguard representative that this procedure was unacceptable.

Presumably, if I had been home when the call was made, I would have had the same attempt by Vanguard to verify my identity while I couldn't verify theirs.

[LadyGeek]

This thread is now in the Personal Consumer Issues forum (phone phishing, a.k.a. Social engineering).

[LadyGeek]

After receiving a PM, this thread is now in the Investing - Theory, News & General forum, as it more relates to Vanguard and Vanguard's investors rather than security.

[nisiprius]

Just a grumble. We will know more when it happens but I am not at all enthusiastic about the idea of voice recognition technology or any other "biometrics"-based technology. Security is hard. Biometrics are the fantasy of a superficial, easy, technical fix.

I am not so concerned about hackers getting in, although hackers have cracked fingerprint and iris-scanning systems. Just as many magic tricks depend essentially, not on sleight-of-hand or misdirection, but on an inability to believe that a magician would go to that much trouble for such a silly little trick, I think these new high-tech systems rely on the idea that most hacking attempts are lazy and casual and that hackers aren't rally going to try. (Until it became common, who would have ever believed that anyone would mount their own physical magnetic card scanner on top of a real one?)

No, I'm much more worried about losing access to my own account.

If you think Treasury Direct is bad, wait until the first time you can't log onto our Vanguard account because it doesn't recognize your voice.

Nothing against Vanguard, a quick Google indicates to me that voice recognition is all the rage and that "everyone" is going to be doing it soon. But it is interesting to me that the first hundred hits are predominantly about companies that sell it, companies planning to adopt it, and articles explaining how it works and how great it is... and I can't seem to find any about reliability and type I versus type II errors. We are in the "promotional" phase of biometrics, not the "real-world experience" phase.

And if it happens to me, I know what will happen next--the stress of the situation will change my voice pattern even more, reducing the chances of success on further attempts. And very likely after three attempts it will decide the account is under attack and lock it out--probably without giving any "telltale" clues, so that when I try again it will recognize my voice but pretend that it doesn't not. And of course it will happen at 7:02 p.m. Friday Eastern time, and the "help" number will say "Our normal business hours are M–F 8 a.m. to 7 p.m, but our website and automated voice systems are open."

[richard]

When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

This is my biggest concern with Vanguard's voice recognition - will a digital recording or, worse, a digital recording assembled from unrelated words and sounds, be good enough to fool the system. Unfortunately, I don't know any way to verify that it works well other than Vanguard saying it works. I doubt they'll let third parties test the system.

On the other hand, the current system isn't very secure. The answers to many of the security questions are discoverable. For example, mother's maiden name or high school mascot. One way around this is to create somewhat secure answers (e.g., my mother's maiden name is xy342hsno), but that's a major hassle and I'd guess approximately no one does it.

[richard]

No, I'm much more worried about losing access to my own account.

If you think Treasury Direct is bad, wait until the first time you can't log onto our Vanguard account because it doesn't recognize your voice.

Nothing against Vanguard, a quick Google indicates to me that voice recognition is all the rage and that "everyone" is going to be doing it soon. But it is interesting to me that the first hundred hits are predominantly about companies that sell it, companies planning to adopt it, and articles explaining how it works and how great it is... and I can't seem to find any about reliability and type I versus type II errors. We are in the "promotional" phase of biometrics, not the "real-world experience" phase.

And if it happens to me, I know what will happen next--the stress of the situation will change my voice pattern even more, reducing the chances of success on further attempts. And very likely after three attempts it will decide the account is under attack and lock it out--probably without giving any "telltale" clues, so that when I try again it will recognize my voice but pretend that it doesn't not. And of course it will happen at 7:02 p.m. Friday Eastern time, and the "help" number will say "Our normal business hours are M–F 8 a.m. to 7 p.m, but our website and automated voice systems are open."

If it's outside normal business hours, why would you use the phone rather than the online system?

[linenfort]

I know my particular rep's voice, so that's the one thing that gives me a sense of security.

I think it's funny that this thread is called "Vanguard Phishing" because no phishing actually occurred in this story!

If you think Treasury Direct is bad,

They are the benchmark of bad.

[afan]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.

[linenfort]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals".

Unfortunately, that's really the name of my Himalayan cat.
Seriously, though, I follow the same rule. In the first year, I forgot my answer once or twice because the answer was false. This got me into a lot of red tape with Treasury Direct, but not with Vanguard. And, now I've got all the false answers down.

Last year, Atlantic magazine had a pretty good article on passwords, but neglected to mention how easy security questions are answered. (Just ask Sarah Palin). I wrote to the author of the piece about it, and he agreed it was a good idea.

[bogleblitz]

My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.

[grabiner]

My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.

And that type of verification could work when you receive a call from Vanguard as well. You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.

[linenfort]

...
You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.

An excellent idea!

[nisiprius]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.

The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."

[cheese_breath]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.

The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."

Maybe you should have said Las Vegas.

[rkhusky]

My bank, Citizens, did the same thing. They called me, then ask for verification.

I was reluctant to give it out but then they gave me back some confirmation. They told me my last bank transaction, the reason for calling, etc.

And that type of verification could work when you receive a call from Vanguard as well. You could ask a Vanguard representative the three digits after the decimal place of your Total Stock Market share balance; this is something only you (or someone who has access to your statements) would know, but it isn't sensitive information if it is disclosed to the wrong person.

Someone who hacked into your account would also get that information. What would be useful is some piece of information that is not displayed on the web site. The security questions could be that sort of information if they are not displayed on the web site and one cannot change the answers without first providing the original answers. And every time they are changed you get an email. And you also get an email with a confirmation code, before your email can be changed.

[Phineas J. Whoopee]

With the threads about computer security floating around here I wasn't too keen to come across this article this morning!

http://benplesser.com/2013/03/15/vangua ... atttempts/

Absolutely unacceptable if true.

The FTC says:

Be Alert to Impersonators

Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request.
http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure

Suppose all of us contact Vanguard within 24 hours, linking to the FTC guidance, and tell them we demand they stop? I've just done so via secure email.

PJW

[gkaplan]

One of my security questions asks what hospital I was born in.

Did I enter [Name of Hospital] [Hospital] or just [Name of Hospital]?

Another asks what street I lived on when I was growing up.

Did I enter [Name of Street] [Avenue] or just [Name of Street]?

[linenfort]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.

The thing that gets me is that the answers to security questions always seem to be case-sensitive, exact string matches. So the problem I have is:

"Where did you honeymoon?"
"Niagara Falls, NY"
"Nope."
"niagara falls"
"Nope."
"Niagara Falls, N.Y."
"Three strikes, you're out."

The way I handle that is to stick to one rule: always have spaces / or / never have spaces among all of your security questions.
You can put some numerals in there to make it extra hard to guess, but still stick to the rule above to make it easy for you, yourself.

[Zephyr120]

To verify a cold call, I ask *them* for a password. I got quarterly calls from a group that helped me to work on my health issues. On the first call, I gave them a password which they were to put in their files. On subsequent calls, they provided the password to me to verify their identity.

It worked much like Vanguard's picture and title on the logon page to verify their own identity. It was sometimes confusing to the person who called me, but it worked well.

[AQ]

Got an email from Vanguard (flagship@eonline.evanguard.com) with the following message, but I haven't received any calls, and didn't expect one. Anything wrong?

Our records indicate that you or someone in your household recently received a call from your Vanguard representative. Could you please tell us how we did and if we can do anything better next time?

[LadyGeek]

^^^ I merged your thread with this one, so we can keep all the Vanguard phishing emails in one spot.

BTW, the domain http:// eonline evanguard com/ (link broken) is registered to Vanguard.

[TheGreyingDuke]

The security questions are a very good system for verification as long as you do not give true answers.

What is the name of your pet should not be "Fido". It could be "periodic wasteland of the immortals" or something else that is NOT the name of your pet, and not a likely pet name. Even people who know you well will not be able to guess answers to these questions when you do NOT provide the real answers. The name of your pet is an even better question if you do not have a pet. Then someone who knows you might no there is no real answer, and be forced to guess.

And if you use a password generating/storage program or service, you can have security question answers that are as "secure" as your password.