Vanguard is on the Password Hall of Shame.

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
Bob.Beeman

Re: Vanguard is on the Password Hall of Shame.

Post by Bob.Beeman »

Mudpuppy wrote:
KyleAAA wrote:I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
It is clear from this comment that you do not understand the technical and logistical issues involved in such a change. Suffice it to say, it is a very, very non-trivial process to replace a legacy system. It IS an overtly complex change. It is a huge logistical nightmare, even with the best plan and flawless execution of said plan. Throw in regulatory issues and paperwork requirements and it's a can of worms so massive, one cannot just throw money or experts at it and expect it to be done in days.
Complex change?? To change the size limit of an html text field from "10" to "20"... REALLY !?

Of course if you are using that value as something other than the input to a standard cryptographic hash (wink wink - saving plaintext passwords) it might just be very complicated.

- Bob Beeman.
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard is on the Password Hall of Shame.

Post by KyleAAA »

Mudpuppy wrote:
KyleAAA wrote:I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
It is clear from this comment that you do not understand the technical and logistical issues involved in such a change. Suffice it to say, it is a very, very non-trivial process to replace a legacy system. It IS an overtly complex change. It is a huge logistical nightmare, even with the best plan and flawless execution of said plan. Throw in regulatory issues and paperwork requirements and it's a can of worms so massive, one cannot just throw money or experts at it and expect it to be done in days.

Great, now I am having flashbacks to Y2K patches and the paperwork that had to be filed in triplicate for each patch installed.... stacks and stacks of paperwork....
I assure you, I'm well aware of the technical and logistical issues involved. I've done things like this before, specifically software involving financial transactions and all the regulatory crap that comes with it. But it would probably be easier to just throw the old system away and create a new one. Still not expensive for a company Vanguard's size especially since, unlike in the Y2K bug era, there are plenty of good off-the-shelf solutions for most of that stuff.
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard is on the Password Hall of Shame.

Post by KyleAAA »

Bob.Beeman wrote:
Mudpuppy wrote:
KyleAAA wrote:I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
It is clear from this comment that you do not understand the technical and logistical issues involved in such a change. Suffice it to say, it is a very, very non-trivial process to replace a legacy system. It IS an overtly complex change. It is a huge logistical nightmare, even with the best plan and flawless execution of said plan. Throw in regulatory issues and paperwork requirements and it's a can of worms so massive, one cannot just throw money or experts at it and expect it to be done in days.
Complex change?? To change the size limit of an html text field from "10" to "20"... REALLY !?

Of course if you are using that value as something other than the input to a standard cryptographic hash (wink wink - saving plaintext passwords) it might just be very complicated.

- Bob Beeman.
Well it's more than that. The problem is that Vanguard is obviously using something ancient and probably manufactured by IBM on the back end to validate all that stuff. I wouldn't be surprised if their back end is identical to what it was in the 70's or early 80's. The fact that passwords are case-insensitive is pretty convincing evidence of this because NOBODY would do that now if they could avoid it, however, it wasn't uncommon back in the day. I've seen it before. Those things cost a fortune to maintain so even completely replacing it with something new wouldn't cost more than a few years worth of maintenance on the old system. It's a lot more work than just changing the length of a text field in a database though, unfortunately.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

This thread is getting more play than previous threads on the same topic here, and also over at the VG blog. For that, I am very happy, and even a little hopeful. This is a valuable discussion.

I hope that VG is listening.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Bob.Beeman wrote:
Mudpuppy wrote:
KyleAAA wrote:I for one am not even slightly worried about the password cracking thing. What I AM worried about is that Vanguard isn't taking a pretty obvious (even if it's only symbolic) step. The excuse that it would cost too much is nonsense. It would not be an overly complex change, even on a legacy system. It wouldn't even be all THAT expensive to completely replace the legacy system. Not for a company with nearly $2 trillion under management, at least.
It is clear from this comment that you do not understand the technical and logistical issues involved in such a change. Suffice it to say, it is a very, very non-trivial process to replace a legacy system. It IS an overtly complex change. It is a huge logistical nightmare, even with the best plan and flawless execution of said plan. Throw in regulatory issues and paperwork requirements and it's a can of worms so massive, one cannot just throw money or experts at it and expect it to be done in days.
Complex change?? To change the size limit of an html text field from "10" to "20"... REALLY !?

Of course if you are using that value as something other than the input to a standard cryptographic hash (wink wink - saving plaintext passwords) it might just be very complicated.

- Bob Beeman.
Vanguard is on record as using hashing not plaintext:

http://www.bogleheads.org/forum/viewtop ... 0#p1545627

I work on a legacy system, and I know that maximum field lengths can require lots of work to increase because of the impact on display formats and on data structures and data processing that was not originally well-designed to allow such changes.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Vanguard is on the Password Hall of Shame.

Post by telemark »

KyleAAA wrote: The fact that passwords are case-insensitive is pretty convincing evidence of this because NOBODY would do that now if they could avoid it, however, it wasn't uncommon back in the day. I've seen it before.
Or perhaps the case-insensitivity is to cut down on support calls from people who didn't notice they'd hit the caps lock key. There's a balance between good security and what the general public is willing to accept. Need I point out that Treasury Direct has very good security?

If the problem is a legacy system (and we don't know that; this is pure speculation) there is at least one workaround: take the password as entered, however long that may be, hash the whole thing, and then pick ten characters from the hash to pass to the legacy system.
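The workaround telemark describes, worked through as an added example (not code from the thread or from Vanguard): the full-length, case-sensitive password is hashed on the front end and the digest is mapped onto a 10-character credential drawn only from symbols a case-insensitive back end leaves unchanged. The per-user salt and the lowercasing model of the legacy comparison are assumptions.

```python
import hashlib
import string

# Constraints the thread reports for the legacy back end.
LEGACY_MAX_LEN = 10
# Symbols that survive a case-insensitive back end unchanged:
# lowercase letters and digits, 36 symbols in total.
LEGACY_ALPHABET = string.ascii_lowercase + string.digits


def legacy_fold(credential: str) -> str:
    """Model the legacy system's case-insensitive comparison (assumed: it lowercases)."""
    return credential.lower()


def derive_legacy_credential(password: str, user_salt: bytes) -> str:
    """Hash the full-length, case-sensitive password and map the digest onto a
    10-character credential the legacy field can accept.

    user_salt is a hypothetical per-user value kept by the front end; it stops two
    users who chose the same password from ending up with the same legacy credential.
    """
    digest = hashlib.sha256(user_salt + password.encode("utf-8")).digest()
    # Treat the digest as one big integer and take its ten lowest base-36 digits.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(LEGACY_MAX_LEN):
        n, r = divmod(n, len(LEGACY_ALPHABET))
        chars.append(LEGACY_ALPHABET[r])
    return "".join(chars)


def legacy_accepts(credential: str) -> bool:
    """True if the value fits the legacy field and case folding cannot alter it."""
    return (len(credential) == LEGACY_MAX_LEN
            and all(c in LEGACY_ALPHABET for c in credential)
            and legacy_fold(credential) == credential)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed sample value
    # Case now matters on the user-facing side even though the back end ignores it.
    for pw in ("correct horse battery staple", "Correct Horse Battery Staple"):
        cred = derive_legacy_credential(pw, salt)
        print(f"{pw!r} -> {cred} (legacy accepts: {legacy_accepts(cred)})")
```

In practice the fast hash would be replaced with a slow, salted KDF, because whatever the legacy side stores is derived from the password; the ten base-36 symbols still cap the legacy credential at roughly 51.7 bits, so the idea only helps while the legacy store itself stays secret.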
Ducks
Posts: 515
Joined: Sun Apr 20, 2008 5:01 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Ducks »

stlutz wrote:Because accounts get locked after X number of incorrect login attempts, I don't know that a 45 character password is more secure than a 10 character one.
I always liked this xkcd cartoon about password strength:

http://xkcd.com/936/
Getting our Ducks in a row since 2008.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Here's a fairly recent response from Vanguard's Ellen Rinaldi on the matter of the password 10-character length limit and case-insensitivity:
July 24, 2012 at 10:17 am
Thanks for your comment. Length and randomness are generally recognized as good ways to create secure passwords. Beyond that, it would be inappropriate for me to comment on the details of our internal controls.
- Ellen Rinaldi
http://www.vanguardblog.com/2012.06.12/ ... riend.html
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

An interesting and relevant article posted yesterday:

http://securityledger.com/new-25-gpu-mo ... n-seconds/

I assume that VG is hashing, maybe even salting. But it's just not good enough when you limit the passwords to a max 10 char size:
In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM, for example, would fall in just six minutes...
In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use - a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware
I don't really want to get into a debate on WHICH hash VG is using. But my overall point is, even if we assume VG uses one of the better encryption algorithms, password length can make all the difference in the world when it comes to how long a given password takes to crack. So, assuming someone gets ahold of say 10,000 VG accounts, who do you think they are going to spend time cracking? The 100 people with really long, really random passwords? or the 1,000 accounts they can break with rainbow tables in a matter of minutes/hours per account?

I would assume a smart hacker would spend at most an hour per account, and then if it's not cracked, have the code move on to the next account in the database. They could collect quite a few accounts with minimal effort (low hanging fruit), and completely ignore accounts like mine.

Read the article, it's very good.
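To put numbers on geekpryde's argument, here is an added example (not from the thread or the linked article) that takes the 348 billion hashes per second the article reports and compares the worst-case time to exhaust the policies discussed in the thread. The alphabet sizes are assumptions, since the thread gives only lengths and case handling, and the rate applies to a fast, unsalted hash; a slow KDF lowers the rate by orders of magnitude, but the ratio between policies stays the same.

```python
import math

# Throughput quoted in the linked article: 348 billion NTLM hashes per second.
HASHES_PER_SECOND = 348e9

# (alphabet size, length) for the policies mentioned in the thread.
# Alphabet sizes are assumptions: 36 = lowercase letters + digits (all an attacker
# needs to try when case is ignored), 62 = mixed case + digits, 95 = printable ASCII.
POLICIES = {
    "VG: 10 chars, case-insensitive alphanumeric": (36, 10),
    "12 chars, mixed case alphanumeric": (62, 12),
    "Discover: 32 chars, printable ASCII": (95, 32),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly at random from the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = HASHES_PER_SECOND) -> float:
    """Worst-case time to try every password offline at the given hash rate."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def compare_policies(rate: float = HASHES_PER_SECOND) -> dict:
    """Return {policy: (entropy bits, worst-case seconds)} for every policy."""
    return {name: (entropy_bits(a, n), seconds_to_exhaust(a, n, rate))
            for name, (a, n) in POLICIES.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:45s} {bits:6.1f} bits  {human_duration(secs)}")
```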
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard is on the Password Hall of Shame.

Post by KyleAAA »

telemark wrote: Or perhaps the case-insensitivity is to cut down on support calls from people who didn't notice they'd hit the caps lock key. There's a balance between good security and what the general public is willing to accept. Need I point out that Treasury Direct has very good security?
No, that is not a reasonable explanation. NOBODY else does that and they aren't inundated by support calls.
telemark wrote: If the problem is a legacy system (and we don't know that; this is pure speculation) there is at least one workaround: take the password as entered, however long that may be, hash the whole thing, and then pick ten characters from the hash to pass to the legacy system.
I admit there is a <1% chance I'm wrong. But come on, this is not pure speculation. It's based on knowledge of how this kind of thing is almost always done in the industry. Is it your contention that Vanguard has chosen to do everything completely different than EVERYBODY ELSE in the world? I doubt it. Legacy systems often have this characteristic. Financial companies (not just Vanguard) mostly still use legacy systems.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

LastPass has this interesting site where you can test if your LinkedIn password was one of the 6.5 million released (as hashes) by the hacker. At the bottom of the page are links to similar tools for the eHarmony and Last.fm breaches.

https://lastpass.com/linkedin/

But, a lot else has to happen before you lose money from a data breach of this sort at Vanguard, even if all the passwords were relatively easy to crack.

1. The hacker would need your username.
2. The hacker might need to be able to answer your security questions.
3. Vanguard would have to not take counter-measures or not detect the breach quickly.
4. It takes weeks to get money out by setting up a new bank account and you would get snail mail in the meantime.
5. You could log in regularly to detect the unauthorized activity.
6. Vanguard would reimburse even if there was loss.

I think the risk is higher with a stock account since hack, pump, and dump gets money out fast, so assumption #4 does not apply.

I'd be interested if anyone can shoot holes in my reasoning, making me more concerned. I guess one could move your money to Schwab and get two factor authentication (2fa) if you want better security.
Alex Frakt
Founder
Posts: 11589
Joined: Fri Feb 23, 2007 12:06 pm
Location: Chicago

Re: Vanguard is on the Password Hall of Shame.

Post by Alex Frakt »

geekpryde wrote:...So, assuming someone gets ahold of say 10,000 VG accounts...
This is a pure strawman argument. You chose this particular scenario out of all possible security breaches because it is the only one in which password length matters. There is nothing to indicate that this scenario is more likely at Vanguard than other financial institutions. FWIW, I would guess that it's actually less likely, since Vanguard is certainly aware of this potential weakness and has probably taken more than the usual steps to guard against it.

Again, while password length is vital in a single-layer security system, it's a trivial component of an end-to-end security system. In a truly secured system, you should never be dependent on people not being able to brute force or decrypt a password, because the day will always come where faster hardware or new techniques renders such a dependency fatal.
Random Musings
Posts: 6770
Joined: Thu Feb 22, 2007 3:24 pm
Location: Pennsylvania

Re: Vanguard is on the Password Hall of Shame.

Post by Random Musings »

Wolves prey on the weak.

Saying that, would it really be that difficult for them to bump up from 10 to 12 and include characters? Or is it a matter that handling the higher volume of people who forgot their password and locked themselves out outweighs the potential costs of breach?

RM
I figure the odds be fifty-fifty I just might have something to say. FZ
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Vanguard is on the Password Hall of Shame.

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (computer security).

BTW there are a lot of good tips in this thread: Another reason why you should never reuse passwords...
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

Alex Frakt wrote:
geekpryde wrote:...So, assuming someone gets ahold of say 10,000 VG accounts...
This is a pure strawman argument. You chose this particular scenario out of all possible security breaches because it is the only one in which password length matters. There is nothing to indicate that this scenario is more likely at Vanguard than other financial institutions. FWIW, I would guess that it's actually less likely, since Vanguard is certainly aware of this potential weakness and has probably taken more than the usual steps to guard against it.

Again, while password length is vital in a single-layer security system, it's a trivial component of an end-to-end security system. In a truly secured system, you should never be dependent on people not being able to brute force or decrypt a password, because the day will always come where faster hardware or new techniques renders such a dependency fatal.
I do not agree that my reasoning for advocating longer max passwords is false. There are several ways to get ahold of a database of 10,000 VG accounts, all very different. Brute forcing a bunch of accounts is the end result of ANY NUMBER of possible security breaches. Here are a few:

(1) VG employee leaves sensitive laptop in Starbucks, and maybe VG doesn't use whole drive encryption. (Think this doesn't happen? Go ask Boeing\TSA\ any number of companies.)
(2) VG *thinks* it has safely disposed of old computers containing old hard drives with sensitive info. But the recycling company ends up re-selling them on eBay for a quick buck. (Again, this has happened).
(3) VG has a security issue on the site, and some smart 19 year old in the Philippines exploits it and sells a database of 10,000 VG accounts to the Russian black market. (This happens to companies all the time.)
(4) Rogue VG employee steals and sells 10,000 accounts to the highest bidder on the hacker black market. (Inside security threats are probably more damaging than outside threats.)
(5) Sally, a secretary in accounting at VG accidentally infected her work PC with a Trojan while playing a free online game. Now the person running the botnet is renting her infected machine on the hacker underground by the hour. (http://krebsonsecurity.com/2012/10/serv ... 500-firms/)
(6) A guy in Kenya just convinced Tony, a mid-level manager at VG, that he is from VG tech support and needs to start a join.me session on his computer. Oops, Tony has rights to the database that stores customer account profiles. Someone in China is now brute forcing the database.
(7) There are so many more possibilities....

I am fully aware that password length is only 1 part of a multi-faceted means that VG uses to keep us safe. I am sure VG has very robust layers, including physical security of servers, regular penetration testing, patching procedures, hashing and salting of password databases, etc.

But, we are talking about an aspect of the layered security that VG outsiders (you, me, the hacker in the Philippines) KNOW FOR A FACT is a lot weaker than is acceptable. It is a KNOWN FACT to be weaker than almost anyone else in the same industry.

So, if you are looking for a large bank or brokerage firm to hack, do you spend time on hacking/buying a database of accounts at VG or, say, Discover card? Discover allows 32 character long passwords, mixed case, and special characters. VG allows a pathetic 10 characters, and no case sensitivity. HMM, let me think.

I did NOT say that a breach at VG is more likely than at other institutions, I said that IF a breach happens, then password length can be the only thing between a hacked account and a useless hash.

Let me respectfully ask you this Alex, if VG took a poll of customers about increasing max password length, would you really vote option “D” over “A”,"B","C"?

“A” – Vanguard should spend money to increase password length, even though I (the customer) think it probably will have a negligible impact on overall holistic security.
“B” - Vanguard should definitely spend money to increase password length, I (the customer) strongly believe password length is an important aspect of overall holistic security.
“C” – Vanguard should NOT spend money to increase password length, I (the customer) think the benefit does not justify the cost.
“D” – Vanguard should definitely NOT spend money to increase password length, it is a meaningless false security blanket, and I (the customer) love having the weakest password policy in the industry.


I understand all of the options above, including “C”. If you are a “D” kind of guy, then I just don’t understand you.

If this is still a false argument, then I guess I am not smart enough to understand how it is false.
JamesSFO
Posts: 3404
Joined: Thu Apr 26, 2012 10:16 pm

Re: Vanguard is on the Password Hall of Shame.

Post by JamesSFO »

News announcement about a password cracking machine: TODAY this machine can crack 90-95% of all hashed passwords easily (http://securityledger.com/new-25-gpu-mo ... n-seconds/). Food for thought about whether longer passwords will really help or if the shift has to be to other layers of security.
JamesSFO
Posts: 3404
Joined: Thu Apr 26, 2012 10:16 pm

Re: Vanguard is on the Password Hall of Shame.

Post by JamesSFO »

geekpryde wrote: Let me respectfully ask you this Alex, if VG took a poll of customers about increasing max password length, would you really vote option “D” over “A”,"B","C"?

“A” – Vanguard should spend money to increase password length, even though I (the customer) think it probably will have a negligible impact on overall holistic security.
“B” - Vanguard should definitely spend money to increase password length, I (the customer) strongly believe password length is an important aspect of overall holistic security.
“C” – Vanguard should NOT spend money to increase password length, I (the customer) think the benefit does not justify the cost.
“D” – Vanguard should definitely NOT spend money to increase password length, it is a meaningless false security blanket, and I (the customer) love having the weakest password policy in the industry.


I understand all of the options above, including “C”. If you are a “D” kind of guy, then I just don’t understand you.

If this is still a false argument, then I guess I am not smart enough to understand how it is false.
Not Alex, but I feel like this presents the four choices as if these are the only possible options. I suspect a number of us may think something like "E - VG should spend money on security and password length is one of the things to investigate, based on their insights I want them to spend the money most wisely, password length could be, but need not be part of that spend."
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Vanguard is on the Password Hall of Shame.

Post by telemark »

If you're willing to assume that the contents of the password file will always remain secret, then the current password length is more than enough. In fact, if you can assume that then you might as well store the passwords in plain text, and stop nagging users about choosing strong passwords.

The problem is that the password file is always secure, right up until the moment it isn't, and then it's too late. I'm sure LinkedIn thought they had good security practices too.
ryuns
Posts: 3511
Joined: Tue Aug 07, 2007 6:07 pm
Location: Sacramento, CA

Re: Vanguard is on the Password Hall of Shame.

Post by ryuns »

Semi-serious question, how long until financial institutions roll out an optional retinal scan for logging in? Most of our devices have a (low-res) front-facing camera as it is. While this surely wouldn't be fool proof, and perhaps the cameras themselves are different enough that this wouldn't work, but it seems inevitable that we'll live enough of our life in the cloud (socially, financially, as well as all of your digital possessions) that biometric security will become a reality.
An inconvenience is only an adventure wrongly considered; an adventure is an inconvenience rightly considered. -- GK Chesterton
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Epsilon Delta »

tadamsmar wrote: I work on a legacy system, and I know that maximum field lengths can require lots of work to increase because of the impact on display formats and on data structures and data processing that was not originally well-designed to allow such changes.
It takes a lot of work to do it right on non-legacy systems too, but most people hip to the latest buzz words just don't care.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

JamesSFO wrote:
geekpryde wrote: Let me respectfully ask you this Alex, if VG took a poll of customers about increasing max password length, would you really vote option “D” over “A”,"B","C"?

“A” – Vanguard should spend money to increase password length, even though I (the customer) think it probably will have a negligible impact on overall holistic security.
“B” - Vanguard should definitely spend money to increase password length, I (the customer) strongly believe password length is an important aspect of overall holistic security.
“C” – Vanguard should NOT spend money to increase password length, I (the customer) think the benefit does not justify the cost.
“D” – Vanguard should definitely NOT spend money to increase password length, it is a meaningless false security blanket, and I (the customer) love having the weakest password policy in the industry.


I understand all of the options above, including “C”. If you are a “D” kind of guy, then I just don’t understand you.

If this is still a false argument, then I guess I am not smart enough to understand how it is false.
Not Alex, but I feel like this presents the four choices as if these are the only possible options. I suspect a number of us may think something like "E - VG should spend money on security and password length is one of the things to investigate, based on their insights I want them to spend the money most wisely, password length could be, but need not be part of that spend."
"F" VG should not spend on passwords, because they would be a laughingstock in the press if they did.

2FA is the industry and regulatory trend. Schwab is considered a security god compared with VG, even though their passwords are as bad or worse and they got hit with "hack pump and dump", because they now offer 2FA as an option.

Here's what's been happening in regulation:

http://en.wikipedia.org/wiki/Multi-fact ... Compliance

I think there are reasons that the regulators are not pushing for longer passwords.

If all VG did was extend the maximum length and add case sensitivity, then the bulk of VG passwords (which are selected by the clients) would continue to become weaker at a fast pace compared with the cracking tech. No commercial firm can possibly impose Draconian measures on the clients that would prevent that from happening.
Last edited by tadamsmar on Wed Dec 05, 2012 6:02 pm, edited 3 times in total.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Epsilon Delta »

ryuns wrote:Semi-serious question, how long until financial institutions roll out an optional retinal scan for logging in? Most of our devices have a (low-res) front-facing camera as it is. While this surely wouldn't be fool proof, and perhaps the cameras themselves are different enough that this wouldn't work, but it seems inevitable that we'll live enough of our life in the cloud (socially, financially, as well as all of your digital possessions) that biometric security will become a reality.
"Biometrics" are just passwords, unless Vanguard completely controls the camera. If Vanguard wants to let people log in from their own PC this does not help.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

JamesSFO wrote:"E" - VG should spend money on security and password length is one of the things to investigate, based on their insights I want them to spend the money most wisely, password length could be, but need not be part of that."
Yes, I like your "E", and I'm sure there are other good options for my hypothetical poll.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

tadamsmar wrote: "F" VG - should not spend on passwords, because they would be a laughingstock in the press if they did.
I have no idea why you think VG would be a laughingstock for increasing max password length. :confused
tadamsmar wrote:[Two factor authentication] is the industry and regulatory trend. Schwab is considered a security god compared with VG, even though their passwords are as bad or worse and they got hit with "hack pump and dump", because they now offer 2FA as an option.
Agreed here, VG should strongly look into and implement 2FA along with new password requirements.
tadamsmar wrote:If all VG did was extend the maximum length and add case sensitivity, then the bulk of VG passwords (which are selected by the clients) would continue to become weaker at a fast pace compared with the cracking tech.
Yes, as others have pointed out this is an arms race. But unless quantum computing suddenly becomes very practical, 30 char long max entropy passwords hashed and salted should be good for many more years, especially with the addition of 2FA. Even if this only buys VG ten years until they need to come up with the next big thing in security, I think it's worth it. Do you?
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

American Express changed their maximum length from 8 to 20 and it was not ridiculed, mostly it was ignored, it is mentioned in a few blogs. Before the change they got lots of criticism online for the limit of 8 characters. So I guess it can be a good PR move.
Tabulator
Posts: 322
Joined: Sat Mar 31, 2012 4:03 pm

Re: Vanguard is on the Password Hall of Shame.

Post by Tabulator »

Maybe it makes sense to access Vanguard funds via firms with better security (rather than simply open a Vanguard account). I wonder about the security of Vanguard mutual fund investments through third-party brokers like Ameritrade.
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

I've been out of the business for a few years, but my understanding is that current best practice for financial services firms is to START with the assumption that the bad guys have the client's username and password. Then build out the security infrastructure from there.

The widespread deployment of viruses with man-in-the-browser password grabbers has dramatically altered the security mindset of the financial industry. Sure, solid authentication slows down simpleton attackers and is important for protecting customers' private information, but when it comes to theft of funds from online accounts, authentication is not viewed as a very serious barrier anymore. It's a good bet that Vanguard often deals with cases of customer accounts getting hacked into with credentials that were grabbed using man-in-the-browser attacks on infected machines.

Even multi-factor authentication is no match for this latest generation of viruses. They often include a real-time hidden communication channel between your authenticated browser session and a console that the criminal network can remotely operate (basically a hidden browser window that they control). This technology can be purchased in a developer's kit for around $5k on the black market.

Regardless of the authentication scheme that your FI uses, if your computer is compromised by a virus and you can access your online account, it's a good bet that criminals could access your account too.

Jim
ataloss
Posts: 887
Joined: Tue Feb 20, 2007 2:24 pm

Re: Vanguard is on the Password Hall of Shame.

Post by ataloss »

I am confident that Vanguard, the largest mutual fund company in the world, employs the top security consultants in the business. I suspect we have almost no idea what security measures they use. Vanguard is certainly not going to tell us.
Exactly, and the speculation that passwords are stored in plain text is based on no information. The details of hashing and salting and encryption of the salt are all secret, so none of us really knows.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Vanguard is on the Password Hall of Shame.

Post by telemark »

multivoiced wrote:Maybe it makes sense to access Vanguard funds via firms with better security (rather than simply open a Vanguard account). I wonder about the security of Vanguard mutual fund investments through third-party brokers like Ameritrade.
I wouldn't recommend doing that based on anything we've seen in this thread: other than what is immediately verifiable (case ignored, passwords limited to 10 characters), there isn't enough information to say whether Vanguard's security is significantly better or worse than its competitors. Alex is correct that password strength is only one part of a larger system. Actionable items that I would recommend include
  • Keep an eye on your account, especially if you get email from Vanguard about recent transactions you don't remember.
  • If you've been carefully typing in a mixed case password, you can save a little effort.
  • Don't include a year in your password, e.g. "mary1978". This is one of the things a cracking program will try, after it gets past stuff like "password" and "123456". Substituting numbers for letters in words isn't a good idea either, for the same reason. The safest approach is to pick 10 characters at random from letters, numbers, and punctuation. This may not be significantly stronger, but at least it shows you're trying.
  • If someone from Vanguard talks about the importance of using strong passwords, gently ask when Vanguard plans to start supporting them.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

telemark wrote:If someone from Vanguard talks about the importance of using strong passwords, gently ask when Vanguard plans to start supporting them.
Hear, hear!

:sharebeer
khh
Posts: 343
Joined: Sat Dec 27, 2008 9:31 pm

Re: Vanguard is on the Password Hall of Shame.

Post by khh »

magellan wrote:I've been out of the business for a few years, but my understanding is that current best practice for financial services firms is to START with the assumption that the bad guys have the client's username and password. Then build out the security infrastructure from there.

The widespread deployment of viruses with man-in-the-browser password grabbers has dramatically altered the security mindset of the financial industry. Sure, solid authentication slows down simpleton attackers and is important for protecting customers' private information, but when it comes to theft of funds from online accounts, authentication is not viewed as a very serious barrier anymore. It's a good bet that Vanguard often deals with cases of customer accounts getting hacked into with credentials that were grabbed using man-in-the-browser attacks on infected machines.

Even multi-factor authentication is no match for this latest generation of viruses. They often include a real-time hidden communication channel between your authenticated browser session and a console that the criminal network can remotely operate (basically a hidden browser window that they control). This technology can be purchased in a developer's kit for around $5k on the black market.

Regardless of the authentication scheme that your FI uses, if your computer is compromised by a virus and you can access your online account, it's a good bet that criminals could access your account too.

Jim
Does a protection suite (AVG, for example) block these viruses? Are tablets vulnerable as well?
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

telemark wrote:Actionable items that I would recommend include
  • Keep an eye on your account, especially if you get email from Vanguard about recent transactions you don't remember.
Try changing the email on your Vanguard account and you will find that you do not get an e-mail at the old address. If a hacker has your login credentials then they can first login and change your email address and you will not be notified at that address of any subsequent transactions.

I agree that you should keep an eye on your account and your snail mail. The first screen after login displays your email address and the last login time, so you can quickly check those. But aggregators like Mint make the last login time pretty much useless as an indicator of unauthorized logins.
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

khh wrote:Does a protection suite (AVG, for example) block these viruses?
Anti-virus tools try to detect and remove all viruses. The challenge is that they generally only detect viruses that they know about. To evade anti-virus tools, criminals create malware that's self-modifying.

This ACM survey on malware analysis techniques is fairly technical, but it's pretty readable and has lots of good details about the state of the art.
ACM malware doc wrote:4.6.1. Self-Modifying Code and Packers. Historically, malware used self-modifying code to make static analysis more cumbersome and disguise its malicious intents. While such modifications were first performed by incorporating the self-modifying parts in the malware itself, more recent developments have led to packer tools. A packer program automatically transforms an executable (e.g., a malware binary) into a syntactically different, but semantically equivalent, representation. The packer creates the semantically equivalent representation by obfuscating or encrypting the original binary and stores the result as data in a new executable. An unpacker routine is prepended to the data, whose responsibility upon invocation lies in restoring (i.e., deobfuscating or decrypting) the data to the original representation. This reconstruction takes place solely in memory which prevents leaking any unpacked versions of the binary to the disk. After unpacking, the control is handed over to the, now unpacked, original binary that performs the intended tasks. Polymorphic variants of a given binary can be automatically created by choosing random keys for the encryption. However, their unpacking routines are, apart from the decryption keys, largely identical. Therefore, while signatures cannot assess the threat of the packed binary, signature matching can be used to detect the fact that a packer program was used to create the binary. Metamorphic variants, in contrast to polymorphic binaries, can also mutate the unpacking routine, and may encumber detection even more. According to Taha [2007] and Yan et al. [2008], a large percentage of malicious software today comes in packed form. Moreover, malware instances that apply multiple recursive layers of packers are becoming more prevalent.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

khh wrote:Does a protection suite (AVG, for example) block these viruses?
Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing.

Zeus is very difficult to detect even with up-to-date antivirus software due to being stealthy. This is the primary reason why its malware family is considered the largest botnet on the Internet: Some 3.6 million PCs are said to be infected in the U.S. alone. Security experts are advising that businesses continue to offer training to users to prevent them from clicking hostile or suspicious links in emails or on the web while also keeping up with antivirus updates. Symantec claims its Symantec Browser Protection can prevent "some infection attempts" but it remains unclear if modern antivirus software is effective at preventing all of its variants from taking root.
http://en.wikipedia.org/wiki/Zeus_(Troj ... _detection
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

khh wrote:Are tablets vulnerable as well?
Everything is vulnerable. Personally, I don't trust the maturity of tablet security enough to use one to access investment accounts. I worry about the security of app stores and about software vulnerabilities in legitimate tablet apps. I doubt tablets are more risky than PCs, but since they're not as mature, the risks aren't as well understood. I don't need to use a tablet to access my financial accounts, so I don't. If using a tablet to access my financial accounts made my life a lot easier, I'd re-think my position.

Security is all about weighing potential risks against the cost of protection. Choosing a reasonable level of caution is personal. For example, I use a dedicated PC to access investment accounts, but I use my regular laptop for bank accounts and credit cards. Why? Bank and credit card accounts have strong legal protections that make it unlikely I'd lose money if these accounts are hacked. Also, I access bank and cc accounts more frequently than investment accounts, so the hassle would be greater. Again, this is based on a very rough cost vs. benefit analysis of my personal situation. Your mileage will likely vary.

Jim
Kenkat
Posts: 9549
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: Vanguard is on the Password Hall of Shame.

Post by Kenkat »

magellan wrote:
khh wrote:Does a protection suite (AVG, for example) block these viruses?
Anti-virus tools try to detect and remove all viruses. The challenge is that they generally only detect viruses that they know about. To evade anti-virus tools, criminals create malware that's self-modifying.
There are also some very nasty rootkit viruses that anti-virus tools can detect but cannot reliably remove. My son recently had a rootkit virus on his laptop; it prevented Microsoft Security Essentials from scanning or removing it and while MalwareBytes Anti-Malware could detect it and reported removing it, it would return upon restart. I finally did a complete wipe and re-install of Win/7 from the recovery partition to get rid of it.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

A quick search on Google News shows that tens of millions are being stolen from banks by Zeus users. Yet you hear little about thefts from brokerage firms and mutual fund companies. Perhaps the fact that it's relatively difficult for a crook to extract money from a mutual fund account quickly and without detection is the reason for this. Not sure.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard is on the Password Hall of Shame.

Post by Mudpuppy »

tadamsmar wrote:A quick search on Google News shows that tens of millions are being stolen from banks by Zeus users. Yet you hear little about thefts from brokerage firms and mutual fund companies. Perhaps the fact that it's relatively difficult for a crook to extract money from a mutual fund account quickly and without detection is the reason for this. Not sure.
You have to keep in mind that if the crook got your brokerage login information from malware like Zeus, the crook also probably has your banking login information from the same malware. The crook could then use a two step process to compromise your brokerage accounts that allow withdrawals: 1) use the stolen brokerage information to initiate a transfer to the bank and 2) use the stolen bank information to initiate a wire transfer to a money mule or offshore account. Probably the only reason we haven't seen such sort of activity out of these sort of malware theft rings is there is still plentiful low-hanging fruit from just compromising the bank accounts and there's no need for such complexity.... yet.

I have to agree with others that two-factor authentication is the way to go. However, I am reluctant to use the cell phone as the second factor given how many issues there have been with smartphone malware.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Mudpuppy wrote:
tadamsmar wrote:A quick search on Google News shows that tens of millions are being stolen from banks by Zeus users. Yet you hear little about thefts from brokerage firms and mutual fund companies. Perhaps the fact that it's relatively difficult for a crook to extract money from a mutual fund account quickly and without detection is the reason for this. Not sure.
You have to keep in mind that if the crook got your brokerage login information from malware like Zeus, the crook also probably has your banking login information from the same malware. The crook could then use a two step process to compromise your brokerage accounts that allow withdrawals: 1) use the stolen brokerage information to initiate a transfer to the bank and 2) use the stolen bank information to initiate a wire transfer to a money mule or offshore account. Probably the only reason we haven't seen such sort of activity out of these sort of malware theft rings is there is still plentiful low-hanging fruit from just compromising the bank accounts and there's no need for such complexity.... yet.

I have to agree with others that two-factor authentication is the way to go. However, I am reluctant to use the cell phone as the second factor given how many issues there have been with smartphone malware.
In the case of bank transactions, you have good protection under law if you report them soon enough.

Speaking of cell phone malware, the news is reporting that $47M has been stolen in Europe by defeating two factor authentication using cell phones:

http://news.cnet.com/8301-1009_3-575574 ... customers/
Last edited by tadamsmar on Fri Dec 07, 2012 1:38 pm, edited 1 time in total.
Alex Frakt
Founder
Posts: 11589
Joined: Fri Feb 23, 2007 12:06 pm
Location: Chicago
Contact:

Re: Vanguard is on the Password Hall of Shame.

Post by Alex Frakt »

magellan wrote:I've been out of the business for a few years, but my understanding is that current best practice for financial services firms is to START with the assumption that the bad guys have the client's username and password. Then build out the security infrastructure from there.
This is what I've been trying to say. For customer accounts at financial institutions, strong passwords are nothing more than security theater. They do not protect from the primary threats these systems face today.
geekpryde
Posts: 93
Joined: Mon Jun 01, 2009 2:37 pm

Re: Vanguard is on the Password Hall of Shame.

Post by geekpryde »

Alex Frakt wrote:
magellan wrote:I've been out of the business for a few years, but my understanding is that current best practice for financial services firms is to START with the assumption that the bad guys have the client's username and password. Then build out the security infrastructure from there.
This is what I've been trying to say. For customer accounts at financial institutions, strong passwords are nothing more than security theater. They do not protect from the primary threats these systems face today.
Alex, I finally understand the gist of your previous post calling my arguments for stronger passwords a fallacy. I still don't agree with you that advocating for a stronger password policy is a waste of time, but with Magellan's wording, I get what you were trying to convey.

Even if you assume VG has every safeguard to prevent a transfer of monies out of an account, my question to you would be: Why not lock the front door and close the shades too? Locking the door on a house is basically "security theater", but it sure seems to prevent a lot of less determined thieves / voyeurs.

At this point, I'm pretty much covering the same ground, so I'll pipe down for now. 8-)
ENE703
Posts: 6
Joined: Mon Mar 17, 2008 4:43 pm
Location: Houston,TX

Re: Vanguard is on the Password Hall of Shame.

Post by ENE703 »

Whether Vanguard is on a "hall of shame" or not does not change the fact that my password is my key to my data at Vanguard.
I found the following http://xkcd.com/936/ a useful way to think about password complexity... :beer
NAVigator
Posts: 2545
Joined: Tue Feb 27, 2007 6:24 am
Location: Iowa

Re: Vanguard is on the Password Hall of Shame.

Post by NAVigator »

Three links to the same xkcd comic in the same thread means it must be a classic.

Jerry
"I was born with nothing and I have most of it left."
Topic Author
Bob.Beeman

Re: Vanguard is on the Password Hall of Shame.

Post by Bob.Beeman »

I have written a page that allows you to calculate the number of bits of entropy in a randomly chosen password with a given alphabet size and length.

The page is Here:
http://www.bee-man.us/computer/password_strength.html

More will follow.

- Bob Beeman.
Topic Author
Bob.Beeman

Re: Vanguard is on the Password Hall of Shame.

Post by Bob.Beeman »

First, I wanted to emphasize that yes, security is multi-layered, and you can't just focus on one thing (like password lengths). But there are only a few things that ordinary users can check for themselves. And if we find that these are flawed, why should that give us confidence?

tadamsmar pointed out that Vanguard probably uses legacy systems to handle certain background functions:
tadamsmar wrote:I work on a legacy system, and I know that maximum field lengths can require lots of work to increase because of the impact on display formats and on data structures and data processing that was not originally well-designed to allow such changes.
But surely Vanguard is not using the old UNIX modified DES password scheme. They must have at some point upgraded to MD5 at least, and more likely SHA-1 or better. MD5 and all the hash algorithms from then on all support input blocks of multiples of 512 bits. The algorithms would not work correctly unless you allowed for at least one block of 512 bits (64 bytes). Unless you are saying that Vanguard intentionally did a non-standard implementation of password hashes (an extremely dangerous thing to do), how could the input field be limited to 10 characters (80 bits)?

Alex Frakt has made the point several times that password security is only one layer of the security onion.
Alex Frakt wrote:
magellan wrote:I've been out of the business for a few years, but my understanding is that current best practice for financial services firms is to START with the assumption that the bad guys have the client's username and password. Then build out the security infrastructure from there.
This is what I've been trying to say. For customer accounts at financial institutions, strong passwords are nothing more than security theater. They do not protect from the primary threats these systems face today.
Alex and magellan make a good point, but one which could be easily misunderstood. Starting from the assumption that the bad guys have the client's username and password means (as I understand it) that you have to have a plan to deal with such situations. Correct.

But this could be misunderstood to mean that you don't really need passwords. Wrong.

Ask yourself if any conceivable security system could work by letting anybody just type "Alex Frakt" into a userID box and then be logged in as Alex Frakt. Obviously this would quickly become a security nightmare. Even if you could implement some undefined system that could recognize Alex Frakt's real presence (a tall order indeed), it would be overwhelmed by millions of people messing around with other people's accounts, as I think we all agree that such a system (besides being totally mysterious and therefore susceptible to mis-implementation) would be a LOT more complex than a password based scheme, and therefore consume a lot more resources.

Clearly there are some ways to defeat attacks that don't depend on password security. Years ago Siemens attacked spam directed at their domain by having hundreds (maybe thousands) of fake email addresses scattered throughout their network. These (as I understand it) were mostly emails of former employees. This is easy to do in an organization where lots of people retire, resign, or are let go. From then on any emails directed to these addresses would feed directly into the spam detection apparatus, noting the IP addresses, mailservers, source domains, addresses, and content involved. Once a few spams were detected, anyone sending any email of any kind to Siemens addresses with content or other attributes that matched received a bounce message stating that "Spammers are using your domain. Try again later." These emails were silently deleted from the system, and the recipient never saw them. This, plus other methods they used were seldom annoying, but highly effective. I NEVER got spam on my Siemens account.

Similar attacks could be launched against keystroke loggers, etc. by creating fake Vanguard accounts and leaking the UserIDs and passwords via "infected" PCs set up by Vanguard for just this purpose. Any login from anyone would be flagged as fraudulent and all available information logged. If Vanguard worked fast enough, they could trace some of them and, if the bank accounts or credit cards asking to receive money identified unambiguously, Vanguard might actually allow some of these users to withdraw money, then have them prosecuted. Many other similar schemes could exist. For example purposely polluting the databases of key loggers or doing "denial of service" attacks by thousands or millions of infected virtual computers might actually be legal. After all, the key logger programs are doing what the writers intended. Vanguard would be so sorry that they overwhelmed the key logger servers, but after all, Vanguard didn't initiate the problem. They were the "victims".

geekpryde wrote:An interesting and relevant article posted yesterday:

http://securityledger.com/new-25-gpu-mo ... n-seconds/

I assume that VG is hashing, maybe even salting. But it's just not good enough when you limit the passwords to a max 10 char size:
In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM, for example, would fall in just six minutes...
In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use - a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware
I don't really want to get into a debate on WHICH hash VG is using. But my overall point is, even if we assume VG uses one of the better encryption algorithms, password length can make all the difference in the world when it comes to how long a given password takes to crack. So, assuming someone gets ahold of say 10,000 VG accounts, who do you think they are going to spend time cracking? The 100 people with really long, really random passwords? or the 1,000 accounts they can break with rainbow tables in a matter of minutes/hours per account?

I would assume a smart hacker would spend at most an hour per account, and then if it's not cracked, have the code move on to the next account in the database. They could collect quite a few accounts with minimal effort (low hanging fruit), and completely ignore accounts like mine.

Read the article, it's very good.
Yes, it is good. Assuming that Vanguard is using SHA-1 and is not doing multiple hashing à la PBKDF2 http://en.wikipedia.org/wiki/PBKDF2, this equipment could do 63 billion SHA-1 hashes per second. If you go to my Password Strength http://www.bee-man.us/computer/password_strength page, you will see that a password consisting of 10 RANDOMLY CHOSEN lower-case letters would be cracked in 19.6 minutes for a brute-force approach with 50% probability (twice as long for 100% probability). Under the same assumptions, a 10-character random password using all 69 legal ASCII characters that are not upper-case would take 33.7 weeks. Alternatively, 13 characters, all lower-case letters, would take 34.2 weeks.

Finally, with 14 lower-case only characters this would take 17 years. 1621 years if you throw in the 10 numerical digits. A few extra characters go a lot further than short strings of weird characters.

I suspect this is the last post in this thread. I hope everyone has enjoyed it and that we have all learned a thing or two.

- Bob Beeman
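The keyspace arithmetic behind the figures in the post above, as an added example; this is not Bob Beeman's calculator or any code from the thread. Alphabet sizes are the ones the post names (26 lower-case letters, 36 with digits, 69 non-upper-case printable ASCII); the guess rate of 6.0e10 hashes per second is an assumption made here because it reproduces the post's quoted times (the post says 63 billion, which gives slightly smaller values). The "50% probability" time is half the keyspace divided by the rate, exactly as the post describes.

```python
import math

# Assumed guess rate (constructed for this example): 6.0e10 unsalted
# single-pass hashes per second, a value that reproduces the post's figures.
GUESSES_PER_SECOND = 6.0e10

# Alphabet sizes named in the thread.
ALPHABETS = {
    "lower": 26,
    "lower+digits": 36,
    "printable, no upper-case": 69,
    "all printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 86400
TIME_UNITS = [
    ("years", SECONDS_PER_YEAR),
    ("weeks", 604800.0),
    ("days", 86400.0),
    ("hours", 3600.0),
    ("minutes", 60.0),
    ("seconds", 1.0),
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password whose characters are chosen uniformly
    at random from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def crack_seconds(alphabet_size: int, length: int,
                  rate: float = GUESSES_PER_SECOND,
                  probability: float = 0.5) -> float:
    """Seconds an exhaustive search needs to reach the stated probability of
    success: probability=0.5 is half the keyspace, 1.0 is all of it."""
    return keyspace(alphabet_size, length) * probability / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in TIME_UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def table(lengths=(8, 10, 12, 13, 14)) -> list:
    """Rows of (alphabet label, length, bits, 50%-probability crack time)."""
    rows = []
    for label, size in ALPHABETS.items():
        for n in lengths:
            rows.append((label, n, round(entropy_bits(size, n), 1),
                         human_time(crack_seconds(size, n))))
    return rows


if __name__ == "__main__":
    for label, n, bits, t in table():
        print(f"{label:26} len={n:2}  {bits:5.1f} bits  {t}")
```

Running it shows the point of the post: each added character multiplies the search by the alphabet size, so going from 10 to 13 lower-case letters buys about as much as switching 10 characters from 26 to 69 symbols. The rate is the weak part of any such estimate; a salted, iterated hash (PBKDF2, bcrypt) divides the effective guess rate by the iteration count, which is why the post conditions its numbers on single-pass SHA-1.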
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: Vanguard is on the Password Hall of Shame.

Post by LadyGeek »

Agreed, as this thread is about Vanguard. Feel free to continue in Another reason why you should never reuse passwords..., where we can discuss your website compared to How Big is Your Haystack? and what constitutes a "password strength meter."
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Topic Author
Bob.Beeman

Re: Vanguard is on the Password Hall of Shame.

Post by Bob.Beeman »

Thanks ladygeek.

When set to 100% probability (a brute force search of the entire keyspace) my calculator gives answers within a few percent of the ones at https://www.grc.com/haystack.htm

- Bob Beeman.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard is on the Password Hall of Shame.

Post by tadamsmar »

Given all the tricks on this site:

http://crackstation.net/hashing-security.htm

I am not 100% convinced that Vanguard passwords are all that easy to crack via brute force. They could be using slow hashes, long individualized salt, encryption of the hashes, keyed hashes, and special hashing hardware and these would make brute force cracking harder.

Seems to me that this article does not indicate that all 10-character password hashing/encryption/keyed/specialized hardware systems are easy to crack:

http://securityledger.com/new-25-gpu-mo ... n-seconds/
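A concrete version of the "slow hash plus long individualized salt" scheme the post above points to, and of the point made earlier in the thread that a standard hash imposes no 10-character input limit. This is an added example written for this page, not code from the crackstation article or from any firm discussed here; the iteration count, salt length and storage format are choices made for the example. It uses only Python's standard library (hashlib.pbkdf2_hmac, os.urandom, hmac.compare_digest).

```python
import hashlib
import hmac
import os

# Parameters chosen for this example (not from the thread). Iteration count
# is the knob that scales the cost of every guess an attacker makes.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16          # 128-bit per-user random salt
DK_LEN = 32              # derived key length in bytes

SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'scheme$iterations$salt$hash'.

    A fresh random salt per record means two users with the same password
    get different hashes, and a precomputed (rainbow) table is useless.
    PBKDF2 accepts input of any length, so no field-size limit is implied.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(stored: str):
    """Split a stored record into (iterations, salt bytes, hash bytes)."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    iterations, salt, expected = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def effective_guess_rate(single_hash_rate: float, iterations: int) -> float:
    """Guesses per second an attacker gets against this scheme, given the
    rate at which the hardware computes one underlying hash."""
    return single_hash_rate / iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("correct horse battery stapler", record))
    # A 60-character password hashes and verifies like any other.
    long_pw = "the quick brown fox jumps over the lazy dog, 60 chars long!!"
    print("long pw  :", verify_password(long_pw, hash_password(long_pw)))
    # With the thread's 6.3e10 hashes/s figure, 100k iterations leave ~630k guesses/s.
    print("guesses/s:", effective_guess_rate(6.3e10, ITERATIONS))
```

Storing the iteration count in the record lets a site raise it later and re-hash users on their next successful login, which is how a legacy scheme gets upgraded without a flag day.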
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Vanguard is on the Password Hall of Shame.

Post by magellan »

Cyber-security reporter Brian Krebs posted on his blog today about a new botnet that's believed to be targeting investment accounts, instead of the more typical bank accounts that these criminal enterprises usually go after.

This doesn't change anything in terms of what we've been discussing in this thread, but it does drive home the point that the threat is real and probably growing.

http://krebsonsecurity.com/2012/12/new- ... ecurity%29
Brian Krebs wrote:“The last victim we documented was November 30, 2012, so it shows there has been activity subsequent to his posting,” Sherstobitoff said. “Our research indicates the operation has been in the planning stages for months.”

Sherstobitoff posits that vorVzakone most likely intended to hire botmasters who already had access to substantial numbers of login credentials for the U.S. financial institutions targeted in the scheme. As detailed in a screen shot published on this blog in early October, there are some banks you’d expect to see on the list — Bank of America, Capital One and Suntrust, for example — but many of the targets of Project Blitzkrieg are in fact investment banks, such as American Funds, Ameritrade, eTrade, Fidelity, OptionsExpress, and Schwab.
Jim
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard is on the Password Hall of Shame.

Post by Mudpuppy »

magellan wrote:Cyber-security reporter Brian Krebs posted on his blog today about a new botnet that's believed to be targeting investment accounts, instead of the more typical bank accounts that these criminal enterprises usually go after.

This doesn't change anything in terms of what we've been discussing in this thread, but it does drive home the point that the threat is real and probably growing.

http://krebsonsecurity.com/2012/12/new- ... ecurity%29
Brian Krebs wrote:“The last victim we documented was November 30, 2012, so it shows there has been activity subsequent to his posting,” Sherstobitoff said. “Our research indicates the operation has been in the planning stages for months.”

Sherstobitoff posits that vorVzakone most likely intended to hire botmasters who already had access to substantial numbers of login credentials for the U.S. financial institutions targeted in the scheme. As detailed in a screen shot published on this blog in early October, there are some banks you’d expect to see on the list — Bank of America, Capital One and Suntrust, for example — but many of the targets of Project Blitzkrieg are in fact investment banks, such as American Funds, Ameritrade, eTrade, Fidelity, OptionsExpress, and Schwab.
Jim
That botnet uses stolen credentials from keylogging malware to break into the accounts, not password cracking. It more emphasizes the previous threads on having a dedicated machine for investment purposes than anything to do with passwords. Once you have been compromised with a keylogger, it doesn't matter what the password policy is or how complex the password is, the game has already been lost.