Bogleheads.org

by **genjix** » Sat Dec 29, 2012 7:34 pm

I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Does vanguard have this type of technology? I'm worried since a majority of my investments are in vanguard.

by **umfundi** » Sat Dec 29, 2012 9:17 pm

Ask Vanguard.

I might note that my Vanguard password is not very secure, because of their password requirements.

Keith

by **kayo** » Sun Dec 30, 2012 1:15 am

genjix wrote:I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Does vanguard have this type of technology? I'm worried since a majority of my investments are in vanguard.

Using a couple of different browsers on a few different computers I logged into my Vanguard account, answered the security question(s), and selected the option that said I was not on a public computer.

Having done that, I then logged in and went to My Accounts->Account maintenance-> Security Profile/Computer Access Restrictions and selected the preference "Restrict unrecognized computers from accessing my account."

Computers crash, browsers get updated, cookies get purged, and so on. When I get down to the point that I only have two ways to get access online, then I will lift this restriction and add a few more browsers/machines to the list of recognized "computers."

This is not a panacea, but it does create one additional hurdle for fraudsters to overcome.

by **bogleblitz** » Sun Dec 30, 2012 2:12 am

I work in the security field and I think the security on all these investment sites should be the same. One of my favorite security is 2 factor authentication which requires you to put in an additional 6 digit password.

Etrade has this:
https://us.etrade.com/e/t/jumppage/view ... reid_enter

I recommend to add it to gmail as well for all accounts linked to etrade, vanguard, etc.
http://support.google.com/accounts/bin/ ... er=1066447

I personally use 2 factor authentication for work, gmail, and blizzard videogames. It is all setup on my smartphone.

by **dwang** » Sun Dec 30, 2012 8:12 pm

The Vanguard account login password allows only up to 10 characters, shorter than perhaps most of what the other secure access web sites allow. However the Vanguard security measure does include prompting the person trying to access the account to answer a security question if the login is originated from a computer that's not recognized. My understanding is that as long as one security question is answered correctly, the login will move on to the final step, the password prompt... So it does not walk through all security questions stored in place in this case.

by **1530jesup** » Sun Dec 30, 2012 9:33 pm

kayo wrote:
Having done that, I then logged in and went to My Accounts->Account maintenance-> Security Profile/Computer Access Restrictions and selected the preference "Restrict unrecognized computers from accessing my account."

Computers crash, browsers get updated, cookies get purged, and so on. When I get down to the point that I only have two ways to get access online, then I will lift this restriction and add a few more browsers/machines to the list of recognized "computers."

This is not a panacea, but it does create one additional hurdle for fraudsters to overcome.

Over the years I have used my computer while on Virtual Networks (VPN's) belonging to my clients. This seems to have resulted in Vanguard, Chase and Bank of America challenging me with security questions and in the case of Chase sending a new access code to my email address or phone number that they have on file. Both Vanguard and BoA send me email alerts when I change something in my account - such as adding a payee for pay out or security transactions. At first I felt this was an inconvenience but then realized I am better off with these financial sites challenging me and one hopes, any one else trying to hack my account. I never knew there was a restriction option on Vanguard's site.
Rich

by **FinancialDave** » Sun Dec 30, 2012 10:27 pm

genjix wrote:I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Does vanguard have this type of technology? I'm worried since a majority of my investments are in vanguard.

I think E*TRADE is much more secure and had you been using their Digital Security "key fob" it most likely would not have happened.

In fact I have both TDA and Vanguard accounts as well and neither (as far as I know) have the digital security that E*TRADE has, BUT you do have to use it.

fd

by **genjix** » Sun Dec 30, 2012 10:35 pm

1530jesup wrote:
kayo wrote:
Having done that, I then logged in and went to My Accounts->Account maintenance-> Security Profile/Computer Access Restrictions and selected the preference "Restrict unrecognized computers from accessing my account."

Computers crash, browsers get updated, cookies get purged, and so on. When I get down to the point that I only have two ways to get access online, then I will lift this restriction and add a few more browsers/machines to the list of recognized "computers."

This is not a panacea, but it does create one additional hurdle for fraudsters to overcome.

Over the years I have used my computer while on Virtual Networks (VPN's) belonging to my clients. This seems to have resulted in Vanguard, Chase and Bank of America challenging me with security questions and in the case of Chase sending a new access code to my email address or phone number that they have on file. Both Vanguard and BoA send me email alerts when I change something in my account - such as adding a payee for pay out or security transactions. At first I felt this was an inconvenience but then realized I am better off with these financial sites challenging me and one hopes, any one else trying to hack my account. I never knew there was a restriction option on Vanguard's site.
Rich

Etrade also emails you any changes, the problem was the hacker changed the email address to his email, so any changes after were going to him.

by **genjix** » Sun Dec 30, 2012 10:37 pm

FinancialDave wrote:
genjix wrote:I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Does vanguard have this type of technology? I'm worried since a majority of my investments are in vanguard.

I think E*TRADE is much more secure and had you been using their Digital Security "key fob" it most likely would not have happened.

In fact I have both TDA and Vanguard accounts as well and neither (as far as I know) have the digital security that E*TRADE has, BUT you do have to use it.

fd

yup, after this happened they sent me a digital security key. I wish vanguard had this as I dont feel even the security questions are useful, because if they have a key logger spyware installed on your computer, they can record your password and all the answers the security questions.

by **cb474** » Sun Dec 30, 2012 11:01 pm

umfundi wrote:I might note that my Vanguard password is not very secure, because of their password requirements.

I agree that Vanguard's password requirements are not very secure. I find it bizarre that they limit you to ten characters and allow no special characters. Why prevent people from having better passwords (even if some/most people won't bother)? Most web forums and free email addresses allow better passwords. It makes no sense to me to actively restrict members from deploying better security precautions, if they want to.

I questioned Vanguard about this a couple years ago and they basically just replied that they feel their security measures are adequate. It was very disappointing. (I do think I recall Vanguard saying that if someone tried to send money from my account to a new bank account or address, they would contact me at my "old" address first. So this is sort of a last point of double checking. Although if one has opted to receive mail from Vanguard electronically, I don't know if this would apply. It does seem one would always want to receive such correspondences via regular mail.)

Obviously a good password is not the end all and be all of security, since keyloggers would defeat this regardless of password complexity. But it's one element amongst many that should be there.

One simple security measure people can take (although also not a panacea) is to always quit their browser and restart it before logging into a sensitive website. This would defeat any cross site scripting type of attacks, where java script is running in the background from another site that's logging keystrokes. I think it's a good idea before logging into Vanguard or a bank site. Of course, this would not defeat a keylogger running as a virus on your system. Password managers like Roboform or Lastpass would help with this.

Also, in case people are unaware, people should not use real answers to their security questions. These can often be guessed or socially engineered. Nonsense answers are much more secure. And I would not store any emails from Vanguard or my bank in an online email account. If someone hacks your email account they now know what bank and mutual fund company you use. And if they can find your name and address in a receipt from Amazon, or something like that, they're well on their way to impersonating you. Email accounts are a treasure trove of personal information for social engineering.

Ultimately, the key fob solution, that FinancialDave mentions E*Trade (and some banks) use is probably the best solution. Not the most convenient, but how much of a risk do people want to take with their life savings?

In the end, sadly, I don't think security will get better until their is some terrible event where hundreds or thousands of people lose huge sums of money form one financial institution or another, because of lax security and it creates a scandal. And I imagine this is probably something that will happen sooner or later.

by **FinancialDave** » Sun Dec 30, 2012 11:23 pm

cb474 wrote:In the end, sadly, I don't think security will get better until their is some terrible event where hundreds or thousands of people lose huge sums of money form one financial institution or another, because of lax security and it creates a scandal. And I imagine this is probably something that will happen sooner or later.

I guess this is one reason I'm in no hurry to consolidate all my accounts - diversification in accounts is not a bad idea either.

by **umfundi** » Sun Dec 30, 2012 11:53 pm

cb474 wrote:
umfundi wrote:I might note that my Vanguard password is not very secure, because of their password requirements.

I agree that Vanguard's password requirements are not very secure. I find it bizarre that they limit you to ten characters and allow no special characters. Why prevent people from having better passwords (even if some/most people won't bother)? Most web forums and free email addresses allow better passwords. It makes no sense to me to actively restrict members from deploying better security precautions, if they want to.

Yes,

I have about a half dozen passwords that I am able to carry in my head. The most secure is an 8-digit random string of upper and lower case letters, but contains only one numeric digit. The next most secure is a six-character foreign word, upper and lower case, plus two numerics and a special character. Neither is acceptable to Vanguard, so I have devolved to a much less secure 6-character password that, yes, contains two numeric digits.

Keith

by **genjix** » Mon Dec 31, 2012 12:01 am

umfundi wrote:
cb474 wrote:
umfundi wrote:I might note that my Vanguard password is not very secure, because of their password requirements.

.

Yes,

I have about a half dozen passwords that I am able to carry in my head. The most secure is an 8-digit random string of upper and lower case letters, but contains only one numeric digit. The next most secure is a six-character foreign word, upper and lower case, plus two numerics and a special character. Neither is acceptable to Vanguard, so I have devolved to a much less secure 6-character password that, yes, contains two numeric digits.

Keith

In my case of etrade, I had a 9 character password with one of them being a capital, letter, a number and the account still got hacked.

by **Sunny Sarkar** » Mon Dec 31, 2012 12:28 am

According to http://howsecureismypassword.net/, a desktop computer would take 6 years to break the following password generated by a password generator according to Vanguard's 10 character alphanumeric only limitation: xZ42B3g5Ut

If Vanguard allowed special characters, it would take 58 years to break.
If Vanguard allowed 14 character passwords, it would take 90 million years!
If Vanguard allowed both 14 characters & special characters, 2 billion years!!

The best we can do is enforce as many of the following as possible:
1. use a truly random 10 character alphanumeric password, AND not use the same password anywhere else.
2. fudge the security question answers a little to prevent social engineering, AND enforce the security questions every login by selecting "public computer".
3. use a separate email for password recovery that is not the regular daily-use email, make sure it has a unique truly random long password, AND enforce 2-step authentication for that email.
4. use a truly random username as well, just like the password, AND not use the same username anywhere else either.
5. switch to Linux (less chance of virus or other malware), at least for logging in to important accounts like Vanguard.

Happy New Year!
-Sunny

by **Epsilon Delta** » Mon Dec 31, 2012 12:53 am

Sunny Sarkar wrote:
2. fudge the security question answers a little to prevent social engineering, AND enforce the security questions every login by selecting "public computer".

The problem with fudging the security questions is you have to remember them. The reason they (i.e. the secure site) doesn't just provide a list of 5 pairs of random words and request you memorize them is that nobody would (and many people couldn't). Yet they try to do exactly that via the back door.

The problem with enforcing security questions on every login is that if a key logger is installed on your PC a patient hacker gets the answers to all you security questions after a short time. And then they can login from any computer. If you don't enforce the security questions then they need to do more work.

by **Sunny Sarkar** » Mon Dec 31, 2012 1:22 am

Ed,

Fudging the security answers can be done by adding something before & after the actual answer.

For example:

Q: What's your mother's maiden name?
A: Jones
A (fudged): It's Jones, right?

Q: Which city were you born?
A: Smalltown
A (fudged): It's Smalltown, right?

Won't be too hard to remember the "fudge" (in italics).

p.s. Don't know what to say about the keylogger problem you wrote about. Very good point!

Happy New Year!
Sunny

by **lawman3966** » Mon Dec 31, 2012 3:29 am

cb474 wrote: I find it bizarre that they limit you to ten characters and allow no special characters. Why prevent people from having better passwords (even if some/most people won't bother)? Most web forums and free email addresses allow better passwords. It makes no sense to me to actively restrict members from deploying better security precautions, if they want to.

This comment surprises me. I have a Rollover IRA with VG, and my password is over 10 characters long and includes special characters (that is, characters other than alphanumeric ones). Perhaps the account type determines this. I would have made the same comment you did about Fidelity which did in fact limit me in the manner you indicate above.

cb474 wrote: Not the most convenient, but how much of a risk do people want to take with their life savings?

Promises of reimbursement for unauthorized use of accounts is increasingly common. Fidelity, Wells Fargo, and Ally Bank offer this promise. I have been unable to confirm whether Vanguard offers the same thing.
That said, this is a very scary thing.

by **cb474** » Mon Dec 31, 2012 5:56 am

Sunny Sarkar wrote:According to http://howsecureismypassword.net/, a desktop computer would take 6 years to break the following password generated by a password generator according to Vanguard's 10 character alphanumeric only limitation: xZ42B3g5Ut

If Vanguard allowed special characters, it would take 58 years to break.
If Vanguard allowed 14 character passwords, it would take 90 million years!
If Vanguard allowed both 14 characters & special characters, 2 billion years!!

A ten character alphanumeric password is about 46 bits. 56 bit passwords have been broken in less than a day, so I'm not sure how that website is doing its calculations that give the 6 year number. I think that website may be creating grounds for a false sense of security.

Also, if you string together two computers, you obviously cut that 6 year number in half. But malicious sophisticated hackers use bot networks, where they have infected thousands of computers with a virus that uses the computers cpu when it's idle to do whatever you want with it. So now you've turned a 6 year calculation into nothing. And you can buy bot networks on the black market, so they're already ready to go in the millions of infected computers out there.

You have to get up to about 80 bits before you get a really good password. Using all special characters, etc., the shortest truly random password that could accomplish this, would require 11 characters. With Vanguard's alphanumeric limitation, you need at leat 14 characters.

Of course, few people memorize genuinely random passwords (or would even know how to generate one). They do some number substitutions, maybe a capital letter, and really don't have a very good password for it (at best--more likey they choose some word that they think is obscure, forgetting that it's in the dictionary and trivial for a comptuer to guess in little time--or even more likely they choose something really obvious). What a longer password would allow, if Vanguard permitted it, is a random passphrase that could be very secure and much easier to memorize. This cartoon makes the point well: http://xkcd.com/936/.

In any case, if people won't use good passwords, that's one thing. Vangaurd going out of its way to prevent people form having longer passwords, to me, is inexcusable.

Sunny Sarkar wrote:The best we can do is enforce as many of the following as possible:
1. use a truly random 10 character alphanumeric password, AND not use the same password anywhere else.
2. fudge the security question answers a little to prevent social engineering, AND enforce the security questions every login by selecting "public computer".
3. use a separate email for password recovery that is not the regular daily-use email, make sure it has a unique truly random long password, AND enforce 2-step authentication for that email.
4. use a truly random username as well, just like the password, AND not use the same username anywhere else either.
5. switch to Linux (less chance of virus or other malware), at least for logging in to important accounts like Vanguard.

Yes, those are all good suggestions. Especially the point about also having a random login name. I'll bet close ot 99% of people just use some version of their actual name. A random login name essentially functions like a second password. Strangely, Vanguard allows longer login names than passwords.

I would also say that I really would not log into a bank or financial institution with a cell phone. Very little attention has been paid to security on these devices and it is just not up to snuff. I know people who work for banks who admit the cell phones and cell phone apps really do not have the security possible on the desktop. That's another scandal that I think is waiting to happen. Also, if you lose your cell phone (a fairly probable event) people have all kinds of personal information about you, access to your email, and know what bank you use, etc., if you have the app from your bank on your phone. I'm not touching cell phone banking with a ten foot poll.

by **cb474** » Mon Dec 31, 2012 5:57 am

genjix wrote:In my case of etrade, I had a 9 character password with one of them being a capital, letter, a number and the account still got hacked.

If your password was a normal word with one capital and one number, that probably was not a very strong password. Password cracking software makes obvious guesses first. A dictionary attack, trying every word in the dictionary, doesn't take a computer much time. And some number substitutions are pretty common. Of course, that assumes that Etrade lets one repeatedly enter passwords, which is probably doesn't. It seems more likely someone figured out your password by logging it somehow when you typed it in. You probalby should be seriously scanning your computer for malware. Perhaps you've already done that. Also did you use someone elses computer to log into your account? It's worth trying to think through all of the ways this might have happened, so it doesn't happen again with your new password.

by **johnep** » Mon Dec 31, 2012 9:24 am

I have not done this yet, but I have seen the suggestion of using a different browser to access your financial accounts and only use it for that purpose. I use IE9, but could use Google Chrome for financial accounts.

As for thwarting key loggers I was thinking to use an encrypted flashdrive that I would attach when needed and copy and paste the password rather than key it. Would this bypass the keylogger? I am asking, not sure. You could also use for security question answers if you get creative with these.

I am leery of password services like Lastpass because i have heard some of these have been hacked.

by **bUU** » Mon Dec 31, 2012 9:43 am

Services like LastPass don't get hacked on a regular basis. There have been a few very well-publicized incidents, no different from incidents that banks and investment houses themselves have experienced. It is incumbent on you to take appropriate action when such incidents occur, with the only difference being that you need to go through you entire vault and change all your passwords. To make that easier, LastPass and similar tools provide an easy way to come up with new passwords as secure as the services will allow. As with everything in life, it's a trade-off, a trade-off in this case between the ability to use far more secure and unique passwords than most of us have the capability of remembering ourselves, against the small risk of an incident where you'll have to take action.

by **Karamatsu** » Mon Dec 31, 2012 10:57 am

Schwab simply gives its customers a guarantee: "Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity." I'd surprised if Vanguard didn't offer the same sort of protection.

For what it's worth, though, it seems like a well-chosen 10-character alphanumeric password should be fine as long as Vanguard locks the account after a small, yet reasonable, number of unsuccessful attempts.

by **Sidney** » Mon Dec 31, 2012 11:01 am

johnep wrote:I am leery of password services like Lastpass because i have heard some of these have been hacked.

KeePass is an open-source password database that maintains the data in an encrypted file on the device of your choice.

by **jimkinny** » Mon Dec 31, 2012 11:04 am

If we are worried about someone making unauthorized transactions on our accounts, all we have to do is check for any pending orders after 4:30 PM or before 09:30 AM.

Jim

by **Sidney** » Mon Dec 31, 2012 11:06 am

jimkinny wrote:If we are worried about someone making unauthorized transactions on our accounts, all we have to do is check for any pending orders after 4:30 PM or before 09:30 AM.

Jim

That won't stop trades of things like ETFs and securities. But check often is a good thing.

by **1530jesup** » Mon Dec 31, 2012 12:36 pm

kayo wrote:
Etrade also emails you any changes, the problem was the hacker changed the email address to his email, so any changes after were going to him.

Still, when changes are made, the initial alert should go to the original contact address as well. That happened when I made changes to my accounts. And, as someone else posted, after several tries the login should get locked - but of course that usually happens to me when typing away with thickl finghers...

by **JW Nearly Retired** » Mon Dec 31, 2012 12:47 pm

genjix wrote: I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Except for having keylogger malware on your computer, I don't get how a password hacking process could work. OP said he/she had a 9-character password. I don't understand how whatever this was could be guessed. Sure, a computer could run through all possible 9-charter passwords in no time, but don't all these etrade and such accounts get locked after several incorrect passwords are entered? Where did the hacker get the password? I would worry that however the hacker stole the 9-character password will work just as well on a longer more "secure" one.

Several questions for OP........ 1) is your login name something ultrasimple like your email address? 2) Do you access your accounts from multiple computers outside your home? 3) Could anybody else know your password and/or have casual access to your computer? 4) Was the password written in a file somewhere on your computer? 5) Why didn't Etrade use the security questions the first time the hacker got in and changed your email address?
JW

by **FinancialDave** » Mon Dec 31, 2012 1:13 pm

For all the E*TRADE guys and gals PLEASE if you are at all interested in protecting your money just go to the Customer Service tab at the top of the page and select - REQUEST A DIGITAL SECURITY ID TOKEN, its free!

You will sleep better at night!

fd

by **genjix** » Mon Dec 31, 2012 1:20 pm

FinancialDave wrote:For all the E*TRADE guys and gals PLEASE if you are at all interested in protecting your money just go to the Customer Service tab at the top of the page and select - REQUEST A DIGITAL SECURITY ID TOKEN, its free!

You will sleep better at night!

fd

Yup, I got a digital security token now. its great, the random number changes every minute. I really wish vangaurd had this.

by **genjix** » Mon Dec 31, 2012 1:29 pm

JW Nearly Retired wrote:
genjix wrote: I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Except for having keylogger malware on your computer, I don't get how a password hacking process could work. OP said he/she had a 9-character password. I don't understand how whatever this was could be guessed. Sure, a computer could run through all possible 9-charter passwords in no time, but don't all these etrade and such accounts get locked after several incorrect passwords are entered? Where did the hacker get the password? I would worry that however the hacker stole the 9-character password will work just as well on a longer more "secure" one.

Several questions for OP........ 1) is your login name something ultrasimple like your email address? 2) Do you access your accounts from multiple computers outside your home? 3) Could anybody else know your password and/or have casual access to your computer? 4) Was the password written in a file somewhere on your computer? 5) Why didn't Etrade use the security questions the first time the hacker got in and changed your email address?
JW

1) is your login name something ultrasimple like your email address?
no, its a random series of letters and numbers

2) Do you access your accounts from multiple computers outside your home?
yes, i do once and a while rom work, they do have antivirus, but of course it probably doesnt catch all spyware

3) Could anybody else know your password and/or have casual access to your computer?
nope

4) Was the password written in a file somewhere on your computer?
no, i never have it saved or never choose in browser "remember this password"

5) Why didn't Etrade use the security questions the first time the hacker got in and changed your email address?
I'm not sure, etrade wanted to me verify all my computer MAC addresses. They have identified that they were using a different computer then my 2 laptops and work computer. When I called to verify my account they didnt ask the typical security questions I answered when setting up the account, they asked very detailed questions that I never answered like "where did I live in 1995" and they gave me multiple choice and 4 other questions like this.

in the end im glad it happened to my etrade and not vangaurd, as I'm not confident vangaurd has this level security system.

I'm imagining the probable scenrio was some keylogger at my work computer, since viruses can spread across networks pretty easy

by **umfundi** » Mon Dec 31, 2012 1:34 pm

they asked very detailed questions that I never answered like "where did I live in 1995" and they gave me multiple choice and 4 other questions like this

This is the kind of thing that credit bureaus ask to verify your identity. The answers are, of course, in your credit report.

Keith

by **Phineas J. Whoopee** » Mon Dec 31, 2012 1:57 pm

JW Nearly Retired wrote: ... Except for having keylogger malware on your computer, I don't get how a password hacking process could work. ...

Hi JW,

This topic was covered in the long-ish thread:
http://www.bogleheads.org/forum/viewtopic.php?f=11&t=106338

To give a very quick response to your question, which is a common one, among the attacks would be if the criminals gain access to Vanguard's computer systems by bypassing their security, and are able to find and steal the file Vanguard keeps of user IDs vs encrypted passwords.

I don't know that it has ever happened to Vanguard, but it has to plenty of others. See the linked thread for examples.

Once in possession of the user ID vs encrypted password information, the attacker at his leisure will be able to have computers try combinations until finally they hit on the correct one. Vanguard's customer user interface never enters into it. As the thief finds valid user ID / password combinations, one by one, they can log in directly, without Vanguard seeing they had to guess, and begin to wreak havoc.

Recent advances in affordable computer hardware have highly reduced the amount of time and money it takes to crack passwords in this way. The attackers also know the most commonly used passwords so they program their computers to check for those first. Using a difficult-to-crack password makes you less of an easy target. I hear the pickpocket term is "a bad mark."

Vanguard knows all this of course, and presumably goes to great lengths to protect the ID vs password file.

There are other scenarios but that's among the major ones.

PJW

by **Default User BR** » Mon Dec 31, 2012 2:32 pm

Karamatsu wrote:Schwab simply gives its customers a guarantee: "Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity." I'd surprised if Vanguard didn't offer the same sort of protection.

Prepare to be surprised, because Vanguard's policy is not like that.

https://personal.vanguard.com/us/help/SecurityOnlineFraudPledgeContent.jsp

Brian

by **tadamsmar** » Mon Dec 31, 2012 2:44 pm

There's some misinformation in this thread, Vanguard allows special characters in passwords:

viewtopic.php?p=1062144#p1062144

by **tadamsmar** » Mon Dec 31, 2012 2:51 pm

genjix wrote:I have both a vanguard and etrade account.
A month ago, my etrade account got hacked into, but their security is pretty good, so since there was a suspicious login from a different state, etrade asked 5 security questions and locked the account since they got the questions wrong. However they did manage to change the email address from an earlier time. Etrade told me the hacker attempted to add an external bank account as well.

Does vanguard have this type of technology? I'm worried since a majority of my investments are in vanguard.

Did you figure out how you were hacked? If it happened to me, I would suspect malware on my personal computer. That could mean that other account passwords were stolen.

by **JW Nearly Retired** » Mon Dec 31, 2012 3:37 pm

Phineas J. Whoopee wrote:
JW Nearly Retired wrote: ... Except for having keylogger malware on your computer, I don't get how a password hacking process could work. ...

Hi JW,

This topic was covered in the long-ish thread:
http://www.bogleheads.org/forum/viewtopic.php?f=11&t=106338

To give a very quick response to your question, which is a common one, among the attacks would be if the criminals gain access to Vanguard's computer systems by bypassing their security, and are able to find and steal the file Vanguard keeps of user IDs vs encrypted passwords.

I don't know that it has ever happened to Vanguard, but it has to plenty of others. See the linked thread for examples.

Once in possession of the user ID vs encrypted password information, the attacker at his leisure will be able to have computers try combinations until finally they hit on the correct one. Vanguard's customer user interface never enters into it. As the thief finds valid user ID / password combinations, one by one, they can log in directly, without Vanguard seeing they had to guess, and begin to wreak havoc.

PJW

Thanks PJW,
I didn't wade through the entire thread, but I can see that a longer password is better makes sense if the hacker begins with the User ID / hashed password files stolen from Vanguard/Etrade/*. Doubtful that it does much good if you have a keylogger on the computer you are using.
JW

by **Phineas J. Whoopee** » Mon Dec 31, 2012 3:51 pm

JW Nearly Retired wrote:Thanks PJW,
I didn't wade through the entire thread, but I can see that a longer password is better makes sense if the hacker begins with the User ID / hashed password files stolen from Vanguard/Etrade/*. Doubtful that it does much good if you have a keylogger on the computer you are using.
JW

Glad that was helpful. You're correct that a complex password doesn't save you from a keylogger. Anti-malware protection and two-factor authentication can help with it. There are other possible attacks to defend against in other ways, which is why computer security is hard for those involved in the nuts and bolts, and why a guarantee of reimbursement for unauthorized transactions is so important to us consumers.

PJW

by **Epsilon Delta** » Mon Dec 31, 2012 4:27 pm

jimkinny wrote:If we are worried about someone making unauthorized transactions on our accounts, all we have to do is check for any pending orders after 4:30 PM or before 09:30 AM.

Jim

I use a bank to safe guard my money so that their vault and their armed guards can protect it. It rather defeats the point if I need me to erect a wall round the bank and stand post.

by **grabiner** » Mon Dec 31, 2012 8:30 pm

1530jesup wrote:
kayo wrote:
Etrade also emails you any changes, the problem was the hacker changed the email address to his email, so any changes after were going to him.

Still, when changes are made, the initial alert should go to the original contact address as well.

And Vanguard does do this when you change your physical address; the change-of-address notice goes to both your old and new addresses, so that you will get it whether you actually moved or someone hacked your account with a new address.

It makes even more sense to do this for Email addresses, since the old Email address is unlikely to be going to someone else, while the old physical address will.

by **cb474** » Mon Dec 31, 2012 9:35 pm

umfundi wrote:
they asked very detailed questions that I never answered like "where did I live in 1995" and they gave me multiple choice and 4 other questions like this

This is the kind of thing that credit bureaus ask to verify your identity. The answers are, of course, in your credit report.

Yeah, I'm pretty sure you could buy that information on most people for a couple dollars from the online white pages sites. I don't find it reassuring if those are the back up security questions.

Default User BR wrote:
Karamatsu wrote:Schwab simply gives its customers a guarantee: "Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity." I'd surprised if Vanguard didn't offer the same sort of protection.

Prepare to be surprised, because Vanguard's policy is not like that.

https://personal.vanguard.com/us/help/SecurityOnlineFraudPledgeContent.jsp

Thanks for the link. The "responsibilities" that Vanguard requires customers to have followed, if they want to get reimbursed, seem like a lot of ways to give Vanguard an out. I suspect only a very small single digit percentage of users meet all of those criteria. It seems especially problematic when Vanguard doesn't allow customers the option of two factor authentication and longer passwords.

tadamsmar wrote:There's some misinformation in this thread, Vanguard allows special characters in passwords:

viewtopic.php?p=1062144#p1062144

Thanks for the link. That is definitely a change in policy. I communicated with Vanguard at length about this a few years ago and they definitely did not used to allow special characters. Anyway, I'm glad they changed that policy. They should be more clear on their password rules pages, however (https://personal.vanguard.com/us/help/SecuritySecurePasswordsContent.jsp), which does to specify to users that they can use special characters, let alone encourage them to do so, and makes it appear that you cannot. And they still need to get rid of the pointless ten character limit.

by **johnep** » Tue Jan 01, 2013 9:26 am

Sidney wrote:
johnep wrote:I am leery of password services like Lastpass because i have heard some of these have been hacked.

KeePass is an open-source password database that maintains the data in an encrypted file on the device of your choice.

Thanks Sidney. I will check it out.

by **Rick_29T9W** » Tue Jan 01, 2013 1:31 pm

For some time now, my password at Vanguard has included a random mixture of symbols, numbers, and upper and lower case letters. I am glad that Vanguard now allows including symbols in the password. If I am not mistaken, the maximum length is 10 characters.

A while back, I also changed my user name into a 12 character long collection of symbols, numbers, and upper and lower case letters.

One concern of mine has been that someone who knew me well enough might conceivably know the answers to the security questions. A year or two ago, an ex-convict that I know, once casually asked me a couple of questions about such minor details of my past. That had me concerned, so since then, I have fudged the answers to the security questions in a way somewhat similar to how Sunny Sarkar described. I have changed the security question answers slightly at both Vanguard, my bank, and elsewhere.

I once read that Sarah Palin's email account had been hacked, back in 2008, by looking up publicly known bigraphical details such as her high school and date of birth, and then using Yahoo's forgotten password option. That is why I have made the answers to my security questions tougher. I just need to make sure that I do not forget these not quite accurate answers.

by **tadamsmar** » Tue Jan 01, 2013 1:40 pm

Rick_29T9W wrote:For some time now, my password at Vanguard has included a random mixture of symbols, numbers, and upper and lower case letters. I am glad that Vanguard now allows including symbols in the password. If I am not mistaken, the maximum length is 10 characters.

A while back, I also changed my user name into a 12 character long collection of symbols, numbers, and upper and lower case letters.

Vanguard does allow you to include upper and lower case when you enter a password. But Vanguard does not check the case when you enter your password. So you don't need to bother with the shift key when you enter letters. Surprise!

by **ftobin** » Tue Jan 01, 2013 2:31 pm

The amount of bits of entropy (randomness) in passwords entered into a website usually does not matter much, since should be difficult to brute-force these accounts. Heavy mixtures of upper/lower/numeric/symbolic characters are desirable when an attacker has access to an encrypted database or other ciphertext they can test against, but not as much they have to login via a controlled mechanism, such as the webpage login. This is because Vanguard, controlling the login process, should easily recognize significant numbers of login failures.

If Vanguard's backend database was compromised, and the passwords are stored in ciphertext, that the attacker needs to brute-force, that's another story, but Vanguard themselves are clearly at a great fault in this situation, instead of the user.

As bogleblitz noted, 2-factor authentication is by far very desirable, and I'm surprised more financial sites haven't moved to it. I have it enabled for Google, PayPal, and Ebay. Treasury Direct has it by default. Accessing my work systems remotely also requires 2-factor authentication.

by **Phineas J. Whoopee** » Wed Jan 02, 2013 9:54 pm

ftobin wrote: ... As bogleblitz noted, 2-factor authentication is by far very desirable, and I'm surprised more financial sites haven't moved to it. I have it enabled for Google, PayPal, and Ebay. Treasury Direct has it by default. Accessing my work systems remotely also requires 2-factor authentication.

Hi ftobin,

Treasury Direct used to have two-factor authentication, when they challenged your possession of the matrix card. Today it is most certainly not two-factor. The factors are: something you know (like your email provider and password); something you have (like the former matrix card); and something you are (like a retina scan).

http://en.wikipedia.org/wiki/Two-factor_authentication

Today it is only something you know. Granted, it's two things you know, but still only one of the factors.

I think I'm in the minority (at least based on how many people used to be vocal on this forum in complaining about Treasury Direct's good security practices while simultaneously complaining about their restricted reimbursement policy), but I would like the access card back.

PJW

by **ftobin** » Wed Jan 02, 2013 10:40 pm

Phineas J. Whoopee wrote:Treasury Direct used to have two-factor authentication, when they challenged your possession of the matrix card. Today it is most certainly not two-factor. The factors are: something you know (like your email provider and password); something you have (like the former matrix card); and something you are (like a retina scan).

http://en.wikipedia.org/wiki/Two-factor_authentication

Today it is only something you know. Granted, it's two things you know, but still only one of the factors.

Thanks for the heads-up -- I didn't realize e-mail wouldn't qualify as a separate factor. I'm surprised that the sort of multi-channel authentication that Treasury Direct uses doesn't have a specific name, though, since while it isn't as good as multifactor, it is significantly much better than a single password.

I'll point out that if your email has two-factor authentication, your Treasury Direct account does too :)

by **Phineas J. Whoopee** » Wed Jan 02, 2013 10:50 pm

ftobin wrote: ... I'll point out that if your email has two-factor authentication, your Treasury Direct account does too

Hoist with my own petard!

by **Sunny Sarkar** » Wed Jan 02, 2013 10:57 pm

Link to Vanguard's security page...

https://personal.vanguard.com/us/help/S ... ontent.jsp

by **cb474** » Thu Jan 03, 2013 5:58 am

tadamsmar wrote:Vanguard does allow you to include upper and lower case when you enter a password. But Vanguard does not check the case when you enter your password. So you don't need to bother with the shift key when you enter letters. Surprise!

Holy cow, you're right. That is so dumb. It's like Vanguard is going out of their way to prevent people from having good passwords. I just don't get it, given how common place longer passwords, capitals, etc., are on the most basic email account.

by **tadamsmar** » Thu Jan 03, 2013 9:10 am

Phineas J. Whoopee wrote:I think I'm in the minority (at least based on how many people used to be vocal on this forum in complaining about Treasury Direct's good security practices while simultaneously complaining about their restricted reimbursement policy), but I would like the access card back.

Does Treasury Direct reimburse losses due to online fraud? TSP (the federal "401k") famously refused to reimburse some losses due to online theft, I have always assumed Treasury Direct would not reimburse. Do you know their policy?

PS: TSP did eliminate online withdrawals and that made theft harder.

Who is online