How real is cyber risk?

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Mon Sep 17, 2018 8:57 am

3-20Characters wrote:
Mon Sep 17, 2018 8:53 am
damjam wrote:
Mon Sep 17, 2018 8:48 am
3-20Characters wrote:
Mon Sep 17, 2018 6:15 am
damjam wrote:
Mon Sep 17, 2018 4:05 am
Although I greatly appreciate what all of you have contributed to this thread and other threads, I think you guys have given me a headache.

I really wish someone could explain to me what is a reasonable course of action.

I have a tech person who is willing to help me (a former UNIX administrator), but personal cyber security is not his area of expertise.

Honestly I'm beginning to see why most people don't even bother to try to get this right.
— Use a strong, unique password for each site and store passwords in a password manager.
— Use 2FA.
— For security questions, instead of giving the correct answer (first car is a Mustang), give an answer that doesn't make sense and only you would know, like lollipop.
— Use a strong passcode on your computer and other devices.
— Keep all your devices updated (latest OS).
— Do not click on email links, and if you do, never enter your password into a site you clicked through to from an email.
— Be mighty suspicious of any file you download.
— If you're worried about viruses, use antivirus software.

If you do all these, you’ll be way ahead of most people.
Thank you for responding to my early morning plaintive cry.

I see you fail to mention a password manager. Is that because you think they're a bad idea?

Here's my difficulty around not using a password manager: I really am terrible at coming up with passwords. Also I simply have too many accounts to manage with paper and pencil efficiently. I suppose if I imagine a gun to my head, I could do it. But it's more annoyance/inconvenience than I'd like to endure, especially if it's not really necessary.

To those of you who strongly believe that a password manager is not worth the risk, what do you suggest?
I DO, STRONGLY recommend a password manager. See bullet point #1.
:beer
OOPs :oops:
Not enough sleep last night. Too worried about cyber Armageddon. :beer

But I'll still pose my question to the others who disagree. If no password manager, what do you suggest?

TimeRunner
Posts: 1388
Joined: Sat Dec 29, 2012 9:23 pm

Re: How real is cyber risk?

Post by TimeRunner » Mon Sep 17, 2018 9:53 am

damjam wrote:
Mon Sep 17, 2018 8:57 am
OOPs :oops:
Not enough sleep last night. Too worried about cyber Armageddon. :beer
Most password managers will generate complex passwords for you, so you don't have to make them up yourself, then they will store the password for you and make it available during the login process. You will never (almost) have to actually type that password manually. Download a password manager such as LastPass and give it a try. "Every journey begins with a single step." — Lao Tzu
"...There're just so many summers, and just so many springs." -Don Henley "What'd ya expect in an opera, a happy ending?" -Bugs Bunny
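What a manager's generator actually does is draw each character uniformly from a fixed alphabet using the operating system's cryptographic random source, so the strength of the result is just length times log2(alphabet size). The following is an added illustration, not code from any password manager or from the post above; the word list and the 10-billion-guesses-per-second offline cracking rate are constructed assumptions for the arithmetic.

```python
import math
import secrets
import string

# The alphabet most generators offer by default: letters, digits and punctuation (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed tiny word list standing in for a manager's passphrase dictionary
# (real ones have several thousand entries; entropy per word is log2 of the list size).
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose symbols are chosen uniformly and independently."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type on a phone or TV remote than 20 symbols,
    with entropy of words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at an assumed offline guess rate
    (1e10/s is a constructed figure for a GPU rig against a fast hash)."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(FULL_ALPHABET), 20):.1f} bits")
    print(generate_passphrase(6), f"{entropy_bits(len(WORDLIST), 6):.1f} bits")
    print(f"{years_to_crack(entropy_bits(len(FULL_ALPHABET), 20)):.3g} years")
```

The entropy figure only holds when the user does not "fix up" the generated output; editing it to something memorable collapses it back to the space of things people choose, which is exactly what the cracking dictionaries model.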

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: How real is cyber risk?

Post by SpaethCo » Mon Sep 17, 2018 10:32 am

damjam wrote:
Mon Sep 17, 2018 8:57 am
But I'll still pose my question to the others who disagree. If no password manager, what do you suggest?
There are strong parallels between investing and IT security.

On this forum I've seen this quote a few times: "The greatest enemy of a good plan is the dream of a perfect plan."

There are countless arguments against password managers calling out the previously identified bugs and exploits, but that's like saying we should never invest because markets have crashed before.

Even if you take the nightmare scenario like what happened with Lastpass, where an attacker was able to gain access to the systems hosting their cloud-based password vault, still 3 years after the fact there has been no evidence that vaults were able to be compromised and data extracted. For all the problems these products have had, the vast majority have been serious but not catastrophic. At this point, even if the Lastpass vaults were able to be decoded, anyone who had a vault in 2015 would have had the last 3 years to change all their passwords making the contents of the vaults largely useless.

Investing in the market can be risky for your long term financial health. Not investing in the market can be even riskier for your long term financial health.

Similarly, using a password manager is a risk. Not using a password manager leads to solutions that are often far riskier.

The IT security community is great at pointing out all the security pitfalls of every aspect of technology. On the one hand, this is good because it leads to these exploits being patched or otherwise remediated over time. The downside is the noise we generate distracts people from sticking with solutions that exponentially increase their security because we poke at all the ways they are imperfect.

Browser-integrated password managers solve far more security problems than they create. They're the airbag and seatbelt system of online authentication. Far from perfect, but still far more likely than not to save your life.

tadamsmar
Posts: 7782
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar » Mon Sep 17, 2018 6:43 pm

evestor wrote:
Sun Sep 16, 2018 2:47 pm
tadamsmar wrote:
Sat Sep 15, 2018 7:08 am
damjam wrote:
Fri Sep 14, 2018 6:36 pm
tadamsmar wrote:
Fri Sep 14, 2018 5:19 pm
For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
I found this requirement from Vanguard interesting:
Don't store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.
I suppose they don't intend us to use password managers then?
If you follow the informational links from the fraud pledge page, get to a page that says that you are not supposed to store your password unencrypted on your computer:

https://investor.vanguard.com/security/credentials

I guess that means encrypted is OK. But, interpreting the fraud pledge has always been a guessing game!

The pledge used to imply that not sharing your password was one of your responsibilities required for the reimbursement guarantee. Now it just states that all shared-password transactions are considered to be authorized by you. A good clarification for the many clients that share passwords with their spouses.
The threat model of the OS is not such that encrypting your credentials locally moves the needle anyway.
iOS is probably the only exception, as the sandboxing track record, while imperfect, is awfully good over the last 10 years.

That said, on some level this is all a fool's errand. If a bad guy gets on your computer they own everything on your computer. It is not a matter of if but rather when this happens.
Note that you can get hacked and still be made whole by Vanguard. The idea is to strive to meet a standard. Striving to be unhackable is perhaps an impossible standard. But you can of course exceed Vanguard’s standard.

I think it would be a bad idea to do a bunch of stuff and fail to meet Vanguard’s standards.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 12:58 am

tadamsmar wrote:
Mon Sep 17, 2018 6:43 pm
Note that you can get hacked and still be made whole by Vanguard. The idea is to strive to meet a standard. Striving to be unhackable is perhaps an impossible standard. But you can of course exceed Vanguard’s standard.

I think it would be a bad idea to do a bunch of stuff and fail to meet Vanguard’s standards.
I would not care *at all* about this problem if Vanguard et al. would 100% stand behind me if I got hacked. Security problems should not be tackled for fun. This is only if required.
The challenge is that the fin institutions are not clear on where their liability ends and yours begins.
The second this changes my position changes entirely. If they take on the risk, I'm done worrying about this problem.

Eventually this will get sorted out in court.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 1:06 am

SpaethCo wrote:
Mon Sep 17, 2018 10:32 am
Similarly, using a password manager is a risk. Not using a password manager leads to solutions that are often far riskier.

The IT security community is great at pointing out all the security pitfalls of every aspect of technology. On the one hand, this is good because it leads to these exploits being patched or otherwise remediated over time. The downside is the noise we generate distracts people from sticking with solutions that exponentially increase their security because we poke at all the ways they are imperfect.

Browser-integrated password managers solve far more security problems than they create. They're the airbag and seatbelt system of online authentication. Far from perfect, but still far more likely than not to save your life.
There's no question that if the choice is password manager or something worse, password manager is the winner.

Sadly the industry of which I am a part has not done a good job educating users about real world trade-offs here.
I argue that doing better is attainable and required to be fully responsible in this day and age. Going as far as I go is probably not required (how many among us want to use dedicated devices for financial transactions?). But going further than picking good passwords is.
The corollary to your analogy is that just because you have an airbag and wear a seat belt does not mean you can drive recklessly on the freeway.
An apt analogy might be...why do football players get more head injuries than rugby players when football players wear helmets & thick pads while rugby players do not? (This is a reach for me, I don't really watch any professional sports at all :D :D :D )

As was commented on in another fork of this thread, a real problem here is that financial institutions have been non-committal in how much liability they will bear when the worst happens. Nor have they done much to help users help themselves. This is a large part of the problem we're discussing. Consolidating this risk would help.

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: How real is cyber risk?

Post by pokebowl » Tue Sep 18, 2018 2:49 am

I'd argue the main realistic infosec risk end users face is phishing. I've parroted this response on several of the 2FA token threads, but complex passwords, OTP tokens or password managers won't protect you against common financial phishing attacks, specifically what is known as time of use phishing. Phishing in this context doesn't just mean a spoofed email, it can also come in the form of SEO spamdexing websites, malvertising, etc. Hardware 2FA is the best approach here to mitigate that type of risk if you so choose.
There is nothing more expensive than something offered for free.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 2:52 am

pokebowl wrote:
Tue Sep 18, 2018 2:49 am
I'd argue the main realistic infosec risk end users face is phishing. I've parroted this response on several of the 2FA token threads, but complex passwords, OTP tokens or password managers won't protect you against common financial phishing attacks, specifically what is known as time of use phishing. Phishing in this context doesn't just mean a spoofed email, it can also come in the form of SEO spamdexing websites, malvertising, etc. Hardware 2FA is the best approach here to mitigate that type of risk if you so choose.
I agree. I am a huge fan of yubikey or similar. I use them everywhere I can.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 6:44 am

evestor wrote:
Tue Sep 18, 2018 2:52 am
pokebowl wrote:
Tue Sep 18, 2018 2:49 am
I'd argue the main realistic infosec risk end users face is phishing. I've parroted this response on several of the 2FA token threads, but complex passwords, OTP tokens or password managers won't protect you against common financial phishing attacks, specifically what is known as time of use phishing. Phishing in this context doesn't just mean a spoofed email, it can also come in the form of SEO spamdexing websites, malvertising, etc. Hardware 2FA is the best approach here to mitigate that type of risk if you so choose.
I agree. I am a huge fan of yubikey or similar. I use them everywhere I can.
OK, you guys and others have successfully explained this stuff and convinced me to make a few changes.

Regretfully I think I'll have to walk back a few things I've been recently doing for convenience. Being ignorant of the risks allowed me to become a bit sloppy.

One of those conveniences being banking by phone. It's really quick and easy to do many things this way but the biggest for me is depositing checks. No branch visit required. However...
Early in the thread Victoria F pointed this issue out
The cyber risk depends on how you use your smart phone. Is it a Single Point of Failure?

Some of the most common exploits are triggered by phishing. People know, in general, not to click on links. But people forget about it when the topic is exciting or the sender is trustworthy. And so attackers send messages with irresistible subjects and impersonate trusted sources. It's more tempting to click a link in a text message that comes over a small-screen device than to click a link in email viewed on a large-screen device.

All your financial accounts and primary email accounts must be configured for 2-Factor Authentication, and you must make sure that your two factors are entered over different devices. You don't want someone to penetrate your smartphone and gain access to both of your factors.

And of course, you should use different complex passwords on all your critical accounts.

Victoria
If you want to follow that advice, and I do, it eliminates banking by phone as far as I can tell. I don't see how you can login to the app and then use a second factor without also entering that into the phone. (Assuming your bank even offers 2FA, which some (many?) don't).
So with a tear in my eye I say adieu to my banking app. :wink:
But I'm holding on tight to my new password manager - one that works with a security key. 8-)
Thank you for your posts.
damjam

Call_Me_Op
Posts: 7029
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: How real is cyber risk?

Post by Call_Me_Op » Tue Sep 18, 2018 7:24 am

I assume that most of the password managers allow you to cut and paste the password. This seems like a good feature to prevent keyloggers from getting the password, but you also need to remember to delete the password from the cut-and-paste buffer.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 7:46 am

Call_Me_Op wrote:
Tue Sep 18, 2018 7:24 am
I assume that most of the password managers allow you to cut and paste the password. This seems like a good feature to prevent keyloggers from getting the password, but you also need to remember to delete the password from the cut-and-paste buffer.
Password managers typically clear the clipboard automatically. I think KeePass did it in 30 seconds or something like that.
But in computing time 30 seconds is an eternity. I imagine there is some type of malware that can capture clipboard data with ease - although that's just a guess on my part. I believe 2FA might protect you in this type of situation, depending on all the specifics - what type of 2FA, etc.

As an aside, another poster possibly on one of the other threads re cyber security, pointed out that cut and paste is not the best method to use from a user behavior standpoint. Password managers such as LastPass can identify URLs and autofill your login info if you land on the correct page, rather than have you cut and paste. This provides some measure of protection if you've been misdirected to a malicious page because the password manager will not recognize the URL and not autofill, hopefully that will be a warning sign to the user.

Edited for clarification.
Last edited by damjam on Tue Sep 18, 2018 8:05 am, edited 1 time in total.
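The autofill point in the post above is worth making concrete: the manager only offers a login when the page's origin matches the saved entry, and that comparison is where lookalike domains fail. The following is an added example, not code from LastPass, KeePass or any other product; the vault entries, attacker hostnames and the `xn--` punycode guard are constructed for illustration (real managers also consult the public suffix list, which this skips).

```python
from urllib.parse import urlsplit

# Constructed vault: site domain the login was saved for -> credentials.
VAULT = {
    "vanguard.com": {"username": "damjam", "password": "generated-placeholder"},
    "example-bank.com": {"username": "damjam", "password": "another-placeholder"},
}


def scheme_and_host(url: str):
    """Browser-style split; .hostname drops any user@ prefix and port and lowercases."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def matching_entry(url: str, vault=VAULT):
    """Return the vault domain whose login may be offered on this page, or None.

    Matches the exact domain or a subdomain on a dot boundary, so
    'investor.vanguard.com' matches 'vanguard.com' while
    'vanguard.com.evil.example' and 'secure-vanguard.com' do not."""
    scheme, host = scheme_and_host(url)
    if scheme != "https":
        return None  # never hand a password to a cleartext page
    if host.startswith("xn--") or ".xn--" in host:
        return None  # internationalised-domain lookalike guard (simplified)
    for domain in vault:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def credentials_for(url: str, vault=VAULT):
    """What an autofill prompt would offer; None means 'no match', the warning sign."""
    domain = matching_entry(url, vault)
    return None if domain is None else vault[domain]


if __name__ == "__main__":
    for candidate in [
        "https://investor.vanguard.com/my-account/login",
        "https://vanguard.com.account-verify.example/login",   # constructed phishing host
        "https://secure-vanguard.com/login",                   # constructed phishing host
        "https://investor.vanguard.com@evil.example/login",    # userinfo trick
        "http://investor.vanguard.com/login",                  # no TLS
    ]:
        print(candidate, "->", matching_entry(candidate))
```

The user-visible behaviour is the useful part: a login page that the manager refuses to fill should be treated as suspect, not worked around by copying the password out of the vault by hand, which would reintroduce exactly the clipboard exposure discussed above.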

tadamsmar
Posts: 7782
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar » Tue Sep 18, 2018 7:56 am

evestor wrote:
Tue Sep 18, 2018 12:58 am
tadamsmar wrote:
Mon Sep 17, 2018 6:43 pm
Note that you can get hacked and still be made whole by Vanguard. The idea is to strive to meet a standard. Striving to be unhackable is perhaps an impossible standard. But you can of course exceed Vanguard’s standard.

I think it would be a bad idea to do a bunch of stuff and fail to meet Vanguard’s standards.
I would not care *at all* about this problem if Vanguard et al. would 100% stand behind me if I got hacked. Security problems should not be tackled for fun. This is only if required.
The challenge is that the fin institutions are not clear on where their liability ends and yours begins.
The second this changes my position changes entirely. If they take on the risk, I'm done worrying about this problem.

Eventually this will get sorted out in court.
You are right, the institutions are not clear.

I’m not sure it’s properly called “their liability”. They are pledging to reimburse you if you’re not negligent.

Some think it's a PR issue. If they don't reimburse then they get bad press, assuming your security practices are not awful. They would lose customers.

The closest thing to a court case that I know of involves banks and small business accounts. These accounts have traditionally had close to zero protection. But there was a case where a judge ruled that the bank should have detected a hack. I did not follow the case closely enough to know if it held in all appeals courts.

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: How real is cyber risk?

Post by pokebowl » Tue Sep 18, 2018 8:31 am

damjam wrote:
Tue Sep 18, 2018 6:44 am

One of those conveniences being banking by phone. It's really quick and easy to do many things this way but the biggest for me is depositing checks.
Check depositing via mobile is not necessarily a bad thing however. I would just ensure if using your mobile fancy thinking device for banking, you enable some sort of PIN/Pass on the phone and can confirm how both your phone and your banking app encrypts your session or data stored. The PIN/Pass depending on model will also ensure data encryption as well as being a barrier to access.

This isn't so much of a problem now, but many moons ago, early smartphones used to not take data security seriously. As one of my former jobs involved mobile forensics it made my life easier, but from a privacy standpoint probably would make your hair stand up.
Call_Me_Op wrote:
Tue Sep 18, 2018 7:24 am
I assume that most of the password managers allow you to cut and paste the password. This seems like a good feature to prevent keyloggers from getting the password, but you also need to remember to delete the password from the cut-and-paste buffer.
If you fell for a time of use phishing attack, unfortunately you still provided that password to a phishing site/attacker who simply forwarded it on your behalf to your financial broker and logged right in. This isn't an in-theory attack; these were quite common in 2017 against crypto exchanges and took only minutes to withdraw funds. A hardware token compatible with FIDO/U2F would be your best option here. Vanguard supports it, Google recommends it for their own employees, and hopefully more major providers will allow it going forward as adoption catches on.
There is nothing more expensive than something offered for free.
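The two posts above from pokebowl make the same point from different angles: a one-time code is valid wherever it is typed, so a relay site can forward it in real time, whereas a U2F/FIDO assertion is computed over the origin the browser is actually on and with a credential bound to that origin. The following is an added model written for this page, not Yubico's or Vanguard's code: the HOTP function follows RFC 4226, but the authenticator substitutes per-origin HMAC keys for the real protocol's ECDSA key pairs so that both defenses can be shown without a crypto library, and the phishing origin is a constructed name.

```python
import hashlib
import hmac
import os
import struct

# Constructed origins for the walk-through; the attacker host is hypothetical.
REAL_ORIGIN = "https://investor.vanguard.com"
PHISH_ORIGIN = "https://investor-vanguard-login.example"


def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits.
    TOTP is the same with counter = floor(unix_time / 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpRelyingParty:
    """Server side of password + OTP login. Nothing here knows where the code was typed."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.counter = 0

    def login(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp_code(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok


def relay_otp_phish() -> bool:
    """Time-of-use phishing against OTP: the victim types the current code into the fake
    page and the attacker forwards it to the real site before it expires."""
    secret = os.urandom(20)
    rp = OtpRelyingParty(secret)
    code_typed_into_phish_page = hotp_code(secret, rp.counter)  # victim's token output
    return rp.login(code_typed_into_phish_page)  # attacker replays it: accepted


class Authenticator:
    """Model of a U2F token: one credential per origin, derived from a master secret.
    (Real tokens use per-credential ECDSA key pairs; HMAC stands in for the signature.)"""

    def __init__(self):
        self.master = os.urandom(32)

    def key_for(self, origin: str) -> bytes:
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin_seen_by_browser: str, challenge: bytes):
        # The browser, not the web page, supplies the origin, so a phishing page
        # cannot claim to be the real site here.
        client_data = origin_seen_by_browser.encode() + b"|" + challenge
        sig = hmac.new(self.key_for(origin_seen_by_browser), client_data, hashlib.sha256).digest()
        return client_data, sig


class FidoRelyingParty:
    def __init__(self, origin: str, credential_key: bytes):
        self.origin = origin
        self.key = credential_key  # stands in for the public key stored at registration
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def login(self, client_data: bytes, sig: bytes) -> bool:
        origin, _, challenge = client_data.partition(b"|")
        if origin.decode() != self.origin:  # defense 1: origin is inside the signed data
            return False
        if challenge not in self.pending:  # fresh challenge only, no replay
            return False
        self.pending.discard(challenge)
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)  # defense 2: credential is origin-specific


def legit_fido_login() -> bool:
    token = Authenticator()
    rp = FidoRelyingParty(REAL_ORIGIN, token.key_for(REAL_ORIGIN))
    client_data, sig = token.sign(REAL_ORIGIN, rp.new_challenge())
    return rp.login(client_data, sig)


def relay_fido_phish() -> bool:
    """Same relay as relay_otp_phish: attacker fetches a real challenge, the victim's
    browser on the phishing origin passes it to the token, attacker forwards the result."""
    token = Authenticator()
    rp = FidoRelyingParty(REAL_ORIGIN, token.key_for(REAL_ORIGIN))
    challenge = rp.new_challenge()  # attacker obtains it from the real login page
    client_data, sig = token.sign(PHISH_ORIGIN, challenge)  # browser is on the phishing page
    return rp.login(client_data, sig)  # rejected: wrong origin, and wrong key anyway
```

The model also shows why the SMS or voice fallback discussed later in the thread matters: the origin binding protects only the path that uses the key, so an attacker who can steer the login to a code-based fallback is back in the `relay_otp_phish` situation.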

rich126
Posts: 130
Joined: Thu Mar 01, 2018 4:56 pm

Re: How real is cyber risk?

Post by rich126 » Tue Sep 18, 2018 8:58 am

Unfortunately dealing with passwords is a really big PITA. You can start with the fact that a complex password is very important, especially having a long, non-dictionary word. You want something that isn't already pre-computed in rainbow tables. Let's assume someone creates a nice 20 character password with special characters in it. Now the person has to remember it. Using a password manager makes it a bit easier. Unfortunately that only solves the desktop/laptop computer password issues.

No one wants to go around trying to type long passwords on a phone. Now I think I just read that the newer version of iOS will allow password managers to auto fill passwords. If that is true and applies to web pages as well as apps on the phone, that would really help out. It is highly frustrating while on the road, especially internationally where you don't have access to anything but a phone, trying to type in correctly a long password while in a rush.

Of course it doesn't help much with passwords you have to enter for things running on a tv (netflix, amazon, etc.) where you have to manually enter in a user name and then a long password with nothing but a remote control moving a cursor around a keyboard on a screen.

Also the whole SMS thing is potentially a huge annoyance while traveling because you may need to get to a web site to do something but you may not have cell service so how do you easily complete the task you want to do? Microsoft Hotmail was horrible when I was traveling a few years ago because it kept telling me I was out of the country and it wanted multiple authentication. Well that would have been fine once, but every time I logged on it was as if it couldn't understand I was on the road. Whereas gmail asked once, and then didn't bother me. (And I don't use hotmail for much of anything anymore.)

Sadly companies aren't held financially responsible for security (sure they get some bad press) so the burden keeps falling on the user. And the stupid free credit monitoring companies give you when things are hacked is essentially worthless.

Like a lot of things in life, it is another annoying hassle.

jainn
Posts: 256
Joined: Tue Jun 28, 2011 6:41 pm

Re: How real is cyber risk?

Post by jainn » Tue Sep 18, 2018 9:05 am

AIG Fraud SafeGuard coverage add-on to homeowners insurance.
https://halcyonuw.com/Home/Pdf?path=Aig ... ochure.pdf


AIG has another product called Family CyberEdge
https://www-200.aigprivateclient.com/in ... e-coverage


Last edited by jainn on Tue Sep 18, 2018 9:07 am, edited 1 time in total.

JBTX
Posts: 4043
Joined: Wed Jul 26, 2017 12:46 pm

Re: How real is cyber risk?

Post by JBTX » Tue Sep 18, 2018 9:06 am

The other day I received an email with a Bank of America logo, saying account will be locked because of missing or incorrect information, and I should contact customer service, or click onto a link in the email and sign in. It was really well designed, and I am sure others will probably fall for it.

jkrm
Posts: 55
Joined: Wed Oct 08, 2008 8:20 am

Re: How real is cyber risk?

Post by jkrm » Tue Sep 18, 2018 9:12 am

I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 9:23 am

pokebowl wrote:
Tue Sep 18, 2018 8:31 am
damjam wrote:
Tue Sep 18, 2018 6:44 am

One of those conveniences being banking by phone. It's really quick and easy to do many things this way but the biggest for me is depositing checks.
Check depositing via mobile is not necessarily a bad thing however. I would just ensure if using your mobile fancy thinking device for banking, you enable some sort of PIN/Pass on the phone and can confirm how both your phone and your banking app encrypts your session or data stored. The PIN/Pass depending on model will also ensure data encryption as well as being a barrier to access.
That's interesting. I really need to understand the underlying tech, but as of now I do not. Right now I probably know just enough to make me dangerous - to myself mostly. At the moment I'm going to make as conservative a set up as practicable and possibly add more convenience as I understand more fully.

As for
jkrm wrote:
Tue Sep 18, 2018 9:12 am
I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
I believe it was pokebowl who proposed the "nuclear option" in some other thread some time back re Vanguard access. That being locking your access to one known device. Although your system (to my untrained ears) sounds good as well.

Poor implementation of security keys as 2FA is a major pet peeve of mine. I worry that these mixed up half measures that firms are taking (ie using SMS as a recovery method), will hobble adoption of security keys to a critical degree.
Last edited by damjam on Tue Sep 18, 2018 9:38 am, edited 3 times in total.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 9:27 am

jainn wrote:
Tue Sep 18, 2018 9:05 am
AIG Fraud SafeGuard coverage add-on to homeowners insurance.
https://halcyonuw.com/Home/Pdf?path=Aig ... ochure.pdf


AIG has another product called Family CyberEdge
https://www-200.aigprivateclient.com/in ... e-coverage


CyberEdge sounds fantastic, especially for those with caregivers and other staff entering the home. Wonder how high the premium would be.

JBTX
Posts: 4043
Joined: Wed Jul 26, 2017 12:46 pm

Re: How real is cyber risk?

Post by JBTX » Tue Sep 18, 2018 9:37 am

jkrm wrote:
Tue Sep 18, 2018 9:12 am
I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
That seems like a clever work around.

Seems to me there is no incremental value to the Yubikey - it is only as good as whatever backup is set up.

JBTX
Posts: 4043
Joined: Wed Jul 26, 2017 12:46 pm

Re: How real is cyber risk?

Post by JBTX » Tue Sep 18, 2018 9:38 am

damjam wrote:
Tue Sep 18, 2018 9:23 am
pokebowl wrote:
Tue Sep 18, 2018 8:31 am
damjam wrote:
Tue Sep 18, 2018 6:44 am

One of those conveniences being banking by phone. It's really quick and easy to do many things this way but the biggest for me is depositing checks.
Check depositing via mobile is not necessarily a bad thing however. I would just ensure if using your mobile fancy thinking device for banking, you enable some sort of PIN/Pass on the phone and can confirm how both your phone and your banking app encrypts your session or data stored. The PIN/Pass depending on model will also ensure data encryption as well as being a barrier to access.
That's interesting. I really need to understand the underlying tech, but as of now I do not. Right now I probably know just enough to make me dangerous - to myself mostly. At the moment I'm going to make as conservative a set up as practicable and possibly add more convenience as I understand more fully.

As for
jkrm wrote:
Tue Sep 18, 2018 9:12 am
I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
I believe it was pokebowl who proposed the "nuclear option" in some other thread some time back re Vanguard access. That being locking your access to one known device. Although your system (to my untrained ears) sounds good as well.

Poor implementation of security keys as 2FA is a major pet peeve of mine. I worry that these mixed-up half measures that firms are taking (i.e. using SMS as a recovery method) will hobble adoption to a critical degree.
That seems like a really bad idea. Computers crash and die sometimes. What happens then?

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 9:41 am

JBTX wrote:
Tue Sep 18, 2018 9:38 am
damjam wrote:
Tue Sep 18, 2018 9:23 am
pokebowl wrote:
Tue Sep 18, 2018 8:31 am
damjam wrote:
Tue Sep 18, 2018 6:44 am

One of those conveniences being banking by phone. It's really quick and easy to do many things this way but the biggest for me is depositing checks.
Check depositing via mobile is not necessarily a bad thing however. I would just ensure if using your mobile fancy thinking device for banking, you enable some sort of PIN/Pass on the phone and can confirm how both your phone and your banking app encrypts your session or data stored. The PIN/Pass depending on model will also ensure data encryption as well as being a barrier to access.
That's interesting. I really need to understand the underlying tech, but as of now I do not. Right now I probably know just enough to make me dangerous - to myself mostly. At the moment I'm going to make as conservative a setup as practicable and possibly add more convenience as I understand more fully.

As for
jkrm wrote:
Tue Sep 18, 2018 9:12 am
I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
I believe it was pokebowl who proposed the "nuclear option" in some other thread some time back re Vanguard access. That being locking your access to one known device. Although your system (to my untrained ears) sounds good as well.

Poor implementation of security keys as 2FA is a major pet peeve of mine. I worry that these mixed-up half measures that firms are taking (i.e. using SMS as a recovery method) will hobble adoption to a critical degree.
That seems like a really bad idea. Computers crash and die sometimes. What happens then?
You have to call Vanguard and convince them to let you back in. An inconvenience yes, but not insurmountable. Since a lot of Bogleheads implement a lazy portfolio approach this seems a small issue for them. If you must transact business you can always do it over the phone.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 12:47 pm

jkrm wrote:
Tue Sep 18, 2018 9:12 am
I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
Don't worry, I can make you feel worse about those institutions too. :D

Example #1: Not too long ago there was an outage of the Symantec TFA backend service. During that outage, which lasted many hours, Fidelity did not require TFA at all. U+P was enough.
Example #2: Try out the Fidelity phone system and let me know what you think of them after that experience. :D

Unfortunately none of them are great. They all have done something to lock the front door while leaving the window wide open.

But this does not take away from your point. SMS fallback is a terrible decision.
I had a long call with Vanguard this AM on this very topic and am applying pressure higher on the mgmt chain. They need to get better. They are making progress but are not there yet (IMHO anyway).

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 12:52 pm

tadamsmar wrote:
Tue Sep 18, 2018 7:56 am
evestor wrote:
Tue Sep 18, 2018 12:58 am
tadamsmar wrote:
Mon Sep 17, 2018 6:43 pm
Note that you can get hacked and still be made whole by Vanguard. The idea is to strive to meet a standard. Striving to be unhackable is perhaps an impossible standard. But you can of course exceed Vanguard’s standard.

I think it would be a bad idea to do a bunch of stuff and fail to meet Vanguard’s standards.
I would not care *at all* about this problem if Vanguard et al. would 100% stand behind me if I got hacked. Security problems should not be tackled for fun. This is only if required.
The challenge is that the fin institutions are not clear on where their liability ends and yours begins.
The second this changes my position changes entirely. If they take on the risk, I'm done worrying about this problem.

Eventually this will get sorted out in court.
You are right, the institutions are not clear.

I’m not sure it’s properly called “their liability”. They are pledging to reimburse you if you’re not negligent.

Some think it’s a PR issue. If they don’t reimburse then they get bad press, assuming your security practices are not awful. They would lose customers.

The closest thing to a court case that I know of involves banks and small business accounts. These accounts have traditionally had close to zero protection. But there was a case where a judge ruled that the bank should have detected a hack. But I did not follow the case closely enough to know if it held in all appeals courts.
There are some active cases in this space right now.
Example: https://www.cnbc.com/2018/08/15/cryptoc ... igita.html

jkrm
Posts: 55
Joined: Wed Oct 08, 2008 8:20 am

Re: How real is cyber risk?

Post by jkrm » Tue Sep 18, 2018 1:01 pm

evestor wrote:
Tue Sep 18, 2018 12:47 pm

Don't worry, I can make you feel worse about those institutions too. :D

Example #1: Not too long ago there was an outage of the Symantec TFA backend service. During that outage, which lasted many hours, Fidelity did not require TFA at all. U+P was enough.
Example #2: Try out the Fidelity phone system and let me know what you think of them after that experience. :D

Unfortunately none of them are great. They all have done something to lock the front door while leaving the window wide open.

But this does not take away from your point. SMS fallback is a terrible decision.
I had a long call with Vanguard this AM on this very topic and am applying pressure higher on the mgmt chain. They need to get better. They are making progress but are not there yet (IMHO anyway).
Ugh. I have a Fidelity account too, with Symantec VIP. I didn't know about the outage. That's scary.

But I am glad that you are trying to put pressure on them. I spent about half an hour on the phone with my Flagship rep a few weeks ago, also on the SMS issue, but I don't know if it went any further. Also, Vanguard had a webinar on account security a few weeks ago and I sent in a question about this problem in advance, but noticed that while they touted Yubikey in the webinar, they did not address my question. In fact, they talked about how great it is that they have SMS backup in case you lose or don't have the Yubikey! That's when I decided that someone there is either clueless or just ignoring facts.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Tue Sep 18, 2018 1:44 pm

jkrm wrote:
Tue Sep 18, 2018 1:01 pm
evestor wrote:
Tue Sep 18, 2018 12:47 pm

Don't worry, I can make you feel worse about those institutions too. :D

Example #1: Not too long ago there was an outage of the Symantec TFA backend service. During that outage, which lasted many hours, Fidelity did not require TFA at all. U+P was enough.
Example #2: Try out the Fidelity phone system and let me know what you think of them after that experience. :D

Unfortunately none of them are great. They all have done something to lock the front door while leaving the window wide open.

But this does not take away from your point. SMS fallback is a terrible decision.
I had a long call with Vanguard this AM on this very topic and am applying pressure higher on the mgmt chain. They need to get better. They are making progress but are not there yet (IMHO anyway).
Ugh. I have a Fidelity account too, with Symantec VIP. I didn't know about the outage. That's scary.

But I am glad that you are trying to put pressure on them. I spent about half an hour on the phone with my Flagship rep a few weeks ago, also on the SMS issue, but I don't know if it went any further. Also, Vanguard had a webinar on account security a few weeks ago and I sent in a question about this problem in advance, but noticed that while they touted Yubikey in the webinar, they did not address my question. In fact, they talked about how great it is that they have SMS backup in case you lose or don't have the Yubikey! That's when I decided that someone there is either clueless or just ignoring facts.
It's important to remember these organizations all mean well. They are trying. They are just not sure what to do.
We need to help them.

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 2:00 pm

evestor wrote:
Tue Sep 18, 2018 1:44 pm
jkrm wrote:
Tue Sep 18, 2018 1:01 pm
evestor wrote:
Tue Sep 18, 2018 12:47 pm

Don't worry, I can make you feel worse about those institutions too. :D

Example #1: Not too long ago there was an outage of the Symantec TFA backend service. During that outage, which lasted many hours, Fidelity did not require TFA at all. U+P was enough.
Example #2: Try out the Fidelity phone system and let me know what you think of them after that experience. :D

Unfortunately none of them are great. They all have done something to lock the front door while leaving the window wide open.

But this does not take away from your point. SMS fallback is a terrible decision.
I had a long call with Vanguard this AM on this very topic and am applying pressure higher on the mgmt chain. They need to get better. They are making progress but are not there yet (IMHO anyway).
Ugh. I have a Fidelity account too, with Symantec VIP. I didn't know about the outage. That's scary.

But I am glad that you are trying to put pressure on them. I spent about half an hour on the phone with my Flagship rep a few weeks ago, also on the SMS issue, but I don't know if it went any further. Also, Vanguard had a webinar on account security a few weeks ago and I sent in a question about this problem in advance, but noticed that while they touted Yubikey in the webinar, they did not address my question. In fact, they talked about how great it is that they have SMS backup in case you lose or don't have the Yubikey! That's when I decided that someone there is either clueless or just ignoring facts.
It's important to remember these organizations all mean well. They are trying. They are just not sure what to do.
We need to help them.
OMG! ROTG LOL
You make them (financial institutions) sound like they're my Great Aunt Betty or something. :D

What needs to happen is for large investors to start throwing their weight around. Demand better security.
I'm going to write a few letters. Although my paltry account probably won't move the needle very much.
I like the idea of registering a few Yubikeys and giving up on SMS recovery.

VictoriaF
Posts: 18560
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF » Tue Sep 18, 2018 7:13 pm

Cyber Risk is so real that there will be an entire week on 15-19 October 2019, full of cyber security events in D.C.: CyberWeek by CyberScoop https://www.cyberscoop.com/events/dc-cyberweek/2018/ . I have signed up for several events including a session with the Israeli cybersecurity experts.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 7:29 pm

JBTX wrote:
Tue Sep 18, 2018 9:37 am
jkrm wrote:
Tue Sep 18, 2018 9:12 am
I have read only about half of this thread, so I apologize if someone has already mentioned this.

With regard to Vanguard's implementation of Yubikey as a second factor, I agree that the use of an SMS text message as a backup is a poor decision on their part. The National Institute of Standards and Technology (NIST) now cautions against using SMS as a second factor, there are increasing numbers of examples of SMS-based fraud, and I think government agencies are supposed to avoid using it. It's hard for me to believe that Vanguard's security team thinks that Yubikey backed by SMS is a good idea - I am concerned that the use of SMS was a decision made by clueless upper management.

We've gotten around the problem by giving Vanguard our old-fashioned landline (yes, we still have one) as the backup number to send a security code to. If we say we've lost our Yubikey or don't have it, a call goes to that phone and we get the code via a robot voice. True, we can't use our phones to log into Vanguard, but we don't do that as a rule anyway.

I feel fairly safe with a Yubikey and my landline as backup. Still, I can't help but wonder just how committed to security Vanguard is based on their dumb implementation of Yubikey. I have told my Flagship rep that I am seriously considering moving our money to Fidelity and Schwab as they seem to take security more seriously (at least, the authentication part of it). I know SMS codes can be avoided at Fidelity and I believe they can at Schwab as well.
That seems like a clever workaround.

Seems to me there is no incremental value to the Yubikey - it is only as good as whatever backup is set up.
I agree, however I worry that the lack of adoption of the Yubikey by those interested will be taken as a sign that customers don't want it at all. What will be the incentive to fully adopt this form of 2FA if they can't get people to make the incremental step that they are offering?

An improvement would be email as recovery method, if you believe a SIM cloning type thing is the most likely. Those who are serious about committing to Yubikey can make that email a dead end. It can be done. Perfect? No, but possibly a little better.
(Cue: entry stage right; someone who will explain how email is even worse... :) )
Last edited by damjam on Tue Sep 18, 2018 7:56 pm, edited 1 time in total.

golfCaddy
Posts: 704
Joined: Wed Jan 10, 2018 10:02 pm

Re: How real is cyber risk?

Post by golfCaddy » Tue Sep 18, 2018 7:45 pm

tadamsmar wrote:
Fri Sep 14, 2018 8:51 pm
golfCaddy wrote:
Fri Sep 14, 2018 8:38 pm
tadamsmar wrote:
Fri Sep 14, 2018 5:19 pm
golfCaddy wrote:
Fri Sep 14, 2018 4:13 pm
Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
You should not expect to be made whole without some due diligence on your part.

For personal bank accounts and credit cards, there are federal regulations that require reimbursement if you report the fraud in a timely manner. I don't recall what timely means but I think it's at least 30 days after your bank statement is available.

For Vanguard and other brokerage and mutual fund companies there is no federal regulation if you are hacked. Some firms offer a policy. Here is Vanguard policy about your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp
Let's take the most likely scenario. Someone hacks Vanguard, steals Vanguard's password file from Vanguard's servers, and then extracts tens to hundreds of thousands of passwords. I happen to be one of those accounts. There would be a class action lawsuit against Vanguard and I bet a federal judge would be more than happy to throw out whatever nonsensical language Vanguard has in those user agreements no one reads. Disclaimer: IANAL
I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
In the few cases that make the news, the technical details aren't discussed. I'm willing to bet the way some of those individual investors had their passwords compromised was by first hacking the brokerage servers and compromising the broker's password file.

TimeRunner
Posts: 1388
Joined: Sat Dec 29, 2012 9:23 pm

Re: How real is cyber risk?

Post by TimeRunner » Tue Sep 18, 2018 7:55 pm

damjam wrote:
Tue Sep 18, 2018 7:29 pm
(Cue: entry stage right; someone who will explain how email is even worse... :) )
This is what Vanguard says: "Why can't you email security codes to me?
We believe that text messages and phone calls provide greater security for our clients. Email providers can be compromised on a large scale, and email phishing attempts are prevalent."

There doesn't seem to be a way to use a SECOND Yubikey as a sole backup to the first one. Is there (anyone, anyone, Bueller)?
"...There're just so many summers, and just so many springs." -Don Henley "What'd ya expect in an opera, a happy ending?" -Bugs Bunny

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Tue Sep 18, 2018 8:04 pm

TimeRunner wrote:
Tue Sep 18, 2018 7:55 pm
damjam wrote:
Tue Sep 18, 2018 7:29 pm
(Cue: entry stage right; someone who will explain how email is even worse... :) )
This is what Vanguard says: "Why can't you email security codes to me?
We believe that text messages and phone calls provide greater security for our clients. Email providers can be compromised on a large scale, and email phishing attempts are prevalent."

There doesn't seem to be a way to use a SECOND Yubikey as a sole backup to the first one. Is there (anyone, anyone, Bueller)?
No there is no way to disable the SMS at this time and no you can't use a second Yubikey as backup.
I would love if I could register two or more keys and disable all forms of recovery that don't involve talking to someone. Calling will always have to be the ultimate fallback.
I'm not going to bother wasting time talking to someone on the phone. I plan to send one or more letters.
Last edited by damjam on Wed Sep 19, 2018 12:02 pm, edited 1 time in total.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Wed Sep 19, 2018 12:34 am

golfCaddy wrote:
Tue Sep 18, 2018 7:45 pm
tadamsmar wrote:
Fri Sep 14, 2018 8:51 pm
I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
In the few cases that make the news, the technical details aren't discussed. I'm willing to bet the way some of those individual investors had their passwords compromised was by first hacking the brokerage servers and compromising the broker's password file.
Passwords stored by the fin institution typically have a variety of protections...hashed and salted using appropriate algorithms (PBKDF2 or better) with appropriate # of rounds, encrypted with keys that are then protected separately from the data itself, etc etc etc.
But the key is what was discussed above. The institution would almost certainly take responsibility if this happened.

I am not worried about them being hacked and trying to pass the liability off on me. I'm worried about my accounts getting hacked because of something I did wrong / something one of my providers did wrong (like say my phone co giving up my line) and someone attacking me as a result.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Wed Sep 19, 2018 12:38 am

damjam wrote:
Tue Sep 18, 2018 2:00 pm
evestor wrote:
Tue Sep 18, 2018 1:44 pm
It's important to remember these organizations all mean well. They are trying. They are just not sure what to do.
We need to help them.
OMG! ROTG LOL
You make them (financial institutions) sound like they're my Great Aunt Betty or something. :D

What needs to happen is for large investors to start throwing their weight around. Demand better security.
I'm going to write a few letters. Although my paltry account probably won't move the needle very much.
I like the idea of registering a few Yubikeys and giving up on SMS recovery.
I have worked at companies large and small. Large companies are made up of lots of mostly well-meaning employees who are trying to make a difference.

I have engaged with folks at these large banks. By and large they mean well and want to help their clients. Working in a large system like this means you have hundreds of edge cases neither of us have considered that prevent you from doing what seem like otherwise obvious work items.
I am using my leverage (small as it may be) to try and get them to move the needle slightly for those worried about this problem. I hope others do the same. With our collective leverage I believe we can make a difference.

I'll stop replying to this thread...I don't think I'm adding value anymore. I will still reach out to moderators one of these days and pitch the idea of some wiki pages on this topic. I hope others will contribute to them if I get the moderators to yes.

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: How real is cyber risk?

Post by SpaethCo » Thu Sep 20, 2018 12:17 pm

damjam wrote:
Tue Sep 18, 2018 6:44 am
If you want to follow that advice, and I do, it eliminates banking by phone as far as I can tell. I don't see how you can login to the app and then use a second factor without also entering that into the phone. (Assuming your bank even offers 2FA, which some (many?) don't).
So with a tear in my eye I say adieu to my banking app. :wink:
At the risk of bumping this thread into another tailspin of confusion, I want to hit these 2 points.
  1. Your phone is likely a full order of magnitude more secure than a standard desktop/laptop computer.
  2. 2FA (with the exception of U2F) feels more secure than it actually is.
For the phone:
For most people, their smart phone is the most secure computing platform they use, particularly iPhones and 'flagship' Android devices that get regular software updates. As long as you don't jailbreak or root your phone, there are substantial protections that the operating system provides. Unlike a traditional Windows or Mac desktop, the applications always run without admin privileges, are sandboxed to prevent cross-app data leakage, are running on an encrypted filesystem, and the apps are code-signed and undergo validation (even if imperfect) through the respective platform app stores.

For example, on your desktop machine you might run Quicken. You might get an email notification that an update is available, click the link, and install an update that would modify Quicken. If you're not careful in that process, you might end up installing code that was modified from what the developer originally produced. It's up to you, the user, to handle all of the authenticity checking along that deployment path. This can get even more risky when you consider projects like the Keepass password manager which is distributed as open source code. The official site only has Windows binaries, so if you want to run on another platform you have to grab a port/fork like KeepassX, KeepassXC, MiniKeepass, or a handful of others. If you're a first-time user who just does a Google search for "Keepass" -- how do you know that you landed on a site that actually has a non-tampered binary distribution of that application? The source code is openly published, so nothing would stop someone from publishing a binary build that looks exactly like the real Keepass app, but on the back end sends the passwords you enter back to an attacker's system.

For smartphone app stores, the developers sign their applications when they publish to Google Play / Apple App Store. Additionally, Google and Apple sign the application so that your phone can validate that the app came from a valid location. This allows your phone to self-check if an application has been tampered with between leaving the developer and when you downloaded it. All you need to do is make sure the App name and Developer name are what you believe they should be when you install it the first time from the app store, and your phone will take care of all that validation for all updates going forward.

For 2FA:
The thing that people gloss over is that this is the SECOND authentication factor. This leads to 2 important questions:
  • How did your attacker get your FIRST authentication factor? (your password)
  • Is your second factor protected against the attack methods through which the first factor would be obtained?
Only U2F keys offer protection against phishing and malware/keyloggers. Even if you somehow land on bad.com and click the U2F token button, the authentication response it generates can never be used on good.com. This is not the case for SMS, Google Authenticator, Authy, Duo, or any of the other "punch in the code" or "approve this login y/n?" style 2FA systems out there.

The very best that the most common 2FA implementations can offer is that an attacker will only be able to log in once. Just remember, an attacker only needs 1 successful entry to be able to add their own 2FA method to your account and they can have perpetual access going forward. How often do you log into your accounts and double check the registered authentication apps or phone numbers?

It's not like we didn't know about this. Bruce Schneier pointed out the obvious problems with 2FA systems in 2005 ( https://www.schneier.com/blog/archives/ ... re_of.html ) and there are countless examples of these bypass systems being used regularly. If you want to see the cutting edge of the exploits that can be run, focus on security exploit news around cryptocurrency wallets, where there are very real financial gains to be had from theft and almost zero chance of any kind of prosecution.

jkrm
Posts: 55
Joined: Wed Oct 08, 2008 8:20 am

Re: How real is cyber risk?

Post by jkrm » Thu Sep 20, 2018 1:40 pm

Previously in this thread I mentioned that Vanguard had recently had a webinar on account security. Today they sent out an email with highlights from that webinar, including their approach to multifactor authentication. The link to that part is https://investornews.vanguard/what-is-m ... -offer-it/

What troubles me is this exchange, concerning Yubikeys:

Ellen Rinaldi: Another benefit, actually, is even if you lost the key, you’re already signed up for security codes.
Emily Farrell: There you go.
Ellen Rinaldi: So a security code would then substitute.
Emily Farrell: Okay, so you’ve got both.
Ellen Rinaldi: So you don’t have to worry if for some reason you lost it.
Jeffrey Lampinski: That’s correct.

"So you don't have to worry if for some reason you lost it." In other words, your Yubikey adds no extra security over SMS security codes, so why bother?

What's rather scary is that Ellen Rinaldi is Vanguard's Chief Information Security Officer, and Jeffrey Lampinski is their Head of Global Security and Fraud Operations. Is it possible that they really don't know how weak a second factor an SMS text message is? Do they really not understand that Vanguard's implementation of U2F (Yubikey) completely subverts all of their advantages?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: How real is cyber risk?

Post by SpaethCo » Thu Sep 20, 2018 2:41 pm

jkrm wrote:
Thu Sep 20, 2018 1:40 pm
"So you don't have to worry if for some reason you lost it." In other words, your Yubikey adds no extra security over SMS security codes, so why bother?

What's rather scary is that Ellen Rinaldi is Vanguard's Chief Information Security Officer, and Jeffrey Lampinski is their Head of Global Security and Fraud Operations. Is it possible that they really don't know how weak a second factor an SMS text message is? Do they really not understand that Vanguard's implementation of U2F (Yubikey) completely subverts all of their advantages?
It's actually a more sane implementation than it might seem.

Your greatest risk is when you are actively using the Time-based One Time Password codes. It's while you are frequently punching those codes in that you are vulnerable to entering them into a convincing phishing site, or having some type of malware capture your password and one valid code in the process.

Using the U2F token as part of your regular login process gives you actual protection for all the times where you're not on super high alert when entering your login details. If you accidentally click a bad link, even if they are able to get your password the U2F component remains secure. This buys you time to change your password once you realize what happened, unlike with the TOTP codes where once you realize you've been phished it's all game over because automated scripts can lock you out of your account really quickly. There's a reason that Google's news that U2F security keys completely eliminated phishing for them was such big news. https://www.businessinsider.com/none-of ... key-2018-7

If you lose your token (and want to register a new one), however, now the login becomes a method that is outside of your ordinary process. You're going to go to your browser and probably manually type in "https://vanguard.com" and be more cautious than normal when using the TOTP code option. You won't take any risks doing this on a machine you don't trust, you're not going to use this method when an SMS or email security alert triggers you to log in, and you're not going to do this before you've had your first cup of coffee in the morning when you might mistype something.

So for your standard day-to-day login activity you get a solution that mitigates the ongoing risks of phishing and malware, but if you lose the key you still have an "escape hatch" of the SMS code where you can protect yourself by using it rarely and being hyper-vigilant when you do use it.
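An added example, not from the thread or from Vanguard, modelling the distinction SpaethCo draws: a TOTP code is valid wherever it is typed, while a U2F assertion is bound to the origin the browser is actually talking to. The TOTP part follows RFC 6238; the U2F part is a deliberate simplification (a symmetric HMAC stands in for the token's asymmetric signature so the block runs on the standard library), and the phishing origin is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
import struct

# Origin the account is registered with (named in the thread) and a constructed
# look-alike origin standing in for a phishing page.
REAL_ORIGIN = "https://vanguard.com"
PHISH_ORIGIN = "https://vanguard-login.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the secret and the
    clock, never on which site the user types it into."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def device_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified U2F-style assertion. The browser passes the origin it is
    really connected to, and the token's MAC covers that origin together with
    the relying party's challenge. (Real U2F signs with a per-site key pair.)"""
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def rp_verify_assertion(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The relying party only ever verifies against its own origin."""
    expected = hmac.new(device_key, REAL_ORIGIN.encode() + b"|" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def phished_totp_accepted(secret: bytes, unix_time: int) -> bool:
    """User types a valid code into the phishing page; the page forwards it to
    the real site within the same 30 s window. Returns True if the real site
    accepts it, i.e. the second factor did not help."""
    code_typed_into_phish_page = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_into_phish_page, unix_time)


def phished_u2f_accepted(device_key: bytes) -> bool:
    """Phishing page relays the real challenge, but the browser tells the token
    the phishing origin, so the relayed assertion is bound to the wrong site."""
    challenge = secrets.token_bytes(32)
    assertion = device_sign(device_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(device_key, challenge, assertion)


def legitimate_u2f_accepted(device_key: bytes) -> bool:
    """Same flow at the genuine origin: the assertion verifies."""
    challenge = secrets.token_bytes(32)
    assertion = device_sign(device_key, challenge, REAL_ORIGIN)
    return rp_verify_assertion(device_key, challenge, assertion)


if __name__ == "__main__":
    totp_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    key = secrets.token_bytes(32)          # constructed per-device key
    print("TOTP relayed by phishing page accepted:", phished_totp_accepted(totp_secret, 59))
    print("U2F relayed by phishing page accepted:  ", phished_u2f_accepted(key))
    print("U2F at the real origin accepted:        ", legitimate_u2f_accepted(key))
```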

User avatar
TimeRunner
Posts: 1388
Joined: Sat Dec 29, 2012 9:23 pm

Re: How real is cyber risk?

Post by TimeRunner » Thu Sep 20, 2018 3:04 pm

SpaethCo wrote:
Thu Sep 20, 2018 2:41 pm
It's actually a more sane implementation than it might seem.<quote snipped>
Good point - your posts are informative, thank you.
"...There're just so many summers, and just so many springs." -Don Henley "What'd ya expect in an opera, a happy ending?" -Bugs Bunny

chambers136
Posts: 167
Joined: Tue Feb 28, 2017 9:49 am

Re: How real is cyber risk?

Post by chambers136 » Thu Sep 20, 2018 3:20 pm

Is Symantec VIP considered U2F?

User avatar
VictoriaF
Posts: 18560
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF » Thu Sep 20, 2018 3:24 pm

Here is an excellent recent article "Before You Turn On Two-Factor Authentication…" Aug 14, 2018, https://medium.com/@stuartschechter/bef ... 148cc5b9a1

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

jkrm
Posts: 55
Joined: Wed Oct 08, 2008 8:20 am

Re: How real is cyber risk?

Post by jkrm » Thu Sep 20, 2018 3:43 pm

SpaethCo wrote:
Thu Sep 20, 2018 2:41 pm
jkrm wrote:
Thu Sep 20, 2018 1:40 pm
"So you don't have to worry if for some reason you lost it." In other words, your Yubikey adds no extra security over SMS security codes, so why bother?

What's rather scary is that Ellen Rinaldi is Vanguard's Chief Information Security Officer, and Jeffrey Lampinski is their Head of Global Security and Fraud Operations. Is it possible that they really don't know how weak a second factor an SMS text message is? Do they really not understand that Vanguard's implementation of U2F (Yubikey) completely subverts all of their advantages?
It's actually a more sane implementation than it might seem.

Your greatest risk is when you are actively using the Time-based One Time Password codes. It's while you are frequently punching those codes in that you are vulnerable to entering them into a convincing phishing site, or having some type of malware capture your password and one valid code in the process.

Using the U2F token as part of your regular login process gives you actual protection for all the times where you're not on super high alert when entering your login details. If you accidentally click a bad link, even if they are able to get your password the U2F component remains secure. This buys you time to change your password once you realize what happened, unlike with the TOTP codes where once you realize you've been phished it's all game over because automated scripts can lock you out of your account really quickly. There's a reason that Google's news that U2F security keys completely eliminated phishing for them was such big news. https://www.businessinsider.com/none-of ... key-2018-7

If you lose your token (and want to register a new one), however, now the login becomes a method that is outside of your ordinary process. You're going to go to your browser and probably manually type in "https://vanguard.com" and be more cautious than normal when using the TOTP code option. You won't take any risks doing this on a machine you don't trust, you're not going to use this method when a SMS or email security alert triggers you to log in, and you're not going to do this before you've had your first cup of coffee in the morning when you might mistype something.

So for your standard day-to-day login activity you get a solution that mitigates the ongoing risks of phishing and malware, but if you lose the key you still have an "escape hatch" of the SMS code where you can protect yourself by using it rarely and being hyper-vigilant when you do use it.
The problem here is not convenience for me, the user. I acknowledge that most of the time I will have my Yubikey and the few times I might not, it might be nice to have a fallback. The problem is that Vanguard's implementation makes it very easy for a "bad guy" to circumvent the entire Yubikey process through a "SIM swap" (see https://krebsonsecurity.com/2018/08/han ... -security/). (See also https://krebsonsecurity.com/2016/09/the ... ntication/ , there are lots of other articles on this also available).

Suppose a bad actor has somehow gotten hold of my Vanguard account password and has executed a SIM swap so that text messages now go to HIS phone, and not mine. The fact that my account is protected with a Yubikey is irrelevant, and in fact he does not even need to know that before executing his attack. On entering my username and password in Chrome or Opera, he'll get a page that instructs him to insert the Yubikey into a USB port. But that same page also includes a helpful link to click in case you don't have the key, so that an SMS code will be sent (to HIS phone). If he uses a different browser, Vanguard just immediately sends the SMS code. So in either case, my "protecting" the account with a Yubikey makes no difference at all. What Vanguard needs to do is allow people with Yubikeys to turn off the SMS-based security code feature so that they can have the full security that U2F (Yubikey) provides (you can register more than one Yubikey, and I'd suggest that Vanguard only allow turning off security codes for those with two or more keys registered).

I am not personally that concerned about this, as I have a very strong, random password made and maintained by 1Password and unique to my Vanguard account. I also am one of the few people left with a copper loop landline, so I set up my Vanguard security codes to go to the landline phone and avoid the SMS problem altogether. But many, if not most, people still have weak passwords that they reuse and are thus subject to discovery by a scammer. Vanguard's use of SMS security codes is a relatively weak second factor. Yubikey is a very strong second factor, but Vanguard defeats it with SMS security codes.

BigJohn
Posts: 1581
Joined: Wed Apr 02, 2014 11:27 pm

Re: How real is cyber risk?

Post by BigJohn » Thu Sep 20, 2018 6:00 pm

Forgive the potential ignorance of these questions but I’m trying to better understand the vulnerability of 2FA via SMS to my iPhone. Also trying to understand what value, if any, transaction alerts add to my security. My understanding... to be vulnerable they have to have already gotten my PW so let’s assume that’s happened. Now they have to hack my phone to intercept the authentication code. So some questions when this occurs...

Do they get the SMS in addition to it coming to my phone or have they fooled the phone system so my phone no longer receives any SMS messages?

On the assumption that I don’t see it, can they then “unfool” the system so my phone goes back to behaving normally? I’m trying to understand if I will know my phone has been hacked.

On the assumption that it’s impossible to be bulletproof, what tech and/or access is required to hijack my SMS system (eg would they need my iPhone unlock code)? I’m sure it’s possible, just trying to get a feel for how likely anyone is to go to the trouble for any one individual’s account access.

Lastly, do transaction alerts sent to an email account rather than the same SMS add an extra level of protection?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: How real is cyber risk?

Post by SpaethCo » Thu Sep 20, 2018 7:50 pm

jkrm wrote:
Thu Sep 20, 2018 3:43 pm
The problem is that Vanguard's implementation makes it very easy for a "bad guy" to circumvent the entire Yubikey process through a "SIM swap"
Yep, you're right. This is far from ideal.
jkrm wrote:
Thu Sep 20, 2018 3:43 pm
Suppose a bad actor has somehow gotten hold of my Vanguard account password and has executed a SIM swap so that text messages now go to HIS phone, and not mine.
This is the only part I feel might be stretching a bit. For this to work the attacker needs to know your:
  1. Username
  2. Password
  3. Phone number registered with Vanguard
*AND* they have to SIM swap that number.

This is a little more involved than just a straight phishing page where all they need is for you to click on it, you supply the user/pass, and they don't even need to know your phone number, they just need you to enter the code so they can feed it to the Vanguard site and get a valid session.

All that said, I agree that SMS is a compromise I really wish they hadn't made. If you could replace the SMS component with a set of, say, 10 backup codes that you would print out and store offline -- I think that would be far more reasonable.

BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
Do they get the SMS in addition to it coming to my phone or have they fooled the phone system so my phone no longer receives any SMS messages?
Service shuts off on your phone, and turns on for the new phone.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
On the assumption that I don’t see it, can they then “unfool” the system so my phone goes back to behaving normally? I’m trying to understand if I will know my phone has been hacked.
It depends on the hack. In a lot of cases they don't have your phone's IMEI or ESN, they just know your cell phone number and the IMEI/ESN of the device they want to have service.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
On the assumption that it’s impossible to be bulletproof, what tech and/or access is required to hijack my SMS system (eg would they need my iPhone unlock code)?
The best you can do is set up a PIN code with your cell carrier to restrict account changes and number porting. Then it comes down to every call center or store employee caring enough to actually enforce that you have to know the PIN to make the change. The security is only as strong as the will of the least-motivated employee with access to make customer account changes.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
Lastly, do transaction alerts sent to an email account rather than the same SMS add an extra level of protection?
It's a different hack than the SMS hack, so you get some diversification of risk there. In general, a well secured Gmail account would fare better than something like an ISP email account. The problem with ISP accounts is that it's another company with call center agents who are easily socially engineered.
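An added example, not from the thread, of the fallback SpaethCo proposes above: ten printed single-use backup codes replacing the SMS escape hatch. It shows what the relying party would keep and check (salted, stretched hashes; constant-time comparison; each code consumed on use; lockout after repeated failures), with all values constructed inline.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = 10, nbytes: int = 5) -> list:
    """Codes the user prints and stores offline: 40 bits of entropy each,
    drawn from secrets (never the random module)."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # A 40-bit code is far weaker than a key, so stretch it before storing.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the relying party keeps for one account: salted hashes only,
    each redeemable exactly once, with a failure counter so the small code
    space cannot simply be guessed."""

    MAX_FAILURES = 5

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [_hash_code(c, self.salt) for c in codes]
        self.failures = 0

    def redeem(self, submitted: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False  # locked; recovery now needs an out-of-band process
        # Normalise what was typed from paper, then hash once per attempt.
        candidate = _hash_code(submitted.strip().lower(), self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[i]  # single use: the same code never works twice
                self.failures = 0
                return True
        self.failures += 1
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("codes to print:", codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("replay accepted:   ", store.redeem(codes[0]))
    print("codes left:        ", store.remaining())
```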

randomguy
Posts: 6299
Joined: Wed Sep 17, 2014 9:00 am

Re: How real is cyber risk?

Post by randomguy » Thu Sep 20, 2018 8:13 pm

SpaethCo wrote:
Thu Sep 20, 2018 7:50 pm
jkrm wrote:
Thu Sep 20, 2018 3:43 pm
Suppose a bad actor has somehow gotten hold of my Vanguard account password and has executed a SIM swap so that text messages now go to HIS phone, and not mine.
This is the only part I feel might be stretching a bit. For this to work the attacker needs to know your:
  1. Username
  2. Password
  3. Phone number registered with Vanguard
*AND* they have to SIM swap that number.

This is a little more involved than just a straight phishing page where all they need is for you to click on it, you supply the user/pass, and they don't even need to know your phone number, they just need you to enter the code so they can feed it to the Vanguard site and get a valid session.

All that said, I agree that SMS is a compromise I really wish they hadn't made. If you could replace the SMS component with a set of, say, 10 backup codes that you would print out and store offline -- I think that would be far more reasonable.
It always seems to me that the likely way of doing this hack is to get a bit of malware on your phone. That gives you the phone number, username and password all from one hack.

With any system you have to balance convenience and security. The SMS approach adds a bunch of security while still being convenient. For people though that sign up for security keys and the like, they shouldn't allow SMS to bypass it.

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Thu Sep 20, 2018 8:53 pm

randomguy wrote:
Thu Sep 20, 2018 8:13 pm
With any system you have to balance convenience and security. The SMS approach adds a bunch of security while still being convenient. For people though that sign up for security keys and the like, they shouldn't allow SMS to bypass it.
The VG defaults are not insane. Sure I think they should press this lever or that, but at the highest level, they are not crazy.

What they lack is a more secure mode for interested (paranoid?) customers.

I.e., I want Google Advanced Protection for my financial accounts. SMS off, Yubikey only with multiple keys (include a mobile story), etc etc etc. Full threat model thought through with protections implemented at all layers. And additional levers I can flip to protect myself further if my workflow allows it (ex: I never do phone based transactions, disable this feature on my accounts entirely).

jkrm
Posts: 55
Joined: Wed Oct 08, 2008 8:20 am

Re: How real is cyber risk?

Post by jkrm » Fri Sep 21, 2018 5:02 am

SpaethCo wrote:
Thu Sep 20, 2018 7:50 pm
jkrm wrote:
Thu Sep 20, 2018 3:43 pm
The problem is that Vanguard's implementation makes it very easy for a "bad guy" to circumvent the entire Yubikey process through a "SIM swap"
Yep, you're right. This is far from ideal.
jkrm wrote:
Thu Sep 20, 2018 3:43 pm
Suppose a bad actor has somehow gotten hold of my Vanguard account password and has executed a SIM swap so that text messages now go to HIS phone, and not mine.
This is the only part I feel might be stretching a bit. For this to work the attacker needs to know your:
  1. Username
  2. Password
  3. Phone number registered with Vanguard
*AND* they have to SIM swap that number.

This is a little more involved than just a straight phishing page where all they need is for you to click on it, you supply the user/pass, and they don't even need to know your phone number, they just need you to enter the code so they can feed it to the Vanguard site and get a valid session.

All that said, I agree that SMS is a compromise I really wish they hadn't made. If you could replace the SMS component with a set of, say, 10 backup codes that you would print out and store offline -- I think that would be far more reasonable.

BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
Do they get the SMS in addition to it coming to my phone or have they fooled the phone system so my phone no longer receives any SMS messages?
Service shuts off on your phone, and turns on for the new phone.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
On the assumption that I don’t see it, can they then “unfool” the system so my phone goes back to behaving normally? I’m trying to understand if I will know my phone has been hacked.
It depends on the hack. In a lot of cases they don't have your phone's IMEI or ESN, they just know your cell phone number and the IMEI/ESN of the device they want to have service.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
On the assumption that it’s impossible to be bulletproof, what tech and/or access is required to hijack my SMS system (eg would they need my iPhone unlock code)?
The best you can do is set up a PIN code with your cell carrier to restrict account changes and number porting. Then it comes down to every call center or store employee caring enough to actually enforce that you have to know the PIN to make the change. The security is only as strong as the will of the least-motivated employee with access to make customer account changes.
BigJohn wrote:
Thu Sep 20, 2018 6:00 pm
Lastly, do transaction alerts sent to an email account rather than the same SMS add an extra level of protection?
It's a different hack than the SMS hack, so you get some diversification of risk there. In general, a well secured Gmail account would fare better than something like an ISP email account. The problem with ISP accounts is that it's another company with call center agents who are easily socially engineered.
I agree completely that the scenario I laid out is somewhat involved. You would have to be specifically targeted I think, not just the victim of a random attack. But that's exactly what happened to the fellow described in the first link I sent (https://krebsonsecurity.com/2018/08/han ... -security/).

The risk is admittedly small, but apparently growing as hackers become more sophisticated and choose their targets. But even with a small risk, if YOU are the one who has his/her retirement funds drained at the age of 64, knowing that the risk was small is no consolation! I think it's just a shame that Vanguard has implemented a very strong security method here but, as one poster said, left the screen window open.

I guess I am somewhat paranoid, but I used to run a division of 40 - 50 security experts including "white hat" hackers, and they made me this way! (I am not an expert myself, BTW.) I am pretty happy with my landline workaround to the security code issue. To others, I recommend following the advice given several posts ago by 3-20Characters, including using a password manager. You'll probably be fine.

Cunobelinus
Posts: 196
Joined: Tue Dec 04, 2012 5:31 pm

Re: How real is cyber risk?

Post by Cunobelinus » Fri Sep 21, 2018 5:04 am

damjam wrote:
Sat Sep 15, 2018 6:49 am
golfCaddy wrote:
Fri Sep 14, 2018 9:39 pm
tadamsmar wrote:
Fri Sep 14, 2018 8:51 pm
I think Vanguard would be responsible for that.

I said "if you are hacked" and I meant you not Vanguard.

I don't think that is the most likely scenario. All the cases I know of involved hacks of individual investors or seemed to involve hacks of individual investors. Never heard of a hack of a brokerage firm's password file.
For the types of hacks you're talking about, most of the advice in this thread is useless. If someone pwns your phone, it doesn't matter that you use two-factor authentication or strong passwords. They have access to your password because you type it on your phone and they have access to the SMS text codes which get sent to your phone. 2FA and strong passwords are designed to protect you against dictionary attacks, in other words someone hacks Vanguard's servers.
Vanguard opens people's accounts up to the possibility of this type of attack. Vanguard requires SMS as a recovery method and they offer a phone app to access accounts.

This trend of tying everything to a person's smart phone is just creating an Achilles heel that will be increasingly targeted.

Meanwhile Vanguard's fraud policy seems to say that using a password manager is verboten for storing passwords and notes re the Vanguard account. Any decent password manager highly encrypts all that information for goodness sake. From what I can gather it's when entering the password that you're most vulnerable, not when it's stored in an encrypted format. Password managers enable and encourage long, complicated and unique passwords for every site. PMs make keeping and remembering non-obvious answers to challenge questions simple. Why forbid the use of password managers?
This trend of tying everything to a person's smart phone follows the trends of yesteryears to tie account access/recovery to PII like social security numbers and mother's maiden names and street addresses (knowledge-based access, I think it's called).. which quickly became compromised once one company's data was exfiltrated and later once credit reports become publicly accessible. Most commercial services seem to significantly lag in implementing legitimate security practices and instead struggle to give the appearance of implementing security.

I recall when Bank of America started to use a personalized image upon login, so that you could verify that you were accessing a legitimate BoA website. The only problem was that they made you put your username and password in first, then showed you an image that you had pre-selected to show you that you just put your username and password into a legitimate BoA website. Took a few months for them to realize their botched attempt at implementing a newer "security" protocol. (to be clear, you couldn't make sure the website was legitimate before you typed in your login/password).

Non-SMS 2FA is a reasonable practice, as long as you're maintaining your phone (or key) secure too.. otherwise non-SMS 2FA is just as useless once your phone is compromised. Security is like ogres. And ogres are like onions. Layers are important.

BigJohn
Posts: 1581
Joined: Wed Apr 02, 2014 11:27 pm

Re: How real is cyber risk?

Post by BigJohn » Fri Sep 21, 2018 6:07 am

SpaethCo and jkrm, thank you for the helpful replies. With several layers of hacking needed and the fact that it would require me to be specifically targeted, I think I'm comfortable with my current setup. If I was a very high net worth individual with a well known public presence like the guy in the Krebs article, I'd probably do more as the probability of being specifically targeted would be much higher.

Edited for clarity
Last edited by BigJohn on Fri Sep 21, 2018 6:19 am, edited 2 times in total.

phantom0308
Posts: 34
Joined: Thu Aug 25, 2016 6:52 pm

Re: How real is cyber risk?

Post by phantom0308 » Fri Sep 21, 2018 6:17 am

I don’t think I’d recommend google voice for anyone who doesn’t already have it. The number is identified as a land line for a lot of companies and it makes setting up accounts a pain in the ass. For example, neither Uber nor Venmo would allow me to set up accounts using my Gvoice number.
I’ve used it for years, so I don’t plan on switching. It also forwards personal calls to my work phone, so I don’t need a personal cell plan. Without those benefits I’d get rid of it, since google seems like it’s not actively promoting it for the future.

User avatar
damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Fri Sep 21, 2018 6:47 am

Cunobelinus wrote:
Fri Sep 21, 2018 5:04 am
Non-SMS 2FA is a reasonable practice, as long as you're maintaining your phone (or key) secure too.. otherwise non-SMS 2FA is just as useless once your phone is compromised. Security is like ogres. And ogres are like onions. Layers are important.
VictoriaF wrote:
Thu Sep 20, 2018 3:24 pm
Here is an excellent recent article "Before You Turn On Two-Factor Authentication…" Aug 14, 2018, https://medium.com/@stuartschechter/bef ... 148cc5b9a1

Victoria
I found the article VictoriaF referenced muddied in execution but this chart helped untangle some of the issues:

It's too bad SMS was not explicitly added to the chart, but at best I think SMS can only be expected to perform as well as an Authenticator App in the situations listed above.
In an additional form of attack that targets SMS, SIM swaps, a security key is much better protection.
Google has found security keys are a big improvement in security. Requiring employees to use security keys eliminated successful phishing attempts.
https://krebsonsecurity.com/2018/07/goo ... -phishing/
Can a security key protect you from all types of attack? Clearly, no.
Can a security key protect you from the type of attack that a user who practices good cyber hygiene will most likely face? Yes.

The fact that Google has clearly shown the effectiveness of security keys in eliminating phishing should be instructive to firms like Vanguard. Doesn't Vanguard eschew email notifications because phishing is a huge problem? The current implementation of Yubikey by Vanguard does not eliminate the phishing issue for their clients either.

If I take a rather charitable view of the situation re Vanguard and Yubikey, I can only assume this is some type of half measure that some desperate security person was able to get accepted by decision makers. It stands to reason that Vanguard is going to be watching acceptance rates and user experience re Yubikey. At least I would hope someone will track that type of information. That is why those of us who see this gaping hole should be expressing our concerns to the right parties - Vanguard employees - rather than just discussing it here among ourselves.
