Vanguard Rep asked security question

Topic Author
Abe
Posts: 2226
Joined: Fri Sep 18, 2009 5:24 pm
Location: Earth in the Milky Way Galaxy

Vanguard Rep asked security question

Post by Abe »

I just got off the phone with my Vanguard representative. He called me to discuss my account. During the conversation, he asked me for the answer to one of my security questions, not all of them, just one. He said he needed it to be able to see my account. I gave it to him, but I had second thoughts after getting off the phone. When he first called, he introduced himself and his name matches my account representative shown on my account. I think everything is okay, but I was just wondering if this is customary.
Slow and steady wins the race.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

What was the purpose of the call? I don't mean to sound paranoid, but this does not sound customary to me. The only way I would give out sensitive information is if I was the one who initiated the call to Vanguard; that way, I know who I am talking to.

By the way, not to scare you, but if someone knows the answers to your security questions, they can claim to be you, claim that they forgot the password, and reset the password, and then they have access to your accounts--and you don't. The moral of the story is treat the answers to your security questions like passwords.
Last edited by mptfan on Thu Jul 12, 2012 2:37 pm, edited 2 times in total.
HomerJ
Posts: 16032
Joined: Fri Jun 06, 2008 12:50 pm

Re: Vanguard Rep asked security question

Post by HomerJ »

Call Vanguard and see if they have a log of someone calling you.

NEVER answer security questions when someone calls you; only when you call them.
LynnC
Posts: 800
Joined: Thu Mar 01, 2007 7:01 pm
Location: California

Re: Vanguard Rep asked security question

Post by LynnC »

OMG...NEVER answer those questions if THEY call you.

I called Vanguard last week to ask THEM a question and was asked one of my security questions. I really appreciate the extra security.

LynnC
EagertoLearnMore
Posts: 594
Joined: Wed Jun 30, 2010 4:05 pm

Re: Vanguard Rep asked security question

Post by EagertoLearnMore »

Before you get too concerned, I was contacted several times by Vanguard and they asked a security question. I REFUSED and offered to return the call using the Vanguard numbers that I have. I called and sure enough, the same person with the same voice. So, what did they want? One time they were just inquiring about any concerns I had because of a long past problem. Another time it was a survey of some sorts. Anyway, call and check their log to ease your mind.
Mister Whale
Posts: 484
Joined: Sat Jan 02, 2010 10:39 am

Re: Vanguard Rep asked security question

Post by Mister Whale »

Uh oh.

I would change all of my sign-in information immediately.

EDIT below:
EagertoLearnMore wrote:Before you get too concerned, I was contacted several times by Vanguard and they asked a security question. I REFUSED and offered to return the call using the Vanguard numbers that I have. I called and sure enough, the same person with the same voice. So, what did they want? One time they were just inquiring about any concerns I had because of a long past problem. Another time it was a survey of some sorts. Anyway, call and check their log to ease your mind.
Well, that is somewhat reassuring.
" ... advice is most useful and at its best, not when it is telling you what to do, but when it is illuminating aspects of the situation you hadn't thought about." --nisiprius
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

If you want to ease your mind, log on to Vanguard right now, and change your password AND your security questions. And don't give them out next time someone calls you and asks for them.
:oops:
Topic Author
Abe
Posts: 2226
Joined: Fri Sep 18, 2009 5:24 pm
Location: Earth in the Milky Way Galaxy

Re: Vanguard Rep asked security question

Post by Abe »

He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
Slow and steady wins the race.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

Abe wrote:Even though I think everything is okay, ....
Every scam victim thinks everything is ok, until they realize that it's not.
Topic Author
Abe
Posts: 2226
Joined: Fri Sep 18, 2009 5:24 pm
Location: Earth in the Milky Way Galaxy

Re: Vanguard Rep asked security question

Post by Abe »

I just called Vanguard and everything is okay. He's even mailing me a signed book by John Bogle, which I didn't know he was going to do. Thanks everyone for your help.
Slow and steady wins the race.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

You're welcome, I'm glad it worked out.

By the way, I would like to discuss your account, what is your password?
:sharebeer
Topic Author
Abe
Posts: 2226
Joined: Fri Sep 18, 2009 5:24 pm
Location: Earth in the Milky Way Galaxy

Re: Vanguard Rep asked security question

Post by Abe »

:wink:
mptfan wrote:You're welcome, I'm glad it worked out.

By the way, I would like to discuss your account, what is your password?
:sharebeer
We used to have a party line. Freddie, the little boy down the road, would listen in on our conversations. One day, when I was talking to someone, I said, "Freddie, is that you on this line?" He said, "Ain't gonna tell ya." So, next time someone asks for my secure information, I'll tell them what Freddie said.
Slow and steady wins the race.
grabiner
Advisory Board
Posts: 29192
Joined: Tue Feb 20, 2007 11:58 pm
Location: Columbia, MD

Re: Vanguard Rep asked security question

Post by grabiner »

Vanguard's own security guidelines say "Vanguard will never ask for your Web password in an e-mail or request it via the phone or U.S. mail." A security question serves the same purpose as the password and thus Vanguard should never ask for it when they initiate the call. (On many Web sites, the security question allows you to reset a forgotten password.)

I would suggest contacting Vanguard security, not just to confirm that everything is OK, but to suggest that they clarify their policy (and, if necessary, train the representative on proper procedure). I have received phishing phone calls claiming to be from several banks, and it would be just as easy to phish from Vanguard.
Wiki David Grabiner
TF Hutch
Posts: 121
Joined: Sat Sep 12, 2009 12:57 am
Location: Florida

Re: Vanguard Rep asked security question

Post by TF Hutch »

Am I the only one without an "Account Representative"? I certainly don't want one.
Hutch | A fool and his funds are soon parted! - Thomas Tusser (English Farmer and Writer. 1524-1580)
CaliJim
Posts: 3050
Joined: Sun Feb 28, 2010 8:47 pm
Location: California, near the beach

Re: Vanguard Rep asked security question

Post by CaliJim »

Abe wrote:I just called Vanguard and everything is okay. He's even mailing me a signed book by John Bogle, which I didn't know he was going to do. Thanks everyone for your help.
Abe must be one of those high roller guys! :moneybag

:P
-calijim- | | For more info, click this Wiki
CaliJim
Posts: 3050
Joined: Sun Feb 28, 2010 8:47 pm
Location: California, near the beach

Re: Vanguard Rep asked security question

Post by CaliJim »

If anyone from Vanguard is reading this thread - they should consider changing their policy when placing outbound calls.

They should always ask the client to call Vanguard back.

It is not a good idea to condition clients to give passwords to random phone callers.
Last edited by CaliJim on Thu Jul 12, 2012 10:28 pm, edited 1 time in total.
-calijim- | | For more info, click this Wiki
Agent9
Posts: 157
Joined: Thu Feb 18, 2010 2:15 pm

Re: Vanguard Rep asked security question

Post by Agent9 »

TF Hutch wrote:Am I the only one without an "Account Representative"? I certainly don't want one.
I'll take a signed book though...
S&L1940
Posts: 1658
Joined: Fri Nov 02, 2007 11:19 pm
Location: South Florida

Re: Vanguard Rep asked security question

Post by S&L1940 »

TF Hutch wrote:Am I the only one without an "Account Representative"? I certainly don't want one.
no, me too

do I have to build up my account to get a representative assigned to me?
Don't it always seem to go * That you don't know what you've got * Till it's gone
khh
Posts: 324
Joined: Sat Dec 27, 2008 10:31 pm

Re: Vanguard Rep asked security question

Post by khh »

I had a security concern at Vanguard in January of this year when I changed the email address on my account. VG sent confirmation of the change to the new email address but not to the old one. My concern was that if someone got into my account and changed the email address, I might not be aware of it until the snail mail notification arrived. If such a thing were to happen, a confirmation email from VG to the old address would serve as an immediate fraud alert. I sent a message to VG at the time but did not get a reply.
Fallible
Posts: 7704
Joined: Fri Nov 27, 2009 4:44 pm

Re: Vanguard Rep asked security question

Post by Fallible »

grabiner wrote:Vanguard's own security guidelines say "Vanguard will never ask for your Web password in an e-mail or request it via the phone or U.S. mail." A security question serves the same purpose as the password and thus Vanguard should never ask for it when they initiate the call. (On many Web sites, the security question allows you to reset a forgotten password.)

I would suggest contacting Vanguard security, not just to confirm that everything is OK, but to suggest that they clarify their policy (and, if necessary, train the representative on proper procedure). I have received phishing phone calls claiming to be from several banks, and it would be just as easy to phish from Vanguard.
Excellent advice. I'm with Vanguard and I was surprised, concerned, and even disappointed to learn of these calls.
"Yes, investing is simple. But it is not easy, for it requires discipline, patience, steadfastness, and that most uncommon of all gifts, common sense." ~Jack Bogle
Rich in Michigan
Posts: 180
Joined: Mon Jun 11, 2012 1:27 pm

Re: Vanguard Rep asked security question

Post by Rich in Michigan »

Abe wrote:I just got off the phone with my Vanguard representative. He called me to discuss my account. During the conversation, he asked me for the answer to one of my security questions, not all of them, just one. He said he needed it to be able to see my account. I gave it to him, but I had second thoughts after getting off the phone. When he first called, he introduced himself and his name matches my account representative shown on my account. I think everything is okay, but I was just wondering if this is customary.
I have not received a call from my Vanguard rep, but when I have called him he always starts the conversation by stating that the call is being recorded and has me state my name for the record. He then does ask for the answer to one of my security questions, presumably to verify that I am who I say I am.

I just assumed this was SOP.
fandango
Posts: 518
Joined: Wed Dec 08, 2010 6:44 pm
Location: Greater Atlanta area

Re: Vanguard Rep asked security question

Post by fandango »

Sounds like a formal or informal approach to try to sell you something.

"I just happened to be calling you about blah, blah, blah. Is there anything else that I can do for you?"

It is disturbing to think that Vanguard would do this.

This has never happened to me. But I would have made a note of the caller's name, called Vanguard back, and tried to report it.

Is there a contact person within Vanguard to report compliance violations?
mapleosb
Posts: 230
Joined: Tue Feb 20, 2007 10:48 pm
Location: CT

Re: Vanguard Rep asked security question

Post by mapleosb »

CaliJim wrote:If anyone from Vanguard is reading this thread - they should consider changing their policy when placing outbound calls.

They should always ask the client to call Vanguard back.

It is not a good idea to condition clients to give passwords to random phone callers.
Personally, it is sad to me to hear that this is still happening.

About three years ago, I had the very same thing take place. A representative calls me and then asks to discuss my accounts and would I please answer my security question. I was absolutely floored by this request. In this day and age when any number can be spoofed to caller ID, and, the fact that we are all trained by modern life to never give out personal information to a cold call, I could not believe that this was a working policy at Vanguard. It is fine if I am the caller to Vanguard, not the other way around. Here is a link to that post and a direct response from a Vanguard rep:

http://www.bogleheads.org/forum/viewtop ... 4#p1219684

I both called and wrote a letter to the head of their Internet Security and waited for the follow up that took forever. It was as if this question had never been asked before. The answer I received back was a cordial "but, that is the way we do it" type note which left me less than satisfied. Regretfully, it was one of the final reasons that caused me to close my accounts at Vanguard.

I hope this information will help throw some light on the discussion.

Best to all,
“A mile of highway will take you a mile. A mile of runway will take you anywhere!”
nisiprius
Advisory Board
Posts: 42889
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard Rep asked security question

Post by nisiprius »

I am on the alert whenever a company calls me instead of the other way around.

I would NOT have answered the security question, not when a company calls ME.

I would have said "I want to be sure I am talking to Vanguard. I am going to call back using Vanguard's published 800 number. What do I need to tell them to get connected to you?"

Depending on how paranoid I was feeling that day, I might have dialed *69 after hanging up to get the number from which I was called.

P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
JPH
Posts: 1102
Joined: Mon Jun 27, 2011 8:56 pm

Re: Vanguard Rep asked security question

Post by JPH »

A Vanguard rep called me yesterday just to let me know that the last in a series of transactions was completed and to ask if I was satisfied. He did ask a security question, which I answered. I'm not worried because I clearly recognized the voice. But lesson learned. Thanks for the advice on this.

Edit on July 14, 2012. I lied here. I recalled later that the rep did not call me and ask me to answer the security question. Actually, my wife took a message and I returned the call. So, it was appropriate to ask the security question. I apologize for the mistake.
Last edited by JPH on Sat Jul 14, 2012 8:56 am, edited 1 time in total.
While the moments do summersaults into eternity | Cling to their coattails and beg them to stay - Townes Van Zandt
armeliusc
Posts: 402
Joined: Wed Dec 21, 2011 9:40 am

Re: Vanguard Rep asked security question

Post by armeliusc »

nisiprius wrote:I am on the alert whenever a company calls me instead of the other way around.
P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.
If the rep can see your password on the screen, that means the password is stored as is in their database, not one-way hashed nor encrypted. This is a major security flaw. The reason hackers can steal passwords mostly is because the password is stored as is, rather than as its (salted) hash. If I know that a company I am dealing with (esp. financially) stores my password that way, I would close my account immediately (or possibly try to contaminate my password first in their database before closing it).
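The storage design the posts above argue over, as an added example that is not part of the thread and not any firm's code: a plaintext row that a support screen could display beside a salted, slow-hashed row that reveals nothing, with verification of a typed candidate. The thread also treats security-question answers as password-equivalent, so the same storage applies to them; the case and whitespace folding for answers, the PBKDF2-HMAC-SHA256 choice, and the iteration count are my assumptions, not anything the thread states about Vanguard or Fidelity.

```python
"""Added example: why a rep should never be able to read a stored secret.

A secret (password or security-question answer) is stored as a salted slow
hash and candidates are verified against it. Assumptions (not from the
thread): PBKDF2-HMAC-SHA256 with the iteration count below; the record
layout is our own.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; production tunes this upward until one check costs
# roughly 100 ms on the login server.
ITERATIONS = 200_000


def store_plaintext(secret: str) -> dict:
    """The broken design described in the thread: anyone who can read the
    row can read the secret, and a stolen table needs no cracking at all."""
    return {"secret": secret}


def normalize_answer(answer: str) -> str:
    """Security-question answers are typed by humans: fold case and collapse
    whitespace before hashing so "Main St" and " main  ST" match, while the
    stored value still reveals nothing about the answer itself."""
    return " ".join(answer.lower().split())


def store_hashed(secret: str, salt: Optional[bytes] = None) -> dict:
    """Salted slow hash. A fresh random salt per record means two users with
    the same secret get unrelated hashes, so one precomputed (rainbow) table
    cannot be applied to the whole stolen file at once."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so a wrong guess is not distinguishable by timing."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    got = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(got, expected)


def rep_can_read_secret(record: dict) -> bool:
    """True if a support screen showing this record would leak the secret."""
    return "secret" in record


if __name__ == "__main__":
    bad = store_plaintext("SixHorses!")
    good = store_hashed("SixHorses!")
    print("plaintext row leaks secret:", rep_can_read_secret(bad))    # True
    print("hashed row leaks secret:   ", rep_can_read_secret(good))   # False
    print("verify correct:", verify(good, "SixHorses!"))              # True
    print("verify wrong:  ", verify(good, "sixhorses!"))              # False
    print("same secret, new salt, different hash:",
          store_hashed("SixHorses!")["hash"] != good["hash"])         # True
    answer = store_hashed(normalize_answer("Main St"))
    print("answer matches after folding:",
          verify(answer, normalize_answer("  main   ST ")))           # True
```

The point the code makes concrete: with the hashed record, "I can see it here on my screen" is impossible, because nothing on the server can be turned back into the password; the rep can only ask the system whether a candidate matches.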
kobbiemandd
Posts: 54
Joined: Fri Mar 18, 2011 6:54 pm

Re: Vanguard Rep asked security question

Post by kobbiemandd »

He didn't ask you for your password but a security question. That is the purpose of the security question.
I highly doubt he would be able to see your password.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

CaliJim wrote: It is not a good idea to condition clients to give passwords to random phone callers.
Just to clarify, Vanguard did not ask for his password, they asked for an answer to a security question.
sscritic
Posts: 21858
Joined: Thu Sep 06, 2007 8:36 am

Re: Vanguard Rep asked security question

Post by sscritic »

Basic question: why do you accept phone calls from businesses? I don't, unless it is a credit card company calling to tell me that there has been suspicious activity on my card. And then I would not continue to talk, but call them back at their official number.

If Vanguard ever called me, I would say "no thank you" and hang up, just as I do when my cable company calls me, when my telephone company calls me, and when companies that I have no affiliation with call me. My phone is for my use, not for the use of others. My answering machine's message makes this clear: "This phone is for the use of my family and friends and companies that I have contacted that are returning my call. Any other use is unauthorized."
Bob.Beeman
Posts: 148
Joined: Mon Dec 12, 2011 5:32 pm

Re: Vanguard Rep asked security question

Post by Bob.Beeman »

Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would think that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.
Fallible
Posts: 7704
Joined: Fri Nov 27, 2009 4:44 pm

Re: Vanguard Rep asked security question

Post by Fallible »

Bob.Beeman wrote:
Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would think that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.
I'm very glad you did email this info to VG, but even though your rep probably did pass it on, I would suggest you try to send it directly to the "experts" to make sure they do get it. I'd also later ask the rep what the experts' response is. I base these suggestions on your knowledge of password security and that you're "really worried" about the situation.
"Yes, investing is simple. But it is not easy, for it requires discipline, patience, steadfastness, and that most uncommon of all gifts, common sense." ~Jack Bogle
3247
Posts: 51
Joined: Sat Feb 11, 2012 3:34 pm

Re: Vanguard Rep asked security question

Post by 3247 »

Perhaps I am naive, but I just assumed that everybody who has a Vanguard Representative had already received the printed material that comes with being introduced to the Flagship level about a year ago. This material includes the name and contact information of your assigned Rep, along with the information that they will be contacting you soon to discuss the benefits of belonging to the Flagship group. Also, the rep's name is prominently displayed on your "My Accounts" page. Generally, I would recommend never giving out any security information...however, it has been my experience with Vanguard that they are very sensitive to their clients' personal security and take it seriously.

My Rep called me when I was admitted to the Flagship Community, introduced himself, asked if I had received the company literature and if I had any questions. He then asked if I minded him asking a security question to verify that "I was who I said I was" and told me if I objected, I could call Vanguard and ask for him by name. So Vanguard doesn't take it for granted that the person they reach on the phone is who they say they are either. I personally felt comfortable that he was who he said he was.

Incidentally, your Rep will change from time to time and each time it does, you will get a new introduction letter (and now, an email too) as well as the new Rep's name being posted on your "My Accounts" page (it may also be posted elsewhere, now that the new web pages are in effect). One more thing, even though Vanguard does not require case sensitive passwords, that doesn't stop you from making your password case sensitive with a mix of figures and characters that will be extremely difficult for computer programs designed to break/steal them.
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Vanguard Rep asked security question

Post by BYUvol »

Bob.Beeman wrote:
Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would think that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.
I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and we know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.
mapleosb
Posts: 230
Joined: Tue Feb 20, 2007 10:48 pm
Location: CT

Re: Vanguard Rep asked security question

Post by mapleosb »

BYUvol wrote:
I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and we know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.
Of course, it is and always will be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...
“A mile of highway will take you a mile. A mile of runway will take you anywhere!”
Bob.Beeman
Posts: 148
Joined: Mon Dec 12, 2011 5:32 pm

Re: Vanguard Rep asked security question

Post by Bob.Beeman »

mapleosb wrote: Of course, it is and always will be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...
As I think BYUvol appreciates, the break-ins at eHarmony and LinkedIn were not done by script kiddies. They were done by organized hackers. Apparently not criminal ones, as the motive appeared to be shining light on outrageously bad security. But criminal gangs ARE attacking banks, and apparently successfully. I'm sure eHarmony and LinkedIn have competent IT people just like Vanguard. But orders tend to be given by naive management types who don't understand security.

To show how bad this is, eHarmony and LinkedIn were using unsalted password files. A paper from 1978: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps pointed out the need for salting. This paper was considered a review of old technology in 1978. Sadly, some people didn't get the message.

With only 69 ASCII characters to choose from, each character has a maximum entropy of 6.1 bits (log2(69) = 6.1) and the 10-character length limit gives 61 bits of entropy MAXIMUM. To put this into perspective, using a 128 bit-hash (something that security experts would laugh at) your 61-bit-entropy password is 2^(128 - 61) or 2^67 times weaker than the system security. This works out to your password being limited to
147,570,000,000,000,000,000 times weaker than what security experts mostly consider inadequate.

At a security conference I attended years ago, a presenter from AT&T gave a paper summarized in the following points:
1. Hackers are smarter than you.
2. They have more time than you have.
3. They are better financed than you are.

Beware!!
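The arithmetic Bob.Beeman walks through in his two posts above (95 typeable ASCII characters, 69 once case is folded, 10 characters, about 61 bits, a 2^67 shortfall against a 128-bit hash), as an added example that is not part of the thread. It derives the alphabet sizes from the printable ASCII range rather than typing them in, and adds a worst-case brute-force time at an assumed guess rate so the "could be broken quickly" claim can be checked against a number; the guess rates are illustrative assumptions, not measurements of any real system or of Vanguard's.

```python
"""Added example: password-strength arithmetic from the discussion above.

Maximum entropy of a password of a given length over a given alphabet, the
factor by which that falls short of an h-bit hash output, and an exhaustive
search time at an assumed guess rate. Assumptions: the guess rates in the
demo are illustrative only.
"""
import math

# Printable ASCII is the 95 characters from space (32) through '~' (126).
PRINTABLE_ASCII = [chr(c) for c in range(32, 127)]


def alphabet_size(case_sensitive: bool = True) -> int:
    """95 symbols; folding case merges the 26 upper/lower letter pairs."""
    if case_sensitive:
        return len(set(PRINTABLE_ASCII))
    return len({c.lower() for c in PRINTABLE_ASCII})


def max_entropy_bits(alphabet: int, length: int) -> float:
    """Best case, every position uniform and independent: length * log2(alphabet).
    Real user-chosen passwords fall well below this ceiling."""
    return length * math.log2(alphabet)


def weakness_factor(hash_bits: int, entropy_bits: float) -> int:
    """How many times larger the hash output space is than the password space,
    i.e. how far the password, not the hash, is the weakest link."""
    return 2 ** (hash_bits - math.floor(entropy_bits))


def brute_force_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: try all 2**bits candidates at the given rate."""
    seconds = 2 ** entropy_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def slowed_rate(raw_guesses_per_second: float, work_factor: int) -> float:
    """A salted slow hash costs work_factor times more per guess than a single
    fast hash, which divides the attacker's effective rate by the same factor."""
    return raw_guesses_per_second / work_factor


if __name__ == "__main__":
    full, folded = alphabet_size(True), alphabet_size(False)
    for label, n in (("case-sensitive", full), ("case-insensitive", folded)):
        print(f"{label}: {n} symbols x 10 chars -> {max_entropy_bits(n, 10):.1f} bits max")
    bits = max_entropy_bits(folded, 10)
    print(f"shortfall vs 128-bit hash: 2^{int(math.log2(weakness_factor(128, bits)))}")
    # Assumed attacker rates against an unsalted fast hash (illustrative only).
    for rate in (1e9, 1e12):
        print(f"exhaustive search at {rate:.0e} guesses/s: "
              f"{brute_force_years(bits, rate):.1f} years")
    # Same attacker against a slow hash costing 2**18 fast hashes per guess.
    print(f"same rig vs slow hash (2^18 work): "
          f"{brute_force_years(bits, slowed_rate(1e12, 2 ** 18)):.0f} years")
```

Two things the numbers show that the prose only asserts: the 10-character, case-folded ceiling really is about 61 bits, and the defender's main lever against an offline attack on a stolen file is the per-guess cost of the hash, which is exactly what unsalted fast hashing, as in the eHarmony and LinkedIn cases cited above, gives away.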
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Vanguard Rep asked security question

Post by BYUvol »

mapleosb wrote:
BYUvol wrote:
I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and we know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.
Of course, it is and always will be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...
The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.
User avatar
mapleosb
Posts: 230
Joined: Tue Feb 20, 2007 10:48 pm
Location: CT

Re: Vanguard Rep asked security question

Post by mapleosb »

BYUvol wrote:The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.
BYUvol,

Thanks for that explanation, which I tend to agree with, but wouldn't the guy on the other end of the phone asking unsolicited for security question answers or passwords be considered as one with "insider level of understanding"?

FYI, I am NOT a security expert or tech guru, so forgive me if the question sounds basic.
“A mile of highway will take you a mile. A mile of runway will take you anywhere!”
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Vanguard Rep asked security question

Post by BYUvol »

Bob.Beeman wrote:
BYUvol wrote: Of course, it is and always will be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...
As I think BYUvol appreciates, the break-ins at eHarmony and LinkedIn were not done by script kiddies. They were done by organized hackers. Apparently not criminal ones, as the motive appeared to be shining light on outrageously bad security. But criminal gangs ARE attacking banks, and apparently successfully. I'm sure eHarmony and LinkedIn have competent IT people just like Vanguard. But orders tend to be given by naive management types who don't understand security.

To show how bad this is, eHarmony and LinkedIn were using unsalted password files. A paper from 1978: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps pointed out the need for salting. This paper was considered a review of old technology in 1978. Sadly, some people didn't get the message.

With only 69 ASCII characters to choose from, each character has a maximum entropy of 6.1 bits (log2(69) = 6.1), and the 10-character length limit gives 61 bits of entropy MAXIMUM. To put this into perspective, using a 128-bit hash (something that security experts would laugh at), your 61-bit-entropy password is 2^(128 - 61) or 2^67 times weaker than the system security. This works out to your password being limited to
147,570,000,000,000,000,000 times weaker than what security experts mostly consider inadequate.

At a security conference I attended years ago, a presenter from AT&T gave a paper summarized in the following points:
1. Hackers are smarter than you.
2. They have more time than you have.
3. They are better financed than you are.

Beware!!
eHarmony and LinkedIn are not banks, don't have bank level security, and people should not have reasonably expected their security to be as strong as banks. The attacks weren't organized, although the subsequent password cracking was loosely organized. I expect banks to have the strongest security protocols (both physical and electronic) available, and if their security is circumvented, I expect to be compensated for that breach. Everywhere else I expect passwords to be compromised. I set my password here on Bogleheads with the expectation that it would be compromised, and to not interfere with my other activities.

The point remains that I don't think there is a legitimate cause to worry as long as you have reasonably secure passwords, and don't reuse them on multiple sites. Life is full of inconveniences, but why get worked up over this?
User avatar
CaliJim
Posts: 3050
Joined: Sun Feb 28, 2010 8:47 pm
Location: California, near the beach

Re: Vanguard Rep asked security question

Post by CaliJim »

I don't think a system has been built that is totally secure. Keep copies of your statements in your possession.
-calijim- | | For more info, click this Wiki
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: Vanguard Rep asked security question

Post by BYUvol »

mapleosb wrote:
BYUvol wrote:The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.
BYUvol,

Thanks for that explanation, which I tend to agree with, but wouldn't the guy on the other end of the phone asking unsolicited for security question answers or passwords be considered as one with "insider level of understanding"?

FYI, I am NOT a security expert or tech guru, so forgive me if the question sounds basic.
If a person asked for my password, I would certainly never give it to them. And they certainly should not be able to see your password. I would be concerned by this because someone could access your account without any way of you knowing it.

However, security questions are much different. If they knew your security questions, they could reset your password, sure, but you would get an e-mail notifying you about it. Since you follow best practices, and don't have the same passwords for your e-mail as your bank login, you click on "Forgot password" and have a password reset link sent to your e-mail where you gain control. You also notify the financial institution of the breach, so they can investigate what the person did while they had access to your account. This is an inconvenience, but there is no alternative to this inconvenience. No bank is impenetrable, completely immune to fraud, therefore it is a risk you have to assume if you choose to have a custodian for your assets. If there was an alternative, I would say lets all switch to them, but there isn't an alternative.

Financial institutions all operate under more stringent operating regulations than most industries, which include independent audits of not only their finances, but also their security, so you can assume all banks will be approximately as secure as others.
User avatar
JamesSFO
Posts: 3247
Joined: Thu Apr 26, 2012 10:16 pm

Re: Vanguard Rep asked security question

Post by JamesSFO »

Just a thought: even if you have an appointment scheduled with them, e.g. a Flagship rep to call me at 7:15 AM today, and even if you've talked to your Flagship representative before, they will ask for one of the security questions. If you are deeply concerned, the right thing to do is call the person back using a number YOU know for Vanguard as opposed to one they provide.

That said, asking a security question is important for them to establish that you are who you say you are.
KyleAAA
Posts: 8759
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard Rep asked security question

Post by KyleAAA »

I would absolutely call them back and ask if it was them who called. In the future, I would probably not give the answers to any security questions over the phone unless I initiated the call. But it sounds like you're probably fine. I'm surprised Vanguard does this, as it's definitely a red flag in most cases.
mikep
Posts: 3730
Joined: Wed Apr 22, 2009 9:27 pm

Re: Vanguard Rep asked security question

Post by mikep »

This happened to me also... actually to my wife, who was totally off guard, since I was the one dealing with her account (she gave me authorization to do so). She was like, why are they calling me and asking all these questions... She told me she just got mad, gave them no answers, hung up the phone, and called me. I was shocked they would do this. So it must be standard operating procedure.
mschmitt
Posts: 77
Joined: Mon Aug 13, 2007 7:16 pm

Re: Vanguard Rep asked security question

Post by mschmitt »

nisiprius wrote:
P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.
I had this exact problem with Dean Witter years ago. They asked for my password, I said no I won't tell you. Then the lady asked, is it xxyxyxyx? Pretty damn scary.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

Bob.Beeman wrote:Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would think that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.
Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.
User avatar
Topic Author
Abe
Posts: 2226
Joined: Fri Sep 18, 2009 5:24 pm
Location: Earth in the Milky Way Galaxy

Re: Vanguard Rep asked security question

Post by Abe »

Hello everyone. I am the OP with additional information. As I said in an earlier post, I called Vanguard after my conversation with my account representative who asked for the answer to one of my security questions. Vanguard said that he did in fact call me. When he called me, he asked for the answer to one of my security questions, not my password. That was yesterday. Today I received an email from Vanguard saying they locked my account because someone had attempted to enter my security questions multiple times. They advised me to change my security questions, so I did that. Everything seems to be okay now.
Slow and steady wins the race.
billern
Posts: 1079
Joined: Fri Dec 07, 2007 4:08 pm

Re: Vanguard Rep asked security question

Post by billern »

mptfan wrote:
Bob.Beeman wrote:Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would think that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.
Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.
The previous poster is talking about how easy it would be for someone who got access to Vanguard's password database to brute force the passwords based upon their limited complexity.
mptfan
Posts: 6401
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard Rep asked security question

Post by mptfan »

billern wrote:The previous poster is talking about how easy it would be for someone who got access to Vanguard's password database to brute force the passwords based upon their limited complexity.
Ok, fair enough. Can I assume that (1) Vanguard's password database is encrypted? and (2) that if somehow the password database was compromised, then Vanguard would alert me to change my password? Thanks.
Bob.Beeman
Posts: 148
Joined: Mon Dec 12, 2011 5:32 pm

Re: Vanguard Rep asked security question

Post by Bob.Beeman »

mptfan wrote: Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.
This is a great question! Hackers do not use the on-line login to find your password. They only use it once they know your password for sure. This is a misconception that a lot of people have, though. The problem is that if hackers steal Vanguard's password file, they then have (salted and hashed hopefully) passwords for everyone. People here keep saying that this can't happen. Not until it does. And once it happens, Vanguard won't know about it for some time, so forget having everyone change their passwords. Most users won't know for days or weeks, and re-establishing new passwords isn't so easy once they have been compromised.

Further, assuming that nobody can recover the password file breaks a fundamental rule of security: that it is in layers. If you just assume that nobody can get the password file, and use this as an excuse to force people to use short passwords, then the rest of your security will be lax and you will be wide open if the password file gets hacked. Kind of like the security of a multi-engine airplane. If you take off with one engine sputtering, you have thrown away the security of having multiple engines, and are worse off than you would be with a single engine.

For example, the hash system for the resources management tool I wrote for the school where I work is at: https://www.bee-man.us/cghstech/hash_tool.php This is only there in case I need to get back in after a disaster. It allows me to calculate my own password hash from my account name, salt, and password. I can only get into my own account this way because I don't know anyone else's password. Of course I could log into the database that holds the password hashes, but that's another story (and another potential vulnerability).

In the password file you would find something like the following:

Account           Salt      Hash
bob.beeman        8675309   24acdcc47f0af5c2f9f9f9754cee45828c0dec94
fred.flintstone   4871209   d572f5f9cfeae60396a443eba0f6210cdf44aaba
greta.garbo       8401276   f4d7d7be88c3c794fc3677921cc5d0502e0f7565
han.solo          7396739   84f0d5ba6499acee1d5515d998712467246225fa
iam.naive         7329275   951e7cae2cbe2b6155a77756a04527a3bd9bbbe4
Let's say that one of them, some naive person, has "password" for their password. Who could that be? Well, if you go to the hash page referenced above and set the first 3 select boxes to "lower case" and the fourth (hash) to "sha1" you could determine this by brute force. Item 1 is the account name, item 2 is the salt, and item 3 is the password. Unsurprisingly, it is iam.naive who has this password.

If I had not salted the passwords, it would be easy to discover that greta garbo and I have the same password, but you can't discover that, because we have different salts. Having different salts for each user is the thing that eHarmony and LinkedIn missed. In that case you can use a "rainbow table" which has the hashes of millions or billions of passwords pre-computed. You try to look up each hash in the rainbow table. When you find a match, you know that user's password. If you use salt it is more complex, because you then need to figure each one separately. This is a lot harder, but not insurmountable, because most people use stupid passwords like "password" "password1" or, worst of all some obscene word or phrase. The obscene ones are simple. Don't ever use anything obscene. This TOTALLY blows your security.

The next best thing to people using simple passwords (best for hackers, anyway) is organizations that limit the length of passwords. Then everyone is vulnerable.

For some more discussion from a real expert, go to: http://deadliestwebattacks.com/2012/06/ ... ur-wounds/

PS:
bob.beeman password = fat.green.giraffe
fred.flintstone password = fat.green.fred
greta.garbo password = fat.green.giraffe
han.solo password = some.really.long.password.relating.to.star.wars
iam.naive password (I gave it to you above).
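As an added worked example (not Bob's hash tool, and not code from Vanguard or anyone in this thread), here is a short Python script that builds a constructed password file shaped like the table above, shows what leaks from it when the hashes are unsalted, runs the precomputed-table lookup that per-user salts defeat, runs the per-user dictionary attack that salts do not defeat, and computes the 61-bit entropy cap from the earlier post about the 69-character, 10-character limit. The hash layout sha1(account:salt:password) is an assumption chosen for the example, so the digests it produces will not match the ones in the post; the account names, salts, plaintexts and wordlist are constructed here to mirror the post's PS. Because the cracking is done offline against the stolen file, the site's login lockout after a few failed attempts never comes into play, which is the point of mptfan's question.

```python
"""Added example: salted vs. unsalted password files, offline cracking,
and the entropy cap imposed by a short, case-insensitive password limit.

Assumptions (not from the post): salted scheme is
sha1(account + ":" + salt + ":" + password). Digests therefore differ
from the table in the post. Sample users and the wordlist are constructed.
"""
import hashlib
import math


def unsalted_hash(password: str) -> str:
    """eHarmony/LinkedIn-style storage: a hash of the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(account: str, salt: str, password: str) -> str:
    """Assumed per-user scheme: account name and salt mixed into the digest."""
    return hashlib.sha1(f"{account}:{salt}:{password}".encode()).hexdigest()


# Constructed sample accounts: (salt, plaintext), mirroring the post's PS.
USERS = {
    "bob.beeman": ("8675309", "fat.green.giraffe"),
    "fred.flintstone": ("4871209", "fat.green.fred"),
    "greta.garbo": ("8401276", "fat.green.giraffe"),
    "han.solo": ("7396739", "some.really.long.password.relating.to.star.wars"),
    "iam.naive": ("7329275", "password"),
}


def build_password_file(salted: bool) -> dict:
    """Return {account: (salt, hash)}, i.e. what a stolen file looks like."""
    out = {}
    for account, (salt, pw) in USERS.items():
        h = salted_hash(account, salt, pw) if salted else unsalted_hash(pw)
        out[account] = (salt, h)
    return out


def shared_password_groups(pw_file: dict) -> list:
    """Accounts whose stored hashes are identical share a password, and that
    is visible without cracking anything. Only happens with unsalted hashes."""
    by_hash = {}
    for account, (_, h) in pw_file.items():
        by_hash.setdefault(h, []).append(account)
    return sorted(group for group in by_hash.values() if len(group) > 1)


def crack_with_table(pw_file: dict, wordlist) -> dict:
    """Rainbow-table-style attack: precompute hash -> password ONCE, then
    look every account up in O(1). Works only against unsalted hashes."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {a: table[h] for a, (_, h) in pw_file.items() if h in table}


def crack_salted(pw_file: dict, wordlist) -> dict:
    """Per-user dictionary attack: the salt forces one hash per (user, guess),
    so the cost is users x wordlist rather than one shared table. Weak
    passwords still fall; only the precomputation shortcut is gone."""
    found = {}
    for account, (salt, h) in pw_file.items():
        for w in wordlist:
            if salted_hash(account, salt, w) == h:
                found[account] = w
                break
    return found


def max_entropy_bits(alphabet_size: int, max_len: int) -> float:
    """Upper bound on password entropy for an alphabet and length cap, e.g.
    69 case-insensitive printable characters and at most 10 of them."""
    return max_len * math.log2(alphabet_size)


def guesses_per_second_to_exhaust(bits: float, days: float) -> float:
    """Offline rate needed to try every 2^bits candidate within `days`.
    An online lockout after a few failed logins never enters this number."""
    return 2 ** bits / (days * 86400)


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "letmein", "password1", "fat.green.fred"]
    print("unsalted shared:", shared_password_groups(build_password_file(False)))
    print("salted shared:  ", shared_password_groups(build_password_file(True)))
    print("table attack:   ", crack_with_table(build_password_file(False), WORDLIST))
    print("salted attack:  ", crack_salted(build_password_file(True), WORDLIST))
    print("entropy cap:    ", round(max_entropy_bits(69, 10), 1), "bits")
    print("guesses/s for 61 bits in 30 days:",
          f"{guesses_per_second_to_exhaust(61, 30):.3e}")
```

Run it and the unsalted file immediately pairs bob.beeman with greta.garbo, while the salted file shows no pairs; both attacks still recover iam.naive and fred.flintstone because their passwords are in the wordlist, and han.solo survives both because his is not. The last line is the arithmetic behind "could be broken quickly": the rate is set by the attacker's hardware against the stolen file, not by how many failed logins the website allows.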
SurfCityBill
Posts: 547
Joined: Tue May 01, 2012 10:15 pm

Re: Vanguard Rep asked security question

Post by SurfCityBill »

If all of you Bogleheads are 3 core fund investors, or similar, why do you have/need a VG rep? :?:

-B