Vanguard Rep asked security question

Abe · Post by **Abe** » Thu Jul 12, 2012 2:24 pm

I just got off the phone with my Vanguard representative. He called me to discuss my account. During the conversation, he asked me for the answer to one of my security questions, not all of them, just one. He said he needed it to be able to see my account. I give it to him, but I had second thoughts after getting off the phone. When he first called, he introduced himself and his name matches my account representative shown on my account. I think everything is okay, but I was just wondering if this is customary.

mptfan · Post by **mptfan** » Thu Jul 12, 2012 2:28 pm

What was the purpose of the call? I don't meant to sound paranoid, but this does not sound customary to me. The only way I would give out sensitive information is if I was the one who initiated the call to Vanguard, that way, I know who I am talking to.

By the way, not to scare you, but if someone knows the answers to your security questions, they can claim to be you, claim that they forgot the password, and reset the password, and then they have access to your accounts--and you don't. The moral of the story is treat the answers to your security questions like passwords.

HomerJ · Post by **HomerJ** » Thu Jul 12, 2012 2:30 pm

Call Vanguard and see if they have a log of someone calling you.

NEVER answer security questions when someone calls you; only when you call them.

LynnC · Post by **LynnC** » Thu Jul 12, 2012 2:33 pm

OMG...NEVER answer those questions if THEY call you.

I called Vanguard last week to ask THEM a question and was asked one of my security questions. I really appreciate the extra security.

LynnC

EagertoLearnMore · Post by **EagertoLearnMore** » Thu Jul 12, 2012 2:35 pm

Before you get too concerned, I was contacted several times by Vanguard and they asked a security question. I REFUSED and offered to return the call using the Vanguard numbers that I have. I called and sure enough, the same person with the same voice. So, what did they want? One time they were just inquiring about any concerns I had because of a long past problem. Another time it was a survey of some sorts. Anyway, call and check their log to ease your mind.

Mister Whale · Post by **Mister Whale** » Thu Jul 12, 2012 2:36 pm

Uh oh.

I would change all of my sign-in information immediately.

EDIT below:

EagertoLearnMore wrote:Before you get too concerned, I was contacted several times by Vanguard and they asked a security question. I REFUSED and offered to return the call using the Vanguard numbers that I have. I called and sure enough, the same person with the same voice. So, what did they want? One time they were just inquiring about any concerns I had because of a long past problem. Another time it was a survey of some sorts. Anyway, call and check their log to ease your mind.

Well, that is somewhat reassuring.

mptfan · Post by **mptfan** » Thu Jul 12, 2012 2:42 pm

If you want to ease your mind, log on to Vanguard right now, and change your password AND your security questions. And don't give them out next time someone calls you and asks for them.

Abe · Post by **Abe** » Thu Jul 12, 2012 2:44 pm

He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.

mptfan · Post by **mptfan** » Thu Jul 12, 2012 2:46 pm

Abe wrote:Even though I think everything is okay, ....

Every scam victim thinks everything is ok, until they realize that it's not.

Abe · Post by **Abe** » Thu Jul 12, 2012 2:56 pm

I just called Vanguard and everything is okay. He's even mailing me a signed book by John Bogle, which I didn't know he was going to do. Thanks everyone for your help.

mptfan · Post by **mptfan** » Thu Jul 12, 2012 3:06 pm

You're welcome, I'm glad it worked out.

By the way, I would like to discuss your account, what is your password?

Abe · Post by **Abe** » Thu Jul 12, 2012 3:32 pm

mptfan wrote:You're welcome, I'm glad it worked out.

By the way, I would like to discuss your account, what is your password?

We used to have a party line. Freddie, the little boy down the road, would listen in on our conversations. One day, when I was talking to someone, I said "Freddie, is that you on this line. He said, "ain't gonna tell ya". So, next time someone ask for my secure information, I'll tell them what Freddie said.

grabiner · Post by **grabiner** » Thu Jul 12, 2012 9:13 pm

Vanguard's own security guidelines say "Vanguard will never ask for your Web password in an e-mail or request it via the phone or U.S. mail." A security question serves the same purpose as the password and thus Vanguard should never ask for it when they initiate the call. (On many Web sites, the security question allows you to reset a forgotten password.)

I would suggest contacting Vanguard security, not just to confirm that everything is OK, but to suggest that they clarify their policy (and, if necessary, train the representative on proper procedure). I have received phishing phone calls claiming to be from several banks, and it would be just as easy to phish from Vanguard.

TF Hutch · Post by **TF Hutch** » Thu Jul 12, 2012 10:21 pm

Am I the only one without an "Account Represetitive"? I certainly don't want one.

CaliJim · Post by **CaliJim** » Thu Jul 12, 2012 10:25 pm

Abe wrote:I just called Vanguard and everything is okay. He's even mailing me a signed book by John Bogle, which I didn't know he was going to do. Thanks everyone for your help.

Abe must be one of those high roller guys!

CaliJim · Post by **CaliJim** » Thu Jul 12, 2012 10:28 pm

If anyone from Vanguard is reading this thread - they should consider changing their policy when placing outbound calls.

They should always ask the client to call Vanguard back.

It is not a good idea to condition clients to give passwords to random phone callers.

Agent9 · Post by **Agent9** » Thu Jul 12, 2012 10:28 pm

TF Hutch wrote:Am I the only one without an "Account Represetitive"? I certainly don't want one.

I'll take a signed book though...

S&L1940 · Post by **S&L1940** » Thu Jul 12, 2012 10:36 pm

TF Hutch wrote:Am I the only one without an "Account Represetitive"? I certainly don't want one.

no, me too

do I have to build up my account to get a representative assigned to me?

khh · Post by **khh** » Thu Jul 12, 2012 10:49 pm

I had a security concern at Vanguard in January of this year when I changed the email address on my account. VG sent confirmation of the change to the new email address but not to the old one. My concern was that if someone got into my account and changed the email address, I might not be aware of it until the snail mail notification arrived. If such a thing were to happen, a confirmation email from VG to the old address would serve as an immediate fraud alert. I sent a message to VG at the time but did not get a reply.

Fallible · Post by **Fallible** » Thu Jul 12, 2012 11:00 pm

grabiner wrote:Vanguard's own security guidelines say "Vanguard will never ask for your Web password in an e-mail or request it via the phone or U.S. mail." A security question serves the same purpose as the password and thus Vanguard should never ask for it when they initiate the call. (On many Web sites, the security question allows you to reset a forgotten password.)

I would suggest contacting Vanguard security, not just to confirm that everything is OK, but to suggest that they clarify their policy (and, if necessary, train the representative on proper procedure). I have received phishing phone calls claiming to be from several banks, and it would be just as easy to phish from Vanguard.

Excellent advice. I'm with Vanguard and I was surprised, concerned, and even disappointed to learn of these calls.

Rich in Michigan · Post by **Rich in Michigan** » Fri Jul 13, 2012 5:33 am

Abe wrote:I just got off the phone with my Vanguard representative. He called me to discuss my account. During the conversation, he asked me for the answer to one of my security questions, not all of them, just one. He said he needed it to be able to see my account. I give it to him, but I had second thoughts after getting off the phone. When he first called, he introduced himself and his name matches my account representative shown on my account. I think everything is okay, but I was just wondering if this is customary.

I have not received a call from my Vanguard rep, but when I have called him he always starts the conversation by stating that the call is being recorded and has me state my name for the record. He then does ask for the answer to one of my security questions, presumably to verify that I am who I am say I am.

I just assumed this was SOP.

fandango · Post by **fandango** » Fri Jul 13, 2012 6:02 am

Sounds like a formal or informal approach to try to sell you something.

"I just happened to be caling you about "blah, blah, blah. Is there anything else that I can do for you?"

It is disturbing to think that Vanguard would do this.

This has never happened to me. But I would have made a note of the caller's name, called Vanguard back, and tried to report it.

Is there a contact person within Vanguard to report compliance violations?

mapleosb · Post by **mapleosb** » Fri Jul 13, 2012 6:08 am

CaliJim wrote:If anyone from Vanguard is reading this thread - they should consider changing their policy when placing outbound calls.

They should always ask the client to call Vanguard back.

It is not a good idea to condition clients to give passwords to random phone callers.

Personally, it is sad to me to hear that this is till happening.

About three years ago, I had the very same thing take place. A representative calls me and then asks to discuss my accounts and would I please answer my security question. I was absolutely floored by this request. In this day and age when any number can be spoofed to caller ID, and, the fact that we are all trained by modern life to never give out personal information to a cold call, I could not believe that this was a working policy at Vanguard. It is fine if I am the caller to Vanguard, not the other way around. Here is a link to that post and a direct response from a Vanguard rep:

http://www.bogleheads.org/forum/viewtop ... 4#p1219684

I both called and wrote a letter to the head of their Internet Security and waited for the follow up that took forever. It was as if this question had never been asked before. The answer I received back was a cordial "but, that is the way we do it" type note which left me less than satisfied. Regretfully, it was one of the final reasons that caused me to close my accounts at Vanguard.

I hope this information will help throw some light on the discussion.

Best to all,

nisiprius · Post by **nisiprius** » Fri Jul 13, 2012 7:25 am

I am on the alert whenever a company calls me instead of the other way around.

I would NOT have answered the security question, not when a company calls ME.

I would have said "I want to be sure I am talking to Vanguard. I am going to call back using Vanguard's published 800 number. What do I need to tell them to get connected to you?"

Depending on how paranoid I was feeling that day, I might have dialed *69 after hanging up to get the number from which I was called.

P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.

JPH · Post by **JPH** » Fri Jul 13, 2012 8:13 am

A Vanguard rep called me yesterday just to let me know that the last in a series of transaction was completed and to ask if I was satisfied. He did ask a security question, which I naswered. I'm not worried because I clearly recognized the voice. But lesson learned. Thanks for the advice on this.

Edit on July 14, 2012. I lied here. I recalled later that the rep did not call me and ask me to answer the security question. Actually, my wife took a message and I returned the call. So, it was appropriate to ask the security question. I appologize for the mistake.

armeliusc · Post by **armeliusc** » Fri Jul 13, 2012 8:22 am

nisiprius wrote:I am on the alert whenever a company calls me instead of the other way around.
P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.

If the rep can see your password on the screen, that means the password is stored as is on their database, not one-way hashed nor encrypted. This is a major security flaw. The reason hackers can steal passwords mostly is because the password is stored as is, rather than its (salted) hashed. If I know that a company I am dealing with (esp. financially) stores my password that way, I would close my account immediately (or possibly try to contaminate my password first in their database before closing it).

kobbiemandd · Post by **kobbiemandd** » Fri Jul 13, 2012 9:07 am

He didn't ask you for your password but a security question. That is the purpose of the security question.
I highly doubt he would be able to see your password.

mptfan · Post by **mptfan** » Fri Jul 13, 2012 9:28 am

CaliJim wrote: It is not a good idea to condition clients to give passwords to random phone callers.

Just to clarify, Vanguard did not ask for his password, they asked for an answer to a security question.

sscritic · Post by **sscritic** » Fri Jul 13, 2012 9:40 am

Basic question: why do you accept phone calls from businesses? I don't, unless it is a credit card company calling to tell me that there has been suspicious activity on my card. And then I would not continue to talk, but call them back at their official number.

If Vanguard ever called me, I would say "no thank you" and hang up, just as I do when my cable company calls me, when my telephone company calls me, and when companies that I have no affiliation with call me. My phone is for my use, not for the use of others. My answering machine's message makes this clear: "This phone is for the use of my family and friends and companies that I have contacted that are returning my call. Any other use is unauthorized."

Bob.Beeman · Post by **Bob.Beeman** » Fri Jul 13, 2012 9:42 am

Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.

As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would thing that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.

Fallible · Post by **Fallible** » Fri Jul 13, 2012 9:55 am

Bob.Beeman wrote:
Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would thing that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.

I'm very glad you did email this info to VG, but even though your rep probably did pass it on, I would suggest you try to send it directly to the "experts" to make sure they do get it. I'd also later ask the rep what the experts' response is. I base these suggestions on your knowledge of password security and that you're "really worried" about the situation.

3247 · Post by **3247** » Fri Jul 13, 2012 9:57 am

Perhaps I am naive, but I just assumed that everybody who has a Vanguard Representative had already received the printed material that comes with being introduced to the Flagship level about a year ago. This material includes the name and contact information of your assigned Rep. along with the information that they will be contacting you soon to discuss the benefits of belonging to the Flagship group. Also, the reps name is prominently displayed on your "My Accounts" page. Generally, I would recommend never giving out any security information...however, it has been my experience with Vanguard that they are very sensitive to their clients personal security and take it seriously.

My Rep called me when I was admitted to the Flagship Community, introduced himself, asked if I had received the company literature and if I had any questions. He then asked if I minded him asking a security question to verify that "I was who I said I was" and told me if I objected, I could call Vanguard and ask for him by name. So Vanguard doesn't take it for granted that the person they reach on the phone is who they say they are either. I personally felt comfortable that he was who he said he was.

Incidentally, your Rep will change from time to time and each time it does, you will get a new introduction letter (and now, an email too) as well as the new Reps name being posted on your 'My Accounts" page (it may also be posted elsewhere, now that the new web pages are in effect). One more thing, even tho Vanguard does not require case sensitive passwords, that doesn't stop you from making your password case sensitive with a mix of figures and characters that will be extremely difficult for computer programs designed to break/steal them.

BYUvol · Post by **BYUvol** » Fri Jul 13, 2012 10:11 am

Bob.Beeman wrote:
Abe wrote:He called me to discuss my account. The reason he called was because he is my new account representative, he said. He wanted to introduce himself and just wanted to know if I had any questions. He gave me some information regarding what was available to me at Vanguard, etc. I did have second thoughts about answering the security question. Even though I think everything is okay, I think I will call Vanguard to verify.
As others have commented, if *ANYONE* at a website has any idea what your password is, close your account. The entire thing is insecure. Honestly-run websites use salted, hashed passwords in the password file and don't store plaintext passwords anywhere. The good ones use at least 160-bit hashes (SHA1). Some use hashes that give longer outputs.

Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would thing that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

I sent an email to my Vanguard rep, and he forwarded it to "the experts". I am really worried that Vanguard is open to a big disaster.

I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.

mapleosb · Post by **mapleosb** » Fri Jul 13, 2012 10:30 am

BYUvol wrote:
I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.

Of course, it is and always be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...

Bob.Beeman · Post by **Bob.Beeman** » Fri Jul 13, 2012 10:45 am

BYUvol wrote: Of course, it is and always be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...

As I think BYUvol appreciates, the breakins at eHarmony and LinkedIn were not done by script kiddies. They were done by organized hackers. Apparently not criminal ones, as the motive appeared to be shining light on outrageously bad security. But criminal gangs ARE attacking banks, and apparently successfully. I'm sure eHarmony and LinkedIn have competent IT people just like Vanguard. But orders tend to be given by naive management types who don't understand security.

To show how bad this is, eHarmony and LinkedIn were using unsalted password files. A paper from 1978: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps pointed out the need for salting. This paper was considered a review of old technology in 1978. Sadly, some people didn't get the message.

with only 69 ASCII characters to choose from each character has a maximum entropy of 6.1 bits (log2(69) = 6.1) and the 10-character length limit gives 61 bits of entropy MAXIMUM. To put this into perspective, using a 128 bit-hash (something that security experts would laugh at) your 61-bit-entropy password is 2^(128 - 61) or 2^67 times weaker than the system security. This works out to your password being limited to
147,570,000,000,000,000,000 times weaker than what security experts mostly consider inadequate.

At a security conference I attended years ago, a presenter from AT&T gave a paper summarized in the following points:
1. Hackers are smarter than you.
2. They have more time than you have.
3. They are better financed than you are.

Beware!!

BYUvol · Post by **BYUvol** » Fri Jul 13, 2012 10:51 am

mapleosb wrote:
BYUvol wrote:
I think you are making this out to be a bigger problem than it is.

1) They asked for his security question, not password.
2) It was Fidelity who asked for the password, and that was years ago, things have changed.
3) To quote Lord of the Rings, "One does not simply stroll into Mordor." Some script kiddie isn't going to do an SQL injection and get access to the database from their bedroom, access to their databases would be restricted to an internal IP. Then, assuming the attacker made it into their servers' intranet, taking a dump of a database with hundreds of millions of rows would take hours, long enough for Vanguard to realize they have been compromised, and alert customers to change their password. All before any work of rainbow tables could begin their work.

Banks are very very very secure these days. Our small business has undergone security audits from some of the very large ones, and know their procedures... I'd be far more concerned with being held at gunpoint and forced to reveal my password.
Of course, it is and always be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...

The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.

mapleosb · Post by **mapleosb** » Fri Jul 13, 2012 11:02 am

BYUvol wrote:The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.

BYUvol,

Thanks for that explanation which I tend to agree with, but, wouldn't the guy on the other end of the phone asking unsolicited for security question answers or passwords be considered as one with "insider level of understanding?'

FYI, I am NOT a security expert or tech guru, so forgive me if the questions sounds basic.

BYUvol · Post by **BYUvol** » Fri Jul 13, 2012 11:02 am

Bob.Beeman wrote:
BYUvol wrote: Of course, it is and always be a personal level of trust and comfort as to what one will accept, but, when I read things like this I have to wonder:

http://news.sky.com/story/952931/fraud- ... n-60-banks

Just sayin...
As I think BYUvol appreciates, the breakins at eHarmony and LinkedIn were not done by script kiddies. They were done by organized hackers. Apparently not criminal ones, as the motive appeared to be shining light on outrageously bad security. But criminal gangs ARE attacking banks, and apparently successfully. I'm sure eHarmony and LinkedIn have competent IT people just like Vanguard. But orders tend to be given by naive management types who don't understand security.

To show how bad this is, eHarmony and LinkedIn were using unsalted password files. A paper from 1978: http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps pointed out the need for salting. This paper was considered a review of old technology in 1978. Sadly, some people didn't get the message.

with only 69 ASCII characters to choose from each character has a maximum entropy of 6.1 bits (log2(69) = 6.1) and the 10-character length limit gives 61 bits of entropy MAXIMUM. To put this into perspective, using a 128 bit-hash (something that security experts would laugh at) your 61-bit-entropy password is 2^(128 - 61) or 2^67 times weaker than the system security. This works out to your password being limited to
147,570,000,000,000,000,000 times weaker than what security experts mostly consider inadequate.

At a security conference I attended years ago, a presenter from AT&T gave a paper summarized in the following points:
1. Hackers are smarter than you.
2. They have more time than you have.
3. They are better financed than you are.

Beware!!

eHarmony and LinkedIn are not banks, don't have bank level security, and people should not have reasonably expected their security to be as strong as banks. The attacks weren't organized, although the subsequent password cracking was loosely organized. I expect banks to have the strongest security protocols (both physical and electronic) available, and if their security is circumvented, I expect to be compensated for that breach. Everywhere else I expect passwords to be compromised. I set my password here on Bogleheads with the expectation that it would be compromised, and to not interfere with my other activities.

The point remains that I don't think there is a legitimate cause to worry as long as you have reasonably secure passwords, and don't reuse them on multiple sites. Life is full of inconveniences, but why get worked up over this?

CaliJim · Post by **CaliJim** » Fri Jul 13, 2012 11:11 am

I don't think a system has been built that is totally secure. Keep copies of your statements in your possession.

BYUvol · Post by **BYUvol** » Fri Jul 13, 2012 11:11 am

mapleosb wrote:
BYUvol wrote:The link describes why I said banks are very very very secure, and not impenetrable. Security firms have said the attackers had an "insider level of understanding". Like I said in my first post, you would need internal access to the databases. Banks in the US are required to have insurance to cover fraud from employees, so those people who lost money would of course be refunded (assuming the EU has similar laws). This news doesn't affect best practices in web security, and shouldn't cause people to change course and start storing all their wealth buried in their back yard.
BYUvol,

Thanks for that explanation which I tend to agree with, but, wouldn't the guy on the other end of the phone asking unsolicited for security question answers or passwords be considered as one with "insider level of understanding?'

FYI, I am NOT a security expert or tech guru, so forgive me if the questions sounds basic.

If a person asked for my password, I would certainly never give it to them. And they certainly should not be able to see your password. I would be concerned by this because someone could access your account without any way of you knowing it.

However, security questions are much different. If they knew your security questions, they could reset your password, sure, but you would get an e-mail notifying you about it. Since you follow best practices, and don't have the same passwords for your e-mail as your bank login, you click on "Forgot password" and have a password reset link sent to your e-mail where you gain control. You also notify the financial institution of the breach, so they can investigate what the person did while they had access to your account. This is an inconvenience, but there is no alternative to this inconvenience. No bank is impenetrable, completely immune to fraud, therefore it is a risk you have to assume if you choose to have a custodian for your assets. If there was an alternative, I would say lets all switch to them, but there isn't an alternative.

Financial institutions all operate under more stringent operating regulations than most industries, which include independent audits of not only their finances, but also their security, so you can assume all banks will be approximately as secure as others.

JamesSFO · Post by **JamesSFO** » Fri Jul 13, 2012 11:25 am

Just a thought, even if you have an appointment scheduled with them, e.g. Flagship rep to call me at 715AM today, and even if you've talked to your Flagship representative before they will ask for one of the security questions. If you are deeply concerned, the right thing to do is call the person back using a number YOU know for Vanguard as opposed to one they provide.

That said, asking a security question is important for them to establish that you are who you say you are.

KyleAAA · Post by **KyleAAA** » Fri Jul 13, 2012 11:28 am

I would absolutely call them back and ask if it was them who called. In the future, I would probably not give the answers to any security questions over the phone unless I initiated the call. But it sounds like you're probably fine. I'm surprised Vanguard does this, as it's definitely a red flag in most cases.

mikep · Post by **mikep** » Fri Jul 13, 2012 11:34 am

Thsi happened to me also .. actually my wife who was totally off guard when I was the one dealing with her account (she gave me authorization to do so). She was like why are they calling me and asking all these questions .. told me she just got mad gave them no answers and hung up the phone and called me .. I was shocked they would do this. So it must be standard operating procedure

mschmitt · Post by **mschmitt** » Fri Jul 13, 2012 11:48 am

nisiprius wrote:
P.S. About ten years ago I was shocked to the core when Fidelity asked for my password. Yes, really. I said "I don't tell anyone my password." He said, quote, "It's OK, I can see it here on my screen." I declined, called back, asked for computer security department, very analogous experience to mapleosb's. They said it was true about the rep being able to see my password, and seemed clueless about why I'd have a problem with that.

I had this exact problem with Dean Witter years ago. They asked for my password, I said no I won't tell you. Then the lady asked, is it xxyxyxyx? Pretty damn scary.

mptfan · Post by **mptfan** » Fri Jul 13, 2012 12:31 pm

Bob.Beeman wrote:Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would thing that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.

Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.

Abe · Post by **Abe** » Fri Jul 13, 2012 12:51 pm

Hello everyone. I am the OP with additional information. As i said in an earlier post, I called Vanguard after my conversation with my account representative who asked for the answer to one of my security questions. Vanguard said that he did in fact call me. When he called me, he asked for the answer to one of my security questions, not my password. That was yesterday. Today I received an email from Vanguard saying they locked my account because someone had attempted to enter my security questions multiple times. They advised me to change my security questions, so I did that. Everything seems to be okay now.

billern · Post by **billern** » Fri Jul 13, 2012 1:19 pm

mptfan wrote:
Bob.Beeman wrote:Vanguard may have a real password security problem, in that they restrict passwords to 10 characters that are case-insensitive. Since there are only 95 ASCII characters that you can type, and only 69 when you are case-insensitive, the best possible password on Vanguard's site has only about 60 bits of entropy. Thus the strength of any password you can use is MUCH weaker than the underlying security infrastructure. If anyone gets hold of Vanguard's password file (and only a fool would thing that won't happen) breaking passwords of that length is very feasible. If the password file contains info about level of membership (Admiral), they could concentrate on the high-value accounts. Given any kind of reasonable computer installation, passwords with 60 bits of entropy could be broken quickly, even if they were random. Sadly, most passwords are not random, and could be broken trivially.
Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.

The previous posted is talking about how easy it would be for someone who got access to Vanguard's password database to brute force the passwords based upon their limited complexity.

mptfan · Post by **mptfan** » Fri Jul 13, 2012 1:32 pm

billern wrote:The previous posted is talking about how easy it would be for someone who got access to Vanguard's password database to brute force the passwords based upon their limited complexity.

Ok, fair enough. Can I assume that (1) Vanguard's password database is encrypted? and (2) that if somehow the password database was compromised, then Vanguard would alert me to change my password? Thanks.

Bob.Beeman · Post by **Bob.Beeman** » Fri Jul 13, 2012 2:08 pm

mptfan wrote: Bob, I have a question about this, since you seem to be an expert in this area. (I say that sincerely, not sarcastically) Doesn't Vanguard disable your account for online access after 3 or 4 failed attempts to enter the correct password? Wouldn't this stop a brute force attack to guess the password? Thanks.

This is a great question! Hackers do not use the on-line login to find your password. They only use it once they know your password for sure. This is a misconception that a lot of people have, though. The problem is that if hackers steal Vanguard's password file, they then have (salted and hashed hopefully) passwords for everyone. People here keep saying that this can't happen. Not until it does. And once it happens, Vanguard won't know about it for some time, so forget having everyone changing their passwords. Most users won't know for days or weeks, and re-establishing new passwords isn't so easy once they have been compromised.

Further, assuming that nobody can recover the password file breaks a fundamental rule of security: that it is in layers. If you just assume that nobody can get the password file, and use this as an excuse to force people to use short passwords, then the rest of your security will be lax and you will be wide open if the password file gets hacked. Kind of like the security of a multi-engine airplane. If you take off with one engine sputtering, you have thrown away the security of having multiple engines, and are worse off than you would be with a single engine.

For example, the hash system for the resources management tool I wrote for the school where I work is at: https://www.bee-man.us/cghstech/hash_tool.php This is only there in case I need to get back in after a disaster. It allows me to calculate my own password hash from my account name, salt, and password. I can only get into my own account this way because I don't know anyone else's password. Of course I could log into the database that holds the password hashes, but that's another story (and another potential vulnerability).

In the password file you would find something like the following:

Code: Select all

Account           Salt      Hash
bob.beeman        8675309   24acdcc47f0af5c2f9f9f9754cee45828c0dec94
fred.flintstone   4871209   d572f5f9cfeae60396a443eba0f6210cdf44aaba
greta.garbo       8401276   f4d7d7be88c3c794fc3677921cc5d0502e0f7565
han.solo          7396739   84f0d5ba6499acee1d5515d998712467246225fa
iam.naive         7329275   951e7cae2cbe2b6155a77756a04527a3bd9bbbe4

Lets say that one of them, some naive person, has "password" for their password. Who could that be? Well, if you go to the hash page referenced above and set the first 3 select boxes to "lower case" and the fourth (hash) to "sha1" you could determine this by brute force. Item 1 is the account name, item 2 is the salt, and item 3 is the password. Unsurprisingly, it is iam.naive who has this password.

If I had not salted the passwords, it would be easy to discover that greta garbo and I have the same password, but you can't discover that, because we have different salts. Having different salts for each user is the thing that eHarmony and LinkedIn missed. In that case you can use a "rainbow table" which has the hashes of millions or billions of passwords pre-computed. You try to look up each hash in the rainbow table. When you find a match, you know that user's password. If you use salt it is more complex, because you then need to figure each one separately. This is a lot harder, but not insurmountable, because most people use stupid passwords like "password" "password1" or, worst of all some obscene word or phrase. The obscene ones are simple. Don't ever use anything obscene. This TOTALLY blows your security.

The next best thing to people using simple passwords (best for hackers, anyway) is organizations that limit the length of passwords. Then everyone is vulnerable.

For some more discussion from a real expert, go to: http://deadliestwebattacks.com/2012/06/ ... ur-wounds/

PS:
bob.beeman password = fat.green.giraffe
fred.flintstone password = fat.green.fred
greta.garbo password = fat.green.giraffe
han.solo password = some.really.long.password.relating.to.star.wars
iam.naive password (I gave it to you above).

SurfCityBill · Post by **SurfCityBill** » Fri Jul 13, 2012 2:16 pm

If all of you Bogleheads are 3 core fund investors, or similar, why do you have/need a VG rep?

-B