Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Vanguard Security Issue
NEW YORK (TheStreet) -- The Vanguard Group, the world's largest mutual fund company, has fired a whistleblower who shared information with TheStreet about deficiencies in the company's customer account security.
According to the public database of stockbroker records kept by The Financial Industry Regulatory Authority, or Finra, Karen Brock, a Client Relationship Administrator in Vanguard's Scottsdale, Arizona office, is no longer employed by Vanguard or registered as a broker.
Finra's public records said nothing about the reason for Brock's termination. But an unredacted version of her records supplied by a state securities regulator said that she had been discharged for "violation of Vanguard's Professional Conduct Policy."
The state records said that her last day at Vanguard was August 27, 2015. Brock said in an interview that she was on family medical leave when she was fired.
http://www.thestreet.com/story/13293245 ... _ven=YAHOO
- nisiprius
- Advisory Board
- Posts: 52211
- Joined: Thu Jul 26, 2007 9:33 am
- Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry
Re: Vanguard Security Issue
According to the article, this was the nature of the security issue:
Brock told TheStreet that Vanguard had been aware since 2013 that customers could log in to their accounts even if they entered typographical errors in their personal security answers. In my own account at Vanguard, I have repeatedly tested her assertions and found them to be true. On some occasions I have been able to get Vanguard to generate a link to a new password even after deliberately inserting typos into three security answers. Customers still can access their accounts despite typos in security answers.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
[Thread merged into here, see below. --admin LadyGeek]
http://www.thestreet.com/story/13293245 ... l=dontmiss
Brock told TheStreet that Vanguard had been aware since 2013 that customers could log in to their accounts even if they entered typographical errors in their personal security answers. In my own account at Vanguard, I have repeatedly tested her assertions and found them to be true.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
I take it with a grain of salt.
I trust my dollars are safe with Vanguard.
Moving On
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Hey, the story mentions Bogleheads and has a link to a post: viewtopic.php?t=106338. All publicity is good, right?
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
I hope Vanguard's security isn't as weak as implied in this article.
"Don't trust everything you read on the Internet"- Abraham Lincoln
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Just a reminder to change your passwords regularly and don't use the same password for all your different internet logins.
I'm just a fan of the person I got my user name from
-
- Posts: 93
- Joined: Tue Sep 04, 2012 8:49 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
I activated the new two step verification login. I'd imagine that will protect me from the vast majority of threats.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
It all depends on who the employee was 'Whistleblowering' to. If she went to her superiors that is one thing. But to go to an outside organization like a website (Thestreet.com) - that is another thing. If I shared internal information with other entities, I would be fired also.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
How do they define a "typo"? Let's say my high school mascot was The Spartans. Which of these should the site accept as the answer:
The Spartans
the spartans
spartans
Spartans
...
...
Is it reasonable to expect people to recall the phrase exactly as typed originally (which is likely years earlier)? If this is the type of thing they are talking about I think calling it a "security flaw" is an exaggeration.
- nisiprius
- Advisory Board
- Posts: 52211
- Joined: Thu Jul 26, 2007 9:33 am
- Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Don't get me started on "security questions." Oops, too late. I am not trying to be an apologist for Vanguard, but...
livesoft wrote: Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
...one of the big problems I (used to) have with "security questions" is that they are totally freeform. Unlike passwords, you don't rehearse them very often. And unless I write them down, which I shouldn't do, even if I remember the answer, it is hard to remember the exact form of the answer. For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?
Have you noticed that, unlike passwords, they never even require you to re-type a second time, so you don't catch mistakes like accidentally typing two spaces when you meant to type one?
And, of course, many sites use security questions to which the only possible correct answer is "not applicable".
I tried to get around this by using the same password-like answer to all security questions regardless of what was asked. What was your childhood pet's name? Cerberus3heads¡¡¡ What school did your maternal grandmother's aunt attend? Cerberus3heads¡¡¡ What is the airspeed velocity of an unladen African swallow? Cerberus3heads¡¡¡ . But then you run into things like sites that insist that all security answers be different from each other!
Anyway, I think "security questions" are bad in the first place, but if they are going to be used, I would think that "recasting them into canonical form" would be a good practice.
(For the record, I did not honeymoon in Truth or Consequences, New Mexico, and I have never used Cerberus3heads¡¡¡ as a security answer or password to anything).
Last edited by nisiprius on Fri Sep 18, 2015 1:54 pm, edited 2 times in total.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
She began reporting internally to Vanguard in 2013, filed whistleblower complaints with the SEC and FINRA in May 2014. The Street article came out in August 2015. Taken individually, the issues of allowing typos, the voice recognition problem, and publishing of client data without internal confidential markings seem not too serious and easily addressed, but taken together, plus her firing, they indicate to me a culture where security is not very high on the list of priorities.
-
- Posts: 15362
- Joined: Fri Apr 10, 2015 12:29 am
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Why would a long-term, stay-the-course investor need on-line access? If it is a concern, and it should be, just have Vanguard disable all on-line access from your account. Create a strong enhanced phone security password either way. Once you take these steps, a medallion signature guarantee is needed to enable on-line access or to set up a new mechanism for moving funds out of the account (such as money market fund check writing privilege or ACH transfers to a bank account).
-jalbert
-
- Posts: 15362
- Joined: Fri Apr 10, 2015 12:29 am
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
A more serious problem is that the fact that (in the hypothetical example) you honeymooned in T or C NM is not non-public information that only you know. If someone were divorced, for instance, they may not want their ex-spouse to be able to reset their password.
nisiprius wrote: Don't get me started on "security questions." Oops, too late. I am not trying to be an apologist for Vanguard, but...
livesoft wrote: Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
...one of the big problems I (used to) have with "security questions" is that they are totally freeform. Unlike passwords, you don't rehearse them very often. And unless I write them down, which I shouldn't do, even if I remember the answer, it is hard to remember the exact form of the answer. For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?
Have you noticed that, unlike passwords, they never even require you to re-type a second time, so you don't catch mistakes like accidentally typing two spaces when you meant to type one?
It also fails tests of cryptographic soundness. If someone had a robot to try "New York" or "Not applicable" as the answer to the question of everyone's account question of where you met your spouse or where you honeymooned, how many hits would it get?
-jalbert
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
We New Mexicans call it "T or C" - and I would not recommend it for a honeymoon! (Although the Riverbend resort is rather romantic...)
nisiprius wrote: ...For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?
- patriciamgr2
- Posts: 861
- Joined: Mon Nov 19, 2007 2:06 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
/edited 1 time to remove post/
-
- Posts: 7
- Joined: Sat Aug 15, 2015 2:49 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Here's what the whistleblower was saying in the original article: if you are logging on to your Vanguard account, and wish to have more security, mark "don't remember this computer" as that would tend to mean you want Vanguard's site to ask you security questions. This isn't just about typos, but if I have an answer that is "manning" for my favorite athlete, and I put "Qanring" you would think I couldn't access my accounts. BUT, you can. Even the IT expert quoted in the original article said he doesn't have enough words to say how stupid this type of "security" would be. She went to management first, and read the article: "You need to stop talking about security issues because it really upsets people." Apparently Vanguard isn't taking this seriously. I just tried it and I accessed my account. I'm not willing to risk another hack. This is really serious people.
-
- Posts: 7
- Joined: Sat Aug 15, 2015 2:49 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
jalbert wrote:Why would a long-term, stay-the-course investor need on-line access? If it is a concern, and it should be, just have Vanguard disable all on-line access from your account. Create a strong enhanced phone security password either way. Once you take these steps, a medallion signature guarantee is needed to enable on-line access or to set up a new mechanism for moving funds out of the account (such as money market fund check writing privilege or ACH transfers to a bank account).
-jalbert
Hi Jalbert,
Even a long-term stay-the-course investor needs to rebalance when 5% over their asset allocation on either the stock or bond side. If Vanguard can't get something as serious as security straight, how am I supposed to trust the asset allocation mixes?
-
- Posts: 7
- Joined: Sat Aug 15, 2015 2:49 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
This isn't the type of thing they're talking about. If your answer is Spartans, try something like "fp3rtans." This isn't a typo issue, you can actually add alphanumeric characters not in your answer. But you can only have 2 variations.
yosef wrote: How do they define a "typo"? Let's say my high school mascot was The Spartans. Which of these should the site accept as the answer:
The Spartans
the spartans
spartans
Spartans
...
...
Is it reasonable to expect people to recall the phrase exactly as typed originally (which is likely years earlier)? If this is the type of thing they are talking about I think calling it a "security flaw" is an exaggeration.
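The three matching policies argued over in this thread can be put side by side in code: yosef's question of which spellings of "The Spartans" ought to count, nisiprius's suggestion of recasting answers into canonical form, and NonnyGoGo's report that a string like "fp3rtans" is accepted because only the number of changed characters is limited. The following is an added example and is not Vanguard's code or anything taken from the article. The canonicalisation rules (case folding, collapsing punctuation and whitespace, dropping a leading article) are a design choice for this example, and `lenient_verify` is an assumed model of the reported behaviour as "accept anything within two character edits", not knowledge of how any site actually implements it.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# --- Canonical-form matching: normalise, then compare exactly against a hash ---

def canonicalize(answer: str) -> str:
    """Fold a free-form security answer into one canonical spelling.

    Rules (a design choice for this example, not any site's published policy):
    Unicode compatibility normalisation, case folding, every run of punctuation
    or whitespace collapsed to a single space, and a leading English article
    dropped, so "The Spartans", "the spartans" and "Spartans" all become
    "spartans". Non-ASCII letters are treated as separators here for brevity.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^a-z0-9]+", " ", text).strip()
    text = re.sub(r"^(the|an|a) ", "", text)
    return text


def enroll_answer(answer: str) -> dict:
    """Store only a salted PBKDF2 hash of the canonical form.

    Because matching is exact on the canonical form, the answer itself never
    has to be kept in recoverable form. Refuses answers that canonicalise to
    almost nothing (assumed minimum of three characters).
    """
    canonical = canonicalize(answer)
    if len(canonical) < 3:
        raise ValueError("security answer too short after canonicalisation")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Exact match on the canonical form, compared in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(attempt).encode(), record["salt"], 100_000
    )
    return hmac.compare_digest(candidate, record["hash"])


# --- Tolerant matching: a model of the behaviour reported in the thread ---

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lenient_verify(stored_answer: str, attempt: str, max_edits: int = 2) -> bool:
    """Accept any attempt within `max_edits` character edits of the stored answer.

    Assumed model of "you can only have 2 variations", not Vanguard's code.
    Note what such a rule forces on the server: the stored answer must be kept
    in plaintext or reversibly encrypted, because a hash cannot be compared
    approximately.
    """
    return edit_distance(stored_answer.casefold(), attempt.casefold()) <= max_edits


if __name__ == "__main__":
    record = enroll_answer("The Spartans")
    for attempt in ["The Spartans", "the spartans", "spartans", "Spartans", "fp3rtans"]:
        print(f"{attempt!r:16} canonical={verify_answer(record, attempt)!s:5} "
              f"lenient={lenient_verify('Spartans', attempt)}")
```

Running the block shows the two policies disagreeing in both directions: canonical matching accepts all four spellings of the mascot and rejects "fp3rtans", while the edit-distance rule accepts "fp3rtans" (two substitutions) yet rejects "The Spartans" against a stored "Spartans" (four insertions). The second point is the one a reviewer would raise about any tolerant scheme: it cannot be built on a hashed answer, so the answers themselves become a stored secret to protect.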
-
- Posts: 7
- Joined: Sat Aug 15, 2015 2:49 pm
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
It said John that she blew the whistle with the SEC back in May 2014 because she went to her superiors and they wouldn't take any of the issues she reported seriously.
johnubc wrote: It all depends on who the employee was 'Whistleblowering' to. If she went to her superiors that is one thing. But to go to an outside organization like a website (Thestreet.com) - that is another thing. If I shared internal information with other entities, I would be fired also.
- bertilak
- Posts: 10725
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Wow! Glad I read through to the end -- saved me from wasting a lot of time!
nisiprius wrote: (For the record, I did not honeymoon in Truth or Consequences, New Mexico, and I have never used Cerberus3heads¡¡¡ as a security answer or password to anything).
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
The security questions are not case sensitive. For example, proper nouns need not be capitalized but I don't consider that a problem.
Best Wishes, SpringMan
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
FYI - I merged NonnyGoGo's thread into here.
- nisiprius
- Advisory Board
- Posts: 52211
- Joined: Thu Jul 26, 2007 9:33 am
- Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
Sometimes they are. If you're saying Vanguard's aren't, I'll believe you, but I don't want to test because you never know which sites will lock you out after how many strikes.
SpringMan wrote: The security questions are not case sensitive. For example, proper nouns need not be capitalized but I don't consider that a problem.
That's another one of my gripes--the sites with security questions never do say whether they are case-sensitive or not, whether blanks are significant, whether a run of blanks is different from a single blank, etc.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security
This thread has run its course and is locked (stupidity of other people). See: Unacceptable Topics
The thread is derailed due to off-topic comments regarding passwords (not the focus of this thread). Also, discussions on the actions of whistle blowers are rarely productive, which is why we have this policy in place.
UNACCEPTABLE TOPICS
Non-actionable (Trolling) Topics
If readers can't do anything with the content of a topic other than argue about it, it does not belong here. Examples include:
- US or world economic, political, tax, health care and climate policies
- conspiracy theories of any type including oil price manipulation
- discussions of the crimes, shortcomings or stupidity of other people, whether they be political figures, celebrities, CEOs, Fed chairmen, subprime mortgage borrowers, lottery winners, federal "bailout" recipients, poor people, rich people, etc. Of course, you are welcome to talk about the stupid financial things you have done.