Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

bgscms
Posts: 41
Joined: Sun Oct 13, 2013 11:18 am

Vanguard Security Issue

Post by bgscms »

NEW YORK (TheStreet) -- The Vanguard Group, the world's largest mutual fund company, has fired a whistleblower who shared information with TheStreet about deficiencies in the company's customer account security.

According to the public database of stockbroker records kept by The Financial Industry Regulatory Authority, or Finra, Karen Brock, a Client Relationship Administrator in Vanguard's Scottsdale, Arizona office, is no longer employed by Vanguard or registered as a broker.

Finra's public records said nothing about the reason for Brock's termination. But an unredacted version of her records supplied by a state securities regulator said that she had been discharged for "violation of Vanguard's Professional Conduct Policy."

The state records said that her last day at Vanguard was August 27, 2015. Brock said in an interview that she was on family medical leave when she was fired.
http://www.thestreet.com/story/13293245 ... _ven=YAHOO
nisiprius
Advisory Board
Posts: 52211
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard Security Issue

Post by nisiprius »

According to the article, this was the nature of the security issue:
Brock told TheStreet that Vanguard had been aware since 2013 that customers could log in to their accounts even if they entered typographical errors in their personal security answers. In my own account at Vanguard, I have repeatedly tested her assertions and found them to be true. On some occasions I have been able to get Vanguard to generate a link to a new password even after deliberately inserting typos into three security answers. Customers still can access their accounts despite typos in security answers.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
NonnyGoGo
Posts: 87
Joined: Tue Feb 03, 2015 1:04 pm

Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by NonnyGoGo »

[Thread merged into here, see below. --admin LadyGeek]

http://www.thestreet.com/story/13293245 ... l=dontmiss
Brock told TheStreet that Vanguard had been aware since 2013 that customers could log in to their accounts even if they entered typographical errors in their personal security answers. In my own account at Vanguard, I have repeatedly tested her assertions and found them to be true.
Toons
Posts: 14467
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by Toons »

I take it with a grain of salt.
I trust my dollars are safe with Vanguard.
Moving On :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
rkhusky
Posts: 17763
Joined: Thu Aug 18, 2011 8:09 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by rkhusky »

Hey, the story mentions Bogleheads and has a link to a post: viewtopic.php?t=106338. All publicity is good, right?
denovo
Posts: 4808
Joined: Sun Oct 13, 2013 1:04 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by denovo »

I hope Vanguard's security isn't as weak as implied in this article.
"Don't trust everything you read on the Internet"- Abraham Lincoln
Day9
Posts: 1000
Joined: Mon Jun 11, 2012 6:22 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by Day9 »

Just a reminder to change your passwords regularly and don't use the same password for all your different internet logins.
I'm just a fan of the person I got my user name from
M1garand30064
Posts: 93
Joined: Tue Sep 04, 2012 8:49 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by M1garand30064 »

I activated the new two step verification login. I'd imagine that will protect me from the vast majority of threats.
livesoft
Posts: 86075
Joined: Thu Mar 01, 2007 7:00 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by livesoft »

Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
This signature message sponsored by sscritic: Learn to fish.
johnubc
Posts: 870
Joined: Wed Jan 06, 2010 5:54 am

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by johnubc »

It all depends on who the employee was 'Whistleblowering' to. If she went to her superiors that is one thing. But to go to an outside organization like a website (Thestreet.com) - that is another thing. If I shared internal information with other entities, I would be fired also.
yosef
Posts: 355
Joined: Tue May 24, 2011 2:10 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by yosef »

How do they define a "typo"? Let's say my high school mascot was The Spartans. Which of these should the site accept as the answer:

The Spartans
the spartans
spartans
Spartans
...
...

Is it reasonable to expect people to recall the phrase exactly as typed originally (which is likely years earlier)? If this is the type of thing they are talking about I think calling it a "security flaw" is an exaggeration.
nisiprius
Advisory Board
Posts: 52211
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by nisiprius »

livesoft wrote:Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
Don't get me started on "security questions." Oops, too late. I am not trying to be an apologist for Vanguard, but...

...one of the big problems I (used to) have with "security questions" is that they are totally freeform. Unlike passwords, you don't rehearse them very often. And unless I write them down, which I shouldn't do, even if I remember the answer, it is hard to remember the exact form of the answer. For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?

Have you noticed that, unlike passwords, they never even require you to re-type a second time, so you don't catch mistakes like accidentally typing two spaces when you meant to type one?

And, of course, many sites use security questions to which the only possible correct answer is "not applicable".

I tried to get around this by using the same password-like answer to all security questions regardless of what was asked. What was your childhood pet's name? Cerberus3heads¡¡¡ What school did your maternal grandmother's aunt attend? Cerberus3heads¡¡¡ What is the airspeed velocity of an unladen African swallow? Cerberus3heads¡¡¡ . But then you run into things like sites that insist that all security answers be different from each other!

Anyway, I think "security questions" are bad in the first place, but if they are going to be used, I would think that "recasting them into canonical form" would be a good practice.

(For the record, I did not honeymoon in Truth or Consequences, New Mexico, and I have never used Cerberus3heads¡¡¡ as a security answer or password to anything).
Last edited by nisiprius on Fri Sep 18, 2015 1:54 pm, edited 2 times in total.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
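Added example (editor's code, not from any post in this thread or from Vanguard): what nisiprius's "recasting them into canonical form" looks like in practice. The canonical form is Unicode-normalised, case-folded and stripped of everything that is not a letter or digit, so the spelling variants above collapse to one string, and only a salted slow hash of that string is stored. The hash is the point: once the answer is canonicalised there is no reason to keep it in plaintext, and a hashed answer cannot be matched approximately, so "close enough" acceptance is impossible by construction. The PBKDF2 work factor and the hypothetical enrol/verify split are assumptions, not anything the article describes.

```python
import hashlib
import hmac
import os
import unicodedata

# PBKDF2 work factor: an assumption for this example, tune it for your deployment.
ITERATIONS = 100_000


def canonicalize(answer: str) -> str:
    """Recast a free-form security answer into one canonical form.

    NFKC normalisation, case folding, and dropping every character that is not a
    letter or digit means 'Truth or Consequences, New Mexico',
    'truth or consequences new mexico' and '  TRUTH  OR  CONSEQUENCES NEW MEXICO '
    all become 'truthorconsequencesnewmexico'. Double spaces, commas and case
    no longer matter; the words themselves still do.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Store a random salt and a slow hash of the canonical form, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Canonicalise exactly as at enrolment, hash, compare in constant time.

    Either the canonical forms are identical or the check fails. There is no
    partial credit, because a salted hash cannot be compared approximately.
    """
    probe = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    salt, digest = enroll("Truth or Consequences, New Mexico")
    for attempt in (
        "truth or consequences, new mexico",
        "  TRUTH  OR  CONSEQUENCES   NEW MEXICO ",
        "TruthOrConsequences,NewMexico",
        "truth or consequences, nm",   # different content, not just form: rejected
        "T or C",
    ):
        print(f"{attempt!r:45} -> {verify(attempt, salt, digest)}")
```

The one rule the site then owes its users is to say what the canonical form is (the gripe later in this thread that sites never tell you whether case or blanks matter). Publishing the normalisation gives away nothing, since the attacker still has to know the words.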
NonnyGoGo
Posts: 87
Joined: Tue Feb 03, 2015 1:04 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by NonnyGoGo »

She began reporting internally to Vanguard in 2013, filed whistleblower complaints with the SEC and FINRA in May 2014. The Street article came out in August 2015. Taken individually, the issues of allowing typos, the voice recognition problem, and publishing of client data without internal confidential markings seem not too serious and easily addressed, but taken together, plus her firing, they indicate to me a culture where security is not very high on the list of priorities.
Northern Flicker
Posts: 15362
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by Northern Flicker »

Why would a long-term, stay-the-course investor need on-line access? If it is a concern, and it should be, just have Vanguard disable all on-line access from your account. Create a strong enhanced phone security password either way. Once you take these steps, a medallion signature guarantee is needed to enable on-line access or to set up a new mechanism for moving funds out of the account (such as money market fund check writing privilege or ACH transfers to a bank account).

-jalbert
Northern Flicker
Posts: 15362
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by Northern Flicker »

nisiprius wrote:
livesoft wrote:Folks might be surprised how many other sites allow typos in the responses to security questions where clients have previously provided the answers.
Don't get me started on "security questions." Oops, too late. I am not trying to be an apologist for Vanguard, but...

...one of the big problems I (used to) have with "security questions" is that they are totally freeform. Unlike passwords, you don't rehearse them very often. And unless I write them down, which I shouldn't do, even if I remember the answer, it is hard to remember the exact form of the answer. For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?

Have you noticed that, unlike passwords, they never even require you to re-type a second time, so you don't catch mistakes like accidentally typing two spaces when you meant to type one?
A more serious problem is that the fact that (in the hypothetical example) you honeymooned in T or C NM is not non-public information that only you know. If someone were divorced, for instance, they may not want their ex-spouse to be able to reset their password.

It also fails tests of cryptographic soundness. If someone had a robot to try "New York" or "Not applicable" as the answer to everyone's account question of where you met your spouse or where you honeymooned, how many hits would it get?

-jalbert
PaddyMac
Posts: 1808
Joined: Fri Jul 09, 2010 10:29 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by PaddyMac »

nisiprius wrote:...For example, let's suppose I honeymooned in Truth or Consequences, New Mexico. I learned to type when I was 15 and using mixed-case is effortless for me. Now, did I answer that question "Truth or Consequences, New Mexico", "truth or consequences, new mexico", "truth or consequences, nm", "truthorconsequences", "truth", "torcnm"?
We New Mexicans call it "T or C" - and I would not recommend it for a honeymoon! :) (Although the Riverbend resort is rather romantic...)
patriciamgr2
Posts: 861
Joined: Mon Nov 19, 2007 2:06 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by patriciamgr2 »

/edited 1 time to remove post/
informedinvestor
Posts: 7
Joined: Sat Aug 15, 2015 2:49 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by informedinvestor »

Here's what the whistleblower was saying in the original article: if you are logging on to your Vanguard account, and wish to have more security, mark "don't remember this computer" as that would tend to mean you want Vanguard's site to ask you security questions. This isn't just about typos, but if I have an answer that is "manning" for my favorite athlete, and I put "Qanring" you would think I couldn't access my accounts. BUT, you can. Even the IT expert quoted in the original article said he doesn't have enough words to say how stupid this type of "security" would be. She went to management first, and read the article: "You need to stop talking about security issues because it really upsets people." Apparently Vanguard isn't taking this seriously. I just tried it and I accessed my account. I'm not willing to risk another hack. This is really serious, people.
informedinvestor
Posts: 7
Joined: Sat Aug 15, 2015 2:49 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by informedinvestor »

jalbert wrote:Why would a long-term, stay-the-course investor need on-line access? If it is a concern, and it should be, just have Vanguard disable all on-line access from your account. Create a strong enhanced phone security password either way. Once you take these steps, a medallion signature guarantee is needed to enable on-line access or to set up a new mechanism for moving funds out of the account (such as money market fund check writing privilege or ACH transfers to a bank account).

-jalbert

Hi Jalbert,

Even a long-term stay-the-course investor needs to rebalance when 5% over their asset allocation on either the stock or bond side. If Vanguard can't get something as serious as security straight, how am I supposed to trust the asset allocation mixes?
informedinvestor
Posts: 7
Joined: Sat Aug 15, 2015 2:49 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by informedinvestor »

yosef wrote:How do they define a "typo"? Let's say my high school mascot was The Spartans. Which of these should the site accept as the answer:

The Spartans
the spartans
spartans
Spartans
...
...

Is it reasonable to expect people to recall the phrase exactly as typed originally (which is likely years earlier)? If this is the type of thing they are talking about I think calling it a "security flaw" is an exaggeration.
This isn't the type of thing they're talking about. If your answer is Spartans, try something like "fp3rtans." This isn't a typo issue, you can actually add alphanumeric characters not in your answer. But you can only have 2 variations.
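Added example (editor's code, not from any post in this thread and not a description of Vanguard's implementation): what a "2 variations" tolerant check implies, using the "fp3rtans"/"Spartans" and "Qanring"/"manning" pairs above and the robot-guessing scenario Northern Flicker raised earlier. The tolerant matcher here is a hypothetical edit-distance comparison; note that it can only work if the server keeps the plaintext answer, because a salted hash cannot be compared approximately. The neighbourhood count shows how many distinct strings each stored answer then accepts, and the constructed list of stored answers shows how one common guess opens several accounts at once.

```python
from math import comb


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_verify(candidate: str, stored_plaintext: str, tolerance: int = 2) -> bool:
    """Hypothetical tolerant check: accept anything within `tolerance` edits.

    This needs the answer in plaintext on the server side; there is no way to
    do it against a salted hash. 'fp3rtans' vs 'spartans' is two substitutions,
    so it passes at tolerance 2 and fails at tolerance 0.
    """
    return levenshtein(candidate.casefold(), stored_plaintext.casefold()) <= tolerance


def hamming_neighbourhood(length: int, alphabet_size: int, tolerance: int) -> int:
    """How many strings of this length a check allowing up to `tolerance`
    substitutions accepts. This is a lower bound for edit distance, which also
    admits insertions and deletions. For an 8-character lowercase+digit answer
    and tolerance 2: 1 + 8*35 + 28*35^2 = 34581 accepted strings instead of 1."""
    return sum(comb(length, i) * (alphabet_size - 1) ** i for i in range(tolerance + 1))


# Constructed sample of stored answers to "favorite athlete" across six accounts.
SAMPLE_ANSWERS = ["Manning", "mannng", "Mannings", "Mann ing", "brady", "rodgers"]


def accounts_opened(guess: str, stored_answers: list[str], tolerance: int) -> int:
    """Number of accounts a single guess unlocks under a given tolerance.

    With exact matching one guess of 'manning' opens the one account whose
    answer is 'Manning'; at tolerance 2 it also opens the three misspelt or
    space-mangled variants, four of six accounts from one guess.
    """
    return sum(fuzzy_verify(guess, ans, tolerance) for ans in stored_answers)


if __name__ == "__main__":
    for cand, stored in (("fp3rtans", "Spartans"), ("Qanring", "manning")):
        print(cand, stored, levenshtein(cand.casefold(), stored.casefold()),
              fuzzy_verify(cand, stored))
    print("accepted strings, 8 chars / 36 symbols / 2 edits:",
          hamming_neighbourhood(8, 36, 2))
    for tol in (0, 2):
        print(f"guess 'manning' at tolerance {tol} opens",
              accounts_opened("manning", SAMPLE_ANSWERS, tol), "accounts")
```

Two practical consequences follow. A lockout counter that allows a handful of attempts per account is the only thing limiting an online guesser either way, but a tolerant check multiplies what each attempt covers; and any breach of the answer store hands over the answers themselves rather than hashes, which matters more than the typo tolerance on the login page.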
informedinvestor
Posts: 7
Joined: Sat Aug 15, 2015 2:49 pm

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by informedinvestor »

johnubc wrote:It all depends on who the employee was 'Whistleblowering' to. If she went to her superiors that is one thing. But to go to an outside organization like a website (Thestreet.com) - that is another thing. If I shared internal information with other entities, I would be fired also.
It said, John, that she blew the whistle with the SEC back in May 2014 because she went to her superiors and they wouldn't take any of the issues she reported seriously.
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by bertilak »

nisiprius wrote:(For the record, I did not honeymoon in Truth or Consequences, New Mexico, and I have never used Cerberus3heads¡¡¡ as a security answer or password to anything).
Wow! Glad I read through to the end -- saved me from wasting a lot of time!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
SpringMan
Posts: 5422
Joined: Wed Mar 21, 2007 11:32 am
Location: Michigan

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by SpringMan »

The security questions are not case sensitive. For example, proper nouns need not be capitalized but I don't consider that a problem.
Best Wishes, SpringMan
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by LadyGeek »

FYI - I merged NonnyGoGo's thread into here.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
nisiprius
Advisory Board
Posts: 52211
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by nisiprius »

SpringMan wrote:The security questions are not case sensitive. For example, proper nouns need not be capitalized but I don't consider that a problem.
Sometimes they are. If you're saying Vanguard's aren't, I'll believe you, but I don't want to test because you never know which sites will lock you out after how many strikes.

That's another one of my gripes--the sites with security questions never do say whether they are case-sensitive or not, whether blanks are significant, whether a run of blanks is different from a single blank, etc.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Vanguard Group Fires Whistleblower Who Told TheStreet About Flaws in Customer Security

Post by LadyGeek »

This thread has run its course and is locked (stupidity of other people). See: Unacceptable Topics
UNACCEPTABLE TOPICS

Non-actionable (Trolling) Topics

If readers can't do anything with the content of a topic other than argue about it, it does not belong here. Examples include:
  • US or world economic, political, tax, health care and climate policies
  • conspiracy theories of any type including oil price manipulation
  • discussions of the crimes, shortcomings or stupidity of other people, whether they be political figures, celebrities, CEOs, Fed chairmen, subprime mortgage borrowers, lottery winners, federal "bailout" recipients, poor people, rich people, etc. Of course, you are welcome to talk about the stupid financial things you have done.
The thread is derailed due to off-topic comments regarding passwords (not the focus of this thread). Also, discussions on the actions of whistle blowers are rarely productive, which is why we have this policy in place.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.