Security Issue?

Topic Author
BBBob
Posts: 220
Joined: Tue Aug 11, 2015 12:25 pm

Security Issue?

Post by BBBob »

I am disturbed by Vanguard's latest practice in emailed confirmation notices of identifying its client's name, the funds involved in the transaction and transaction amounts. It seems to me that sending this email over unsecure email servers is problematic.

A generally-worded notice of "activity on the account" should suffice as a "heads-up" after a transaction, no? The client can then access details, if desired, using a browser and a secured path (e.g., https) as we do with Vanguard's detailed financial reports.

I may be way off on this, and am interested in an opinion from you computer-savvy folks. (BTW, do Fidelity and others also email confirmation notices with that level of detail?)
Dale_G
Posts: 3466
Joined: Tue Feb 20, 2007 4:43 pm
Location: Central Florida - on the grown up side of 85

Re: Security Issue?

Post by Dale_G »

So I got an email this evening from Vanguard stating:
The following money movement request was submitted on 10/28/2015 at 10:16 PM, Eastern time:
From: Vanguard Prime Money Market Fund in account ending in 9776 in the amount of $5,000.00
To: Vanguard Total International Stock Index Fund Admiral Shares in account ending in 9776
I did leave my name out of the above quote, but other than that who cares. The only information in the full email is my name, the fact that I probably have $5,000, my account numbers end in 9776 and that I requested that some money be moved from one fund to another.

I think hackers have much easier ways to make money than looking at my emails from Vanguard.

And I would certainly pay attention if I got such an email about a transaction I did not request. I am quite happy to get the email.

Dale
Volatility is my friend
kaneohe
Posts: 6786
Joined: Mon Sep 22, 2008 12:38 pm

Re: Security Issue?

Post by kaneohe »

My experience is that what you are getting from VG is most common... at least for moving money from a broker or from a bank. Name/date/amount/truncated acct #s at sender/receiver. Broker does not send e-mail for stock/fund transactions. At least for company retirement plans, Fidelity does not send any details... just notifies you that a transaction has taken place and requires you to log in to view details.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Security Issue?

Post by ftobin »

Revealing some information that the reader desires to capture without requiring them to authenticate can be more secure than requiring them to authenticate to get it. This is because each time you authenticate yourself to a service, particularly with passwords, you are slightly opening a window to an attacker to capture credentials. In contrast, it's really hard to capture a password if you never log in.
Index Fan
Posts: 2587
Joined: Wed Mar 07, 2007 11:13 am
Location: The great Midwest

Re: Security Issue?

Post by Index Fan »

Have to agree with the OP the less info the better in email notifications. Not that I worry a lot about this as a security hole, but something along the lines of 'your account has activity as of today. If you did not initiate this activity, contact us immediately' would be fine.
"Optimum est pati quod emendare non possis." | -Seneca
IPer
Posts: 1639
Joined: Sun Jul 28, 2013 8:51 pm

Re: Security Issue?

Post by IPer »

Index Fan wrote:Have to agree with the OP the less info the better in email notifications. Not that I worry a lot about this as a security hole, but something along the lines of 'your account has activity as of today. If you did not initiate this activity, contact us immediately' would be fine.
Agreed, however, I believe this sort of thing should be regulated, by law. It should be just a matter of conforming to a legal spec when writing software that controls systems of the financial industry. I know that already most of the software is controlled by these specifications so why does it seem that certain firms (like Vanguard) can just do whatever they want? To me that doesn't make sense when all the others have a set way of doing things. On a lighter note brokerage "courtesy" email confirmations usually include details of the trade in my experience (TDAmeritrade, etc.).
Read the Wiki Wiki !
BolderBoy
Posts: 6753
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Security Issue?

Post by BolderBoy »

BBBob wrote:I am disturbed by Vanguard's latest practice in emailed confirmation notices of identifying its client's name, the funds involved in the transaction and transaction amounts. It seems to me that sending this email over unsecure email servers is problematic.

A generally-worded notice of "activity on the account" should suffice as a "heads-up" after a transaction, no? The client can then access details, if desired, using a browser and a secured path (e.g., https) as we do with Vanguard's detailed financial reports.

I may be way off on this, and am interested in an opinion from you computer-savvy folks. (BTW, do Fidelity and others also email confirmation notices with that level of detail?)
Some months ago I complained to my rep about this. Basically he said the only option is to turn off notification altogether.

So I did.
saltycaper
Posts: 2650
Joined: Thu Apr 24, 2014 8:47 pm
Location: The Tower

Re: Security Issue?

Post by saltycaper »

Fidelity also sends email trade confirmations that include fund name, fund price, account owner's name, and last four digits of the account number, though not purchase amount.

I prefer some specificity as opposed to a totally generic message. In my 529 account, I get emails that say something like, "your transaction has been processed." These drive me crazy, as I have no idea what the transaction is. Sometimes even after logging in to the account it's not obvious. The slightest thing like an inflation adjustment seems to trigger them.
Quod vitae sectabor iter?
whomever
Posts: 1202
Joined: Sat Apr 21, 2012 5:21 pm

Re: Security Issue?

Post by whomever »

Just FWIW, I think the right solution is for people to set up encryption and supply their public key to Vanguard or whoever when they sign up for email notifications. Supplying an email/public key pair isn't much harder than just supplying an email.

Then it's up to the consumer - if you don't mind plain text, don't provide a key. If you want security, provide the key. Everyone gets what they want.
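
The opt-in scheme suggested in the post above, sketched as an added example that is not part of the thread and not how Vanguard or any other firm works. S/MIME through the `openssl` CLI, the function names, the two directories and the sample notice are all assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added illustration: opt-in encrypted notifications. S/MIME through the
# openssl CLI and every name below are assumptions, not any firm's system.
set -eu

CUSTOMER_DIR=$(mktemp -d)   # private keys never leave the customer
FIRM_DIR=$(mktemp -d)       # firm stores only certificates (public keys)

# Customer: generate a key pair and hand the certificate to the firm.
enroll_customer() {         # $1 = customer id
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$CUSTOMER_DIR/$1.key" -out "$CUSTOMER_DIR/$1.crt" 2>/dev/null
  cp "$CUSTOMER_DIR/$1.crt" "$FIRM_DIR/$1.crt"
}

# Firm: encrypt the detailed notice when a certificate is on file,
# otherwise fall back to plain text, as the customer chose.
build_notice() {            # $1 = customer id, $2 = notice text
  if [ -f "$FIRM_DIR/$1.crt" ]; then
    printf '%s\n' "$2" | openssl smime -encrypt -aes256 "$FIRM_DIR/$1.crt"
  else
    printf '%s\n' "$2"
  fi
}

# Customer: decrypt with the private key; S/MIME canonicalises line
# endings to CRLF, so strip the carriage returns again.
read_notice() {             # $1 = customer id, message on stdin
  openssl smime -decrypt -recip "$CUSTOMER_DIR/$1.crt" \
    -inkey "$CUSTOMER_DIR/$1.key" | tr -d '\r'
}

# Constructed sample notice (not a real transaction or account).
NOTICE='Money movement of $5,000.00 in account ending in 0000'

enroll_customer alice                             # alice opted in with a key
build_notice alice "$NOTICE" | read_notice alice  # round trip through S/MIME
build_notice bob "$NOTICE"                        # bob gave no key: plain text
```

Only the certificate is copied to the firm's side, so a message intercepted in transit or read from the mailbox is ciphertext unless the reader also holds the customer's private key.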
Topic Author
BBBob
Posts: 220
Joined: Tue Aug 11, 2015 12:25 pm

Re: Security Issue?

Post by BBBob »

Does Vanguard use public keys if provided to them?