Security Issue?
I am disturbed by Vanguard's latest practice in emailed confirmation notices of identifying its client's name, the funds involved in the transaction and transaction amounts. It seems to me that sending this email over unsecure email servers is problematic.
A generally-worded notice of "activity on the account" should suffice as a "heads-up" after a transaction, no? The client can then access details, if desired, using a browser and a secured path (e.g., https) as we do with Vanguard's detailed financial reports.
I may be way off on this, and am interested in an opinion from you computer-savvy folks. (BTW, do Fidelity and others also email confirmation notices with that level of detail?)
- Dale_G
- Posts: 3466
- Joined: Tue Feb 20, 2007 4:43 pm
- Location: Central Florida - on the grown up side of 85
Re: Security Issue?
So I got an email this evening from Vanguard stating:
The following money movement request was submitted on 10/28/2015 at 10:16 PM, Eastern time:
From: Vanguard Prime Money Market Fund in account ending in 9776 in the amount of $5,000.00
To: Vanguard Total International Stock Index Fund Admiral Shares in account ending in 9776
I did leave my name out of the above quote, but other than that who cares. The only information in the full email is my name, the fact that I probably have $5,000, my account numbers end in 9776 and that I requested that some money be moved from one fund to another.
I think hackers have much easier ways to make money than looking at my emails from Vanguard.
And I would certainly pay attention if I got such an email about a transaction I did not request. I am quite happy to get the email.
Dale
Volatility is my friend
Re: Security Issue?
My experience is that what you are getting from VG is most common........at least for moving money from a broker or from a bank.
Name/date/amount/ truncated acct #s at sender/receiver. Broker does not send e-mail for stock/fund transactions. At least for
company retirement plans, Fidelity does not send any details.....just notifies you that a transaction has taken place and requires you
to log in to view details.
Re: Security Issue?
Revealing some information that the reader desires to capture without requiring them to authenticate can be more secure than requiring them to authenticate to get it. This is because each time you authenticate yourself to a service, particularly with passwords, you are slightly opening a window to an attacker to capture credentials. In contrast, it's really hard to capture a password if you never log in.
Re: Security Issue?
Have to agree with the OP: the less info the better in email notifications. Not that I worry a lot about this as a security hole, but something along the lines of 'your account has activity as of today. If you did not initiate this activity, contact us immediately' would be fine.
"Optimum est pati quod emendare non possis."
-Seneca
Re: Security Issue?
Index Fan wrote: Have to agree with the OP: the less info the better in email notifications. Not that I worry a lot about this as a security hole, but something along the lines of 'your account has activity as of today. If you did not initiate this activity, contact us immediately' would be fine.
Agreed, however, I believe this sort of thing should be regulated, by law. It should be just a matter of conforming to a legal spec when writing software that controls systems of the financial industry. I know that already most of the software is controlled by these specifications so why does it seem that certain firms (like Vanguard) can just do whatever they want? To me that doesn't make sense when all the others have a set way of doing things. On a lighter note brokerage "courtesy" email confirmations usually include details of the trade in my experience (TDAmeritrade, etc...).
Re: Security Issue?
BBBob wrote: I am disturbed by Vanguard's latest practice in emailed confirmation notices of identifying its client's name, the funds involved in the transaction and transaction amounts. It seems to me that sending this email over unsecure email servers is problematic.
A generally-worded notice of "activity on the account" should suffice as a "heads-up" after a transaction, no? The client can then access details, if desired, using a browser and a secured path (e.g., https) as we do with Vanguard's detailed financial reports.
I may be way off on this, and am interested in an opinion from you computer-savvy folks. (BTW, do Fidelity and others also email confirmation notices with that level of detail?)
Some months ago I complained to my rep about this. Basically he said the only option is to turn off notification altogether.
So I did.
- saltycaper
- Posts: 2650
- Joined: Thu Apr 24, 2014 8:47 pm
- Location: The Tower
Re: Security Issue?
Fidelity also sends email trade confirmations that include fund name, fund price, account owner's name, and last four digits of the account number, though not purchase amount.
I prefer some specificity as opposed to a totally generic message. In my 529 account, I get emails that say something like, "your transaction has been processed." These drive me crazy, as I have no idea what the transaction is. Sometimes even after logging in to the account it's not obvious. The slightest thing like an inflation adjustment seems to trigger them.
Quod vitae sectabor iter?
Re: Security Issue?
Just FWIW, I think the right solution is for people to set up encryption and supply their public key to Vanguard or whoever when they sign up for email notifications. Supplying an email/public key pair isn't much harder than just supplying an email.
Then it's up to the consumer - if you don't mind plain text, don't provide a key. If you want security, provide the key. Everyone gets what they want.
Re: Security Issue?
Does Vanguard use public keys if provided to them?