Receiving unexpected SMS security codes

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Post Reply
Milo
Posts: 229
Joined: Thu Dec 27, 2007 7:24 pm

Receiving unexpected SMS security codes

Post by Milo » Thu Dec 21, 2017 1:15 pm

I've just received two, six-digit verification codes on my phone. They look just like the codes Vanguard sends. I use YubiKey these days to verify my identity on sign-in. Should I be worried?

Edit: I've just received a third. I believe I've answered my own question. I think I'm watching attempts being made to hack something. Could be Vanguard. Could be one of my banks.

Vanguard suggests if I suspect fraud that I should change all user names, passwords and security questions, scan my computer for viruses and malware, notify all three credit bureaus. That's going to take an entire afternoon at least.

ResearchMed
Posts: 5859
Joined: Fri Dec 26, 2008 11:25 pm

Re: Receiving unexpected SMS security codes

Post by ResearchMed » Thu Dec 21, 2017 1:24 pm

Milo wrote:
Thu Dec 21, 2017 1:15 pm
I've just received two, six-digit verification codes on my phone. They look just like the codes Vanguard sends. I use YubiKey these days to verify my identity on sign-in. Should I be worried?
Can't be sure, of course, but chances are someone entered an incorrect number or such, and they system then "thought" it was you.

If you've checked your accounts and there's nothing funny, and no unexpected logins, I wouldn't worry based upon this.

RM
This signature is a placebo. You are in the control group.

Milo
Posts: 229
Joined: Thu Dec 27, 2007 7:24 pm

Re: Receiving unexpected SMS security codes

Post by Milo » Thu Dec 21, 2017 1:59 pm

I just talked with Vanguard. No one has tried to access my account. He said that since the security codes come to my personal phone no one else can use them to log in. Not sure what the YubiKey is for then. And if someone did succeed in logging in they couldn't change my bank to their bank without talking to someone on the phone or filling out paperwork that has to be notarized and sending it in. I've also had him lock access to my account to this computer and only this computer. I didn't even know I could do that. Finally, I think I'll use this scare to motivate me to change my password. I'm still using a password I set up when Vanguard only allowed 8 or 10 character passwords using only letters and numbers.

It has occurred to me that in order to get Vanguard to send me security codes someone had to be able to type in my user name and password. So even if they were doing it by mistake that's not good.

Casper
Posts: 166
Joined: Tue Oct 15, 2013 8:32 pm

Re: Receiving unexpected SMS security codes

Post by Casper » Thu Dec 21, 2017 8:24 pm

If you use Personal Capital or some other financial aggregator, it could also be their auto-update feature triggering the code. I noticed that soon after I set up 2-step authentication on some accounts a few weeks ago. Turned off auto-update on Personal Capital and it hasn't happened since.

Also, in my experience the verification texts usually state the institution they're coming from. If you're just getting random texts with six digits in them, that's kind of strange.

Katietsu
Posts: 1113
Joined: Sun Sep 22, 2013 1:48 am

Re: Receiving unexpected SMS security codes

Post by Katietsu » Thu Dec 21, 2017 9:02 pm

OK. I will fess up. I have made a mistake on one of my usernames and caused some person I will never know to receive codes and have their account locked. I am not denying the possibility of a hacking attempt. But, a mistake by a fellow customer is probably at least as likely.

quantAndHold
Posts: 1354
Joined: Thu Sep 17, 2015 10:39 pm

Re: Receiving unexpected SMS security codes

Post by quantAndHold » Thu Dec 21, 2017 9:08 pm

Katietsu wrote:
Thu Dec 21, 2017 9:02 pm
OK. I will fess up. I have made a mistake on one of my usernames and caused some person I will never know to receive codes and have their account locked. I am not denying the possibility of a hacking attempt. But, a mistake by a fellow customer is probably at least as likely.
I’ve had his happen before. I kept getting codes for a bank that I didn’t even have an account at. Someone had typoed their phone number in the 2FA for their own account. If Vanguard is telling you that nobody has accessed your account, Occam’s razor says that this is what happened.

Yankuba
Posts: 58
Joined: Wed Dec 07, 2016 10:45 am

Re: Receiving unexpected SMS security codes

Post by Yankuba » Thu Dec 21, 2017 9:19 pm

Katietsu wrote:
Thu Dec 21, 2017 9:02 pm
OK. I will fess up. I have made a mistake on one of my usernames and caused some person I will never know to receive codes and have their account locked. I am not denying the possibility of a hacking attempt. But, a mistake by a fellow customer is probably at least as likely.
Once I tried logging into my Vanguard account and I was told to call an 800 number because my account was locked. When I confirmed my identity on the phone they unlocked the account. Someone used my user name but entered the wrong password too often. I think it was an honest mistake - someone thought my user name was theirs. Vanguard said it happens all the time.

Mudpuppy
Posts: 5655
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Receiving unexpected SMS security codes

Post by Mudpuppy » Fri Dec 22, 2017 4:05 pm

Katietsu wrote:
Thu Dec 21, 2017 9:02 pm
OK. I will fess up. I have made a mistake on one of my usernames and caused some person I will never know to receive codes and have their account locked. I am not denying the possibility of a hacking attempt. But, a mistake by a fellow customer is probably at least as likely.
A new person in a different group at work had the same first initial and last name as me, which is used to generate one's username for the agency's system. So she got a username with the number 2 at the end (e.g. jdoe2), but she frequently forgot about the 2 for the first month or two and instead kept trying my username. I'm in IT, but not in the group that maintains the user accounts. It was quite vexing to have to stop my work to call up the user account group to get this sorted every time she did it.

Edit: And this sort of issue is also why my username at Vanguard is NOT my first initial and last name. Just too common to have someone typo that sort of username. Since Vanguard lets one choose a username, I chose one that is less likely to be typoed.

Post Reply