New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
andrewphillipf
Posts: 5
Joined: Mon Apr 16, 2018 2:37 am

Re: New Vanguard Security Code Requirement

Post by andrewphillipf » Tue Jul 17, 2018 2:36 pm

I currently live overseas and don't have an American number, does this mean that I need to get one?

eli80
Posts: 19
Joined: Thu Dec 08, 2016 10:49 am

Re: New Vanguard Security Code Requirement

Post by eli80 » Tue Jul 17, 2018 2:41 pm

I wonder if this requirement will eliminate the ability of Fidelity Full View to connect to Vanguard and update the Vanguard account?

Doc
Posts: 8385
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: New Vanguard Security Code Requirement

Post by Doc » Tue Jul 17, 2018 2:48 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
It also plays havoc on anyone with Mint or Quicken tracking software.
I'm having no problem using Quicken with Vanguard's 2FA. But I have it set up as being required only when I log on from a new device.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

rob
Posts: 2956
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: New Vanguard Security Code Requirement

Post by rob » Tue Jul 17, 2018 2:52 pm

It's a cutting edge solution to buggy whip design... exactly what I have come to expect of Vanguard IT over the years. To be fair, 2FA is so common it's easy to stay with the herd and pretend that it provides actual security.
| Rob | It's a dangerous business going out your front door. - J.R.R.Tolkien

Nate79
Posts: 3065
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: New Vanguard Security Code Requirement

Post by Nate79 » Tue Jul 17, 2018 3:01 pm

andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?

gmaynardkrebs
Posts: 810
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement

Post by gmaynardkrebs » Tue Jul 17, 2018 3:29 pm

I don't like this, because I won't be able to use the aggregator on the Vanguard website (Yodlee).

VictoriaF
Posts: 18405
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: New Vanguard Security Code Requirement

Post by VictoriaF » Tue Jul 17, 2018 3:34 pm

Laypeople and cybersecurity experts were asked about their top-3 security priorities. The respondents have provided disjoint sets of responses:

Laypeople:
1) use antivirus software
2) visit only known safe websites
3) change passwords frequently

Experts:
1) install software patches and other updates immediately
2) use two-factor authentication
3) use a password manager

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

c.coyle
Posts: 76
Joined: Thu Aug 03, 2017 5:10 pm

Re: New Vanguard Security Code Requirement

Post by c.coyle » Tue Jul 17, 2018 3:52 pm

2 factor authentication is no biggie for me. I enable it wherever I can. One of my banks doesn't have it, and I'm not thrilled.

I gotta a [boat load --admin LadyGeek] of money sitting at Vanguard. Good for them.

Let's face it, most people aren't going to go to password managers and unique, complex 12 character passwords for each of their accounts.

Jack44
Posts: 29
Joined: Fri Apr 02, 2010 9:21 am
Location: Pennsylvania

Re: New Vanguard Security Code Requirement

Post by Jack44 » Tue Jul 17, 2018 4:29 pm

c.coyle wrote:
Tue Jul 17, 2018 3:52 pm
I gotta a [boat load --admin LadyGeek] of money sitting at Vanguard. Good for them.

Let's face it, most people aren't going to go to password managers and unique, complex 12 character passwords for each of their accounts.
[OT comment removed by admin LadyGeek] I too am glad for any extra measure of security. I don't really understand how a password manager works, but do plan to investigate using one. I am constantly amazed when I hear about security breaches at companies that should know better and anticipate attacks of this nature. I don't understand how these bad actors do what they do, but I don't want them to do it to me.

gmaynardkrebs
Posts: 810
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement

Post by gmaynardkrebs » Tue Jul 17, 2018 4:39 pm

Just out of idle curiosity, who is responsible if a Vanguard account is hacked? For example, if a very elderly person is tricked into giving out his credentials by a phishing email, I think Vanguard is still on the hook. I think where Vanguard is not responsible is where the authorized user has been grossly negligent, like giving the password to a person who could not be trusted, e.g., a friend or family member with a big-time drug habit, who absconds with the money. Even then it might not be black and white, if Vanguard still should have caught it through their monitoring system, assuming they have one.

mptfan
Posts: 4573
Joined: Mon Mar 05, 2007 9:58 am

Re: New Vanguard Security Code Requirement

Post by mptfan » Tue Jul 17, 2018 4:44 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures. I've worked in IT security and absolutely hate this feature.
I don't work in IT but I like 2 factor authentication, I think it's a worthwhile precaution and Vanguard should be praised for taking steps to make accounts more secure.

c.coyle
Posts: 76
Joined: Thu Aug 03, 2017 5:10 pm

Re: New Vanguard Security Code Requirement

Post by c.coyle » Tue Jul 17, 2018 5:28 pm

Jack44 wrote:
Tue Jul 17, 2018 4:29 pm
c.coyle wrote:
Tue Jul 17, 2018 3:52 pm
I gotta a [boat load --admin LadyGeek] of money sitting at Vanguard. Good for them.

Let's face it, most people aren't going to go to password managers and unique, complex 12 character passwords for each of their accounts.
[OT comment removed by admin LadyGeek] I too am glad for any extra measure of security. I don't really understand how a password manager works, but do plan to investigate using one. I am constantly amazed when I hear about security breaches at companies that should know better and anticipate attacks of this nature. I don't understand how these bad actors do what they do, but I don't want them to do it to me.
[OT comment removed by admin LadyGeek] I got married in 1980 and had the first of my 2 kids in '81. I was fortunate to be able to save for college and retirement through the greatest bull market in history.

A password manager is just a single encrypted container file with a master password to decrypt it. You put all your individual account passwords inside it. When you want to log on to, say, Vanguard, the password manager shoots your Vanguard password to it. You don't even have to know what your Vanguard password is (I don't know mine). There are a few advantages to a password manager: All your passwords are in one secure place, you only have to remember one password, and you can use unique and really complex passwords for each site you log on to. Most password managers will generate random complex passwords for you.

c.coyle
Posts: 76
Joined: Thu Aug 03, 2017 5:10 pm

Re: New Vanguard Security Code Requirement

Post by c.coyle » Tue Jul 17, 2018 5:37 pm

gmaynardkrebs wrote:
Tue Jul 17, 2018 4:39 pm
Just out of idle curiosity, who is responsible if a Vanguard account is hacked? For example, if a very elderly person is tricked into giving out his credentials by a phishing email, I think Vanguard is still on the hook. I think where Vanguard is not responsible is where the authorized user has been grossly negligent, like giving the password to a person who could not be trusted, e.g., a friend or family member with a big-time drug habit, who absconds with the money. Even then it might not be black and white, if Vanguard still should have caught it through their monitoring system, assuming they have one.
I would think that if you get tricked into giving up your password, that's your fault, not Vanguard's. If bad guys break into Vanguard's servers, that's on Vanguard.

In the first scenario, the hackers still fail if you have two factor authentication. Even when they get your password, they still need the temporary 2FA code to get in. That won't happen unless they also have your phone.

gmaynardkrebs
Posts: 810
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement

Post by gmaynardkrebs » Tue Jul 17, 2018 6:26 pm

The policy is set out here. What they say leaves wiggle room for both sides. Mostly it's about "negligence." Negligence is a slippery term, the famous "reasonable man" standard. It's not necessarily negligent to get caught by a phishing email. Happens to lots of smart and "reasonable" people. Older people, in particular, are often very trusting, because they didn't grow up in the crazy internet world we live in today. I'd be curious if there are any cases where this has been litigated. My (hopeful) guess is that Vanguard treats people very fairly, but they want to reserve the right to protect themselves from having to pay off people who were truly irresponsible.

https://personal.vanguard.com/us/help/S ... ontent.jsp

pokebowl
Posts: 178
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: New Vanguard Security Code Requirement

Post by pokebowl » Tue Jul 17, 2018 7:09 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
It's an overly burdensome solution to a problem easily mitigated with sufficiently-designed password parameters (read >12 characters with complexity requirements).
2FA here is primarily being used to mitigate time-of-use phishing attacks (A one-time-password of >12 characters with complexity is still a password, and it can be disclosed to an attacker). Vanguard addresses this problem perfectly with their 2FA token feature which supports Universal 2nd Factor (U2F). Then they shoot themselves in the foot and offer SMS as a fallback option, which is still susceptible to such attacks.

I am surprised you would be against such security enhancements, I myself have been screaming for financial firms to take information security more seriously for years now.

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Tue Jul 17, 2018 7:09 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures. I've worked in IT security and absolutely hate this feature. It's an overly burdensome solution to a problem easily mitigated with sufficiently-designed password parameters (read >12 characters with complexity requirements).
There are secure authentication mechanisms for authentication over a public network that do not require 2 factors, such as challenge-based authentication using asymmetric key cryptography, but 12 (or however many) character passwords with complexity checks is not one of them.

Password length and complexity checks aside, password-based authentication is susceptible to replay attacks, wherein some system being compromised captures the password when it is typed in or transmitted and then attackers can replay the same authentication session later. This is also a weakness of biometric authentication over a network; at best it is difficult to implement without the risk of replay or hijack attacks.

Password management when you have to have large numbers of distinct passwords also creates risk and expands the attack surface of password-based authentication. If your password safe is compromised, 2FA also gives you time to manage all of the required password changes, in addition to the benefit of defeating replay attacks.
Index fund investor since 1987.
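Both pokebowl's point above (a one-time code, like a password, can be disclosed to a page that forwards it to the real site in real time, while a U2F assertion is bound to the origin the browser saw) and jalbert's point about challenge-based asymmetric authentication defeating replay can be shown in one small Go model. This is an added example, not Vanguard's implementation and not code from any poster: the TOTP side is the RFC 6238 algorithm, the U2F side is reduced to signing SHA-256(origin) || challenge with a P-256 key (real U2F also covers a counter and user-presence byte), and the origins, secret and timestamp are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 6 digits, 30-second step).
// The code depends only on the shared secret and the clock: nothing in it
// records which web page the user eventually types it into.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// verifyTOTP is the relying party's check. Whoever holds the code inside the
// time step can submit it; the server cannot tell who typed it where.
func verifyTOTP(secret []byte, unixTime int64, submitted string) bool {
	return hmac.Equal([]byte(totp(secret, unixTime)), []byte(submitted))
}

// u2fToken stands in for a hardware key holding one P-256 key pair for the
// site. The browser, not the user, supplies the origin it signs over.
type u2fToken struct{ key *ecdsa.PrivateKey }

func newToken() *u2fToken {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &u2fToken{key: k}
}

// assertionDigest is the hash the token signs and the server verifies.
func assertionDigest(origin string, challenge []byte) []byte {
	appID := sha256.Sum256([]byte(origin))
	d := sha256.Sum256(append(appID[:], challenge...))
	return d[:]
}

func (t *u2fToken) sign(browserOrigin string, challenge []byte) (*big.Int, *big.Int) {
	r, s, err := ecdsa.Sign(rand.Reader, t.key, assertionDigest(browserOrigin, challenge))
	if err != nil {
		panic(err)
	}
	return r, s
}

// verifyU2F is the relying party's check: the signature must cover the
// server's own origin and the exact challenge it issued for this login.
func verifyU2F(pub *ecdsa.PublicKey, rpOrigin string, challenge []byte, r, s *big.Int) bool {
	return ecdsa.Verify(pub, assertionDigest(rpOrigin, challenge), r, s)
}

func freshChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// relayLogin models a user whose browser is on pageOrigin while the login
// ultimately reaches the real site at rpOrigin; when the two differ, some
// intermediary is forwarding traffic. Returns whether the TOTP code and the
// U2F assertion, respectively, are accepted by the real site.
func relayLogin(pageOrigin, rpOrigin string) (totpAccepted, u2fAccepted bool) {
	secret := []byte("constructed-shared-secret") // constructed enrolment secret
	now := int64(1531850400)                      // constructed timestamp
	code := totp(secret, now)                     // read from the phone, typed into the page
	totpAccepted = verifyTOTP(secret, now, code)  // forwarded unchanged: indistinguishable

	tok := newToken()
	challenge := freshChallenge() // issued by rpOrigin, forwarded to the page
	r, s := tok.sign(pageOrigin, challenge)
	u2fAccepted = verifyU2F(&tok.key.PublicKey, rpOrigin, challenge, r, s)
	return totpAccepted, u2fAccepted
}

func main() {
	fmt.Println(relayLogin("https://invest.example", "https://invest.example"))       // true true
	fmt.Println(relayLogin("https://invest-login.example", "https://invest.example")) // true false
}
```

The same assertion presented against a later challenge also fails to verify, which is the replay resistance jalbert's post describes.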

tibbitts
Posts: 7828
Joined: Tue Feb 27, 2007 6:50 pm

Re: New Vanguard Security Code Requirement

Post by tibbitts » Tue Jul 17, 2018 7:20 pm

gmaynardkrebs wrote:
Tue Jul 17, 2018 3:29 pm
I don't like this, because I won't be able to use the aggregator on the Vanguard website (Yodlee).
Vanguard says Yodlee won't be affected when you're using it through Vanguard - that should be fairly easy for Yodlee to accomplish.

maineminder
Posts: 34
Joined: Sat Sep 24, 2011 9:48 am

Re: New Vanguard Security Code Requirement

Post by maineminder » Tue Jul 17, 2018 7:39 pm

VictoriaF wrote:
Tue Jul 17, 2018 3:34 pm
Laypeople and cybersecurity experts were asked about their top-3 security priorities. The respondents have provided disjoint sets of responses:

Laypeople:
1) use antivirus software
2) visit only known safe websites
3) change passwords frequently

Experts:
1) install software patches and other updates immediately
2) use two-factor authentication
3) use a password manager

Victoria
+1

BolderBoy
Posts: 3987
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: New Vanguard Security Code Requirement

Post by BolderBoy » Tue Jul 17, 2018 9:36 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures.
Not too bad with VG. Just tell it to only do the 2FA for computers it doesn't recognize. I set it up months ago and once the initial 2FA was accomplished VG hasn't asked for it again. (and I look at my account frequently, too)
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

TheGreyingDuke
Posts: 1480
Joined: Fri Sep 02, 2011 10:34 am

Re: New Vanguard Security Code Requirement

Post by TheGreyingDuke » Tue Jul 17, 2018 10:02 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm

It also plays havoc on anyone with Mint or Quicken tracking software. Unlike most Bogleheads who look at their balance once a year, I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).
You can set your account preferences to get an email whenever there is a transaction.
"Every time I see an adult on a bicycle, I no longer despair for the future of the human race." H.G. Wells

Doom&Gloom
Posts: 2097
Joined: Thu May 08, 2014 3:36 pm

Re: New Vanguard Security Code Requirement

Post by Doom&Gloom » Tue Jul 17, 2018 10:23 pm

TheGreyingDuke wrote:
Tue Jul 17, 2018 10:02 pm
Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm

It also plays havoc on anyone with Mint or Quicken tracking software. Unlike most Bogleheads who look at their balance once a year, I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).
You can set your account preferences to get an email whenever there is a transaction.
And/or text notification I think.

VG has made the 2FA about as seamless and non-intrusive as possible imo. But if VG doesn't meet OP's needs, perhaps some other outfit will. I'm thankful we have some good options available.

Pacific
Posts: 1228
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: New Vanguard Security Code Requirement

Post by Pacific » Tue Jul 17, 2018 11:10 pm

Nate79 wrote:
Tue Jul 17, 2018 3:01 pm
andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?
Not sure I understand this. I also work overseas. My cell phone has a US SIM and a foreign country SIM. I switch them out depending on where I am. So, when I am in the foreign country is Vanguard going to call me overseas?

celia
Posts: 8106
Joined: Sun Mar 09, 2008 6:32 am
Location: SoCal

Re: New Vanguard Security Code Requirement

Post by celia » Tue Jul 17, 2018 11:15 pm

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
...I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).
Daily monitoring???

Just to look for unauthorized transactions???

Sounds like 2FA would be useful for you. Just think of some of the other things you could do with the time you spend checking up on this every day. Maybe you'll even be able to take a vacation away from your daily routine and just lie on the beach or by a lake for a week without worrying about money.

andrewphillipf
Posts: 5
Joined: Mon Apr 16, 2018 2:37 am

Re: New Vanguard Security Code Requirement

Post by andrewphillipf » Tue Jul 17, 2018 11:51 pm

Nate79 wrote:
Tue Jul 17, 2018 3:01 pm
andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?
By simply logging in.

I'm guessing the easy fix once it's mandated may be using an app that gives me a U.S. phone number.

Nate79
Posts: 3065
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: New Vanguard Security Code Requirement

Post by Nate79 » Tue Jul 17, 2018 11:55 pm

andrewphillipf wrote:
Tue Jul 17, 2018 11:51 pm
Nate79 wrote:
Tue Jul 17, 2018 3:01 pm
andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?
By simply logging in.

I'm guessing the easy fix once it's mandated may be using an app that gives me a U.S. phone number.
Are you on a VPN? Vanguard is known to block access from overseas and they have locked accounts for many when Vanguard finds out the residential address is outside the US.

BL
Posts: 8190
Joined: Sun Mar 01, 2009 2:28 pm

Re: New Vanguard Security Code Requirement

Post by BL » Wed Jul 18, 2018 12:01 am

Can it remember all of your computers if you go through the process once with each one? I tend to use one of several on an almost daily basis so that would be nice to set each one up just once.

pyld76
Posts: 141
Joined: Thu Feb 09, 2012 4:15 pm

Re: New Vanguard Security Code Requirement

Post by pyld76 » Wed Jul 18, 2018 12:52 am

rob wrote:
Tue Jul 17, 2018 2:52 pm
It's a cutting edge solution to buggy whip design... exactly what I have come to expect of Vanguard IT over the years. To be fair, 2FA is so common it's easy to stay with the herd and pretend that it provides actual security.
With respect, a properly designed “what you know and what you have” regime is so much more secure than a password of any length and complexity that it is almost laughable.

I’d prefer they support TOTP based entirely upon the ubiquity of tools to deal with that. The U2F stuff is better but the interface still needs a ton of work prior to mainstream adoption...

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Wed Jul 18, 2018 2:00 am

BolderBoy wrote:
Tue Jul 17, 2018 9:36 pm
Not too bad with VG. Just tell it to only do the 2FA for computers it doesn't recognize. I set it up months ago and once the initial 2FA was accomplished VG hasn't asked for it again. (and I look at my account frequently, too)
IP addresses in packet headers can be forged, and other machine “fingerprints” are easily simulated. This is not a good strategy.
Index fund investor since 1987.

gostars
Posts: 335
Joined: Mon Oct 09, 2017 7:53 pm

Re: New Vanguard Security Code Requirement

Post by gostars » Wed Jul 18, 2018 2:17 am

jalbert wrote:
Wed Jul 18, 2018 2:00 am
IP addresses in packet headers can be forged, and other machine “fingerprints” are easily simulated. This is not a good strategy.
How exactly do you propose forging a TLS connection? If they allow fallback to an unencrypted login that's one thing, but requiring a secure connection and a secure cookie generated after 2FA is seriously difficult to spoof, especially if the user pays any attention whatsoever to the EV cert upon the initial login.

andrewphillipf
Posts: 5
Joined: Mon Apr 16, 2018 2:37 am

Re: New Vanguard Security Code Requirement

Post by andrewphillipf » Wed Jul 18, 2018 4:56 am

Nate79 wrote:
Tue Jul 17, 2018 11:55 pm
andrewphillipf wrote:
Tue Jul 17, 2018 11:51 pm
Nate79 wrote:
Tue Jul 17, 2018 3:01 pm
andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?
By simply logging in.

I'm guessing the easy fix once it's mandated may be using an app that gives me a U.S. phone number.
Are you on a VPN? Vanguard is known to block access from overseas and they have locked accounts for many when Vanguard finds out the residential address is outside the US.
Basically yes. My work computer is on a U.S. network and at home I use a VPN for anti-monitoring.

Thanks to the new thread about it here: viewtopic.php?p=4025196#p4025196, I'll figure out a way to get a google voice number.

Jack FFR1846
Posts: 7447
Joined: Tue Dec 31, 2013 7:05 am

Re: New Vanguard Security Code Requirement

Post by Jack FFR1846 » Wed Jul 18, 2018 6:18 am

This thread made me curious so I logged into Vanguard. Instead of the annoying first screen telling me I can link my bank account (not interested), it instead has an annoying screen asking if I want additional security. Just like before, I clicked through to my account and ignored it. Seems the same to me, more or less.
Bogle: Smart Beta is stupid

Fclevz
Posts: 367
Joined: Fri Mar 30, 2007 11:28 am

Re: New Vanguard Security Code Requirement

Post by Fclevz » Wed Jul 18, 2018 8:57 am

Jack FFR1846 wrote:
Wed Jul 18, 2018 6:18 am
...first screen telling me I can link my bank account (not interested)...
Without the bank link, how do you move money into or out of your account?
Isn't the bank link going to be essentially mandatory too, since the invest-by-mail forms are now defunct?

Pale Horse
Posts: 71
Joined: Tue Jul 16, 2013 2:43 pm

Re: New Vanguard Security Code Requirement

Post by Pale Horse » Wed Jul 18, 2018 12:27 pm

celia wrote:
Tue Jul 17, 2018 11:15 pm
Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
...I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).
Daily monitoring???

Just to look for unauthorized transactions???

Sounds like 2FA would be useful for you. Just think of some of the other things you could do with the time you spend checking up on this every day. Maybe you'll even be able to take a vacation away from your daily routine and just lie on the beach or by a lake for a week without worrying about money.
Yes, I monitor daily. Not just for unauthorized transactions, but I track credit card spending, pay bills, transfer funds, etc. (I can also monitor my wife's credit card spending and grill her on why she spent $1.50 at Panera when we have perfectly good bagels in the cupboard.)

I actually enjoy tracking where my money goes and seeing how well I keep to my budget. Besides it keeps me busy for 30 minutes or so at work each day. I used to do a lot of Manufactured Spending and Signup Bonuses, so still have a fair number of accounts active. Maybe when I'm ready to retire and sit around the lake for a week I'll look to simplify everything.

mptfan
Posts: 4573
Joined: Mon Mar 05, 2007 9:58 am

Re: New Vanguard Security Code Requirement

Post by mptfan » Wed Jul 18, 2018 12:51 pm

BL wrote:
Wed Jul 18, 2018 12:01 am
Can it remember all of your computers if you go through the process once with each one?
Yes.

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Wed Jul 18, 2018 4:54 pm

gostars wrote:
Wed Jul 18, 2018 2:17 am
jalbert wrote:
Wed Jul 18, 2018 2:00 am
IP addresses in packet headers can be forged, and other machine “fingerprints” are easily simulated. This is not a good strategy.
How exactly do you propose forging a TLS connection? If they allow fallback to an unencrypted login that's one thing, but requiring a secure connection and a secure cookie generated after 2FA is seriously difficult to spoof, especially if the user pays any attention whatsoever to the EV cert upon the initial login.
It would be a mistake to assume you need to forge a TLS session or secure cookie to exploit the issue.
Index fund investor since 1987.

mrb55
Posts: 19
Joined: Sun Oct 25, 2015 1:28 pm

Re: New Vanguard Security Code Requirement

Post by mrb55 » Wed Jul 18, 2018 6:00 pm

Hopefully FIDO2 authentication will be along very soon. This will replace U2F and make the USB PKI token (think YubiKey) the "primary" authenticator instead of the secondary one it is now (at Vanguard).

Each login authentication to different financial and other secured websites will be unique but will use the same physical USB key. Passwords will go away! Users will be able to use the physical USB key as the primary authenticator and a personal identification number (PIN) as the secondary if additional two factor security is warranted, very similar to an ATM card.

Easy-peasy. Can't wait!

https://fidoalliance.org/fido2/

The site has a nice video that goes over it.

Duckie
Posts: 5819
Joined: Thu Mar 08, 2007 2:55 pm

Re: New Vanguard Security Code Requirement

Post by Duckie » Wed Jul 18, 2018 6:29 pm

Fclevz wrote:
Isn't the bank link going to be essentially mandatory too, since the invest-by-mail forms are now defunct?
I can still order investment slips to be mailed to me. On my Vanguard Prime Money Market Fund page off to the right under the Buy / Sell / Exchange buttons there is a link to "Order investment slips". You could probably request them by phone, too.

BL
Posts: 8190
Joined: Sun Mar 01, 2009 2:28 pm

Re: New Vanguard Security Code Requirement

Post by BL » Wed Jul 18, 2018 11:00 pm

mptfan wrote:
Wed Jul 18, 2018 12:51 pm
BL wrote:
Wed Jul 18, 2018 12:01 am
Can it remember all of your computers if you go through the process once with each one?
Yes.
Thanks.

BolderBoy
Posts: 3987
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: New Vanguard Security Code Requirement

Post by BolderBoy » Thu Jul 19, 2018 2:57 pm

jalbert wrote:
Wed Jul 18, 2018 2:00 am
BolderBoy wrote:
Tue Jul 17, 2018 9:36 pm
Not too bad with VG. Just tell it to only do the 2FA for computers it doesn't recognize. I set it up months ago and once the initial 2FA was accomplished VG hasn't asked for it again. (and I look at my account frequently, too)
IP addresses in packet headers can be forged, and other machine “fingerprints” are easily simulated. This is not a good strategy.
Then why is VG even bothering to offer it? While what you are suggesting is certainly possible, it is not easy to do in the real world.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Fri Jul 20, 2018 1:01 am

That is not clear at all. It is in fact the uncommon exception when a corporation gets the engineering of authentication correct when providing on-line access. Unfortunately, Vanguard is not one of the exceptions.
Index fund investor since 1987.

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Fri Jul 20, 2018 2:25 am

Allowing 2FA to be skipped by remembering the machine violates the Principle of Least Privilege, which is fundamental to security engineering. One downside in this case is it expands the attack surface. It certainly is vulnerable to amplification attacks, wherein a compromise that allows one login may be exploited to enable repeated logins. Asking Vanguard to remember a machine is not the enabler of that, but rather just having the feature available to an attacker who gets in once is the enabler.

Using remembered machines to circumvent 2FA altogether is harder but certainly may be possible.

What is so hard about using 2FA that would justify a less robust authentication scheme?
Index fund investor since 1987.

gostars
Posts: 335
Joined: Mon Oct 09, 2017 7:53 pm

Re: New Vanguard Security Code Requirement

Post by gostars » Fri Jul 20, 2018 2:43 am

jalbert wrote:
Wed Jul 18, 2018 4:54 pm
gostars wrote:
Wed Jul 18, 2018 2:17 am
jalbert wrote:
Wed Jul 18, 2018 2:00 am
IP addresses in packet headers can be forged, and other machine “fingerprints” are easily simulated. This is not a good strategy.
How exactly do you propose forging a TLS connection? If they allow fallback to an unencrypted login that's one thing, but requiring a secure connection and a secure cookie generated after 2FA is seriously difficult to spoof, especially if the user pays any attention whatsoever to the EV cert upon the initial login.
It would be a mistake to assume you need to forge a TLS session or secure cookie to exploit the issue.
Please elaborate. How does one exploit this system beyond what is already possible with 2FA? This excludes the user's system being compromised, since a compromised system could be used to perform the same actions after a legit login, or situations where the user is tricked into a MITM attack or cipher downgrade. Not trying to be a jerk here, I'm legitimately curious about how this is a problem.

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Fri Jul 20, 2018 4:25 am

Why would you exclude a user being compromised from the analysis? You don't even need 2FA at all if passwords could never be compromised.

If someone picks up malware, it is unlikely to have implemented a scripted harness for a sophisticated sequence of operations for a financial institution used by the arbitrary, essentially random user who is compromised, nor is it likely to be able to navigate the account configuration of that user even if the specific financial institution actually was targeted at the time the malware was developed.

A more likely scenario would be that a user picks up generic malware, say on their phone, that has the capability to record keystrokes and read text messages. It relays the data it reads to a rogue site/user who can log in with the filtered password and text code and ask for their machine to be remembered.

They then log out and come back in a day or two later with an interactive session to look around to their heart's content to plan an exploit. They can now do this at will until the password is changed. Note that the rogue site is just making a normal TLS connection here.

As far as circumventing an established remembered machine without use of 2FA, if the password and machine identity are known...

The FDIC has issued an advisory that member banks should not use "secure" cookies for remembering machines as they can be attacked by just capturing the encrypted cookie and transmitting it from another machine. I assume Vanguard does not use this mechanism. Browser fingerprints are more tedious and labor-intensive to simulate but not more difficult from a technical perspective.

Use of forged IP addresses in packet headers as an attack method is one of the earliest internet-era attacks, and goes back at least 25 years. With a forged IP address you won't get replies. For most operations, you don't need them but can just wait some period of time like 30-60 seconds and then send the next packet.

A TLS handshake protocol does require getting at least one reply back. It is unlikely to be exploited by attacking or forging the cryptography, but attacking the authentication protocol used with TLS may well turn out to be possible. One obvious point is that the TLS handshake completes before the login credentials are even supplied and the remembered machine identified. I don't know if that can be exploited but I certainly would not consider it sound engineering to hang our hats on this one point not being exploitable.

But it is actually incumbent on someone recommending this as an authentication protocol that is secure to demonstrate its robustness. A protocol is not just presumed secure unless and until a compromise is identified. If the protocol of remembering IP addresses were already compromised it would already have been modified or replaced to address that.

Use of multiple layers of protection is an established security principle and there is no reason for Vanguard to weaken that by gratuitously expanding the attack surface. Security risk management is more than just protecting against all known attacks.
Last edited by jalbert on Fri Jul 20, 2018 5:28 pm, edited 3 times in total.
Index fund investor since 1987.
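
An added illustration of the "remembered machine" point above (this is example code written for this thread, not Vanguard's implementation and not what the FDIC advisory prescribes; the class and method names, the cookie layout and the sample user "alice" are assumptions). It shows what the post is getting at: a remembered-device cookie is a bearer credential, so the very same value presented from any other client is accepted. What a server can do is bound the damage: sign the cookie so it cannot be altered, store only a hash of the random token, expire it, let the user revoke one device, and invalidate every remembered device the moment the password changes, which is exactly the window the earlier post says the attacker otherwise keeps.

```python
"""Defensive server side of a 'remember this machine' feature (example code)."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_LEN = 32  # random bytes per remembered device
MAC_LEN = 32    # HMAC-SHA256 output length


class RememberedDeviceStore:
    """Hypothetical store; not any institution's real implementation."""

    def __init__(self, server_key: bytes, lifetime_seconds: int = 30 * 24 * 3600) -> None:
        self._key = server_key
        self._lifetime = lifetime_seconds
        # user_id -> {sha256(token): (expires_at, password_generation_at_issue)}
        self._tokens: dict[str, dict[bytes, tuple[float, int]]] = {}
        # user_id -> current password generation; bumped on every password change
        self._pw_gen: dict[str, int] = {}

    def _mac(self, uid: bytes, token: bytes) -> bytes:
        # token has a fixed length, so uid + token is unambiguous without a separator
        return hmac.new(self._key, uid + token, hashlib.sha256).digest()

    def _parse(self, cookie: str) -> Optional[tuple[str, bytes]]:
        """Return (user_id, token) if the cookie is well formed and its MAC checks out."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode())
        except ValueError:          # covers binascii.Error (bad padding / characters)
            return None
        if len(raw) < 1 + TOKEN_LEN + MAC_LEN:
            return None
        uid, token, mac = raw[:-(TOKEN_LEN + MAC_LEN)], raw[-(TOKEN_LEN + MAC_LEN):-MAC_LEN], raw[-MAC_LEN:]
        # Constant-time compare; a tampered cookie never reaches the token store.
        if not hmac.compare_digest(mac, self._mac(uid, token)):
            return None
        return uid.decode(), token

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Called only after a full login (password + second factor) succeeded."""
        now = time.time() if now is None else now
        token = secrets.token_bytes(TOKEN_LEN)       # random, unrelated to the password
        uid = user_id.encode()
        self._tokens.setdefault(user_id, {})[hashlib.sha256(token).digest()] = (
            now + self._lifetime, self._pw_gen.get(user_id, 0))
        return base64.urlsafe_b64encode(uid + token + self._mac(uid, token)).decode()

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the cookie vouches for, or None if it must not skip 2FA."""
        now = time.time() if now is None else now
        parsed = self._parse(cookie)
        if parsed is None:
            return None
        user_id, token = parsed
        entry = self._tokens.get(user_id, {}).get(hashlib.sha256(token).digest())
        if entry is None:
            return None                      # unknown, or individually revoked
        expires_at, issued_gen = entry
        if now >= expires_at:
            return None                      # lifetime exhausted
        if issued_gen != self._pw_gen.get(user_id, 0):
            return None                      # password changed since this device was remembered
        return user_id

    def revoke(self, cookie: str) -> bool:
        """User removes one entry from their 'remembered devices' list."""
        parsed = self._parse(cookie)
        if parsed is None:
            return False
        user_id, token = parsed
        return self._tokens.get(user_id, {}).pop(hashlib.sha256(token).digest(), None) is not None

    def on_password_change(self, user_id: str) -> None:
        """Every remembered device is forgotten; each must re-do 2FA."""
        self._pw_gen[user_id] = self._pw_gen.get(user_id, 0) + 1
        self._tokens.pop(user_id, None)


def demo() -> dict:
    """Walk through the outcomes discussed in the thread with constructed data."""
    store = RememberedDeviceStore(secrets.token_bytes(32), lifetime_seconds=3600)
    t0 = 1_700_000_000.0                    # constructed timestamp
    laptop = store.issue("alice", now=t0)
    tablet = store.issue("alice", now=t0)
    results = {
        # the bearer problem: the identical cookie is accepted from any client
        "copied_cookie": store.verify(laptop, now=t0 + 60),
        # one altered character breaks the MAC
        "tampered": store.verify(("Z" if laptop[0] != "Z" else "Y") + laptop[1:], now=t0 + 60),
        "expired": store.verify(laptop, now=t0 + 3600),
    }
    store.revoke(tablet)
    results["revoked_device"] = store.verify(tablet, now=t0 + 60)
    results["other_device_still_ok"] = store.verify(laptop, now=t0 + 60)
    store.on_password_change("alice")
    results["after_password_change"] = store.verify(laptop, now=t0 + 60)
    results["reissued_after_change"] = store.verify(store.issue("alice", now=t0 + 120), now=t0 + 180)
    return results
```

The "copied_cookie" result is the limitation the FDIC point describes and is not something signing fixes; the remaining results are what keeps a stolen cookie from being a permanent bypass.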

gamboolman
Posts: 41
Joined: Mon Feb 17, 2014 7:32 am

Re: New Vanguard Security Code Requirement

Post by gamboolman » Fri Jul 20, 2018 2:09 pm

Nate79 wrote:
Tue Jul 17, 2018 11:55 pm
andrewphillipf wrote:
Tue Jul 17, 2018 11:51 pm
Nate79 wrote:
Tue Jul 17, 2018 3:01 pm
andrewphillipf wrote:
Tue Jul 17, 2018 2:36 pm
I currently live overseas and don't have an American number, does this mean that I need to get one?
How are you accessing Vanguard from overseas today?
By simply logging in.

I'm guessing the easy fix once it's mandated may be using an app that gives me a U.S. phone number.
Are you on VPN? Vanguard is known to block access to overseas and they have locked accounts for many when Vanguard finds out the residential address is outside the US.
We are in Nigeria and cannot access our account from here... not a bad thing.

We can access through the Megacorp business computer to check the account.

AlphaPilot
Posts: 38
Joined: Wed Jun 20, 2018 8:29 am

Re: New Vanguard Security Code Requirement

Post by AlphaPilot » Fri Jul 20, 2018 2:21 pm

Does VG use cookies to see if you're coming from a different machine? Or do they use your external IP address? Will their app use 2FA? I haven't tried their app yet, but just curious. The app using 2FA seems useless considering most people using the app already have the phone (unless logging into the app with a different user.)

Wakefield1
Posts: 807
Joined: Mon Nov 14, 2016 10:10 pm

Re: New Vanguard Security Code Requirement

Post by Wakefield1 » Fri Jul 20, 2018 7:13 pm

AlphaPilot wrote:
Fri Jul 20, 2018 2:21 pm
Does VG use cookies to see if you're coming from a different machine? Or do they use your external IP address? Will their app use 2FA? I haven't tried their app yet, but just curious. The app using 2FA seems useless considering most people using the app already have the phone (unless logging into the app with a different user.)
If I try to log in with another computer, or even a different user account on my machine than the one I normally use, one of my nonsense security questions gets presented. I think some here are saying that an attacker could circumvent that by spoofing the identity of my computer or browser if they were sufficiently sophisticated, perhaps by having stolen cookies or other browser identifiers from my machine previously.

User avatar
yatesd
Posts: 522
Joined: Sun Nov 03, 2013 8:19 am
Location: MD

Re: New Vanguard Security Code Requirement

Post by yatesd » Fri Jul 20, 2018 8:04 pm

BolderBoy wrote:
Tue Jul 17, 2018 9:36 pm
Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures.
Not too bad with VG. Just tell it to only do the 2FA for computers it doesn't recognize. I set it up months ago and once the initial 2FA was accomplished VG hasn't asked for it again. (and I look at my account frequently, too)
I will admit that I also hate 2FA even though everyone is switching over to it. I've always set my browsers to delete cookies upon closure which means that Vanguard doesn't recognize me every time I log in. Makes the whole thing a pain.

It seems I can get privacy or security easily, but not both without going through this process. I hate it when IT transfers all risk and responsibility to the users. Yes... I also use LastPass since IT insists on long, complex passwords that change regularly and can't be a previous version, finally forcing me to write it down (transferring responsibility to me) or use a password service.

jalbert
Posts: 3454
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Fri Jul 20, 2018 8:12 pm

yatesd wrote:
Fri Jul 20, 2018 8:04 pm
I will admit that I also hate 2FA even though everyone is switching over to it.
Are you expecting any improvements in the status of the global cybersecurity crisis without users being willing to do something as simple as using a mechanism like 2FA that was engineered to improve the security of authentication of your identity?
Index fund investor since 1987.

gostars
Posts: 335
Joined: Mon Oct 09, 2017 7:53 pm

Re: New Vanguard Security Code Requirement

Post by gostars » Sat Jul 21, 2018 12:10 am

jalbert wrote:
Fri Jul 20, 2018 4:25 am
Why would you exclude a user being compromised from the analysis? You don't even need 2FA at all if passwords could never be compromised.

If someone picks up malware, it is unlikely to have implemented a scripted harness for a sophisticated sequence of operations for a financial institution used by the arbitrary, essentially random user who is compromised nor likely to be able to navigate the account configuration of that user even if the specific financial institution actually was targeted at the time the malware was developed.
User's system, not the user. If the computer is compromised, then 2FA doesn't matter because you just wait for a legit login and then do your dirt under the 100% legit session. I'm assuming a targeted attack here though, not just a random malware install. There are still far too many idiots using Windows XP and macOS Yosemite or earlier where gaining system-level access is readily accessible using known vulnerabilities reverse engineered from patches applied to later OSes.
A more likely scenario would be that a user picks up generic malware, say on their phone, that has the capability to record keystrokes and read text messages. It relays the data it reads to a rogue site/user who can log in with the filtered password and text code and ask for their machine to be remembered.

They then logout and come back in a day or two later with an interactive session to look around to their heart's content to plan an exploit. They can now do this at will until the password is changed. Note that the rogue site is just making a normal TLS connection here.
True, at least for people using their phones to access. Now I'm thinking about never accessing accounts from my phone because of this.
As far as circumventing an established machine being remembered without use of 2FA, if the password and machine identity are known...

The FDIC has issued an advisory that member banks should not use "secure" cookies for remembering machines as they can be attacked by just capturing the encrypted cookie and transmitting it from another machine. I assume Vanguard does not use this mechanism. Browser fingerprints are more tedious and labor-intensive to simulate but not more difficult from a technical perspective.

Use of forged IP addresses in packet headers as an attack method is one of the earliest internet-era attacks, and goes back at least 25 years. With a forged IP address you won't get replies. For most operations, you don't need them but can just wait some period of time like 30-60 seconds and then send the next packet.

A TLS handshake protocol does require getting at least one reply back. It is unlikely to be exploited by attacking or forging the cryptography, but attacking the authentication protocol used with TLS may well turn out to be possible. One obvious point is that the TLS handshake completes before the login credentials are even supplied and the remembered machine identified. I don't know if that can be exploited but I certainly would not consider it sound engineering to hang our hats on this one point not being exploitable.
The server isn't relying on TLS to authenticate the client, so I don't see a way for this to be an issue short of breaking the protocol itself. If that happens, we've got bigger problems. It would actually be beneficial if financial systems did switch to a mutual authentication PKI system, where clients could only access if they possessed the correct private key. Eliminates the need to transmit a password to the server, anyway, and it's probably better to store a private key in a hardware-backed vault on a phone. Good luck getting customers to live with this level of security though. We can't even get chip+PIN credit cards in this country.
But it is actually incumbent on someone recommending this as an authentication protocol that is secure to demonstrate its robustness. A protocol is not just presumed secure unless and until a compromise is identified. If the protocol of remembering IP addresses were already compromised it would already have been modified or replaced to address that.

Use of multiple layers of protection is an established security principle and there is no reason for Vanguard to weaken that by gratuitously expanding the attack surface. Security risk management is more than just protecting against all known attacks.
Great point.

zoneinfo
Posts: 22
Joined: Sat Sep 30, 2017 4:32 pm

Re: New Vanguard Security Code Requirement

Post by zoneinfo » Sat Jul 21, 2018 12:41 am

Pale Horse wrote:
Tue Jul 17, 2018 1:52 pm
I've worked in IT security and absolutely hate this feature. It's an overly burdensome solution to a problem easily mitigated with sufficiently-designed password parameters (read >12 characters with complexity requirements).
Honestly, reading things like this makes me silently scream in terror as countless people in charge of security likely feel that way too.

I'm glad Vanguard is enforcing 2FA; it'll help keep costs down from all the people who have their passwords compromised via Meltdown/Spectre malicious ad attacks and from all the people who reuse passwords from site to site.

Here's my PSA for the Bogleheads board: enter your email in https://haveibeenpwned.com/ to see how many times you've already been compromised from insecure site breaches.
