Receiving 2FA codes from Vanguard while overseas

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Post Reply
Topic Author
Jive Turkey
Posts: 34
Joined: Tue Jun 17, 2008 9:35 pm

Receiving 2FA codes from Vanguard while overseas

Post by Jive Turkey » Wed Jul 18, 2018 3:45 am

It seems that Vanguard will soon be pushing everyone to activate the 2-factor authentication security feature soon:

viewtopic.php?f=10&t=254183&newpost=402 ... ead#unread

I just received a message from Vanguard saying that I will "soon be required to sign up for security codes." No deadline was given, but I figure they'll give one in the next year or so.

I like the idea of added security, but Vanguard's 2FA is something I've avoided activating since I spend most of the year outside the US and I don't keep a US phone number. Vanguard's 2FA either sends codes by SMS , or through an automated voice call. The system will only work for US numbers. I figure one could use a US SIM and pay roaming charges to receive codes, but that looks like a pretty expensive solution.

There are plenty of Bogleheads who spend lots of time overseas. Has anyone found a reliable way to use 2FA while outside the US?

Based on a quick search, I see two potential methods:

1. Use an Anveo US number to receive SMS shortcodes.

2. Get a Skype US phone number, and receive the 2FA code by automated voice call. It seems that Skype cannot receive SMS shortcodes.

Has anyone tried these or other methods to receive 2FA codes outside the US?

tivattom
Posts: 73
Joined: Sat Apr 07, 2007 1:51 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tivattom » Wed Jul 18, 2018 3:47 am

Yes I currently receive SMS codes in Europe while travelling.

I use a google voice number registered with Vanguard and have any SMS messages received by google voice forwarded to my email. As long as I have Email access I can get the codes.

User avatar
JoMoney
Posts: 6641
Joined: Tue Jul 23, 2013 5:31 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by JoMoney » Wed Jul 18, 2018 3:50 am

Yes. Get a U.S. VOIP number that accepts SMS.
Google Voice is free, but you have to set it up in the U.S. (from US IP) with a U.S. number that is active at the time you establish it. After you've established a Google voice number and linked it to a U.S. phone you can disable forwarding to the phone and use the Google Voice number standalone while outside the U.S.
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham

jminv
Posts: 729
Joined: Tue Jan 02, 2018 10:58 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by jminv » Wed Jul 18, 2018 3:55 am

Google voice. If you’re outside the us when setting it up use a us vpn up when doing so. You’ll also need someone in USA to use their number to get a validation code. Then you can switch it after validated. I looked at the other providers and they’re not a great value.

I prefer when companies use two factor identification through email. It’s irritating when it’s sms only option.

Topic Author
Jive Turkey
Posts: 34
Joined: Tue Jun 17, 2008 9:35 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by Jive Turkey » Wed Jul 18, 2018 11:57 pm

Thanks to all for the helpful advice. Sounds easy to sort out on my next visit to the US.

bobolink
Posts: 9
Joined: Sun Sep 20, 2015 8:16 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by bobolink » Thu Jul 19, 2018 12:45 pm

Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin

gtd98765
Posts: 167
Joined: Sun Jan 08, 2017 4:15 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by gtd98765 » Thu Jul 19, 2018 3:19 pm

bobolink wrote:
Thu Jul 19, 2018 12:45 pm
Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin
I disagree that it is "relatively easy for sometime to intercept your text messages". It may be relatively easy for the NSA or the GRU, but unless there is some reason these expensive specialized agencies should be after you personally, I think it is non-trivial, and there is certainly not an epidemic of such attacks going around. I would worry more about pfishing and trojans stealing passwords. Certainly for 99% of the population any 2FA is better than no 2FA, and we should not be discouraging people from taking advantage of any 2FA measures that are available, or make them think "it's really no safer." It is, even if it's not perfect.

Thesaints
Posts: 1866
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Wed Sep 12, 2018 8:22 pm

"2FA is safer than no 2FA", the risk being... ?

User avatar
tuningfork
Posts: 431
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Wed Sep 12, 2018 9:33 pm

gtd98765 wrote:
Thu Jul 19, 2018 3:19 pm
bobolink wrote:
Thu Jul 19, 2018 12:45 pm
Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin
I disagree that it is "relatively easy for sometime to intercept your text messages". It may be relatively easy for the NSA or the GRU, but unless there is some reason these expensive specialized agencies should be after you personally, I think it is non-trivial, and there is certainly not an epidemic of such attacks going around.
Someone does not need NSA hacking skills if they want to target you specifically. It can be done by simply calling or visiting your carrier and impersonating you, convincing them to issue a new SIM. The hard part is getting enough personal details about you to make a plausible social engineering attack. With those details and the right call center agent it could be relatively easy.

Examples here https://www.wired.com/2016/06/hey-stop- ... ntication/

User avatar
tuningfork
Posts: 431
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Wed Sep 12, 2018 9:40 pm

Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.

Thesaints
Posts: 1866
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Wed Sep 12, 2018 10:53 pm

tuningfork wrote:
Wed Sep 12, 2018 9:40 pm
Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.
So, hackers log on my Vanguard account. And then ? The only possible negative consequence I can see is that they start exchanging shares of fund A for Fund B, triggering CG. They still don't make a dime, so it would be purely out of spite.

User avatar
tuningfork
Posts: 431
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Thu Sep 13, 2018 10:52 am

Thesaints wrote:
Wed Sep 12, 2018 10:53 pm
tuningfork wrote:
Wed Sep 12, 2018 9:40 pm
Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.
So, hackers log on my Vanguard account. And then ? The only possible negative consequence I can see is that they start exchanging shares of fund A for Fund B, triggering CG. They still don't make a dime, so it would be purely out of spite.
The assumption being Vanguard hasn't left any openings in their website or procedures that a determined hacker could exploit. Once they have your password and access to your account, can they change your security questions? See or update beneficiaries? Gain enough info about your account to social engineer a phone rep? Maybe it's impossible, maybe not. There's risk, and like the other poster said, 2FA is safer than no 2FA.

Thesaints
Posts: 1866
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Thu Sep 13, 2018 1:53 pm

tuningfork wrote:
Thu Sep 13, 2018 10:52 am
The assumption being Vanguard hasn't left any openings in their website or procedures that a determined hacker could exploit. Once they have your password and access to your account, can they change your security questions? See or update beneficiaries? Gain enough info about your account to social engineer a phone rep? Maybe it's impossible, maybe not. There's risk, and like the other poster said, 2FA is safer than no 2FA.
In the same order as your questions:

- Yes. But I'll get notified at my email address of record. Contact Vanguard, establish my identity and have the change reversed.
By doing this hackers don't make a cent, so I'm questioning why "real" hackers would bother doing it.

- Yes. But... same as above.

- Maybe. So a fake phone rep calls me and then what ?

My overall point is that banks don't have 2FA and in the case of those accounts it is certainly possible to transfer funds to a third party. Why would Vanguard bother if it is virtually impossible to subtract funds by gaining unauthorized access ?

annielouise
Posts: 382
Joined: Wed May 14, 2008 4:11 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by annielouise » Thu Sep 13, 2018 2:18 pm

T-Mobile has free text messages in most countries. I think they have a plan or two that doesn't include this, but most plans do. Also free data, although it is slow.

User avatar
tuningfork
Posts: 431
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Thu Sep 13, 2018 6:29 pm

Thesaints wrote:
Thu Sep 13, 2018 1:53 pm
My overall point is that banks don't have 2FA and in the case of those accounts it is certainly possible to transfer funds to a third party. Why would Vanguard bother if it is virtually impossible to subtract funds by gaining unauthorized access ?
I can't speak for Vanguard's or any particular bank's decisions on their security infrastructure, but here's an interesting article about why most banks do not offer 2FA for login. Basically it's a risk assessment, and they're doing the minimum necessary. Vanguard must think the risk is higher than the bank does.

https://gizmodo.com/heres-why-your-bank ... 1683777281
In other words, the banks aren’t doing more because they don’t have to. And so as long as they maintain zero-loss guarantees against fraud, and the amount lost to fraud remains relatively small compared to their deep pockets, the banks won’t do anything more to protect you.

ItDontMeanAThing
Posts: 10
Joined: Tue Oct 06, 2015 7:23 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by ItDontMeanAThing » Mon Dec 10, 2018 7:34 am

I set up 2FA after Vanguard said do it or lose account access. Used it once to verify it works. Didn't use it again until a few days ago. The site responded to my logon as if 2FA didn't exist. I was surprised, to say the least. Anybody have an explanation?

User avatar
JoMoney
Posts: 6641
Joined: Tue Jul 23, 2013 5:31 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by JoMoney » Mon Dec 10, 2018 8:02 am

ItDontMeanAThing wrote:
Mon Dec 10, 2018 7:34 am
I set up 2FA after Vanguard said do it or lose account access. Used it once to verify it works. Didn't use it again until a few days ago. The site responded to my logon as if 2FA didn't exist. I was surprised, to say the least. Anybody have an explanation?
The only time I get a 2FA challenge is when I logon to a computer Vanguard doesn't "recognize" as one I've logged on from before. It gives me a check box to decide whether or not Vanguard should "remember" this computer for future logons.
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham

User avatar
HanSolo
Posts: 24
Joined: Thu Jul 19, 2012 3:18 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by HanSolo » Mon Dec 10, 2018 8:44 am

Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.

User avatar
tadamsmar
Posts: 8085
Joined: Mon May 07, 2007 12:33 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tadamsmar » Mon Dec 10, 2018 2:17 pm

Thesaints wrote:
Wed Sep 12, 2018 10:53 pm
So, hackers log on my Vanguard account. And then ?
Then, for instance, hack, pump, and dump:

Image
A more modern spin on this attack is known as hack, pump, and dump.[5] In this form, a person purchases penny stocks and then uses compromised brokerage accounts to purchase large quantities of that stock. The net result is a price increase, which is often pushed further by day traders seeing a quick advance in a stock. The original stockholder then cashes out at a premium.[6]
https://en.wikipedia.org/wiki/Pump_and_dump
Aleksey Kamardin reaped $13,158 in just 104 minutes buying and selling penny stocks.
http://www.washingtonpost.com/wp-dyn/co ... 01763.html

This was in 2007. As far as I can tell Kamardin fled to Russia and was never arrested and the money was never recovered.

All the major brokerage firms including Vanguard have been hit by hack, pump, and dump:

http://www.washingtonpost.com/wp-dyn/co ... 02240.html

You may lose money in your account during the dump phase when the stock purchased in your account has a price decline.

So, then what happens?

What happens next depends on how soon the hack is detected and how well you live up to your responsibilities:

https://personal.vanguard.com/us/help/S ... ontent.jsp

Perhaps this rarely happens, but investors or reimbursing brokerages have lost money this way.

Here's a hack, pump, and dump that cost the brokerages $600K in reimbursements and reaped the hacker $250K:

https://www.theregister.co.uk/2010/03/1 ... p_hacking/

Here's one involving 2.5M:

https://www.itbusiness.ca/news/man-gets ... scam/15049
Last edited by tadamsmar on Mon Dec 10, 2018 7:00 pm, edited 4 times in total.

User avatar
tadamsmar
Posts: 8085
Joined: Mon May 07, 2007 12:33 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tadamsmar » Mon Dec 10, 2018 2:27 pm

HanSolo wrote:
Mon Dec 10, 2018 8:44 am
Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.
Can you have more than one key on an account? What do you do if you lose a key?

User avatar
tadamsmar
Posts: 8085
Joined: Mon May 07, 2007 12:33 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tadamsmar » Mon Dec 10, 2018 7:38 pm

Thesaints wrote:
Thu Sep 13, 2018 1:53 pm
My overall point is that banks don't have 2FA and in the case of those accounts it is certainly possible to transfer funds to a third party. Why would Vanguard bother if it is virtually impossible to subtract funds by gaining unauthorized access?
First, it's possible to subtract funds and it happens.

Second, one difference in the case of the banks is that there is a federal law that requires reimbursement (assuming timely reporting by the client) of the client for hacks even if the client login credentials were not secure and were stolen by virtue of no fault of the bank. There is no such law in the case of Vanguard and other brokerages, so perhaps clients tend to demand a higher level of security from brokerages and the brokerage does not want to get bad press about hacks. Bad press about hacks of bank accounts and credit cards would not strike fear in the clients because they are covered. Heck bank and credit card hacks are probably so common that they don't even make the news. I don't think there are public reporting requirements anyway so we probably rarely hear about specific cases.

happenstance
Posts: 71
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Receiving 2FA codes from Vanguard while overseas

Post by happenstance » Mon Dec 10, 2018 7:57 pm

tadamsmar wrote:
Mon Dec 10, 2018 2:27 pm
HanSolo wrote:
Mon Dec 10, 2018 8:44 am
Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.
Can you have more than one key on an account? What do you do if you lose a key?
Yes, you can have more than one key on an account, and you can use the same key on multiple accounts. I register a personal key (on my keyring), one attached to my computer (stays inside the USB port), and one as the emergency backup.

Currently Vanguard will allow you to fall-back to SMS if you lose the key. In the future, hopefully they won't as this is a bit less secure (but it also makes account recovery for a lost key a more difficult proposition).

User avatar
tadamsmar
Posts: 8085
Joined: Mon May 07, 2007 12:33 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tadamsmar » Tue Dec 11, 2018 10:45 am

happenstance wrote:
Mon Dec 10, 2018 7:57 pm
tadamsmar wrote:
Mon Dec 10, 2018 2:27 pm
HanSolo wrote:
Mon Dec 10, 2018 8:44 am
Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.
Can you have more than one key on an account? What do you do if you lose a key?
Yes, you can have more than one key on an account, and you can use the same key on multiple accounts. I register a personal key (on my keyring), one attached to my computer (stays inside the USB port), and one as the emergency backup.

Currently Vanguard will allow you to fall-back to SMS if you lose the key. In the future, hopefully they won't as this is a bit less secure (but it also makes account recovery for a lost key a more difficult proposition).
Do you have to phone Vanguard to get them to fall-back to SMS?

If you can simply get an SMS message without phoning in and without providing any additional information, then it seems that the key is no more secure than SMS.

ItDontMeanAThing
Posts: 10
Joined: Tue Oct 06, 2015 7:23 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by ItDontMeanAThing » Tue Dec 11, 2018 10:47 am

JoMoney wrote:
Mon Dec 10, 2018 8:02 am
The only time I get a 2FA challenge is when I logon to a computer Vanguard doesn't "recognize" as one I've logged on from before. It gives me a check box to decide whether or not Vanguard should "remember" this computer for future logons.
D'oh! Of course. Thanks.

User avatar
tadamsmar
Posts: 8085
Joined: Mon May 07, 2007 12:33 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tadamsmar » Tue Dec 11, 2018 11:04 am

happenstance wrote:
Mon Dec 10, 2018 7:57 pm
tadamsmar wrote:
Mon Dec 10, 2018 2:27 pm
HanSolo wrote:
Mon Dec 10, 2018 8:44 am
Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.
Can you have more than one key on an account? What do you do if you lose a key?
Yes, you can have more than one key on an account, and you can use the same key on multiple accounts. I register a personal key (on my keyring), one attached to my computer (stays inside the USB port), and one as the emergency backup.

Currently Vanguard will allow you to fall-back to SMS if you lose the key. In the future, hopefully they won't as this is a bit less secure (but it also makes account recovery for a lost key a more difficult proposition).
Do you have to phone Vanguard to get them to fall-back to SMS?

If you can simply get an SMS message without phoning in and without providing any additional information, then it seems that the key is no more secure than SMS.

happenstance
Posts: 71
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Receiving 2FA codes from Vanguard while overseas

Post by happenstance » Tue Dec 11, 2018 8:25 pm

tadamsmar wrote:
Tue Dec 11, 2018 11:04 am
happenstance wrote:
Mon Dec 10, 2018 7:57 pm
tadamsmar wrote:
Mon Dec 10, 2018 2:27 pm
HanSolo wrote:
Mon Dec 10, 2018 8:44 am
Having the same situation as the OP, I got a thing called "Security Key by Yubico" (two of them, one that I use, plus a backup in case I lose it). I use it with the Chrome browser on a Windows 7 notebook PC and it works for me. You can register up to 4 keys with Vanguard.com. You might want to do the setup before going overseas.

The only trouble I had was in the ordering. I ordered two on Amazon, who said the order qualifies for free shipping, and then they charged me for shipping, so I canceled the order. Then I ordered the two-pack from the Yubico website and the USPS lost it. Yubico then sent me a replacement shipment and I got it within a few days, and lived happily ever after.
Can you have more than one key on an account? What do you do if you lose a key?
Yes, you can have more than one key on an account, and you can use the same key on multiple accounts. I register a personal key (on my keyring), one attached to my computer (stays inside the USB port), and one as the emergency backup.

Currently Vanguard will allow you to fall-back to SMS if you lose the key. In the future, hopefully they won't as this is a bit less secure (but it also makes account recovery for a lost key a more difficult proposition).
Do you have to phone Vanguard to get them to fall-back to SMS?

If you can simply get an SMS message without phoning in and without providing any additional information, then it seems that the key is no more secure than SMS.
The website will allow you fallback to SMS (there's a link to "Log on with a security code").

It's a common misconception that this makes it a security key no more secure. A security key still protects you against phishing, which is the far more common threat than someone trying to intercept an SMS code. It would be better if there were no SMS fallback to mitigate the latter, though it does not make using a security key pointless.

Post Reply