Data breaches and security
A recent thread on Vanguard outsourcing got me thinking about data privacy and data security. Beyond the obvious external hackers, ransomware & social engineering, the biggest threat vector is perhaps a disgruntled or unscrupulous internal employee who breaches PII (personally identifiable data) either on a case by case basis or en masse. Over the years, a large number of breaches have been reported by major US companies, and I believe the latest one was Equifax. Widespread adoption of the HTTPS protocol and other technologies have since helped make things safer. For an investor, these are some steps they can take to protect themselves:
1. Strong passwords
2. Two factor authentication with a strong second factor like a Yubikey
3. Never sharing passwords, and being vigilant to online scams and social engineering
If an investor has taken all reasonable precautions, what responsibility do brokerages have if there is a data theft or breach and PII data is shared on the dark web? It appears that in most recent cases of these breaches, most of the companies where these occurred emerged unharmed with a light rap on the knuckles. Ironically and opportunistically, Equifax has been selling protection products for data breaches.
Please don't discuss outsourcing on this thread (there are other threads) and focus on steps investors can take to protect themselves.
Re: Data breaches and security
The way you have asked the question, I would say they have very little responsibility if your personal information ends up on the dark web. Essentially everyone with any financial information already has their info up on the web. It was already compromised. I would be more concerned with protecting my holdings at specific institutions from theft. So making sure the user takes precautions against password theft or cellphone hijacking is important. After that, I would assume the primary risk is from brokerage/fund employees and financial advisors. The brokerage firm would take responsibility for employee theft I assume by paying for SIPC up to the limit. I assume this would apply.
Re: Data breaches and security
Some previous threads discussed this subject:
viewtopic.php?t=253103
viewtopic.php?t=228335
viewtopic.php?t=281236
And a couple of web pages from Vanguard about what you should do, and what Vanguard does:
https://personal.vanguard.com/us/help/S ... ontent.jsp
https://investor.vanguard.com/security/
Re: Data breaches and security
Thank you! The only concern is maybe if it's a large enough breach and they have to compensate a number of account holders, they may find it challenging to cover the losses. If it's an isolated one off, they will make you whole. I do realize a lot of data already exists on the dark web, and was mostly concerned about account holdings and transactional data, which to date I don't believe has ever been exposed.
sycamore wrote: ↑Wed Jul 15, 2020 1:54 pm Some previous threads discussed this subject:
viewtopic.php?t=253103
viewtopic.php?t=228335
viewtopic.php?t=281236
And a couple of web pages from Vanguard about what you should do, and what Vanguard does:
https://personal.vanguard.com/us/help/S ... ontent.jsp
https://investor.vanguard.com/security/
Re: Data breaches and security
Note that if you use Vanguard's iOS application you are automatically in violation of the "your responsibilities" portion of their fraud guarantee - specifically "Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." -- since those products don't meaningfully exist on the iOS app store unless you jailbreak. Will Vanguard enforce that? I can't imagine they would, but regardless you would be in breach.
I did email Vanguard about this language, and just got a "thanks for feedback" generic email.
pcsrini wrote: ↑Wed Jul 15, 2020 2:34 pm Thank you! The only concern is maybe if it's a large enough breach and they have to compensate a number of account holders, they may find it challenging to cover the losses. If it's an isolated one off, they will make you whole. I do realize a lot of data already exists on the dark web, and was mostly concerned about account holdings and transactional data, which to date I don't believe has ever been exposed.
Re: Data breaches and security
Who puts out the iOS application that supposedly automatically violates the "your responsibilities" portion of their fraud guarantee?
ChrisBenn wrote: ↑Wed Jul 15, 2020 2:46 pm Note that if you use Vanguard's iOS application you are automatically in violation of the "your responsibilities" portion of their fraud guarantee - specifically "Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." -- since those products don't meaningfully exist on the iOS app store unless you jailbreak. Will Vanguard enforce that? I can't imagine they would, but regardless you would be in breach.
I did email Vanguard about this language, and just got a "thanks for feedback" generic email.
Re: Data breaches and security
Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).
Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
palanzo wrote: ↑Wed Jul 15, 2020 2:48 pm Who puts out the iOS application that supposedly automatically violates the "your responsibilities" portion of their fraud guarantee?
Re: Data breaches and security
Then, perhaps the best option to protect ourselves is to not use mobile apps for banking and brokerages. Keep a dedicated computer (Chromebook?) that is used to only access brokerage and banking websites.
ChrisBenn wrote: ↑Wed Jul 15, 2020 2:52 pm Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).
Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
Re: Data breaches and security
I think the iOS device is likely secure (and not the weak link), but there is a potential policy issue (that I'm dubious Vanguard would enforce, but I wouldn't want to have to fight that battle).
Very quickly this can get into the realm of "good enough" vs. "perfect".
Really using two factor (with Vanguard Yubikey / SMS fallback is the best option) with a strong password, and not following links but typing in the URL / using a bookmark you saved is about as good as it gets. A separate device is definitely pushing diminishing returns, but still does give some ROI. I personally don't bother - but wouldn't call it useless.
Re: Data breaches and security
This should be clarified as a strong unique password since reuse could conceivably lead to your Vanguard account being compromised if another account elsewhere is first. Generally a password manager would be the best option, but others can potentially work and are generally good enough. (Although if you are creating passwords on your own there tends to be a greater risk they are not as strong as they should be if you are not using the right practices.)
Re: Data breaches and security
This:
https://xkcd.com/936/
Edit:
This is the only time where length matters.
[rim shot]
But in truth here, you can do everything correctly, and just one small slip-up can expose your data.
Equifax's data breach was from using an outdated version of Apache Struts.
Just use really long passwords and hope for the best.
Last edited by Mr-et-Mrs-R on Wed Jul 15, 2020 3:35 pm, edited 1 time in total.
Re: Data breaches and security
Ahh yes and use Chrome which is the best spyware browser on the market.
pcsrini wrote: ↑Wed Jul 15, 2020 2:57 pm Then, perhaps the best option to protect ourselves is to not use mobile apps for banking and brokerages. Keep a dedicated computer (Chromebook?) that is used to only access brokerage and banking websites.
Re: Data breaches and security
I am very familiar with Apple's security model. My point is that Vanguard can't put out an app for customers to use and then say it "automatically violates the "your responsibilities" portion of their fraud guarantee". I doubt that would hold up in court. What use is an app if you can't use it?
ChrisBenn wrote: ↑Wed Jul 15, 2020 2:52 pm Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).
Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
Re: Data breaches and security
I think that's common sense; unfortunately I don't believe our legal system runs on common sense - at least not without legal fees and time to help adjudicate that common sense.
For me having to defend that in court, even if victory was assured, well I would already consider that a loss.
I also personally find it dubious that Vanguard would enforce that provision - but nevertheless it's there, and they seem to be unwilling to clarify/change it.
palanzo wrote: ↑Wed Jul 15, 2020 3:35 pm (...)
I am very familiar with Apple's security model. My point is that Vanguard can't put out an app for customers to use and then say it "automatically violates the "your responsibilities" portion of their fraud guarantee". I doubt that would hold up in court. What use is an app if you can't use it?
Re: Data breaches and security
I agree with you. I am going to send a message to my representative with a copy paste of the above and ask for formal Vanguard clarification. They owe us that much.
ChrisBenn wrote: ↑Wed Jul 15, 2020 3:42 pm I think that's common sense; unfortunately I don't believe our legal system runs on common sense - at least not without legal fees and time to help adjudicate that common sense.
For me having to defend that in court, even if victory was assured, well I would already consider that a loss.
I also personally find it dubious that Vanguard would enforce that provision - but nevertheless it's there, and they seem to be unwilling to clarify/change it.
Re: Data breaches and security
Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.
Could this happen at Vanguard, Schwab or any of the other brokerage sites?
https://www.businessinsider.com/twitter ... ool-2020-7
Re: Data breaches and security
Of course it could and it probably has. Insider data breaches. Search for it.
pcsrini wrote: ↑Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.
Could this happen at Vanguard, Schwab or any of the other brokerage sites?
https://www.businessinsider.com/twitter ... ool-2020-7
Re: Data breaches and security
Not being insiders, we can only speculate.
As regulated financial institutions, Vanguard, Schwab, etc. likely have to follow certain best practices regarding access to the internal tools they use to administer customer accounts. Is it possible for a compromised or determined employee to skirt their employer's safeguards? It's easy to imagine the answer is yes. But what if the answer is yes? What to do about it?
pcsrini wrote: ↑Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.
Could this happen at Vanguard, Schwab or any of the other brokerage sites?
https://www.businessinsider.com/twitter ... ool-2020-7
Re: Data breaches and security
It has already happened at Vanguard.
https://www.inquirer.com/business/vangu ... 90315.html
sycamore wrote: ↑Thu Jul 16, 2020 3:15 pm Not being insiders, we can only speculate.
As regulated financial institutions, Vanguard, Schwab, etc. likely have to follow certain best practices regarding access to the internal tools they use to administer customer accounts. Is it possible for a compromised or determined employee to skirt their employer's safeguards? It's easy to imagine the answer is yes. But what if the answer is yes? What to do about it?
- willthrill81
Re: Data breaches and security
I agree. Assume that your data is already 'out there' and act accordingly.
Freeze your credit with all of the bureaus.
Use 2FA when you can.
Set up alerts on your bank accounts so that you know when electronic transactions and those exceeding a fairly low threshold occur.
Use strong passwords and a password manager.
Protect your cell phone.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien, The Lord of the Rings
megabad wrote: ↑Wed Jul 15, 2020 1:48 pm The way you have asked the question, I would say they have very little responsibility if your personal information ends up on the dark web. Essentially everyone with any financial information already has their info up on the web. It was already compromised. I would be more concerned with protecting my holdings at specific institutions from theft. So making sure the user takes precautions against password theft or cellphone hijacking is important. After that, I would assume the primary risk is from brokerage/fund employees and financial advisors. The brokerage firm would take responsibility for employee theft I assume by paying for SIPC up to the limit. I assume this would apply.
Re: Data breaches and security
I'll rephrase my first sentence... Being observant of past events, we don't need to speculate!
What would you do about it? Move assets to another financial provider? Just hold your nose and stay with VG (or whoever)?
palanzo wrote: ↑Thu Jul 16, 2020 3:18 pm It has already happened at Vanguard.
https://www.inquirer.com/business/vangu ... 90315.html
Re: Data breaches and security
At some level, you have to trust Vanguard or any other financial institution to do a good job with their internal security and there's not much you can do about it. How do you know Vanguard doesn't store all customer passwords in plaintext? At some point, you have to assume or hope they follow industry best practices.
pcsrini wrote: ↑Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.
Could this happen at Vanguard, Schwab or any of the other brokerage sites?
https://www.businessinsider.com/twitter ... ool-2020-7
Re: Data breaches and security
I would expect that there are much tougher laws and punitive damages when these breaches occur. Unfortunately, unless the bar is high there will continue to be breaches, and customers will suffer. There is some thinking among security professionals that this may have only been the initial attack, and there may be others coming. California introduced a data privacy law last year which was a start, and the EU does seem to take this issue more seriously. Even when customers are super vigilant, the hoops they need to go through to get an unauthorized access addressed are painful. The burden should be on these public companies and financial institutions to ensure that their systems are bullet proof.
sycamore wrote: ↑Thu Jul 16, 2020 3:35 pm I'll rephrase my first sentence... Being observant of past events, we don't need to speculate!
What would you do about it? Move assets to another financial provider? Just hold your nose and stay with VG (or whoever)?
Re: Data breaches and security
What the law should be is outside the scope of the forum.
pcsrini wrote: ↑Thu Jul 16, 2020 3:55 pm I would expect that there are much tougher laws and punitive damages when these breaches occur. Unfortunately, unless the bar is high there will continue to be breaches, and customers will suffer. There is some thinking among security professionals that this may have only been the initial attack, and there may be others coming. California introduced a data privacy law last year which was a start, and the EU does seem to take this issue more seriously. Even when customers are super vigilant, the hoops they need to go through to get an unauthorized access addressed are painful. The burden should be on these public companies and financial institutions to ensure that their systems are bullet proof.
Re: Data breaches and security
Perhaps, having accounts at multiple brokerages (each with strong passwords and 2FA) is one way to reduce the impact if one of them is hacked. I would expect if a Twitter-like attack happened, you would lose access to your account while the company tries to fix the root cause and restore access to account holders.
Re: Data breaches and security
As you know... Hope is not a plan.
oldfort wrote: ↑Thu Jul 16, 2020 3:49 pm At some level, you have to trust Vanguard or any other financial institution to do a good job with their internal security and there's not much you can do about it. How do you know Vanguard doesn't store all customer passwords in plaintext? At some point, you have to assume or hope they follow industry best practices.
Re: Data breaches and security
Yep, I've heard some people keep a second brokerage and a second bank account precisely because of the risk that one institution may be hacked and you wouldn't want all your assets at risk (either for theft or when waiting for recovery).
Very reasonable plan, in addition to securing things from an end user's perspective (MFA, don't share passwords, etc.)
pcsrini wrote: ↑Thu Jul 16, 2020 4:08 pm Perhaps, having accounts at multiple brokerages (each with strong passwords and 2FA) is one way to reduce the impact if one of them is hacked. I would expect if a Twitter-like attack happened, you would lose access to your account while the company tries to fix the root cause and restore access to account holders.
Re: Data breaches and security
And your point is?
palanzo wrote: ↑Thu Jul 16, 2020 4:23 pm As you know... Hope is not a plan.