Data breaches and security

Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Data breaches and security

Post by pcsrini »

A recent thread on Vanguard outsourcing got me thinking about data privacy and data security. Beyond the obvious external hackers, ransomware & social engineering, the biggest threat vector is perhaps a disgruntled or unscrupulous internal employee who breaches PII (personally identifiable data) either on a case-by-case basis or en masse. Over the years, a large number of breaches have been reported by major US companies, and I believe the latest one was Equifax. Widespread adoption of the HTTPS protocol and other technologies has since helped make things safer. For an investor, these are some steps they can take to protect themselves:

1. Strong passwords
2. Two factor authentication with a strong second factor like a Yubikey
3. Never sharing passwords, and being vigilant to online scams and social engineering

If an investor has taken all reasonable precautions, what responsibility do brokerages have if there is a data theft or breach and PII data is shared on the dark web? It appears that in most recent cases of these breaches, most of the companies where these occurred emerged unharmed with a light rap on the knuckles. Ironically and opportunistically, Equifax has been selling protection products for data breaches.

Please don't discuss outsourcing on this thread (there are other threads) and focus on steps investors can take to protect themselves.
megabad
Posts: 3334
Joined: Fri Jun 01, 2018 4:00 pm

Re: Data breaches and security

Post by megabad »

The way you have asked the question, I would say they have very little responsibility if your personal information ends up on the dark web. Essentially everyone with any financial information already has their info up on the web. It was already compromised. I would be more concerned with protecting my holdings at specific institutions from theft. So making sure the user takes precautions against password theft or cellphone hijacking is important. After that, I would assume the primary risk is from brokerage/fund employees and financial advisors. The brokerage firm would take responsibility for employee theft I assume by paying for SIPC up to the limit. I assume this would apply.
sycamore
Posts: 1562
Joined: Tue May 08, 2018 12:06 pm

Re: Data breaches and security

Post by sycamore »

Some previous threads discussed this subject:

viewtopic.php?t=253103
viewtopic.php?t=228335
viewtopic.php?t=281236

And a couple of web pages from Vanguard about what you should do, and what Vanguard does:
https://personal.vanguard.com/us/help/S ... ontent.jsp
https://investor.vanguard.com/security/
Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Re: Data breaches and security

Post by pcsrini »

sycamore wrote: Wed Jul 15, 2020 1:54 pm Some previous threads discussed this subject:

viewtopic.php?t=253103
viewtopic.php?t=228335
viewtopic.php?t=281236

And a couple of web pages from Vanguard about what you should do, and what Vanguard does:
https://personal.vanguard.com/us/help/S ... ontent.jsp
https://investor.vanguard.com/security/
Thank you! The only concern is maybe if it's a large enough breach and they have to compensate a number of account holders, they may find it challenging to cover the losses. If it's an isolated one-off, they will make you whole. I do realize a lot of data already exists on the dark web, and was mostly concerned about account holdings and transactional data, which to date I don't believe has ever been exposed.
ChrisBenn
Posts: 454
Joined: Mon Aug 05, 2019 7:56 pm

Re: Data breaches and security

Post by ChrisBenn »

pcsrini wrote: Wed Jul 15, 2020 2:34 pm
Thank you! The only concern is maybe if it's a large enough breach and they have to compensate a number of account holders, they may find it challenging to cover the losses. If it's an isolated one-off, they will make you whole. I do realize a lot of data already exists on the dark web, and was mostly concerned about account holdings and transactional data, which to date I don't believe has ever been exposed.
Note that if you use Vanguard's iOS application you are automatically in violation of the "your responsibilities" portion of their fraud guarantee - specifically "Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." -- since those products don't meaningfully exist on the iOS app store unless you jailbreak. Will Vanguard enforce that? I can't imagine they would, but regardless you would be in breach.

I did email Vanguard about this language, and just got a "thanks for feedback" generic email.
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

ChrisBenn wrote: Wed Jul 15, 2020 2:46 pm
Note that if you use Vanguard's iOS application you are automatically in violation of the "your responsibilities" portion of their fraud guarantee - specifically "Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." -- since those products don't meaningfully exist on the iOS app store unless you jailbreak. Will Vanguard enforce that? I can't imagine they would, but regardless you would be in breach.

I did email Vanguard about this language, and just got a "thanks for feedback" generic email.
Who puts out the iOS application that supposedly automatically violates the "your responsibilities" portion of their fraud guarantee?
ChrisBenn
Posts: 454
Joined: Mon Aug 05, 2019 7:56 pm

Re: Data breaches and security

Post by ChrisBenn »

palanzo wrote: Wed Jul 15, 2020 2:48 pm
Who puts out the iOS application that supposedly automatically violates the "your responsibilities" portion of their fraud guarantee?
Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).

Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Re: Data breaches and security

Post by pcsrini »

ChrisBenn wrote: Wed Jul 15, 2020 2:52 pm
Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).

Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
Then, perhaps the best option to protect ourselves is to not use mobile apps for banking and brokerages. Keep a dedicated computer (Chromebook?) that is used to only access brokerage and banking websites.
ChrisBenn
Posts: 454
Joined: Mon Aug 05, 2019 7:56 pm

Re: Data breaches and security

Post by ChrisBenn »

pcsrini wrote: Wed Jul 15, 2020 2:57 pm
(...)

Then, perhaps the best option to protect ourselves is to not use mobile apps for banking and brokerages. Keep a dedicated computer (Chromebook?) that is used to only access brokerage and banking websites.
I think the iOS device is likely secure (and not the weak link), but there is a potential policy issue (that I'm dubious Vanguard would enforce, but I wouldn't want to have to fight that battle).

Very quickly this can get into the realm of "good enough" vs. "perfect".

Really using two factor (with Vanguard YubiKey / SMS fallback is the best option) with a strong password, and not following links but typing in the URL / using a bookmark you saved is about as good as it gets. A separate device is definitely pushing diminishing returns, but still does give some ROI. I personally don't bother - but wouldn't call it useless.
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Data breaches and security

Post by Mordoch »

ChrisBenn wrote: Wed Jul 15, 2020 3:11 pm with a strong password
This should be clarified as a strong unique password since reuse could conceivably lead to your Vanguard account being compromised if another account elsewhere is first. Generally a password manager would be the best option, but others can potentially work and are generally good enough. (Although if you are creating passwords on your own there tends to be a greater risk they are not as strong as they should be if you are not using the right practices.)
Mr-et-Mrs-R
Posts: 61
Joined: Thu Dec 05, 2013 10:49 am

Re: Data breaches and security

Post by Mr-et-Mrs-R »

This:
https://xkcd.com/936/

Edit:
This is the only time where length matters.
:P
[rim shot]

But in truth here, you can do everything correctly, and just one small slip-up can expose your data.
Equifax's data breach was from using an outdated version of Apache Struts.
Just use really long passwords and hope for the best.
Last edited by Mr-et-Mrs-R on Wed Jul 15, 2020 3:35 pm, edited 1 time in total.
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

pcsrini wrote: Wed Jul 15, 2020 2:57 pm
Then, perhaps the best option to protect ourselves is to not use mobile apps for banking and brokerages. Keep a dedicated computer (Chromebook?) that is used to only access brokerage and banking websites.
Ahh yes and use Chrome which is the best spyware browser on the market.
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

ChrisBenn wrote: Wed Jul 15, 2020 2:52 pm
Vanguard's own application. It's not an issue with the app, it's rather that their policy requires the device you use to access your account meet certain criteria, and one is anti-virus, anti-spyware, and a firewall. Those aren't available for iOS - Apple's security model would require Apple to build those in, as other applications can only work in their sandbox (maybe you could mimic a firewall with a VPN app?).

Ref: https://personal.vanguard.com/us/help/S ... ontent.jsp
I am very familiar with Apple's security model. My point is that Vanguard can't put out an app for customers to use and then say it "automatically violates the "your responsibilities" portion of their fraud guarantee". I doubt that would hold up in court. What use is an app if you can't use it?
ChrisBenn
Posts: 454
Joined: Mon Aug 05, 2019 7:56 pm

Re: Data breaches and security

Post by ChrisBenn »

palanzo wrote: Wed Jul 15, 2020 3:35 pm (...)
I am very familiar with Apple's security model. My point is that Vanguard can't put out an app for customers to use and then say it "automatically violates the "your responsibilities" portion of their fraud guarantee". I doubt that would hold up in court. What use is an app if you can't use it?

I think that's common sense; unfortunately I don't believe our legal system runs on common sense - at least not without legal fees and time to help adjudicate that common sense.

For me having to defend that in court, even if victory was assured, well I would already consider that a loss.

I also personally find it dubious that Vanguard would enforce that provision - but nevertheless it's there, and they seem to be unwilling to clarify/change it.
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

ChrisBenn wrote: Wed Jul 15, 2020 3:42 pm
I think that's common sense; unfortunately I don't believe our legal system runs on common sense - at least not without legal fees and time to help adjudicate that common sense.

For me having to defend that in court, even if victory was assured, well I would already consider that a loss.

I also personally find it dubious that Vanguard would enforce that provision - but nevertheless it's there, and they seem to be unwilling to clarify/change it.
I agree with you. I am going to send a message to my representative with a copy paste of the above and ask for formal Vanguard clarification. They owe us that much.
Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Re: Data breaches and security

Post by pcsrini »

Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.

Could this happen at Vanguard, Schwab or any of the other brokerage sites?

https://www.businessinsider.com/twitter ... ool-2020-7
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

pcsrini wrote: Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.

Could this happen at Vanguard, Schwab or any of the other brokerage sites?

https://www.businessinsider.com/twitter ... ool-2020-7
Of course it could and it probably has. Insider data breaches. Search for it.
sycamore
Posts: 1562
Joined: Tue May 08, 2018 12:06 pm

Re: Data breaches and security

Post by sycamore »

pcsrini wrote: Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.

Could this happen at Vanguard, Schwab or any of the other brokerage sites?

https://www.businessinsider.com/twitter ... ool-2020-7
Not being insiders, we can only speculate.

As regulated financial institutions, Vanguard, Schwab, etc. likely have to follow certain best practices regarding access to the internal tools they use to administer customer accounts. Is it possible for a compromised or determined employee to skirt their employer's safeguards? It's easy to imagine the answer is yes. But what if the answer is yes? What to do about it?
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

sycamore wrote: Thu Jul 16, 2020 3:15 pm
Not being insiders, we can only speculate.

As regulated financial institutions, Vanguard, Schwab, etc. likely have to follow certain best practices regarding access to the internal tools they use to administer customer accounts. Is it possible for a compromised or determined employee to skirt their employer's safeguards? It's easy to imagine the answer is yes. But what if the answer is yes? What to do about it?
It has already happened at Vanguard.

https://www.inquirer.com/business/vangu ... 90315.html
willthrill81
Posts: 22672
Joined: Thu Jan 26, 2017 3:17 pm
Location: USA

Re: Data breaches and security

Post by willthrill81 »

megabad wrote: Wed Jul 15, 2020 1:48 pm The way you have asked the question, I would say they have very little responsibility if your personal information ends up on the dark web. Essentially everyone with any financial information already has their info up on the web. It was already compromised. I would be more concerned with protecting my holdings at specific institutions from theft. So making sure the user takes precautions against password theft or cellphone hijacking is important. After that, I would assume the primary risk is from brokerage/fund employees and financial advisors. The brokerage firm would take responsibility for employee theft I assume by paying for SIPC up to the limit. I assume this would apply.
I agree. Assume that your data is already 'out there' and act accordingly.

Freeze your credit with all of the bureaus.

Use 2FA when you can.

Set up alerts on your bank accounts so that you know when electronic transactions and those exceeding a fairly low threshold occur.

Use strong passwords and a password manager.

Protect your cell phone.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien, The Lord of the Rings
sycamore
Posts: 1562
Joined: Tue May 08, 2018 12:06 pm

Re: Data breaches and security

Post by sycamore »

palanzo wrote: Thu Jul 16, 2020 3:18 pm
It has already happened at Vanguard.

https://www.inquirer.com/business/vangu ... 90315.html
I'll rephrase my first sentence... Being observant of past events, we don't need to speculate! :oops:

What would you do about it? Move assets to another financial provider? Just hold your nose and stay with VG (or whoever)?
oldfort
Posts: 2376
Joined: Mon Mar 02, 2020 8:45 pm

Re: Data breaches and security

Post by oldfort »

pcsrini wrote: Thu Jul 16, 2020 3:02 pm Apparently, the root cause for the Twitter hack was that an employee provided access to an internal tool that bypasses authentication.

Could this happen at Vanguard, Schwab or any of the other brokerage sites?

https://www.businessinsider.com/twitter ... ool-2020-7
At some level, you have to trust Vanguard or any other financial institution to do a good job with their internal security and there's not much you can do about it. How do you know Vanguard doesn't store all customer passwords in plaintext? At some point, you have to assume or hope they follow industry best practices.
Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Re: Data breaches and security

Post by pcsrini »

sycamore wrote: Thu Jul 16, 2020 3:35 pm
I'll rephrase my first sentence... Being observant of past events, we don't need to speculate! :oops:

What would you do about it? Move assets to another financial provider? Just hold your nose and stay with VG (or whoever)?
I would expect that there are much tougher laws and punitive damages when these breaches occur. Unfortunately, unless the bar is high there will continue to be breaches, and customers will suffer. There is some thinking among security professionals that this may have only been the initial attack, and there may be others coming. California introduced a data privacy law last year which was a start, and the EU does seem to take this issue more seriously. Even when customers are super vigilant, the hoops they need to go through to get an unauthorized access addressed are painful. The burden should be on these public companies and financial institutions to ensure that their systems are bulletproof.
oldfort
Posts: 2376
Joined: Mon Mar 02, 2020 8:45 pm

Re: Data breaches and security

Post by oldfort »

pcsrini wrote: Thu Jul 16, 2020 3:55 pm
I would expect that there are much tougher laws and punitive damages when these breaches occur. Unfortunately, unless the bar is high there will continue to be breaches, and customers will suffer. There is some thinking among security professionals that this may have only been the initial attack, and there may be others coming. California introduced a data privacy law last year which was a start, and the EU does seem to take this issue more seriously. Even when customers are super vigilant, the hoops they need to go through to get an unauthorized access addressed are painful. The burden should be on these public companies and financial institutions to ensure that their systems are bulletproof.
What the law should be is outside the scope of the forum.
Topic Author
pcsrini
Posts: 192
Joined: Mon Jan 24, 2011 10:51 pm

Re: Data breaches and security

Post by pcsrini »

Perhaps having accounts at multiple brokerages (each with strong passwords and 2FA) is one way to reduce the impact if one of them is hacked. I would expect if a Twitter-like attack happened, you would lose access to your account while the company tries to fix the root cause and restore access to account holders.
palanzo
Posts: 1845
Joined: Thu Oct 10, 2019 4:28 pm

Re: Data breaches and security

Post by palanzo »

oldfort wrote: Thu Jul 16, 2020 3:49 pm
At some level, you have to trust Vanguard or any other financial institution to do a good job with their internal security and there's not much you can do about it. How do you know Vanguard doesn't store all customer passwords in plaintext? At some point, you have to assume or hope they follow industry best practices.
As you know...Hope is not a plan.
sycamore
Posts: 1562
Joined: Tue May 08, 2018 12:06 pm

Re: Data breaches and security

Post by sycamore »

pcsrini wrote: Thu Jul 16, 2020 4:08 pm Perhaps having accounts at multiple brokerages (each with strong passwords and 2FA) is one way to reduce the impact if one of them is hacked. I would expect if a Twitter-like attack happened, you would lose access to your account while the company tries to fix the root cause and restore access to account holders.
Yep, I've heard some people keep a second brokerage and a second bank account precisely because of the risk that one institution may be hacked and you wouldn't want all your assets at risk (either for theft or when waiting for recovery).

Very reasonable plan, in addition to securing things from an end user's perspective (MFA, don't share passwords, etc.)
oldfort
Posts: 2376
Joined: Mon Mar 02, 2020 8:45 pm

Re: Data breaches and security

Post by oldfort »

palanzo wrote: Thu Jul 16, 2020 4:23 pm
As you know...Hope is not a plan.
And your point is?