[Vanguard - Unauthorized attempts to access account, change email]

User avatar
Topic Author
vectorizer
Posts: 524
Joined: Sat Mar 03, 2007 2:52 pm

[Vanguard - Unauthorized attempts to access account, change email]

Post by vectorizer »

[Title was "first serious Vanguard account takeover attempt" --admin LadyGeek]

Had a few panicked hours this evening when I had my first experience with a serious attempt of an attacker to log in to my accounts. Vanguard customer for at least 25 years, FWIW. I'll describe what I saw, then ask for advice.

To Vanguard's credit, I got a password change notification by text and email, followed a minute later by two text messages with 6-digit codes. Looking at the raw text of the email it looked legit. What made this attack effective (against me at least) was that at the time of the notifications, I was getting phone calls from European numbers about every 5 or so seconds. I was so focused on trying to reduce the phone call barrage that I missed the notifications. No way that was a coincidence.

I could quiet the calls somewhat by setting the iPhone to not ring for unknown numbers (a setting I had explicitly turned off a year ago because of needing to answer important medical calls), though I still got distracting phone notifications for every call. That's when I noticed and could concentrate on the password change notification from Vanguard. The text of the password-change notification was infuriating: Vanguard says I should call immediately if I didn't change my password--only it was after 8pm, so I couldn't do the most logical thing first. (I did try to call despite knowing this and got a "call back during business hours" message.) Good gosh Vanguard, why don't you have a 24-hour hotline for security issues??

I have a Yubikey 2nd factor, but I'm away from home and didn't take one of them with me because I thought that was safer since I didn't need to execute transactions. Won't leave home without it after this! I had my wonderful daughter drive to our home to attempt to log in. She couldn't get past the username/password step, so that confirmed my password was indeed changed by the attacker. So, we went through the "forgot password" online process, which needed only easy to obtain information which (if I remember) was last four SSN and birthdate. No account number, no recent transactions or balances, nothing that only I should know as a Vanguard customer. This was so disappointing, but at least I was able to change my password back from whatever the attacker put in.

My daughter was able to log in with the new password and by touching the Yubikey. Then she verified that personal info like address and phone number was not changed, and that there were no new or in-process bank changes.

In retrospect, I think the attackers:
  • Started the phone call barrage
  • Changed my password using easily obtained leaked personal info
  • Got the Yubikey challenge
  • Asked for a SMS code (twice) instead of Yubikey
  • I got the SMS codes but of course didn't respond
  • The phone call barrage stopped as suddenly as it started
I think I was saved by both SMS and the Yubikey. I am aware that Yubikey users who registered at least two keys (I have) can turn off using SMS as an alternative 2nd factor, but haven't set that option. I've established a PIN with my phone provider to help protect against SIM swap attacks, FWIW.

Throughout the multiple password change events, I could continue to access my accounts via the Vanguard iPhone app with "Face ID". Not sure if that's good or bad.

If you've read this far, thanks. Now I'm not sure what to do tomorrow when Vanguard phones open again at 8am. Given my experiences the few times I've called the last couple years, I don't have confidence that whomever I talk to will have good suggestions either. I'm thinking maybe I should re-register to change my username? What else can I do? One problem with any change that involves a delay in access is that I'm in my "distribution" retirement phase, so I need to make withdrawals from Vanguard regularly to pay bills.

Thanks in advance for your suggestions.
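The sequence the OP reconstructs above (knowledge-based reset, security-key challenge, repeated SMS fallback requests, then the owner resetting the password back) is the kind of pattern an identity provider's detection logic can flag. Here is an added example of that logic; it is not from the OP or from Vanguard, and the event format, field names, sample records and hardware-key roster are all constructed.

```python
"""Detection sketch for the takeover sequence described in this thread: a
knowledge-based (DOB + last-4 SSN) password reset on an account with a hardware
key enrolled, followed within minutes by repeated SMS fallback requests, and a
second reset shortly after from a different address when the owner takes the
account back. All records and field names are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events, modelled on the OP's timeline.
EVENTS = [
    {"ts": "2025-01-23 21:31:00", "user": "jsmith", "event": "password_reset",
     "method": "kba", "ip": "203.0.113.7"},      # reset via DOB + last-4 SSN
    {"ts": "2025-01-23 21:31:40", "user": "jsmith", "event": "mfa_challenge",
     "method": "fido2", "ip": "203.0.113.7"},    # login asks for the security key
    {"ts": "2025-01-23 21:32:05", "user": "jsmith", "event": "mfa_fallback_request",
     "method": "sms", "ip": "203.0.113.7"},      # caller asks for an SMS code instead
    {"ts": "2025-01-23 21:33:10", "user": "jsmith", "event": "mfa_fallback_request",
     "method": "sms", "ip": "203.0.113.7"},      # ... and again
    {"ts": "2025-01-23 22:05:00", "user": "jsmith", "event": "password_reset",
     "method": "kba", "ip": "198.51.100.21"},    # owner resets it back from home
    {"ts": "2025-01-23 22:06:30", "user": "jsmith", "event": "login_success",
     "method": "fido2", "ip": "198.51.100.21"},  # owner logs in with the key
    # Benign control: a user resets, logs in with the key, never asks for SMS.
    {"ts": "2025-01-24 09:00:00", "user": "alee", "event": "password_reset",
     "method": "kba", "ip": "192.0.2.9"},
    {"ts": "2025-01-24 09:01:00", "user": "alee", "event": "login_success",
     "method": "fido2", "ip": "192.0.2.9"},
]

# Accounts with at least one hardware key enrolled (constructed roster).
HARDWARE_KEY_USERS = {"jsmith", "alee"}

FALLBACK_WINDOW = timedelta(minutes=15)  # look for SMS fallbacks this long after a reset
RESET_PAIR_WINDOW = timedelta(hours=1)   # two resets closer than this are suspicious
MIN_SMS_FALLBACKS = 2


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def events_by_user(events):
    """Group events per user, each list sorted by timestamp."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        grouped[e["user"]].append(e)
    return grouped


def find_reset_then_sms_fallback(events, key_users, window=FALLBACK_WINDOW,
                                 min_fallbacks=MIN_SMS_FALLBACKS):
    """Alert when a KBA password reset on a hardware-key account is followed,
    within `window`, by `min_fallbacks` or more SMS fallback requests. The key
    holder normally just touches the key; repeated SMS requests point to someone
    who holds the freshly reset password but not the key."""
    alerts = []
    for user, evs in events_by_user(events).items():
        if user not in key_users:
            continue
        for i, e in enumerate(evs):
            if e["event"] != "password_reset" or e["method"] != "kba":
                continue
            t0 = parse_ts(e["ts"])
            later = [f for f in evs[i + 1:] if parse_ts(f["ts"]) - t0 <= window]
            sms = [f for f in later
                   if f["event"] == "mfa_fallback_request" and f["method"] == "sms"]
            if len(sms) >= min_fallbacks:
                alerts.append({
                    "user": user, "reset_ts": e["ts"], "reset_ip": e["ip"],
                    "sms_fallbacks": len(sms),
                    # Did anyone complete a login inside the same window?
                    "login_succeeded": any(f["event"] == "login_success" for f in later),
                })
    return alerts


def find_competing_resets(events, window=RESET_PAIR_WINDOW):
    """Alert when one account is reset twice within `window` from different
    addresses: an attacker's reset being undone by the owner, or the reverse."""
    alerts = []
    for user, evs in events_by_user(events).items():
        resets = [e for e in evs if e["event"] == "password_reset"]
        for a, b in zip(resets, resets[1:]):
            if a["ip"] != b["ip"] and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= window:
                alerts.append({"user": user, "first_reset": a["ts"],
                               "second_reset": b["ts"], "ips": (a["ip"], b["ip"])})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_sms_fallback(EVENTS, HARDWARE_KEY_USERS):
        print("reset followed by SMS fallback requests:", alert)
    for alert in find_competing_resets(EVENTS):
        print("competing resets from different addresses:", alert)
```

On the constructed sample the first rule fires once (jsmith's 21:31 reset, two SMS requests, no completed login) and the second rule pairs the attacker's reset with the owner's reset 34 minutes later; the control user alee triggers neither.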
PersonalFinanceJam
Posts: 1090
Joined: Tue Aug 24, 2021 8:32 am

Re: first serious Vanguard account takeover attempt

Post by PersonalFinanceJam »

vectorizer wrote: Thu Jan 23, 2025 10:50 pm ...
I have a Yubikey 2nd factor, but I'm away from home and didn't take one of them with me because I thought that was safer since I didn't need to execute transactions. Won't leave home without it after this! I had my wonderful daughter drive to our home to attempt to log in. She couldn't get past the username/password step, so that confirmed my password was indeed changed by the attacker. So, we went through the "forgot password" online process, which needed only easy to obtain information which (if I remember) was last four SSN and birthdate. No account number, no recent transactions or balances, nothing that only I should know as a Vanguard customer. This was so disappointing, but at least I was able to change my password back from whatever the attacker put in.

My daughter was able to log in with the new password and by touching the Yubikey. Then she verified that personal info like address and phone number was not changed, and that there was no new or in-process bank changes.
...
I don't have a Vanguard account anymore but shouldn't the forgot password process send an email to the registered address with a link so you can reset the password? If so, then I'd change my email passwords and make sure it's secured because I can't see how the hackers could change your password without access to your email.

If the Vanguard process does not do this email verification step then that's somewhat concerning.
User avatar
Topic Author
vectorizer
Posts: 524
Joined: Sat Mar 03, 2007 2:52 pm

Re: first serious Vanguard account takeover attempt

Post by vectorizer »

PersonalFinanceJam wrote: Thu Jan 23, 2025 11:06 pm I don't have a Vanguard account anymore but shouldn't the forgot password process send an email to the registered address with a link so you can reset the password? If so, then I'd change my email passwords and make sure it's secured because I can't see how the hackers could change your password without access to your email.

If the Vanguard process does not do this email verification step then that's somewhat concerning.
No, there was no email sent to complete the forgot password process. The change was made totally on Vanguard's site. I did get a notification after the password changes by the attacker then by me, but it was only a notification, not a verification of receipt of email before making the change.
User avatar
MoneyIsTime
Posts: 165
Joined: Tue Jan 23, 2024 6:11 pm
Location: Wisconsin

Re: first serious Vanguard account takeover attempt

Post by MoneyIsTime »

Yikes, scary story! So you think your password must have leaked somehow? With the great wash of hacks out there maybe that’s how it happened. Forgive the dumb question, but did you re-use your password anywhere else? I have heard of password databases leaking (like Lastpass, etc). Hard to tell how something like this might have happened. If you have a diagnosis of how this might have happened it might be of use to us other users.

I think I will be changing my password as a precautionary measure. It's been a while since I've changed it, can't hurt.
Last edited by MoneyIsTime on Thu Jan 23, 2025 11:36 pm, edited 1 time in total.
“You are free to do whatever you like. You need only face the consequences.” — Sheldon B. Kopp | | AA 60/40 = Stock/Bond+Cash. MFJ, Ages 60/59, Retired 6/2023, Still figuring out retirement.
Diluted Waters
Posts: 306
Joined: Sun Sep 13, 2020 7:35 pm

Re: first serious Vanguard account takeover attempt

Post by Diluted Waters »

I don’t understand from your post how the perpetrators effected the password change without a successful sign on to your account.

[Edit: rereading I’m now understanding they must have used the password recovery mechanism with leaked SSN and other personal info but could not actually access the account without the second factor (Yubikey or SMS code). Meaning the second factor worked but you were subject to social engineering efforts which also failed but could have succeeded in gaining your sms code if you had fallen for it. This suggests weaknesses are at least: guessable or compromised username, and compromised email or other communication pathway used to receive the password recovery message. As mentioned earlier, you must lock down your email with two factor authentication. It’s the gateway to password recovery on many platforms, not just Vanguard’s.]

Given: a Yubikey or the correct SMS code, in addition to the correct username and password, is required to sign on, and a successful sign on is required to change the password to the account, and they did not have the Yubikey and they did not get the sms code from you or your cell phone due to a sim swap attack, how did they change the password?

Also, how might they have obtained your correct account password? And username?

These factors suggest you have a leak of confidential account information somewhere. Or did they in fact fail to change the password but you misread the attempt as a successful change?

Otherwise, does Vanguard somehow allow an account password change without a successful account sign-on? If so, how does this work? This would be an exceptionally grave vulnerability in their account security, if true.

Answers to these questions are important for a correct path forward.

At a minimum, your password should be randomized, unlike any other password you have, and no less than 20 characters long. More length is better.

Even so, we need more information for this to add up and to enable someone to make a solid diagnosis of what failed.

It’s also uncomfortable to consider, but could there be an insider with access to the username, password and SMS codes or Yubikey, who changed the password using the code or key?
Last edited by Diluted Waters on Thu Jan 23, 2025 11:48 pm, edited 2 times in total.
Mckerchie
Posts: 3
Joined: Fri Jan 03, 2025 7:35 pm

Re: first serious Vanguard account takeover attempt

Post by Mckerchie »

Hi Op, sorry to hear about this "near miss."

IIUC, it sounds like you believe the perps went through a "forgot password" workflow using PII that is available on the dark web.

It is smart that you had the Yubikey, I have similar setup. It sounds like this worked as intended to prevent a full account signon.

I have not tried this, but FWIW there is a web page at https://investor.vanguard.com/trust-security (click "Suspect Fraud") that repeats the instruction to call or email immediately, with a phone number and special email address. That page lists some specific steps including changing username.
Last edited by Mckerchie on Thu Jan 23, 2025 11:51 pm, edited 1 time in total.
PersonalFinanceJam
Posts: 1090
Joined: Tue Aug 24, 2021 8:32 am

Re: first serious Vanguard account takeover attempt

Post by PersonalFinanceJam »

Just looked at the password reset form for Vanguard. It’s all basic info that’s already publicly out there for most of us. Anyone can just jam the info in and reset someone’s password.

Is 2fa a requirement for Vanguard accounts? If not then I would think this is a serious vulnerability. It would be easy to create a system to just robotically spray this stuff into the form hoping to hit on accounts without 2fa to take them over.
clip651
Posts: 1827
Joined: Thu Oct 02, 2014 11:02 am

Re: first serious Vanguard account takeover attempt

Post by clip651 »

Is your username your email address or something else that's easy to guess? If so, consider changing your username to a random set of characters instead. I think having your username be something no one else knows (or could guess from public info) would reduce the risk a little, at least, since I think one at least needs a username to be requesting a password change on the website.
PersonalFinanceJam
Posts: 1090
Joined: Tue Aug 24, 2021 8:32 am

Re: first serious Vanguard account takeover attempt

Post by PersonalFinanceJam »

PersonalFinanceJam wrote: Thu Jan 23, 2025 11:46 pm Just looked at the password reset form for Vanguard. It’s all basic info that’s already publicly out there for most of us. Anyone can just jam the info in and reset someone’s password.

Is 2fa a requirement for Vanguard accounts? If not then I would think this is a serious vulnerability. It would be easy to create a system to just robotically spray this stuff into the form hoping to hit on accounts without 2fa to take them over.
Answering my own questions. 2fa is required. So an attacker can easily reset a password but would then need to use a sim swap or social engineering to get the second factor.
tibbitts
Posts: 26793
Joined: Tue Feb 27, 2007 5:50 pm

Re: first serious Vanguard account takeover attempt

Post by tibbitts »

clip651 wrote: Thu Jan 23, 2025 11:47 pm Is your username your email address or something else that's easy to guess? If so, consider changing your username to a random set of characters instead. I think having your username be something no one else knows (or could guess from public info) would reduce the risk a little, at least, since I think one at least needs a username to be requesting a password change on the website.
A couple of decades ago I'm pretty sure I changed a username at Vanguard and it was trivial to do so. I wanted to change my username again a year or two ago and it seemed like I would have basically had to create a new account, wait for days, and then re-establish everything including all my Yodlee configuration. So I gave up.
lazydavid
Posts: 5888
Joined: Wed Apr 06, 2016 1:37 pm

Re: first serious Vanguard account takeover attempt

Post by lazydavid »

Diluted Waters wrote: Thu Jan 23, 2025 11:31 pm Also, how might they have obtained your correct account password? And username?
By resetting it from whatever it was to something that they created. If they already had his prior password, he wouldn't have gotten password update notifications.
Mrbogleheads
Posts: 216
Joined: Sun Sep 22, 2024 8:22 am

Re: first serious Vanguard account takeover attempt

Post by Mrbogleheads »

PersonalFinanceJam wrote: Thu Jan 23, 2025 11:46 pm Just looked at the password reset form for Vanguard. It’s all basic info that’s already publicly out there for most of us. Anyone can just jam the info in and reset someone’s password.

Is 2fa a requirement for Vanguard accounts? If not then I would think this is a serious vulnerability. It would be easy to create a system to just robotically spray this stuff into the form hoping to hit on accounts without 2fa to take them over.
I need 2fa to log in, every time.
We hold these truths to be self-evident: all men and women are created, by the, you know the, you know the thing. 'JB'
rkhusky
Posts: 20748
Joined: Thu Aug 18, 2011 8:09 pm

Re: first serious Vanguard account takeover attempt

Post by rkhusky »

Mrbogleheads wrote: Fri Jan 24, 2025 6:50 am
PersonalFinanceJam wrote: Thu Jan 23, 2025 11:46 pm Just looked at the password reset form for Vanguard. It’s all basic info that’s already publicly out there for most of us. Anyone can just jam the info in and reset someone’s password.

Is 2fa a requirement for Vanguard accounts? If not then I would think this is a serious vulnerability. It would be easy to create a system to just robotically spray this stuff into the form hoping to hit on accounts without 2fa to take them over.
I need 2fa to log in, every time.
There is an option to bypass 2FA if the computer is recognized. Recognition involves a cookie on the computer and maybe a digital fingerprint.

I use semi-randomized usernames to help thwart these account denial attacks.
Last edited by rkhusky on Fri Jan 24, 2025 7:14 am, edited 2 times in total.
Mrbogleheads
Posts: 216
Joined: Sun Sep 22, 2024 8:22 am

Re: first serious Vanguard account takeover attempt

Post by Mrbogleheads »

rkhusky wrote: Fri Jan 24, 2025 7:11 am
Mrbogleheads wrote: Fri Jan 24, 2025 6:50 am

I need 2fa to log in, every time.
There is an option to bypass 2FA if the computer is recognized. Recognition involves a cookie and maybe a digital fingerprint.
Yes. But I leave it off because not logging in often.
We hold these truths to be self-evident: all men and women are created, by the, you know the, you know the thing. 'JB'
lazydavid
Posts: 5888
Joined: Wed Apr 06, 2016 1:37 pm

Re: first serious Vanguard account takeover attempt

Post by lazydavid »

rkhusky wrote: Fri Jan 24, 2025 7:11 am
Mrbogleheads wrote: Fri Jan 24, 2025 6:50 am

I need 2fa to log in, every time.
There is an option to bypass 2FA if the computer is recognized. Recognition involves a cookie on the computer and maybe a digital fingerprint.
That is still 2FA. "Something I have".
rjbraun
Posts: 2424
Joined: Sun Sep 09, 2012 8:22 pm

Re: first serious Vanguard account takeover attempt

Post by rjbraun »

tibbitts wrote: Fri Jan 24, 2025 12:08 am
clip651 wrote: Thu Jan 23, 2025 11:47 pm Is your username your email address or something else that's easy to guess? If so, consider changing your username to a random set of characters instead. I think having your username be something no one else knows (or could guess from public info) would reduce the risk a little, at least, since I think one at least needs a username to be requesting a password change on the website.
A couple of decades ago I'm pretty sure I changed a username at Vanguard and it was trivial to do so. I wanted to change my username again a year or two ago and it seemed like I would have basically had to create a new account, wait for days, and then re-establish everything including all my Yodlee configuration. So I gave up.
I tried to change my Vanguard username many years ago (at least 10 years ago, likely more, I think). My recollection is that Vanguard made it seem not so straightforward, as in I would need to speak with someone who would then do who knows what.

While I was motivated as my user name is more obvious than I would like, it seemed difficult and I gave up. And, fwiw, I didn't get the sense that Vanguard was necessarily supportive of my efforts. I kind of feel like if it was 'yes, absolutely, that is a prudent thing to do and we can help you to get it done', I think I would have proceeded.

In any case, if Vanguard has a process now to change one's user name, I would definitely appreciate knowing. Thanks.
Lastrun
Posts: 2117
Joined: Wed May 03, 2017 6:46 pm

Re: first serious Vanguard account takeover attempt

Post by Lastrun »

I understand the unique username information, but is it really that important of a factor?

I would assume that once you have the email address that will be enough to wreak havoc.

Stated differently, is there a difference in a takeover attempt on a forgotten password, or forgotten username? In my experience, both will just default to email.
rkhusky
Posts: 20748
Joined: Thu Aug 18, 2011 8:09 pm

Re: first serious Vanguard account takeover attempt

Post by rkhusky »

lazydavid wrote: Fri Jan 24, 2025 7:20 am
rkhusky wrote: Fri Jan 24, 2025 7:11 am
There is an option to bypass 2FA if the computer is recognized. Recognition involves a cookie on the computer and maybe a digital fingerprint.
That is still 2FA. "Something I have".
Could be, unless your computer/browser is set to automatically login with stored username/password.
User avatar
alpenglow
Posts: 2075
Joined: Tue May 31, 2011 12:02 pm

Re: first serious Vanguard account takeover attempt

Post by alpenglow »

The phone call barrage at the time of takeover is a good factor to be aware of. Thank you for sharing this. Good luck.
“The less I needed, the better I felt.” — Charles Bukowski
User avatar
Topic Author
vectorizer
Posts: 524
Joined: Sat Mar 03, 2007 2:52 pm

Re: first serious Vanguard account takeover attempt

Post by vectorizer »

OP here. Thanks everyone who took the time to read and respond. Clarifying a few points after sleeping and calming down:
  • This was definitely (AFAICT) a password reset attack. Did not involve exposure or use of my pre-attack password nor the email address I use with Vanguard exclusively.
  • A key part of the attempt was flooding me with foreign phone calls so I'd be distracted during the attack. That part worked, to my embarrassment.
  • The password reset process at Vanguard asks for ridiculously common leaked info like DOB and last-4-SSN. Anyone with modest skills at getting general leaked info (name+DOB+SSN) can easily change a Vanguard user's password if the username can be guessed (i.e. trying variations of the user's name or knowing usernames used by the victim on other websites). There is no Vanguard-exclusive information required, no real-time 2FA confirmation to complete the password change by an attacker.
  • The attacker was prevented from using the password created by the attacker by Yubikey and SMS 2nd factor. I've always been challenged at home for Yubikey 2FA authentication, so the attacker couldn't get past that. If they also controlled my phone they would have gotten in via SMS 2FA.
  • The fact that the password reset process is ridiculously easy allowed me to change the account password to a new one, even though I don't know the attacker's password. (FWIW, I always use a password manager program to generate long & random passwords.)
My working assumption is that my information was leaked from any number of seemingly-monthly massive breaches from other companies incompetently protecting our personal info. Among these were my name, DOB, and last-4-SSN. The attackers were able to make a guess of my username because it is a weak combo of my name. That's the key change I need to make to help prevent a similar attack in the future--I have to "change" my Vanguard username to something that's unguessable from any other info associated with me. At least that's my conclusion--thoughts?

As at least one of you mentioned, one does not simply log in to Vanguard and change one's username. You have to go through a de-registration process followed by registering for web access from scratch. I don't know if there's a money hold associated with that process, which is a concern given the withdrawals I need to pay expenses in retirement. Making it more difficult is that I'm currently away from home without my main computer and its Yubikey.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

Update: I see that you wrote while I was typing this that your username was derived from your name. What was your Vanguard username? Was it similar to an email address? If your gmail address is JohnQ@gmail.com then someone might assume your Vanguard login is JohnQ and start the password reset process. That's the first place to anonymize. I use a unique username that is not associated with any email or other online account. I use an English word followed by 5 numbers. I don't see a significant advantage to using random characters in this field and it is slightly easier to use something that I can easily type if I need to.

I think you are also writing that Vanguard did not require an SMS text, app notification, or email confirmation to complete the password change? I'd agree that is not good, and they should require that to do a password change online, or otherwise force a US mail PIN if someone does not have access to SMS, mobile app, or email. Password resets have to be done, but they are the Achilles heel of authentication. I think you are also writing that you do not believe the email account you had associated with the Vanguard account was compromised. The problem is that customers become irate, abusive to employees, and leave Vanguard if it isn't easy to reset a password. Tough problem to solve.

Vanguard now supports sign in authentication using their mobile app, which is probably more secure than SMS these days given breach of mobile phone carriers by a nation state. So that's a reason to have the mobile app protected by FaceID and maybe also PIN on your phone.
Last edited by stan1 on Fri Jan 24, 2025 10:25 am, edited 1 time in total.
Cletus Davenport
Posts: 164
Joined: Sat Dec 14, 2024 6:07 pm

Re: first serious Vanguard account takeover attempt

Post by Cletus Davenport »

Here’s a related thought exercise.

Suppose somebody successfully compromised my vanguard account? How would they get the money out, and how long would it take them?

From memory, it took me about a week to add a “fully linked” bank account. And during that time, I received both emails and paper mails to the house that this was happening. In an odd sort of way, I remember thinking this “slowness” was also beneficial in a “stealing my money” sort of way.

Can they quickly wire the money out before I got any emails?
prd1982
Posts: 1976
Joined: Sun Jan 08, 2017 3:43 pm

Re: first serious Vanguard account takeover attempt

Post by prd1982 »

I set up 2 Yubikeys and disabled SMS. I then tested “forgot password”. It let me reset the password without using the Yubikey. However, when I went to log on, I was required to use the key. So my account was protected. I give this a B+. This agrees with what a previous poster said. Also, the phone app (Android) would not let me log on, which is an improvement over earlier versions of the app.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

vectorizer wrote: Thu Jan 23, 2025 10:50 pm Good gosh Vanguard, why don't you have a 24-hour hotline for security issues??
I'm pretty sure they don't do this because people would call it for non-security reasons, such as the website being down or the website showing incorrect information that will settle the next business day.
User avatar
Watty
Posts: 30602
Joined: Wed Oct 10, 2007 3:55 pm

Re: first serious Vanguard account takeover attempt

Post by Watty »

vectorizer wrote: Thu Jan 23, 2025 10:50 pm Good gosh Vanguard, why don't you have a 24-hour hotline for security issues??
Vanguard not having 24 hour support for security problems is one of the reasons I left them.

It was a couple of years ago but I also called their 800 number during normal hours and as I recall it would have been about a 45 minute wait to talk to someone.
Cletus Davenport wrote: Fri Jan 24, 2025 10:25 am Suppose somebody successfully compromised my vanguard account? How would they get the money out, and how long would it take them?
One way which I have heard of is that they buy some obscure thinly traded penny stock for hundreds of dollars a share at the same time that they also offer that stock for sale from a different account in a different country where unwinding the transaction can take a long time and the money is long gone by then.
KneePartsPro
Posts: 862
Joined: Tue Dec 29, 2020 10:52 am

Re: first serious Vanguard account takeover attempt

Post by KneePartsPro »

vectorizer wrote: Fri Jan 24, 2025 10:09 am OP here. Thanks everyone who took the time to read and respond. Clarifying a few points after sleeping and calming down:
  • This was definitely (AFAICT) a password reset attack. Did not involve exposure or use of my pre-attack password nor the email address I use with Vanguard exclusively.
  • A key part of the attempt was flooding me with foreign phone calls so I'd be distracted during the attack. That part worked, to my embarrassment.
  • The password reset process at Vanguard asks for ridiculously common leaked info like DOB and last-4-SSN. Anyone with modest skills at getting general leaked info (name+DOB+SSN) can easily change a Vanguard user's password if the username can be guessed (i.e. trying variations of the user's name or knowing usernames used by the victim on other websites). There is no Vanguard-exclusive information required, no real-time 2FA confirmation to complete the password change by an attacker.
  • The attacker was prevented from using the password created by the attacker by Yubikey and SMS 2nd factor. I've always been challenged at home for Yubikey 2FA authentication, so the attacker couldn't get past that. If they also controlled my phone they would have gotten in via SMS 2FA.
  • The fact that the password reset process is ridiculously easy allowed me to change the account password to a new one, even though I don't know the attacker's password. (FWIW, I always use a password manager program to generate long & random passwords.)
My working assumption is that my information was leaked from any number of seemingly-monthly massive breaches from other companies incompetently protecting our personal info. Among these were my name, DOB, and last-4-SSN. The attackers were able to make a guess of my username because it is a weak combo of my name. That's the key change I need to make to help prevent a similar attack in the future--I have to "change" my Vanguard username to something that's unguessable from any other info associated with me. At least that's my conclusion--thoughts?

As at least one of you mentioned, one does not simply log in to Vanguard and change one's username. You have to go through a de-registration process followed by registering for web access from scratch. I don't know if there's a money hold associated with that process, which is a concern given the withdrawals I need to pay expenses in retirement. Making it more difficult is that I'm currently away from home without my main computer and its Yubikey.
Thank you very much for posting this experience in detail as well as posting your clarifying points after sleeping on it. Your doing so enables everyone here not only to better understand how these things happen but also to scrutinize and improve upon our individual account security. I'm glad you were able to thwart this fraud and wish you the very best in working through the resulting inconveniences.
Ask me anything about the artificial knees used in knee replacement. Tell me everything about investing.
User avatar
warner25
Posts: 1296
Joined: Wed Oct 29, 2014 4:38 pm

Re: first serious Vanguard account takeover attempt

Post by warner25 »

prd1982 wrote: Fri Jan 24, 2025 10:30 am I set up 2 Yubikeys and disabled SMS. I then tested “forgot password”. It let me reset the password without using the Yubikey. However, when I went to log on, I was required to use the key. So my account was protected. I give this a B+. This agrees with what a previous poster said.
Thanks for sharing. I was getting ready to try to reproduce or confirm what the OP described for myself. I am surprised that this is the "forgot password" flow, but I agree that it's not an attack in itself (it's just part of a more complex social engineering attack).

Can anyone here describe the "forgot password" flow at Fidelity or another competitor for comparison?
Cletus Davenport wrote: Fri Jan 24, 2025 10:25 am From memory, it took me about a week to add a “fully linked” bank account. And during that time, I received both emails and paper mails to the house that this was happening. In an odd sort of way, I remember thinking this “slowness” was also beneficial in a “stealing my money” sort of way.
Yes, my past experience with Vanguard is that a password change or any account profile change would be followed up with a paper letter notifying me of the change, and typically a hold on any transactions for a week or so.

I actually changed my Vanguard username to a long random string many years ago, thinking this was a good idea for security. Later (but still years ago) I decided to change it back to something I could remember, but found that another change would require notarizing and mailing some paperwork, so I didn't bother.
User avatar
MoneyIsTime
Posts: 165
Joined: Tue Jan 23, 2024 6:11 pm
Location: Wisconsin

Re: first serious Vanguard account takeover attempt

Post by MoneyIsTime »

OP-
Thanks for the update, that helps the context. Agreed, it appears your username being a routine combo of your real name is the weak link, coupled with the WAY too easy password reset method by Vang made it so the attacker could do that.

I agree, Vang should have a 24/7 telephone contact for such hacking type emergencies. Also, their password reset process should be way less trivial.

Other than complaining to Vang about their reset process, not sure I see a great option in such a situation. Ugh!
JD2775
Posts: 1541
Joined: Thu Jul 09, 2015 10:47 pm

Re: first serious Vanguard account takeover attempt

Post by JD2775 »

Wait, so to change a password on Vanguard all you need is your DOB and last 4 of SSN? They don't even email you a password reset link, or even send an SMS?

What is the point of setting up a strong password if that's the case? All the hacker needs is your DOB and SSN to reset it.

Crazy
PersonalFinanceJam
Posts: 1090
Joined: Tue Aug 24, 2021 8:32 am

Re: first serious Vanguard account takeover attempt

Post by PersonalFinanceJam »

warner25 wrote: Fri Jan 24, 2025 11:40 am Can anyone here describe the "forgot password" flow at Fidelity or another competitor for comparison?
The below post from 2022 went through some processes but it's not entirely clear if the poster was always describing the process to reset the password or recover a user ID. Based on the poster's description in the 2022 thread it seems like Vanguard would require access to the phone # for a verification code before resetting the password. However, the OP in this thread is seemingly saying that might not be true. It's hard to understand.

viewtopic.php?t=385253

I'll leave any further testing to someone else. I'm not going to risk angering the Schwab or Fidelity security gods by testing their password reset process unless I really need to.
Rocinante Rider
Posts: 1276
Joined: Fri Aug 19, 2022 12:52 pm

Re: first serious Vanguard account takeover attempt

Post by Rocinante Rider »

JD2775 wrote: Fri Jan 24, 2025 12:04 pm Wait, so to change a password on Vanguard all you need is your DOB and last 4 of SSN? They don't even email you a password reset link, or even send an SMS?

What is the point of setting up a strong password if that's the case? All the hacker needs is your DOB and SSN to reset it.

Crazy
It sounds like they'd also need your username. Even then, it appears that although they could change your password they still could not access your account without your 2nd factor authentication.

Nevertheless, I agree that being able to change your password with only your username, name, DOB, and SSN without needing a password reset link sent to your registered email address is a problem.

The take-home message for me is that having a unique and strong username is also important.
Warren
Posts: 27
Joined: Fri Jan 21, 2022 10:28 am

Re: first serious Vanguard account takeover attempt

Post by Warren »

Thank you for sharing your scary story. Most who have read it will benefit from your stressful experience, and will probably think about what to do to avert a similar scenario. Very beneficial for all.
rkhusky
Posts: 20748
Joined: Thu Aug 18, 2011 8:09 pm

Re: first serious Vanguard account takeover attempt

Post by rkhusky »

Rocinante Rider wrote: Fri Jan 24, 2025 12:21 pm
JD2775 wrote: Fri Jan 24, 2025 12:04 pm Wait, so to change a password on Vanguard all you need is your DOB and last 4 of SSN? They don't even email you a password reset link, or even send an SMS?

What is the point of setting up a strong password if that's the case? All the hacker needs is your DOB and SSN to reset it.

Crazy
It sounds like they'd also need your username. Even then, it appears that although they could change your password they still could not access your account without your 2nd factor authentication.

Nevertheless, I agree that being able to change your password with only your username, name, DOB, and SSN without needing a password reset link sent to your registered email address is a problem.

The take-home message for me is that having a unique and strong username is also important.
To create a denial of service, all anyone needs is your username and to try to log in multiple times with the wrong password. That will get you locked out.
Last edited by rkhusky on Fri Jan 24, 2025 12:25 pm, edited 1 time in total.
Weathering
Posts: 973
Joined: Sun Oct 15, 2017 4:20 pm

Re: first serious Vanguard account takeover attempt

Post by Weathering »

I haven't seen this mentioned in the thread, so I'll toss it in.
The phone calls may have been an attempt to get the SMS code and thereby complete the breach. For example if you had answered the call a voice may have said, "This is Vanguard calling because of a security incident on your account. A passcode is being sent to your phone to verify your identity. Please read me the code to proceed."
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

Regarding user name changes, every other financial institution I use (Fidelity, Chase, Bank of America, Cap One, Discover, etc.) allowed me to change the user name online. Only Vanguard requires a phone call to do this. Rather than changing the username they disestablish online access and you have to re-enable it with your new username as if you were a new customer. At the time I did it (around 2023) I did not require a US mail PIN. They did send a US mail confirmation.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

Weathering wrote: Fri Jan 24, 2025 12:25 pm I haven't seen this mentioned in the thread, so I'll toss it in.
The phone calls may have been an attempt to get the SMS code and thereby complete the breach. For example if you had answered the call a voice may have said, "This is Vanguard calling because of a security incident on your account. A passcode is being sent to your phone to verify your identity. Please read me the code to proceed."
Great explanation, and almost certainly correct.
prd1982
Posts: 1976
Joined: Sun Jan 08, 2017 3:43 pm

Re: first serious Vanguard account takeover attempt

Post by prd1982 »

JD2775 wrote: Fri Jan 24, 2025 12:04 pm Wait, so to change a password on Vanguard all you need is your DOB and last 4 of SSN? They don't even email you a password reset link, or even send an SMS?

What is the point of setting up a strong password if that's the case? All the hacker needs is your DOB and SSN to reset it.

Crazy
I have 2 Yubikeys and no SMS for login. I just tried the forgot password / userid flow. I had to enter my name, DOB, last 4 characters of my SSN and my zip code. VG then told me my userid. If I didn't know my password, it would send me a temp password to my email address of record. I stopped at that point. Based on previous testing, I could use the temp password to change my password without using the Yubikey. However, after changing my password, I had to log on again. At that point, I needed to use the Yubikey. So my account was protected.
rkhusky
Posts: 20748
Joined: Thu Aug 18, 2011 8:09 pm

Re: first serious Vanguard account takeover attempt

Post by rkhusky »

Watty wrote: Fri Jan 24, 2025 10:39 am One way which I have heard of is that they buy some obscure thinly traded penny stock for hundreds of dollars a share at the same time that they also offer that stock for sale from a different account in a different country where unwinding the transaction can take a long time and the money is long gone by then.
Has that ever happened with any of the big US brokerages or is it just a theoretical idea?
Rocinante Rider
Posts: 1276
Joined: Fri Aug 19, 2022 12:52 pm

Re: first serious Vanguard account takeover attempt

Post by Rocinante Rider »

PersonalFinanceJam wrote: Fri Jan 24, 2025 12:20 pm
warner25 wrote: Fri Jan 24, 2025 11:40 am Can anyone here describe the "forgot password" flow at Fidelity or another competitor for comparison?
The below post from 2022 went through some processes but it's not entirely clear if the poster was always describing the process to reset the password or recover a user ID. Based on the poster's description in the 2022 thread it seems like Vanguard would require access to the phone # for a verification code before resetting the password. However, the OP in this thread is seemingly saying that might not be true. It's hard to understand.

viewtopic.php?t=385253

I'll leave any further testing to someone else. I'm not going to risk angering the Schwab or Fidelity security gods by testing their password reset process unless I really need to.
I don't know about Fidelity retail accounts, but Fidelity NetBenefits accounts can be easily accessed knowing only your name and SSN. A fraudster does not need to have your username, password, or 2fa device to completely take over control of a NetBenefits account.
PersonalFinanceJam
Posts: 1090
Joined: Tue Aug 24, 2021 8:32 am

Re: first serious Vanguard account takeover attempt

Post by PersonalFinanceJam »

Weathering wrote: Fri Jan 24, 2025 12:25 pm I haven't seen this mentioned in the thread, so I'll toss it in.
The phone calls may have been an attempt to get the SMS code and thereby complete the breach. For example if you had answered the call a voice may have said, "This is Vanguard calling because of a security incident on your account. A passcode is being sent to your phone to verify your identity. Please read me the code to proceed."
That's my thinking too. There are reports of more sophisticated attackers doing such things but spoofing the caller ID of the financial institution to make it seem more legitimate. Lots of reports out there about people falling for these scams because "the bank called and needed the info." With something like a brokerage account your immediate threat even with an account take over is probably small. It takes time for an attacker to actually be able to move money in most cases. Unfortunately, it seems like some people will fall for these types of scams and then let the attacker string them along for days. Not the OP of course so good on them but we've had discussions here about various news articles where that happened with other financial institutions.
JD2775
Posts: 1541
Joined: Thu Jul 09, 2015 10:47 pm

Re: first serious Vanguard account takeover attempt

Post by JD2775 »

I just turned on "SIM Protection" via Verizon app. Didn't know that was a thing, but maybe that will help with SIM swapping. Or not, who knows. Since I don't have a Yubikey I use SMS with Vanguard, for now anyway.
Last edited by JD2775 on Fri Jan 24, 2025 12:40 pm, edited 2 times in total.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

From Vanguard website on changing username:
Change username
If you need to change your username, give us a call at 877-662-7447 to reregister. We're available Monday through Friday, 8 a.m. to 8 p.m., Eastern time. For individuals with speech or hearing limitations, please utilize relay service, video relay service, and/or 711 to call us. For your security, reregistration will initiate a seven day hold on certain web transactions.
warner25
Posts: 1296
Joined: Wed Oct 29, 2014 4:38 pm

Re: first serious Vanguard account takeover attempt

Post by warner25 »

PersonalFinanceJam wrote: Fri Jan 24, 2025 12:20 pm
warner25 wrote: Fri Jan 24, 2025 11:40 am Can anyone here describe the "forgot password" flow at Fidelity or another competitor for comparison?
The below post from 2022 went through some processes but it's not entirely clear if the poster was always describing the process to reset the password or recover a user ID... viewtopic.php?t=385253
Great find, and a great write up by VictorStarr, thank you. So it seems that not much would be gained here by moving to another brokerage.
PersonalFinanceJam wrote: Fri Jan 24, 2025 12:20 pm Based on the poster's description in the 2022 thread it seems like Vanguard would require access to the phone # for a verification code before resetting the password. However, the OP in this thread is seemingly saying that might not be true. It's hard to understand.
Yes, there's a subtle difference; maybe this has changed since 2022. VictorStarr said that the password change couldn't be completed without the 2FA, whereas now it can. However, the 2FA is ultimately still needed to login, so an attacker doesn't gain much by completing a password change without it.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

JD2775 wrote: Fri Jan 24, 2025 12:38 pm I just turned on "SMS Protection" via Verizon app. Didn't know that was a thing, but maybe that will help with SIM swapping. Or not, who knows. Since I don't have a Yubikey, I use SMS with Verizon, for now anyway.
It probably is "more secure" to use the Vanguard mobile app for authentication with FaceID enabled or equivalent on Android. This is a newly enabled feature at Vanguard within the last few weeks. Fidelity has had it for 1-2 years.
Last edited by stan1 on Fri Jan 24, 2025 12:43 pm, edited 1 time in total.
Rocinante Rider
Posts: 1276
Joined: Fri Aug 19, 2022 12:52 pm

Re: first serious Vanguard account takeover attempt

Post by Rocinante Rider »

prd1982 wrote: Fri Jan 24, 2025 12:31 pm just tried the forgot password / userid flow. I had to enter my name, DOB, last 4 characters of my SSN and my zip code. VG then told me my userid.
Did VG tell you your username by sending you a message to your registered email address or sending you a text message to your registered device, or did VG simply reveal your username to you on-line?
JD2775
Posts: 1541
Joined: Thu Jul 09, 2015 10:47 pm

Re: first serious Vanguard account takeover attempt

Post by JD2775 »

stan1 wrote: Fri Jan 24, 2025 12:42 pm
JD2775 wrote: Fri Jan 24, 2025 12:38 pm I just turned on "SMS Protection" via Verizon app. Didn't know that was a thing, but maybe that will help with SIM swapping. Or not, who knows. Since I don't have a Yubikey, I use SMS with Verizon, for now anyway.
It probably is "more secure" to use the Vanguard mobile app for authentication with FaceID enabled or equivalent on Android.
FaceID on Vanguard app acts as the 2FA piece? Didn't know that. I'll enable that if so.
stan1
Posts: 16184
Joined: Mon Oct 08, 2007 4:35 pm

Re: first serious Vanguard account takeover attempt

Post by stan1 »

JD2775 wrote: Fri Jan 24, 2025 12:43 pm
stan1 wrote: Fri Jan 24, 2025 12:42 pm

It probably is "more secure" to use the Vanguard mobile app for authentication with FaceID enabled or equivalent on Android.
FaceID on Vanguard app acts as the 2FA piece? Didn't know that. I'll enable that if so.
Yes, they just enabled it a few weeks ago. Fidelity has had it for years.
prd1982
Posts: 1976
Joined: Sun Jan 08, 2017 3:43 pm

Re: first serious Vanguard account takeover attempt

Post by prd1982 »

Rocinante Rider wrote: Fri Jan 24, 2025 12:42 pm
prd1982 wrote: Fri Jan 24, 2025 12:31 pm just tried the forgot password / userid flow. I had to enter my name, DOB, last 4 characters of my SSN and my zip code. VG then told me my userid.
Did VG tell you your username by sending you a message to your registered email address or sending you a text message to your registered device, or did VG simply reveal your username to you on-line?
It showed me the userid on the web page. I realize some folks will not like this. However, I don't focus on hiding my userid.
warner25
Posts: 1296
Joined: Wed Oct 29, 2014 4:38 pm

Re: first serious Vanguard account takeover attempt

Post by warner25 »

prd1982 wrote: Fri Jan 24, 2025 12:31 pm I have 2 Yubikeys and no SMS for login. I just tried the forgot password / userid flow. I had to enter my name, DOB, last 4 characters of my SSN and my zip code. VG then told me my userid. If I didn't know my password, it would send me a temp password to my email address of record. I stopped at that point. Based on previous testing, I could use the temp password to change my password without using the Yubikey. However, after changing my password, I had to log on again. At that point, I needed to use the Yubikey. So my account was protected.
Wait, in your previous post you didn't mention the temp password being sent to email. That's a significant detail. This would imply that the OP's email had to be compromised for someone else to complete a password change. Edited to add: Or the attacker already had the OP's password? But then how did they bypass the 2FA to login and change it? Something still doesn't add up.
JD2775
Posts: 1541
Joined: Thu Jul 09, 2015 10:47 pm

Re: first serious Vanguard account takeover attempt

Post by JD2775 »

warner25 wrote: Fri Jan 24, 2025 12:48 pm
prd1982 wrote: Fri Jan 24, 2025 12:31 pm I have 2 Yubikeys and no SMS for login. I just tried the forgot password / userid flow. I had to enter my name, DOB, last 4 characters of my SSN and my zip code. VG then told me my userid. If I didn't know my password, it would send me a temp password to my email address of record. I stopped at that point. Based on previous testing, I could use the temp password to change my password without using the Yubikey. However, after changing my password, I had to log on again. At that point, I needed to use the Yubikey. So my account was protected.
Wait, in your previous post you didn't mention the temp password being sent to email. That's a significant detail. This would imply that the OP's email had to be compromised for someone else to complete a password change. Edited to add: Or the attacker already had the OP's password? But then how did they bypass the 2FA to login and change it? Something still doesn't add up.
Umm yea, that is a big detail. Hopefully OP can confirm.