Had a few panicked hours this evening when I had my first experience with a serious attempt by an attacker to log in to my accounts. Vanguard customer for at least 25 years, FWIW. I'll describe what I saw, then ask for advice.
To Vanguard's credit, I got a password change notification by text and email, followed a minute later by two text messages with 6-digit codes. Looking at the raw text of the email, it looked legit. What made this attack effective (against me at least) was that at the time of the notifications, I was getting phone calls from European numbers about every 5 or so seconds. I was so focused on trying to reduce the phone call barrage that I missed the notifications. No way that was a coincidence.
I could quiet the calls somewhat by setting the iPhone to not ring for unknown numbers (a setting I had explicitly turned off a year ago because of needing to answer important medical calls), though I still got distracting phone notifications for every call. That's when I noticed and could concentrate on the password change notification from Vanguard. The text of the password-change notification was infuriating: Vanguard says I should call immediately if I didn't change my password--only it was after 8pm, so I couldn't do the most logical thing first. (I did try to call despite knowing this and got a "call back during business hours" message.) Good gosh Vanguard, why don't you have a 24-hour hotline for security issues??
I have a Yubikey 2nd factor, but I'm away from home and didn't take one of them with me because I thought that was safer since I didn't need to execute transactions. Won't leave home without it after this! I had my wonderful daughter drive to our home to attempt to log in. She couldn't get past the username/password step, so that confirmed my password was indeed changed by the attacker. So, we went through the "forgot password" online process, which needed only easy-to-obtain information which (if I remember) was last four of SSN and birthdate. No account number, no recent transactions or balances, nothing that only I should know as a Vanguard customer. This was so disappointing, but at least I was able to change my password back from whatever the attacker put in.
My daughter was able to log in with the new password and by touching the Yubikey. Then she verified that personal info like address and phone number was not changed, and that there were no new or in-process bank changes.
In retrospect, I think the attackers:
- Started the phone call barrage
- Changed my password using easily obtained leaked personal info
- Got the Yubikey challenge
- Asked for an SMS code (twice) instead of Yubikey
- I got the SMS codes but of course didn't respond
- The phone call barrage stopped as suddenly as it started
Throughout the multiple password change events, I could continue to access my accounts via the Vanguard iPhone app with "Face ID". Not sure if that's good or bad.
If you've read this far, thanks. Now I'm not sure what to do tomorrow when Vanguard phones open again at 8am. Given my experiences the few times I've called the last couple of years, I don't have confidence that whoever I talk to will have good suggestions either. I'm thinking maybe I should re-register to change my username? What else can I do? One problem with any change that involves a delay in access is that I'm in my "distribution" retirement phase, so I need to make withdrawals from Vanguard regularly to pay bills.
Thanks in advance for your suggestions.