Vanguard's fraud policy

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
User avatar
Topic Author
Oicuryy
Posts: 1429
Joined: Thu Feb 22, 2007 10:29 pm

Vanguard's fraud policy

Post by Oicuryy » Thu May 13, 2010 10:54 pm

Here is a quote from a Vanguard prospectus.
Responsibility for Fraud
Vanguard will not be responsible for any account losses because of fraud if we reasonably believe that the person transacting business on an account is authorized to do so. Please take precautions to protect yourself from fraud. Keep your account information private, and immediately review any account statements that we provide to you. It is important that you contact Vanguard immediately about any transactions or changes to your account that you believe to be unauthorized.
If your Vanguard account is stolen you will have to prove that Vanguard's belief was not reasonable.

Ron
Money is fungible | Abbreviations and Acronyms

mhalley
Posts: 8311
Joined: Tue Nov 20, 2007 6:02 am

Post by mhalley » Thu May 13, 2010 11:03 pm

After reading the thread about the stolen Vanguard funds, I decided it was high time I perused their security policy. I am sure I must have done so when I first opened my accounts years ago, but a refresher on such an important topic is never out of line.
https://personal.vanguard.com/us/help/S ... ontent.jsp
Mike
How many people would like to see an Authenticator for their accounts?
For those that don't know, an Authenticator is either a program (such as iphone or android app) or a small device that is tied to your account that creates a unique pin every 60 seconds or so. Link to the Etrade one:
https://us.etrade.com/e/t/jumppage/view ... reid_enter
Mike

User avatar
HoldenCaulfield
Posts: 18
Joined: Thu May 13, 2010 9:45 pm
Location: Philly

Post by HoldenCaulfield » Thu May 13, 2010 11:05 pm

You will find the same language in the 'Terms and Conditions' for Vanguard's website.

Basically it amounts to: "We can't stop you from sharing your personal information and passwords with other people - we strongly recommend that you don't share either. PS - Review the mail we send you". Sounds pretty reasonable.

There is a tiny blue link at the bottom of most pages (including the opening page) that says 'Security Center' - it has a lot of good info.

Bobalude
Posts: 207
Joined: Sun Feb 28, 2010 12:43 am

Post by Bobalude » Thu May 13, 2010 11:25 pm

All finance firms have risk management controls in place to minimize liability and loss.

Common ones I've seen are as mentioned in that recent post by someone claiming fraud... Address changes result in mail to the old address and restrictions on checks being mailed to the new location. Adding electronic bank information for withdrawals results in a piece of snail mail to the address and a restriction for a period of time before money can be deposited to the bank (time for you to get snail mail notification). Signature guarantee requirements for things that are out of the ordinary.

Finance firms have a common interest to protect your account and themselves.

What I see are clients who do not do their due diligence with reading mail that comes in, account change statements, quarterly statements, transaction confirms, etc.... and cry foul later to fully blame the finance firm for their losses.
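The controls Bobalude lists (a hold after a new bank link, a hold on checks to a freshly changed address, and the signature-guarantee freeze bluemonday describes later in the thread) are authorization rules applied at withdrawal time. The following is an added toy model of such a rule set, written for this thread; it is not Vanguard's or any other firm's code, and every threshold, field name and sample account in it is an assumption made for illustration.

```python
"""Toy model of withdrawal risk controls of the kind described in the thread.
Added example, not any firm's real rule set; the hold periods and the
sample account below are assumed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NEW_BANK_HOLD = timedelta(days=10)   # assumed wait after linking a bank account
ADDRESS_HOLD = timedelta(days=30)    # assumed hold on checks to a new address


@dataclass
class Account:
    address_changed: date                           # date of last address change
    bank_links: Dict[str, date] = field(default_factory=dict)  # bank id -> date linked
    withdrawal_freeze: bool = False                 # lifted only by signature-guaranteed letter


@dataclass
class Withdrawal:
    amount: float
    method: str                      # "eft" (to a linked bank) or "check" (to address on file)
    bank_id: Optional[str] = None    # required for "eft"


def evaluate(acct: Account, w: Withdrawal, today: date) -> List[str]:
    """Return the list of reasons the withdrawal must be held; empty means approved.
    The freeze is checked first and applies to every destination, including
    banks that were linked long ago, so a frozen account cannot move money
    anywhere without the out-of-band letter."""
    reasons: List[str] = []
    if acct.withdrawal_freeze:
        reasons.append("account frozen: signature-guaranteed letter required")

    if w.method == "eft":
        linked_on = acct.bank_links.get(w.bank_id)
        if linked_on is None:
            reasons.append("destination bank not on file")
        elif today - linked_on < NEW_BANK_HOLD:
            # mail notification of the new link has not had time to reach the client
            reasons.append(f"bank link younger than {NEW_BANK_HOLD.days} days")
    elif w.method == "check":
        if today - acct.address_changed < ADDRESS_HOLD:
            # a check to a just-changed address is the classic takeover payout
            reasons.append("address changed recently; check to new address held")
    else:
        reasons.append(f"unknown withdrawal method {w.method!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: one old bank link, one linked four days ago, address changed 13 days ago.
    today = date(2010, 5, 14)
    acct = Account(address_changed=date(2010, 5, 1),
                   bank_links={"bank-old": date(2010, 1, 15), "bank-new": date(2010, 5, 10)})
    for w in (Withdrawal(1000, "eft", "bank-old"),
              Withdrawal(1000, "eft", "bank-new"),
              Withdrawal(1000, "check")):
        print(w, "->", evaluate(acct, w, today) or "approved")
    acct.withdrawal_freeze = True
    print("frozen, to old bank ->", evaluate(acct, Withdrawal(1000, "eft", "bank-old"), today))
```

The point of checking the freeze before anything else is the one tc101 and bluemonday argue about below: a freeze that only gates new destinations, but not transfers to an already-linked bank, is not a freeze on withdrawals at all.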

User avatar
Prokofiev
Posts: 1043
Joined: Mon Feb 19, 2007 9:45 pm
Location: New Orleans

Post by Prokofiev » Fri May 14, 2010 12:40 am

Just tried to Log-In to my account. Sez "Data Not Available", but then shows "Your account balance =$0".

Now I assume the site is undergoing maintenance, but WHY would they even dream of telling you that your account balance was $0 if no data was available? That is very poor bedside manners - unless it really is zero?

Just what I wanted to see after reading the other - probably bogus thread on stealing from a VG account. Go figure . . .


EDIT: 30 minutes later and now the money is back. An unavailable account balance should not show as $0! Just say "Unavailable".
Everything should be made as simple as possible, but not simpler - Einstein

MWCA
Posts: 2820
Joined: Fri Nov 30, 2007 4:21 pm
Location: A wonderful place

Post by MWCA » Fri May 14, 2010 1:33 am

Prokofiev wrote:Just tried to Log-In to my account. Sez "Data Not Available", but then shows "Your account balance =$0".

Now I assume the site is undergoing maintenance, but WHY would they even dream of telling you that your account balance was $0 if no data was available? That is very poor bedside manners - unless it really is zero?

Just what I wanted to see after reading the other - probably bogus thread on stealing from a VG account. Go figure . . .


EDIT: 30 minutes later and now the money is back. An unavailable account balance should not show as $0! Just say "Unavailable".
Did you send them this complaint in some form of feedback to VG?
We are all worms. But I believe that I am a glow-worm.

User avatar
at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore
Contact:

Post by at » Fri May 14, 2010 5:22 am

mhalley wrote: How many people would like to see an Authenticator for their accounts?
For those that don't know, an Authenticator is either a program (such as iphone or android app) or a small device that is tied to your account that creates a unique pin every 60 seconds or so. Link to the Etrade one:
https://us.etrade.com/e/t/jumppage/view ... reid_enter
Mike
Yes, this security device plus the fact that it has an office in my hometown is what drew me to have an account with etrade. Now that free trades are a common deal, my guess is etrade will follow shortly or it will lose a major part of its client base. The world has never been the same since WellsTrade and Zecco fired off this marketing gimmick.

User avatar
modal
Posts: 1243
Joined: Tue Feb 20, 2007 3:57 pm
Location: USA

Post by modal » Fri May 14, 2010 8:08 am

I wish Vanguard offered a security token with a one-time pass sequence in addition to a password.

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Post by The Wizard » Fri May 14, 2010 8:39 am

When I login to my employer's website from away, and access my work PC via Remote Desktop, I have to supply the 6-digit # from an RSA authenticator similar to the ETrade one, along with conventional passwords, of course.
So yes, this makes it "impossible" for anyone else to login to that site as me.

The question arises: are there ANY reported instances of fraudulent online access to someone's personal VG account with the present level of security?
Any first-hand or even 2nd-hand stories to relate?
If not, then maybe things are "OK"?

Sidney
Posts: 6749
Joined: Thu Mar 08, 2007 6:06 pm

Post by Sidney » Fri May 14, 2010 8:48 am

mhalley wrote:After reading the thread about the stolen Vanguard funds, I decided it was high time I perused their security policy. I am sure I must have done so when I first opened my accounts years ago, but a refresher on such an important topic is never out of line.
https://personal.vanguard.com/us/help/S ... ontent.jsp
Mike
How many people would like to see an Authenticator for their accounts?
For those that don't know, an Authenticator is either a program (such as iphone or android app) or a small device that is tied to your account that creates a unique pin every 60 seconds or so. Link to the Etrade one:
https://us.etrade.com/e/t/jumppage/view ... reid_enter
Mike
Why not create a poll and send the results to VG.
I always wanted to be a procrastinator.

jbdiver
Posts: 128
Joined: Wed Feb 24, 2010 12:58 pm

Post by jbdiver » Fri May 14, 2010 8:50 am

The Wizard wrote:When I login to my employer's website from away, and access my work PC via Remote Desktop, I have to supply the 6-digit # from an RSA authenticator similar to the ETrade one, along with conventional passwords, of course.
So yes, this makes it "impossible" for anyone else to login to that site as me.
It is possible to proxy this type of access in such a way that your access is stolen. There are trojans out there that can proxy two-factor authentication mechanisms used by financial institutions. If someone gains access to your system then that little key fob isn't going to do much good.

I'm not saying the two factor authentication is worthless. I use it. It's just one part of the security layer.

User avatar
at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore
Contact:

Post by at » Fri May 14, 2010 10:54 am

Hi jbdiver,

I understand what you mean - no system is foolproof. But, I like more layers of security protection rather than less. Having an access security token makes breaking into an account much harder than just installing a plain vanilla keyboard logger. Breaking a token is seldom heard of compared to username/password-pair security.

bluemonday
Posts: 263
Joined: Fri Dec 05, 2008 10:26 pm

Post by bluemonday » Fri May 14, 2010 10:58 am

This probably won't help those who need to regularly take money out of Vanguard, but you can place a security freeze on withdrawals from VG that can only be lifted by sending VG a bank verified signature guarantee letter (can be overnighted if necessary, and VG expedites the processing). I've done this since I rarely need to take out funds (home purchase being one example), it works fine, and lets me transact all other business on their website. So, the worst that could happen is someone hacks my account and shuffles money around, irksome, but not fatal. For me the extra peace of mind is worth the minor hassle.

User avatar
Lbill
Posts: 4997
Joined: Thu Mar 13, 2008 11:25 pm
Location: Somewhere between Up and Down

Post by Lbill » Fri May 14, 2010 11:06 am

bluemonday - if you have multiple accounts at Vanguard do you know if you can put a withdrawal freeze just on designated accounts? I will need to start RMD withdrawals from my IRA soon, but have a Roth that I would like to freeze.
"Life can only be understood backward; but it must be lived forward." ~ Søren Kierkegaard | | "You can't connect the dots looking forward; but only by looking backwards." ~ Steve Jobs

Path
Posts: 76
Joined: Fri Feb 20, 2009 12:23 am

Post by Path » Fri May 14, 2010 11:14 am

WellsFargo and some other institutions have an explicit Guarantee.

From WellsFargo site "https://www.wellsfargo.com/privacy_secu ... /guarantee"
"Our Guarantee
We guarantee that you will be covered for 100% of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services....We will respond to you within 10 business days after we receive your claim."


Does anyone know if VG has any such guarantee?

We spend so much time in diversifying portfolio across different asset class. I guess it is better to apply the same diversification concept across different brokerage... especially if VG does not have explicit guarantee for online fraud.

EyeDee
Posts: 1337
Joined: Tue Feb 20, 2007 12:15 am

Vanguard Online Fraud Policy

Post by EyeDee » Fri May 14, 2010 1:25 pm

.
Path,

See the Vanguard's online fraud policy link at the link provided by Mike (MHalley) above:

https://personal.vanguard.com/us/help/S ... ontent.jsp

"Vanguard's online fraud policy

Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on Vanguard.com®—and you've followed the steps described in the Your responsibilities section below—we will reimburse the assets taken from your account in the unauthorized transaction.

By working together, we can help maximize the safety of your accounts and your personal information.

Your responsibilities

At a minimum, in order for this protection to apply, you must take the following steps:

Review your accounts regularly.

* Check your account frequently. Promptly and completely review all information we send you.
* Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Vanguard immediately.

Protect your Vanguard.com user name, password, and other account-related information.

* Make sure your user name, password, and answers to your security questions are unique and strong.
* Never share your user name, password, or other account-related information with anyone.
* Never store your user name, password, or answers to security questions in your browser.
* Clear any temporarily . . .

Protect your computer.

* Make certain that . . .

Do not reply to e-mail requests for personal or financial information.

* Do not . . .

Cooperate with us and stay informed.

* Cooperate . . .

As an added precaution, . . .

Details regarding this protection: This protection applies only to the following types of Vanguard® accounts: Vanguard nonretirement mutual fund accounts; Vanguard individual retirement accounts (IRAs); accounts maintained with Vanguard Brokerage Services®, a division of Vanguard Marketing Corporation; and participant accounts in retirement plans for which Vanguard provides recordkeeping and administrative services. Accordingly, this protection does not apply to annuities or to 529 college savings plan accounts.

This protection does not apply to unauthorized activity caused in whole or in part by your fraudulent, intentional, or negligent acts or omissions, including . . .

Vanguard will determine . . .

Vanguard may seek restitution . . . "
Randy

WannaBeMiniDave
Posts: 53
Joined: Sat Apr 10, 2010 4:29 pm

Post by WannaBeMiniDave » Fri May 14, 2010 1:31 pm

I don't know if Vanguard does this or not (I don't have an account there). But any institution that doesn't have an RSA token (or equivalent) is just stupid. They're cheap, last for years, and usually the "user" like ourselves would be more than happy to cover the cost.

User avatar
Opponent Process
Posts: 5157
Joined: Tue Sep 18, 2007 9:19 pm

Post by Opponent Process » Fri May 14, 2010 1:33 pm

unfortunately Vanguard does not have an explicit guarantee. if they did, I'd have all my money there. they have a conditional guarantee, so it would depend on what transpired.
30/30/20/20 | US/International/Bonds/TIPS | Average Age=37

WannaBeMiniDave
Posts: 53
Joined: Sat Apr 10, 2010 4:29 pm

Post by WannaBeMiniDave » Fri May 14, 2010 1:34 pm

Path wrote:WellsFargo and some other institution have explicit Guarantee.

From WellsFargo site "https://www.wellsfargo.com/privacy_secu ... /guarantee"
"Our Guarantee
We guarantee that you will be covered for 100% of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services....We will respond to you within 10 business days after we receive your claim."


Does anyone know if VG has any such guarantee?

We spend so much time in diversifying portfolio across different asset class. I guess it is better to apply the same diversification concept across different brokerage... especially if VG does not have explicit guarantee for online fraud.
Institutional diversification (*insert better concept name here) is the most underused concept I see on this board.

User avatar
tc101
Posts: 3333
Joined: Tue Feb 20, 2007 3:18 pm
Location: Atlanta - Retired in 2004 at age 54

Post by tc101 » Fri May 14, 2010 1:36 pm

This probably won't help those who need to regularly take money out of Vanguard, but you can place a security freeze on withdrawals from VG that can only be lifted by sending VG a bank verified signature guarantee letter( can be overnighted if necessary, and VG expedites the processing).
I did that, but there is a major flaw in the system and it is easy to get around. I am not going to post it here for security reasons. If someone from Vanguard wants to contact me I will tell them about it.
. | The most important thing you should know about me is that I am not an expert.

mikep
Posts: 3723
Joined: Wed Apr 22, 2009 9:27 pm

Post by mikep » Fri May 14, 2010 1:47 pm

Would we all want to pay a higher ER so that Vanguard would make you whole no matter what? I think it's perfectly fine to have a conditional guarantee. Remember we all pay the costs for fraud indirectly as Vanguard is a non-profit. I think it's clear from VG policy that if you enact some common sense you'll be fine.

If you log into your Vanguard acct from a public computer, leave a sticky note with your SSN saying clean me out, what do you expect?

Certainly better than Treasury Direct's "no matter what, you eat the loss" policy. Sure hope those electrons holding your electronic I-bonds don't get altered by a photon particle or something.

Path
Posts: 76
Joined: Fri Feb 20, 2009 12:23 am

Post by Path » Fri May 14, 2010 1:55 pm

tc101 wrote: I am not going to post it here for security reasons. If someone from Vanguard wants to contact me I will tell them about it.
I understand you don't want to post here for security reason, but why not call VG and tell them the flaw. I doubt any one from VG will read this and contact you.

richard
Posts: 7961
Joined: Tue Feb 20, 2007 3:38 pm
Contact:

Post by richard » Fri May 14, 2010 2:00 pm

Path wrote:WellsFargo and some other institution have explicit Guarantee.

From WellsFargo site "https://www.wellsfargo.com/privacy_secu ... /guarantee"
"Our Guarantee
We guarantee that you will be covered for 100% of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services....We will respond to you within 10 business days after we receive your claim."
You omitted a key part of WellsFargo's guarantee:
To qualify for this guarantee, you must follow Your Responsibilities below.
This is not unconditional. As a practical matter, seems the same as VG's guarantee.

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Post by The Wizard » Fri May 14, 2010 2:18 pm

jbdiver wrote: It is possible to proxy this type of access in such a way that your access is stolen. There are trojans out there that can proxy two-factor authentication mechanisms used by financial institutions. If someone gains access to your system then that little key fob isn't going to do much good.
I'm not a total expert in this area, but I find this hard to believe.
My RSA SecurID gizmo is a credit-card size chunk of metal where the 6-digit number changes every 30 seconds.
I usually have a dynamic IP address on my home PC, so I'm guessing it's possible for someone to intercept my open on-going session somehow, but I've never heard of that being done.
But for someone to initiate a new secure session without having the SecurID gizmo, no, I'd say that's "impossible".

I'd be interested in any infolinks that discuss this further...

bluemonday
Posts: 263
Joined: Fri Dec 05, 2008 10:26 pm

Post by bluemonday » Fri May 14, 2010 2:56 pm

Lbill wrote:bluemonday - if you have multiple accounts at Vanguard do you know if you can put a withdrawal freeze just on designated accounts? I will need to start RMD withdrawals from my IRA soon, but have a Roth that I would like to freeze.

Lbill, I believe the answer is yes. I have a freeze on all my accounts, but I was able to temp lift the freeze on one to do a withdrawal.

User avatar
mas
Posts: 1461
Joined: Tue Feb 20, 2007 12:54 pm

Post by mas » Fri May 14, 2010 2:58 pm


jbdiver
Posts: 128
Joined: Wed Feb 24, 2010 12:58 pm

Post by jbdiver » Fri May 14, 2010 3:06 pm

The Wizard wrote:
jbdiver wrote: It is possible to proxy this type of access in such a way that your access is stolen. There are trojans out there that can proxy two-factor authentication mechanisms used by financial institutions. If someone gains access to your system then that little key fob isn't going to do much good.
I'm not a total expert in this area, but I find this hard to believe.
My RSA SecurID gizmo is a credit-card size chunk of metal where the 6-digit number changes every 30 seconds.
I usually have a dynamic IP address on my home PC, so I'm guessing it's possible for someone to intercept my open on-going session somehow, but I've never heard of that being done.
But for someone to initiate a new secure session without having the SecurID gizmo, no, I'd say that's "impossible".

I'd be interested in any infolinks that discuss this further...
Wizard, the Zeus trojan uses an attack vector that can defeat two-factor authentication:

Type this into google search: "online banking two-factor authentication trojan"

Basically, a trojan is installed on your computer. You open up your web browser and type in your bank website. What is actually happening is the trojan is proxying the web connection to your browser. Anything you type in your browser is intercepted by the trojan -- including your 6 digit key fob code. Once the trojan has your password and pin the hackers have it. Now they have 30-60 seconds to log into your account. You access your account as usual. In the meantime the bad guys begin draining funds. You don't know what's happening because the trojan fakes out your browser and doesn't show the funds being removed from your account.

This is a tough problem to solve. Use anti-virus software. Use trojan detection software. Use key scrambler software. Use common sense.

bluemonday
Posts: 263
Joined: Fri Dec 05, 2008 10:26 pm

Post by bluemonday » Fri May 14, 2010 3:08 pm

tc101 wrote:
This probably won't help those who need to regularly take money out of Vanguard, but you can place a security freeze on withdrawals from VG that can only be lifted by sending VG a bank verified signature guarantee letter( can be overnighted if necessary, and VG expedites the processing).
I did that, but there is a major flaw in the system and it is easy to get around. I am not going to post it here for security reasons. If someone from Vanguard wants to contact me I will tell them about it.
Well unless you actually followed this through to its conclusion( exploited the flaw ), how can you be sure that it would not be caught by VG? And if you did, then VG would already be aware of it, right?
Outside of having a fraudulent bank ( or a crooked employee of the bank ) involved, or someone successfully impersonating you, I'm not sure how this would be pulled off. if the bank is culpable, then I suppose one would go after the bank. I got the letter through my bank, which "knows" me. I'm not sure just any bank would give out such a letter, but I could be wrong there.
It may (may not) be foolproof, but I think this freeze option is another layer of defense against thieves, and lowers the odds of disaster striking. It's like protecting your house against burglars, just make it less of a target than your neighbors.

Deguello
Posts: 79
Joined: Wed Jun 06, 2007 6:45 am

Post by Deguello » Fri May 14, 2010 4:31 pm

jbdiver wrote:Basically, a trojan is installed on your computer. You open up your web browser and type in your bank website. What is actually happening is the trojan is proxying the web connection to your browser. Anything you type in your browser is intercepted by the trojan -- including your 6 digit key fob code. Once the trojan has your password and pin the hackers have it. Now they have 30-60 seconds to log into your account. You access your account as usual. In the meantime the bad guys begin draining funds. You don't know what's happening because the trojan fakes out your browser and doesn't show the funds being removed from your account.
Then what happens? Vanguard transfers money to my pre-designated bank account or sends a check to my address? Even if someone is able to insert themselves inside the browser traffic, how do they get access to the money? It's been so long since I've done it I don't remember but can you set up a new bank account at vanguard.com and immediately transfer money into it?

rustymutt
Posts: 3950
Joined: Sat Mar 07, 2009 12:03 pm

Post by rustymutt » Fri May 14, 2010 4:56 pm

mhalley wrote:After reading the thread about the stolen Vanguard funds, I decided it was high time I perused their security policy. I am sure I must have done so when I first opened my accounts years ago, but a refresher on such an important topic is never out of line.
https://personal.vanguard.com/us/help/S ... ontent.jsp
Mike
How many people would like to see an Authenticator for their accounts?
For those that don't know, an Authenticator is either a program (such as iphone or android app) or a small device that is tied to your account that creates a unique pin every 60 seconds or so. Link to the Etrade one:
https://us.etrade.com/e/t/jumppage/view ... reid_enter
Mike
The use of a secure ID would work. You would have to put in the right pin showing on the ID device in order to log in to your account.
Even educators need education. And some can be hard headed to the point of needing time out.

User avatar
tc101
Posts: 3333
Joined: Tue Feb 20, 2007 3:18 pm
Location: Atlanta - Retired in 2004 at age 54

Post by tc101 » Fri May 14, 2010 5:01 pm

bluemonday wrote:
tc101 wrote:
This probably won't help those who need to regularly take money out of Vanguard, but you can place a security freeze on withdrawals from VG that can only be lifted by sending VG a bank verified signature guarantee letter( can be overnighted if necessary, and VG expedites the processing).
I did that, but there is a major flaw in the system and it is easy to get around. I am not going to post it here for security reasons. If someone from Vanguard wants to contact me I will tell them about it.
Well unless you actually followed this through to its conclusion( exploited the flaw ), how can you be sure that it would not be caught by VG? And if you did, then VG would already be aware of it, right?
Outside of having a fraudulent bank ( or a crooked employee of the bank ) involved, or someone successfully impersonating you, I'm not sure how this would be pulled off. if the bank is culpable, then I suppose one would go after the bank. I got the letter through my bank, which "knows" me. I'm not sure just any bank would give out such a letter, but I could be wrong there.
It may ( may not ) be foolproof, but I think this freeze option is another layer of defense against thieves, and lowers the odds of disaster striking. It's like protecting your house against burglers, just make it less of a target than your neighbors.
I was able to transfer money from Vanguard to my bank account after I sent in the letter and they supposedly froze my accounts.

I was able to transfer money to my bank account. I did not try to transfer it to a fraudulent bank account, and I know there are additional safeguards in place for that. The point is that you can get around the freeze without sending them a bank certified letter. I am still pretty comfortable with Vanguard security and their guarantees, but the security freeze on withdrawals is not much good.
. | The most important thing you should know about me is that I am not an expert.

rustymutt
Posts: 3950
Joined: Sat Mar 07, 2009 12:03 pm

Post by rustymutt » Fri May 14, 2010 5:53 pm


Running scared of the internet? Use common sense and a good firewall, virus, malware, and protection and stop freaking out. It is impossible when smart people are running things.

User avatar
mas
Posts: 1461
Joined: Tue Feb 20, 2007 12:54 pm

Post by mas » Fri May 14, 2010 7:10 pm

rcasement wrote:
Running scared of the internet? Use common sense and a good firewall, virus, malware, and protection and stop freaking out. It is imposible when smart people are running things.
I'm not sure if your response is directed at me, but I'm neither freaking out nor "running scared". Wizard had asked for links related to attacks against a certain security measure and I provided some.

Personally I'd rather know the limitations and risks than believe that I was invulnerable. Two factor authentication via the kind of device mentioned does improve security, but that doesn't make it a security panacea.

User avatar
LadyGeek
Site Admin
Posts: 64031
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Post by LadyGeek » Fri May 14, 2010 7:42 pm

Don't forget about POTS. That "old" technology is still around. Especially mobile.

Are telephone transfers more or less secure than online? Tele-Account I don't know how the authentication process works.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

bluemonday
Posts: 263
Joined: Fri Dec 05, 2008 10:26 pm

Post by bluemonday » Fri May 14, 2010 10:50 pm

tc101 wrote:
bluemonday wrote:
tc101 wrote:
This probably won't help those who need to regularly take money out of Vanguard, but you can place a security freeze on withdrawals from VG that can only be lifted by sending VG a bank verified signature guarantee letter( can be overnighted if necessary, and VG expedites the processing).
I did that, but there is a major flaw in the system and it is easy to get around. I am not going to post it here for security reasons. If someone from Vanguard wants to contact me I will tell them about it.
Well unless you actually followed this through to its conclusion( exploited the flaw ), how can you be sure that it would not be caught by VG? And if you did, then VG would already be aware of it, right?
Outside of having a fraudulent bank ( or a crooked employee of the bank ) involved, or someone successfully impersonating you, I'm not sure how this would be pulled off. if the bank is culpable, then I suppose one would go after the bank. I got the letter through my bank, which "knows" me. I'm not sure just any bank would give out such a letter, but I could be wrong there.
It may ( may not ) be foolproof, but I think this freeze option is another layer of defense against thieves, and lowers the odds of disaster striking. It's like protecting your house against burglers, just make it less of a target than your neighbors.
I was able to transfer money from Vanguard to my bank account after I sent in the letter and they supposedly froze my accounts.

I was able to transfer money to my bank account. I did not try to transfer it to a fraudulent bank account, and I know there are additional safeguards in place for that. The point is that you can get around the freeze without sending them a bank certified letter. I am still pretty comfortable with Vanguard security and their guarantee's, but the security freeze on withdrawals is not much good.

Well then I would suggest that whoever was tasked with doing your freeze, did not do it correctly( or some other issue is at work here ). After my freeze was imposed ( and again after I did a temp lift on one account ), I tested my accounts by attempting to do a transfer, and was blocked from doing so, as it should have been. If the "major flaw" is that your freeze wasn't done correctly, then I feel better( I can understand why you would not). So, why not contact VG, and speak with a supervisor to get it resolved?

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Post by The Wizard » Fri May 14, 2010 11:46 pm

mas wrote:Wizard had asked for links related to attacks against a certain security measure and I provided some.

Personally I'd rather know the limitations and risks than believe that I was invulnerable. Two factor authentication via the kind of device mentioned does improve security, but that doesn't make it a security panacea.
The links showed some impressive problems with two-factor security and that Zeus trojan. Smaller businesses were especially vulnerable due, I suspect, to cost cutting and lack of a full time IT department.
I have a shortcut to my VirusScan Console on my desktop and check it from time to time to make sure I'm up to date.
For now, I'm not chickening out and will continue to do online $$$ transfers between my checking account, my internet savings accounts, and my mutual fund accounts.
Just don't tell the Russians, thx...

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Post by The Wizard » Fri May 14, 2010 11:56 pm

rcasement wrote: The use of a secure ID would work. You would have to put the right pin showing on the ID device in order to log in to your account.
We would hope so, but unfortunately they have man-in-the-middle trojans to steal that info now and redirect access in real time to a band of unshaven thugs in foreign countries.
They use Money Mules to launder fraudulent disbursements from your account.
http://www.blueridgenetworks.com/produc ... nsfers.php

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Sun May 16, 2010 2:09 am

Trojans can be written to crack 2FA tokens. But, such trojan software is:

1. much more difficult to write. Many complex technologies are involved.
2. machine specific. It only works on the machine that you login.
3. session specific. After you click on the logout button, the crack stops working.
4. specific to a certain financial institution, i.e. if you want to crack etrade, you have to write a trojan specifically for etrade. An etrade trojan won't work with another 2FA institution.
5. specialised. There's no off-the-shelf software available, unlike keylogger software. Your teenagers at home can't pull off the trick using open-source freeware.
6. fragile. The hackers need effort to maintain the trojan codebase. The trojan can be invalidated by a simple update on the financial institution's software.

Once you log in to a machine using a token password, you cannot capture and use the token again on an alternative machine. The financial institution's server will invalidate the token password. It can only be used once.

Given the complexity involved in cracking such accounts, the hacker would just quit and move on to trying his luck on ones without 2FA tokens, such as VG's accounts. Capturing just the username/password pairs is orders of magnitude simpler; why hackers would want to make their life harder is nobody's guess.

I would think that if I'm a hacker (I'm not), I would place my efforts on gaining access to random computers on the internet rather than hacking etrade's accounts. Trying to gain access to random computers is already a task that's hard enough.

We are playing a game of police-and-thief here, but then, 2FA tokens when used in conjunction with other technologies such as firewalls and virus/malware scanners make hacking almost impossible. Not impossible but almost impossible. With the lack of a better security measure, I suggest it's high time for VG to adopt the 2FA technology.

Bobalude
Posts: 207
Joined: Sun Feb 28, 2010 12:43 am

Post by Bobalude » Sun May 16, 2010 2:58 am

tc101 wrote: I was able to transfer money from Vanguard to my bank account after I sent in the letter and they supposedly froze my accounts.

I was able to transfer money to my bank account. I did not try to transfer it to a fraudulent bank account, and I know there are additional safeguards in place for that. The point is that you can get around the freeze without sending them a bank certified letter. I am still pretty comfortable with Vanguard security and their guarantees, but the security freeze on withdrawals is not much good.
You need to speak to someone at Vanguard to ask on a technical level what system facilities or options can be turned off, and then do so from there. They probably are in the format of "online transactions, yes/no", "telephone transactions yes/no", "electronic/bank deposits, yes/no", or something like that.

Individual options can be switched on or off at the system level. Asking a company to "freeze" an account is broad and cannot be interpreted explicitly. What is considered "freeze" to you may not be the same for someone else. I bet the processor did not know what specific options you were referring to and thus you were able to do something on your account later that was not turned off.


The use of an all-stop "freeze" I would guess is only typically used for legal related issues (i.e. IRS levy) and not for client requests.

comdy1
Posts: 69
Joined: Tue Jun 09, 2009 7:38 am

Post by comdy1 » Sun May 16, 2010 6:44 am

Vanguard has an option to "restrict unrecognized computers from accessing my accounts". Not sure how effective that is...

magellan
Posts: 3474
Joined: Fri Mar 09, 2007 4:12 pm

Post by magellan » Sun May 16, 2010 8:17 am

comdy1 wrote:Vanguard has an option to "restrict unrecognized computers from accessing my accounts". Not sure how effective that is...
IMO, this is a useful feature, but it's not foolproof. It can't protect you from attacks that are launched from your own infected computer. Still, computer security is best implemented in layers and this layer seems very valuable.

One thing I wish Vanguard would implement is a "limited access" login feature. I log in to my Vanguard account to check on things and pay bills 20-30 times more often than I log in to buy, sell or exchange funds.

A limited-access login that only allows me to view my accounts and pay bills would greatly reduce potential damage from an unauthorized login.

Nowadays, the biggest unchecked threat isn't theft by fraudulent wire transfer. The latest scheme is to hack into your brokerage account and use your funds to bid up the value of a penny stock. The attacker will simultaneously sell shares of the same (inflated) penny stock in a separate account and pocket the gain.

I probably buy/sell/exchange funds 5-10 times a year and I'd have no problem doing something special for these transactions (different login or extra password) if it would reduce this risk.

Jim

rustymutt
Posts: 3950
Joined: Sat Mar 07, 2009 12:03 pm

"restrict unrecognized computers from accessing my acco

Post by rustymutt » Sun May 16, 2010 8:37 am

Would be worth Vanguard's time to set this feature up allowing us to program in a range of IPs that could be used to access our accounts.
For example, we could tell them our service provider issued IP, and a range of local IPs to be used within that range. Or even a VPN connection. Security could be improved a lot if Vanguard had the will to do so. If they receive a packet outside this personally set-up parameter, then access is denied.
This with the use of a secure ID device would be foolproof, unless someone was holding a gun to the client's head, or was very close to the client, such as a family member.
Even educators need education. And some can be hard headed to the point of needing time out.

markpa
Posts: 187
Joined: Fri Feb 22, 2008 11:55 am

Post by markpa » Sun May 16, 2010 10:35 pm

Etrade's implementation of the RSA SecurID has huge flaws.

Any third party tool (Quicken, TurboTax, etc.) does not need the code that changes every 60 seconds appended to your password. Calling in to get account info or trade does not need the code either.

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Sun May 16, 2010 11:07 pm

I don't use Quicken or TurboTax. Do Quicken and TurboTax allow you to trade or withdraw money from etrade? That's my main concern. And do you have to register with the 3rd-party companies first to use the software? Thanks for any answer.

O.Randy
Posts: 8
Joined: Thu May 13, 2010 3:55 am

Post by O.Randy » Sun May 16, 2010 11:51 pm

At best we can take the basic security measures mentioned and wait and watch for more advanced “Trojan” fighting utilities in the market.

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Mon May 17, 2010 12:28 am

comdy1 wrote:Vanguard has an option to "restrict unrecognized computers from accessing my accounts". Not sure how effective that is...
So, are those cybercafe PCs in foreign countries considered as recognised or unrecognised? How about those PCs at the airport or shopping mall or hotel lounge? Or stolen cell phones that are net enabled?

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Mon May 17, 2010 2:06 am

jbdiver wrote:Basically, a trojan is installed on your computer. You open up your web browser and type in your bank website. What is actually happening is the trojan is proxying the web connection to your browser. Anything you type in your browser is intercepted by the trojan -- including your 6 digit key fob code. Once the trojan has your password and pin the hackers have it. Now they have 30-60 seconds to log into your account. You access your account as usual. In the meantime the bad guys begin draining funds. You don't know what's happening because the trojan fakes out your browser and doesn't show the funds being removed from your account.
This hacking technique won't work cos the financial institution would just invalidate the security code the moment you execute a login. The security code can be made to only be used once.
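The single-use property described in this post and in the earlier list of trojan limitations (the server invalidates a token code once it has been used) can be shown with an RFC 6238 TOTP verifier that records the last accepted time step. This is an added example, not code from any poster, Vanguard or E*Trade; the seed is the RFC test-vector secret, and the 30-second step and one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector secret, not a real token seed.
SECRET = b"12345678901234567890"
STEP = 30        # seconds per time step (assumed; RFC 6238 default)
DIGITS = 6
WINDOW = 1       # accept one adjacent step either side to tolerate clock drift


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 code: HMAC-SHA1 over the big-endian time-step counter, then
    dynamic truncation (RFC 4226) to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check that also enforces one use per accepted code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for step in range(current - WINDOW, current + WINDOW + 1):
            if hmac.compare_digest(totp(self.secret, step), code):
                # Replay guard: any step at or below the last accepted one is
                # spent, so presenting the same code again is refused.
                if step <= self.last_accepted_step:
                    return False
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 1)            # code for the step containing t=59
    print("first use:", v.verify(code, 59))    # True
    print("replay:", v.verify(code, 60))       # False, already consumed
```

The guard only guarantees that a code is consumed once; it cannot tell whether the account holder or a real-time relay consumed it first, so a legitimate login refused as "already used" is itself a signal worth alerting on.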

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Mon May 17, 2010 2:51 am

Morgan wrote:That's true, except that in sophisticated trojan proxy techniques your security code is passed directly to the hacker and it's he who logs in. So, the bank never gets the security code in the first place. You get a "fakeout" screen, do your thing, and log out none the wiser.
I'm a software developer and trust me, it's really difficult to fake a financial institution's website. You might as well print fake dollar bills. These websites comprise many man-years of work.

at
Posts: 545
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Post by at » Mon May 17, 2010 4:16 am

Please fake the etrade website for me and show me your sample. 5,000 USD for you if you can fool an etrade investor.

neverknow
Posts: 2392
Joined: Fri Jun 05, 2009 4:45 am

Post by neverknow » Mon May 17, 2010 7:40 am

..
Last edited by neverknow on Mon Jan 17, 2011 1:22 pm, edited 1 time in total.
