How do high networth individuals protect their money from

[firewynd]

How do high networth individuals protect their money from hackers?

A recent hack which has made a lot of headlines:
http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/

had my co-workers and I discussing hacking. Then I mentioned how I always wondered why most hacking I hear about are people losing their WoW (World of Warcraft), Eve-Online or other MMO accounts / characters to hackers.

Maybe it's just the kind of sites i visit / friends I keep (video gamers / software developers). But I never hear about people getting their online brokerage accounts hacked, the hackers selling all their stock, and transferring it to an overseas account in some 3rd world country. Online hacking in the video game community is rampant. My personal take is that most of the hacks are not because someone got their personal computer hacked - but because they practice poor online security practices - like using the same password everywhere. Then one of the websites they use, gets hacked, rainbow table to lookup their password (if it was even hashed) and because they used the same password everywhere, now the hackers break into their MMO accounts and wreck havoc.

So anyhow. It's a rampant problem. A recent notable big breakin was at LinkedIn where lots of password hashes were posted publically along with the matching email address.

Ok so back to the original question-ish...

- How come there are not more people losing their money to their online bank accounts getting hacked?
- How do high net worth people protect themselves against this problem? Say you have a brokerage account with a decent amount of money in it. It becomes impractical past a certain denomination to keep creating more brokerage accounts at different brokerages.

[midareff]

Interesting subject..... many investment houses and banks use multifactor log-in procedures now which seem pretty safe. That helps, so does a longer alphanumeric passoword. While I use a specific alphanumeric password for $$ accounts, brokerage, banks, credit cards, I use a completely different one for everything else. I use a hardwire computer hookup for money transactions (not wifi). For miscellaneous online purchases I use Paypal. I use a window washer to remove images from IE and my computer after financial transactions. I check balances and accounts at least weekly, credit cards more often, and have all financial accounts instructed to email me with every transaction, when such feature is available. Brokerages and such can only transfer funds to my bank(s). .... and, I stay far away from social media accounts .. unless you count this site. LOL, 64 years old and retired. If you were looking for me you would have found me by now, and why do you think I want to be found? Where I must use an email address for something I use one I don't value and save for such occasional uses, be it yahoo or hotmail. When I don't trust an establishment I buy somewhere else or use cash and keep the credit card in my pocket.

That is about it for me. I'll be reading to see if I can pickup any tips as well. Remember, you are not paranoid if they REALLY ARE out to get you.

Edited for additional thoughts...... Very careful about incoming mail and don't download or open anything I am not very familiar (safe) with. Trojan horse and virus avoidance and software for same. Agree with Valuthinker on dedicated reps at VG for HNWI and agents are easy to get on the phone for Ally bank and credit card services but that is after the fact, not avoidance.

[Valuethinker]

How do high networth individuals protect their money from hackers?

A recent hack which has made a lot of headlines:
http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/

had my co-workers and I discussing hacking. Then I mentioned how I always wondered why most hacking I hear about are people losing their WoW (World of Warcraft), Eve-Online or other MMO accounts / characters to hackers.

Maybe it's just the kind of sites i visit / friends I keep (video gamers / software developers). But I never hear about people getting their online brokerage accounts hacked, the hackers selling all their stock, and transferring it to an overseas account in some 3rd world country. Online hacking in the video game community is rampant. My personal take is that most of the hacks are not because someone got their personal computer hacked - but because they practice poor online security practices - like using the same password everywhere. Then one of the websites they use, gets hacked, rainbow table to lookup their password (if it was even hashed) and because they used the same password everywhere, now the hackers break into their MMO accounts and wreck havoc.

So anyhow. It's a rampant problem. A recent notable big breakin was at LinkedIn where lots of password hashes were posted publically along with the matching email address.

Ok so back to the original question-ish...

- How come there are not more people losing their money to their online bank accounts getting hacked?
- How do high net worth people protect themselves against this problem? Say you have a brokerage account with a decent amount of money in it. It becomes impractical past a certain denomination to keep creating more brokerage accounts at different brokerages.

Basically real high net worths have 'private bankers'. You get a person at the end of the phone. So at least in theory, if strange things happen to your account, you ring your 'personal banker' and she puts a stop to it.

Never having availed myself of such services (which are not cheap) I don't know if it works that way in practice.

[gd]

I believe you're mixing apples and oranges. The posted hack description did not involve financial account loss, as far as I can determine. It seems to have been primarily social networking, email and online file storage. The online financial services I use have significantly higher security than my email accounts.

The more transparent and interconnected your online activities are, the more susceptible they are likely to be. Social networking and gamer fans strive for that, and this is the price. They seem to be a bit blinded by their enthusiasm on this point.

[firewynd]

I believe you're mixing apples and oranges. The posted hack description did not involve financial account loss, as far as I can determine. It seems to have been primarily social networking, email and online file storage.

I posted that article as a general reference about a very recent hack that occurred and what the hackers did to accomplish it. I knew it didn't involve finances, and only posted it as a broad reference for recent hacks.

However I am still curious as to why more financial hacks do not occur. Not everyone out there follows good security practices. There are likely hundreds of thousands, if not more, of folks who use the same password for their online bank account as some other site that got hacked. So again:

What is stopping hackers from simply logging into someone's bank account / brokerage - selling all of the stock / or transferring all of the money out to a foreign bank account?

I get that most online financial institutions have higher security (like asking challenge questions if it doesn't recognize your computer). But honestly. Good hackers can get around that. Some challenge questions are incredibly lame / easy for hackers to find the answer to. Like: What High School did you go to? What was the mascot for your High School teams football team? What is your favorite color (most people will pick one of like 8 colors)? When did you graduate college? What is your best friends name? All of these can easily be found out via some research online.

Basically, in my opinion, some bank's security is hardly much better (if at all) than say: Amazon, Apple, or MMO accounts which are frequently subject to hacking.

And so taking this a step further, how are people protecting against this? If you have a single brokerage account with all of your money in there it seems like all of your eggs are in one basket - ripe for the taking. But then is the alternative to create 20 separate brokerage accounts at different institutions? That seems insane... So what is being done?

[Sidney]

I get that most online financial institutions have higher security (like asking challenge questions if it doesn't recognize your computer). But honestly. Good hackers can get around that. Some challenge questions are incredibly lame / easy for hackers to find the answer to. Like: What High School did you go to? What was the mascot for your High School teams football team? What is your favorite color (most people will pick one of like 8 colors)? When did you graduate college? What is your best friends name? All of these can easily be found out via some research online.

Keep in mind that there is nothing that requires you to answer these "secret questions" honestly. The answers to these fixed questions should be made as complex as possible and then stored with your passwords in a secure place. Just make your favorite color "jaguarXKE_with_chocolate_raisins"

[firewynd]

I agree with you about how your suggested method for security questions is much more secure, however what % of people do that? Very small.

Oh and while mentioning hacking. Another huge hack happened today. Again, not financial related. Battle.net got hacked and all North American accounts exposed including email addresses, password hashes and security question answers. That's a few million accounts right there.

http://us.blizzard.com/en-us/securityupdate.html

[Mudpuppy]

Financial hacks do occur, just look up the Zeus trojan to see one that has wide-spread infection and is targeted at recovering financial information. According to the FBI, one Eastern European criminal ring using the Zeus trojan were able to steal over $70 million dollars from US citizens (http://www.fbi.gov/news/stories/2010/oc ... king-fraud). Another Zeus variant has been able to by-pass two-factor authentication used by many European financial institutions (http://www.dailymail.co.uk/sciencetech/ ... sleep.html). There is also the Gauss malware that was discovered this week, although it is a targeted piece of malware likely being used as part of a government cyber-espionage program.

The average citizen who is harmed by a piece of malware like Zeus, or a more traditional attack like what happened to the Wired writer, have to rely on standard consumer protections to kick in and make them whole again. That may or may not happen, depending on the particular financial institutions involved and what level of regulatory protection one has. One can always protect oneself by employing logical separation (a different machine, a Linux live CD, etc.) and good security practices for all banking transactions, but even that is no guarantee against fiscal fraud.

But your question was specifically about high net worth individuals. They don't bank like the average citizen does. I sincerely doubt most high net worth individuals use just a website to manage their financials. At that level of assets, they can have their own personal banker or a specialized service like Vanguard's Flagship services. They can also be selective at that level of assets, and select banks and financial companies which employ the highest levels of online and backend security. And of course, they can have lawyers throw a proverbial bus of books at financial institutions if an illegitimate transaction were to steal a significant chunk of their assets.

[Smyrnian]

Vanguard's password limitation to 10 characters is woefully inadequate. It is completely inexplicable to me how this company can be so backward in this respect.

Vanguard's "Create a Strong Security Profile" page offers some tips on setting a Vanguard password. Unfortunately, the 10 character limitation makes it impossible to have anything approaching a strong password.

Here are the Vanguard suggestions for passwords, followed by the time estimated for said password to be "cracked" by a single personal computer tasked with discovering the password, as determined at the site: howsecureismypassword.net. (Those interested in a quick look at some of the issues related to passwords might like: http://preshing.com/20110811/xkcd-password-generator)

cpu34chip = 7 hours

swm20lps = 11 minutes

1gw2al3tj = 7 hours

irmb50mes = 7 hours

Password "security" of the level noted above is laughable...especially for a company like Vanguard that has care of billions upon billions of dollars of investor's money.

For example, here are two passwords (simply using four words, as suggested at the "preshing" web site referenced above) which are much better...not to mention much easier to remember:

staythecourse = 19 years

manyroadstodublin = 8 million years

But even these pale compared to the kind of security that can be achieved. Here for example is a password of four randomly generated words at the "preshing" site:

wishsyllableyourselfyellow = 48 quintillion years

The root of the problem is Vanguard's 10 character limitation. That quite simply puts Vanguard far from where they should be in the area of online security.

[johnny72]

10 characters is short but don't forget capitals and symbols:

Eat6-7Chip

There you go. 10 characters, fully allowed by Vanguard that will take 58 years to crack.

[harikaried]

10 characters is short but don't forget capitals and symbols

It seems like finance related passwords tend to be case insensitive and not allow symbols. Just try your Vanguard password with the wrong casing for each letter.

[mrpotatoheadsays]

- How come there are not more people losing their money to their online bank accounts getting hacked?
- How do high net worth people protect themselves against this problem?

There are accounts getting hacked; you just don't hear about it; it's not good for business. Take for example when Ameritrade got hacked; they didn't tell anyone; we found-out after someone sued them. By then, Ameritrade customers we being spammed by penny stock scammers 10 times a day.

I'm sure these companies all have insurance also.

High net worth people protect themselves by not using a lot of Internet-based capabilities, for example Facebook...

e.g. http://www.spectrem.com/news/non-millio ... cebook-423

The more you put out there, the more likely you are going to get hacked.

[aspiringboglehead]

The root of the problem is Vanguard's 10 character limitation. That quite simply puts Vanguard far from where they should be in the area of online security.

This isn't really a problem; brute-force attacks on online systems can be easily monitored and prevented, and they're significantly slower than "offline" attacks. If Vanguard locks your account after a few bad login attempts, or even if someone on their IT staff notices that an attack is occurring after 50,000 attempts on your account or others, it doesn't matter that your password could be cracked in only half an hour with 200 billion attempts. Vanguard has much more of a (proper) interest in preventing your password from being "password" or "1234" and thus being undetectably caught in a stray attack; much beyond that, non-password elements of their approach to security will be more important.

As to the broader question about the dangers of online attacks in general, one significant reason that more people don't lose money in online attacks is that it's hard to move large amounts of money to arbitrary third parties using online services in the first place. With your password, a spiteful neighbor could log into your brokerage account and sell all your holdings, causing you possibly to incur some trading costs in repurchasing them (although the more likely event is that the broker's insurance or simply their customer-service policy would reverse the trades, particularly if the activity didn't come from your typical location or had other hallmarks of an illegal attack), but he or she couldn't easily transfer the money to her own account; in many contexts, transfers are approved only to identically titled accounts, and in many cases they even need to be accompanied with signed and Medallion-guaranteed paperwork. Even in cases where an attacker could obtain control over your money temporarily, it's very hard to do that without a record; there likely isn't an easy way for attacker to move your money from your online money-market account, for example, to an untraceable account in Switzerland. This ends up acting as a kind of natural deterrent: even if Alliant Credit Union, for example, makes it easy to transfer money online to unrelated parties that hold Alliant accounts, it's very hard for an attacker to take advantage of that without being detected. (A far more likely scenario, as far as the technology is concerned, involves errant children and other family members compromising accounts in ways that are much harder to detect.)

As to the other question, high-net-worth people aren't a monolithic class. Many have more or less what a typical person with $500,000 in assets has, just with more money and more accounts. Of course, those who have complex portfolios often have to accept that it becomes difficult to monitor the details more closely; it's far easier to steal $450 from some high-net-worth individuals than to do that from a careful person with $30,000 in the bank. (Many credit-card scams take advantage of this fact at least implicitly; a very common approach with a stolen credit-card number is to make a charge for something like $16 and see if anyone notices.) Others take charge of their relationships with various banking providers, insist on using those that have (not uncommon) broad anti-fraud guarantees backed by an insurance policy or a large institutional asset base, and avoid doing things that people with more average assets would do routinely (like log into a brokerage account from a hotel business center). Past a certain point -- once we're talking about people that have institution-sized accounts of their own -- their solutions approach those of institutions themselves; someone with a $300 million personal worth, trust, or foundation will ordinarily end up employing many people to manage it, or have the equivalent in services from a larger institution, and with that will come those who specialize in risk management and who prevent and detect fraud.

[khh]

-snip-

Here are the Vanguard suggestions for passwords, followed by the time estimated for said password to be "cracked" by a single personal computer tasked with discovering the password, as determined at the site: howsecureismypassword.net. (Those interested in a quick look at some of the issues related to passwords might like: http://preshing.com/20110811/xkcd-password-generator)

cpu34chip = 7 hours

swm20lps = 11 minutes

1gw2al3tj = 7 hours

irmb50mes = 7 hours

-snip-

Here's a novice's question. I would think there would have to be a lot of hacking attempts in a short amount of time in order for the password to be discovered. Is it possible to limit the number of password attempts to, say, one every two minutes?

[carolinaman]

-snip-

Here are the Vanguard suggestions for passwords, followed by the time estimated for said password to be "cracked" by a single personal computer tasked with discovering the password, as determined at the site: howsecureismypassword.net. (Those interested in a quick look at some of the issues related to passwords might like: http://preshing.com/20110811/xkcd-password-generator)

cpu34chip = 7 hours

swm20lps = 11 minutes

1gw2al3tj = 7 hours

irmb50mes = 7 hours

-snip-

Here's a novice's question. I would think there would have to be a lot of hacking attempts in a short amount of time in order for the password to be discovered. Is it possible to limit the number of password attempts to, say, one every two minutes?

There are numerous ways to gain access to accounts. One is to put a keystroke logger on your PC that will give thieves passwords and much more. Also, many people will use the same or similar password for all online accounts including social websites or Amazon or others. Some of these are much easier to deal with than Vanguard or other financial websites. Once you have the person's password for other websites, you have access to their financial ones too. Furthermore, corporate databases are hacked frequently giving hackers access to millions of email addresses, ids, and passwords. Hackers can use these to go after more lucrative websites and resources.

I believe it is much more feasible for thieves to steal money from accounts than previous poster indicated, especially for smart thieves. The theives in the article were not sophisticated hackers. The financial institution may restore the funds unless you have been negligent but why take the risk. As the OP's article states, the best way to protect yourself is to use strong and different passwords for each sensitive website and use 2 factor authentication. That is a little bit of trouble but most people do not change their password or profile often anyway.

[HomerJ]

the best way to protect yourself is to use strong and different passwords for each sensitive website and use 2 factor authentication.

Does Vanguard offer two-factor authentication?

I do like that I can set it up so only computers that have already logged into my account can log into it again. So even if someone steals my password, they can't log in from their machine, right? Of course, they could call Vanguard and change that setting over the phone. How tough is Vanguard when you call in for account changes?

I'm not too worried about the money getting stolen, because changing banks takes a good week or two and they usually send mail and email. Even if a hacker changes my email address and my street address, they send notifications to the old addresses, don't they?

A hacker COULD get in and cause me some serious tax issues by selling all my funds (maybe using all my money to buy a penny stock to drive up the price making himself money), maybe even moving all my IRA money over to taxable. I don't know what all the risks are.

[TA_Lurker]

In the United States wealth is concentrated in the older generations. Anectodotally we can say that, perhaps, those generations do not utilize the Internet for money management purposes at nearly the same rate as younger generations. So perhaps the era of grand hacking heists has yet to dawn?

[damjam]

I'm not sure but I don't think what Vanguard does is two factor authentication.

See wikipedia page on two factor authentication.

Following the U.S. Federal Financial Institutions Examination Council's publication advising the use of multi-factor authentication, numerous vendors began offering authentication solutions that are not compliant with the FFIEC's definition of "true multifactor authentication". Most notable of these approaches is the challenge/response approach, often coupled with a shared secret image. Soliciting personal information in response to challenge questions simply solicits more of "something the user knows", similar to a login, a password, or a PIN. All are multiple solutions from the same authentication category. Unless you combine these with something from the other two factors (i.e. "something the user has" or "something the user is", it does not constitute multi-factor authentication.

Anyone can log into your account if they have your password and know the answers to the challenge questions. Registering your machine only lets you skip the challenge questions. It does not prevent log in from a "new" machine.

[HomerJ]

I'm not sure but I don't think what Vanguard does is two factor authentication.

See wikipedia page on two factor authentication.

Following the U.S. Federal Financial Institutions Examination Council's publication advising the use of multi-factor authentication, numerous vendors began offering authentication solutions that are not compliant with the FFIEC's definition of "true multifactor authentication". Most notable of these approaches is the challenge/response approach, often coupled with a shared secret image. Soliciting personal information in response to challenge questions simply solicits more of "something the user knows", similar to a login, a password, or a PIN. All are multiple solutions from the same authentication category. Unless you combine these with something from the other two factors (i.e. "something the user has" or "something the user is", it does not constitute multi-factor authentication.

Anyone can log into your account if they have your password and know the answers to the challenge questions. Registering your machine only lets you skip the challenge questions. It does not prevent log in from a "new" machine.

If you go to My Accounts --> Account Maintenance --> Computer access restrictions, you can set it to "Restrict unrecognized computers from accessing my account"

And then if you log on from another computer (I just tested this), it won't let you log on. It won't even ask for a password or show you your little picture; it just tells you that that account is restricted from unrecognized computers...

Now, how does it recognize computers? Maybe just a web-page cookie, which I guess a hacker could steal if they've infected your computer (But not if they just guessed your account name), or maybe it's more complicated than that. I don't know.

I feel better with it on...

But I guess I should test Vanguard and try calling them to see how hard it is to change that setting over the phone.

[Random Poster]

If you go to My Accounts --> Account Maintenance --> Computer access restrictions, you can set it to "Restrict unrecognized computers from accessing my account"

And then if you log on from another computer (I just tested this), it won't let you log on. It won't even ask for a password or show you your little picture; it just tells you that that account is restricted from unrecognized computers...

With my luck, the day that I set that restriction is the day that my home computer breaks....

[ThatGuy]

Now, how does it recognize computers? Maybe just a web-page cookie, which I guess a hacker could steal if they've infected your computer (But not if they just guessed your account name), or maybe it's more complicated than that. I don't know.

I don't know about Vanguard, but PenFed stores it somewhere in the various browser files. I always use Firefox's privacy mode. It doesn't matter if I tell PenFed to remember my computer, as soon as I try to log in with a new browser I have to go through the challenge questions.

[damjam]

If you go to My Accounts --> Account Maintenance --> Computer access restrictions, you can set it to "Restrict unrecognized computers from accessing my account"

And then if you log on from another computer (I just tested this), it won't let you log on. It won't even ask for a password or show you your little picture; it just tells you that that account is restricted from unrecognized computers...

Thanks, I didn't know that.

My question is the same as yours: how do they recognize it's the same computer? If Vanguard uses cookies...well I delete my cookies regularly.

Edit to add: I guess Vanguard might not want to give away the secret. It would just make it easier for hackers.

[carolinaman]

the best way to protect yourself is to use strong and different passwords for each sensitive website and use 2 factor authentication.

Does Vanguard offer two-factor authentication?

I do like that I can set it up so only computers that have already logged into my account can log into it again. So even if someone steals my password, they can't log in from their machine, right? Of course, they could call Vanguard and change that setting over the phone. How tough is Vanguard when you call in for account changes?

I'm not too worried about the money getting stolen, because changing banks takes a good week or two and they usually send mail and email. Even if a hacker changes my email address and my street address, they send notifications to the old addresses, don't they?

A hacker COULD get in and cause me some serious tax issues by selling all my funds (maybe using all my money to buy a penny stock to drive up the price making himself money), maybe even moving all my IRA money over to taxable. I don't know what all the risks are.

Gmail has a 2 factor authentication system that can be used for access to your Gmail account. It adds an extra layer of security to your account by requiring you to sign in with something you know (your password) and something you have (a code sent to your phone). You must enter the code sent to your cell or smartphone in order to get access to your email account. The idea is to have a unique Gmail account used solely for this type of purpose. If you or someone else requests a changed password from Vanguard (or some other financial account), you set up your profile to send the new password to this unique Gmail email account. It is very unlikely the hacker would also have access to your phone, so they would be unable to gain access to your Gmail account to get the new password.

Vanguard does require answering security questions which makes it harder to get a new password. I have never tried to contact Vanguard to see how difficult it is to get a new password without answering the questions but my guess it is difficult. However, if someone gets access to personal information it is feasible.

Anytime I have changed my Vanguard profile or password, I have received a letter a few days letter informing me of such. So it seems harder to hack accounts of attentive people unless you did not access your mail for a while (out of town, in hospital, etc.).

I have a lot of confidence in Vanguard but there have been many security breaches of credible companies, so IMO I think we need to take reasonable precautions online to protect ourselves.

[damjam]

Gmail has a 2 factor authentication system that can be used for access to your Gmail account. It adds an extra layer of security to your account by requiring you to sign in with something you know (your password) and something you have (a code sent to your phone). You must enter the code sent to your cell or smartphone in order to get access to your email account. The idea is to have a unique Gmail account used solely for this type of purpose. If you or someone else requests a changed password from Vanguard (or some other financial account), you set up your profile to send the new password to this unique Gmail email account. It is very unlikely the hacker would also have access to your phone, so they would be unable to gain access to your Gmail account to get the new password.

Another e-mail account? Ugh. I guess it's a small annoyance worth considering. sigh.
Although to be completely paranoid, a hacker could get access to your mobile/smart phone. The hacker could even clone it and receive your messages on another phone. But it is another layer of protection

[Dan999]

Someone above stated that Vanguard sends changes to your address on file.
I think I read several months ago that if you change your address, they send the change to the current address (the new one).
Isn't this a weakness, if someone changes your mailing address? Vanguard sends a notice to the new mailing address, which is fraudulent, then any changes to your account thereafter (such as new checking accounts, exchanges etc ) are sent to the fraudulent address and you will never know what happened until it is too late.

If this is true, then Vanguard should send address changes to both addresses.

Am I wrong here?

Any thoughts?

[HomerJ]

Someone above stated that Vanguard sends changes to your address on file.
I think I read several months ago that if you change your address, they send the change to the current address (the new one).
Isn't this a weakness, if someone changes your mailing address? Vanguard sends a notice to the new mailing address, which is fraudulent, then any changes to your account thereafter (such as new checking accounts, exchanges etc ) are sent to the fraudulent address and you will never know what happened until it is too late.

If this is true, then Vanguard should send address changes to both addresses.

Am I wrong here?

Any thoughts?

They send the notification mail to the OLD address. I moved a few years ago, made the change on Vanguard's web-site and they sent a notification to the old address. I also changed banks, it took a week (which is GOOD - I want a change like that to take a long time), and Vanguard sent a notification to my address.

So I feel pretty safe about someone trying to change the bank account to their own, and then taking all my money. I suppose if they timed when I was on vacation, it might work.

[Jack]

If you go to My Accounts --> Account Maintenance --> Computer access restrictions, you can set it to "Restrict unrecognized computers from accessing my account"

And then if you log on from another computer (I just tested this), it won't let you log on. It won't even ask for a password or show you your little picture; it just tells you that that account is restricted from unrecognized computers...

Thanks, I didn't know that.

My question is the same as yours: how do they recognize it's the same computer? If Vanguard uses cookies...well I delete my cookies regularly.

Edit to add: I guess Vanguard might not want to give away the secret. It would just make it easier for hackers.

Vanguard also uses so-called "Flash cookies". These are Local Shared Objects that are stored in the Flash Macromedia directory that function sort of like cookies and are not removed when you delete normal cookies. They were originally intended for storing data for Flash applications, but lots of sites use it for storing "cookie" information so that it won't be easily deleted.

You can read about it here:

http://en.wikipedia.org/wiki/Local_Shared_Object

If you want to delete your Vanguard Flash objects go to:

C:\Documents and Settings\<user name>\application data\Macromedia\Flash Player\#SharedObjects. Somewhere in a directory below there you will find vanguard.com. The object is a file with the extension .SOL. You can just delete the .SOL file or the entire vanguard.com directory if you like. This directory will be recreated the next time your log on.

Disclaimer: I don't know what other information Vanguard stores in the Flash cookie. You may lose any customization of views and/or preferences that you set for your web view.

[HomerJ]

If you go to My Accounts --> Account Maintenance --> Computer access restrictions, you can set it to "Restrict unrecognized computers from accessing my account"

And then if you log on from another computer (I just tested this), it won't let you log on. It won't even ask for a password or show you your little picture; it just tells you that that account is restricted from unrecognized computers...

Thanks, I didn't know that.

My question is the same as yours: how do they recognize it's the same computer? If Vanguard uses cookies...well I delete my cookies regularly.

Edit to add: I guess Vanguard might not want to give away the secret. It would just make it easier for hackers.

Vanguard also uses so-called "Flash cookies". These are Local Shared Objects that are stored in the Flash Macromedia directory that function sort of like cookies and are not removed when you delete normal cookies. They were originally intended for storing data for Flash applications, but lots of sites use it for storing "cookie" information so that it won't be easily deleted.

You can read about it here:

http://en.wikipedia.org/wiki/Local_Shared_Object

If you want to delete your Vanguard Flash objects go to:

C:\Documents and Settings\<user name>\application data\Macromedia\Flash Player\#SharedObjects. Somewhere in a directory below there you will find vanguard.com. The object is a file with the extension .SOL. You can just delete the .SOL file or the entire vanguard.com directory if you like. This directory will be recreated the next time your log on.

Disclaimer: I don't know what other information Vanguard stores in the Flash cookie. You may lose any customization of views and/or preferences that you set for your web view.

The question I have is can someone just copy that .SOL file from my PC to their PC, and they be granted access as a "recognized computer"?

[investnoob]

I suspect that hacking of video game accounts is more rampant due to the low consequences. My guess is that authorities are less likely to investigate the theft of a virtual item (even if it is sold for real currency on the black market) than they are to investigate the theft of actual money.

That makes sense to me, but I don't really have a source to cite.

[Dan999]

Thanks HomerJ for the info. This makes sense as the way to do it.
Dan

[Maid of the Mist]

Last year, when the Bogleheads visited Vanguard, they were asked about security. Interestingly, at Vanguard they said most theft occurs from relatives and friends than from outside hackers.

[btenny]

Individuals don't get hacked very often at this time because it is easier and more profitable to hack small and mid-sized businesses. See here

http://www.cbsnews.com/8301-505124_162- ... usinesses/

and here

http://www.huffingtonpost.com/2011/10/2 ... 28781.html

A run of the mill small business will have $100K to $1M cash laying aound in a bank account around the first of the month. These companies practice mediocre to poor computer security. They have low cost labor running lots of computer stuff who are easy to social engineer. There accounts are not insured by anyone including the banks so no big company will come looking for the bad guy. The banks don't have special security for these small guys. So net net it is just easy to steal this money and run and plan on never getting caught.

Bill

[grabiner]

Someone above stated that Vanguard sends changes to your address on file.
I think I read several months ago that if you change your address, they send the change to the current address (the new one).
Isn't this a weakness, if someone changes your mailing address? Vanguard sends a notice to the new mailing address, which is fraudulent, then any changes to your account thereafter (such as new checking accounts, exchanges etc ) are sent to the fraudulent address and you will never know what happened until it is too late.

They actually send confirmation to both the new and old addresses, because that maximizes the chance that you will receive one of the two. If you didn't move (and either there was fraud or you haven't yet occupied the new address), you will receive the confirmation at your old address; if you did move, you will get the confirmation at the new address.