How good is vanguard website security?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How good is vanguard website security?

Post by tadamsmar »

Alskar wrote: EDIT: Defuse Security lists Vanguard in their "Password Policy Hall of Shame": https://defuse.ca/password-policy-hall-of-shame.htm They apparently believe Vanguard passwords might be stored as plain text. I am dubious of this claim.
Vanguard uses industry best practices for hashing and salting passwords:

http://www.bogleheads.org/forum/viewtop ... e#p1545627

Since the web site you cite obviously did not even make the effort to ask for a statement from the firms they smeared, the web site should be in the "Posting Crap Without Research It First Hall of Shame"
In any case, according to this Wiki article Vanguard passwords (10 character single-case) can be cracked in less than a day: http://en.wikipedia.org/wiki/Password_strength. Read the paragraph labeled "Password guess validation".
That's for merely breaking a 10 character hashed string. It does not get you a password if salting and/or extension and/or encryption is used. There are encryption methods that used dedicated external hardware so that the keys are not accessible by mere cyber-hacking. We don't know what Vanguard does. See here as to the possibilities:

http://crackstation.net/hashing-security.htm
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: How good is vanguard website security?

Post by ftobin »

tadamsmar wrote:That's for merely breaking a 10 character hashed string. It does not get you a password if salting and/or extension and/or encryption is used.
The time expense noted of breaking of a 10-char hashed string would be with salting implemented (i.e., not using rainbow tables). If salting was not used, a password would be broken in no time at all (just a dictionary lookup).
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How good is vanguard website security?

Post by tadamsmar »

ftobin wrote:
tadamsmar wrote:That's for merely breaking a 10 character hashed string. It does not get you a password if salting and/or extension and/or encryption is used.
The time expense noted of breaking of a 10-char hashed string would be with salting implemented (i.e., not using rainbow tables). If salting was not used, a password would be broken in no time at all (just a dictionary lookup).
True but irrelevant to the fact that there are ways to make a 10 character password hard to crack assuming the cracker has hacked Vanguard's servers.
Alex Frakt
Founder
Posts: 11589
Joined: Fri Feb 23, 2007 12:06 pm
Location: Chicago
Contact:

Re: How good is vanguard website security?

Post by Alex Frakt »

Alskar wrote:Here's where I am coming from: In the late 90's I was part of the Digital Display Working Group (DDWG), the group that created the Digital Visual Display (DVI) standard. The Motion Picture Association of America (MPAA) was very troubled by the idea of their copyrighted content being sent over an unencrypted digital interface. Intel, the promoter of DVI, created the High-Bandwidth Digital Content Protection (HDCP) standard to assuage their fears. I sat in numerous meetings where "cryptology experts" expounded on the difficulty of cracking HDCP. They put into place elaborate key revocation and protection methods. The MPAA was happy. DVI rolled out (if my memory serves) in 1999. On November 5, 2001, Scott Crosby from Carnegie Mellon and some others from Berkley presented a paper "A Cryptanalysis of the High-bandwidth Digital Content Protection System" (http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf) that outlined how to get around HDCP. HDCP lasted less than two years before it was compromised. In 2010 the HDCP master key was hacked with $250 worth of hardware (http://www.engadget.com/2010/09/14/hdcp ... y-protect/). At this point HDCP is nearly useless.

During roughtly the same time frame, I was also sitting on the IEEE 802.11 committee. Wireless security was a huge concern. I sat in the audience during one presentation on the new "unbreakable" encryption system. Apparently unfamiliar with the term "hubris", they named the new standard "Wired Equivalent Privacy" or WEP. In less than 18 months I sat in another conference room and watched another "crypto expert" hack the WEP password and break into a random audience member's laptop in less than 8 minutes. That led to TKIP which led to WPA. I understand that WPA can now be hacked in less than 1 minute: http://www.pcmag.com/article2/0,2817,2352231,00.asp

Numerous other encryption systems have fallen. The Content Scrambling System (CSS) used to encrypt DVD's is now considered worthless. The RSA tokens were hacked. Just today the WSJ and the NY Times announced they were hacked (http://www.cnn.com/2013/01/31/tech/chin ... index.html
You are missing the point that for a financial institution security is a multi-layered system. All of your examples are of security in a single layer system that rely solely on encryption. I agree that all such systems are susceptible to being broken. But that is not what we are dealing with here. For one thing, unlike all of your examples you can't merely throw computing power at decrypting the password, the system won't let you do it directly and other parts of the system are in place to keep you from doing it indirectly. Real security professionals have also read Mitnick's book, those holes are no longer so easy to find. Also, by the way, there is no such thing as a password hash file that can be easily removed when we are discussing systems like this. Generally speaking the hashed and salted passwords reside in protected databases that can only be addressed via the web through a middleman application that is only allowed to ask a limited set of questions. Of course, there will be some people with direct, internal access to the database. But if you can suborn the database administrators, then access to the password hashes is immaterial.

And that's just the start of it. Even if you somehow manage to get in, say through a phishing attack in which you get the customer to simply give you the username and password, you still can't steal anything due to Vanguard's process requirements. If you change the address or bank, you have to wait two weeks before they will transfer any funds. During which time they notify you via e-mail and mail of the change. They also won't transfer into banks unless the names on the accounts match (there are exceptions for trusts and the like, but they require jumping through several hoops such as getting bank signature guarantees). I'm sure the MPAA could live with a system where, if a DVD were decrypted, they were immediately notified and they decryptor couldn't do anything with it for two weeks.

Finally, your own examples show the futility of relying on just stronger encryption for security. WEP-128 passwords are 26 characters, WPA is 63. HDCP is weaker than WEP-128. The point is that anything long enough to make decryption truly difficult actually decreases security, since most users would have to store the passwords on a file on their computers which makes them vulnerable to all sorts of trojan attacks.

Again, for the security system that financial institutions must have, 10 characters is enough.

Consider your ATM card. It relies on passwords of just 4 numbers. That's just 10,000 possibilities (as opposed to the 26,559,922,791,424 of Vanguard passwords). Why is this acceptable? Because the ATM card is part of a security system that is designed to not let you get through those 10,000 possibilities.
User avatar
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: How good is vanguard website security?

Post by Alskar »

Alex Frakt wrote:And that's just the start of it. Even if you somehow manage to get in, say through a phishing attack in which you get the customer to simply give you the username and password, you still can't steal anything due to Vanguard's process requirements. If you change the address or bank, you have to wait two weeks before they will transfer any funds. During which time they notify you via e-mail and mail of the change. They also won't transfer into banks unless the names on the accounts match (there are exceptions for trusts and the like, but they require jumping through several hoops such as getting bank signature guarantees). I'm sure the MPAA could live with a system where, if a DVD were decrypted, they were immediately notified and they decryptor couldn't do anything with it for two weeks.
I really appreciate the insight. It has giving me some food for thought. You're correct that my experience has been with single-layered systems.

I offer the following: You're assuming that the goal of breaking into one's account is to steal money directly from the account. That's not necessary true. Hackers seem to break into different accounts and by using the information from one break-in in combination with other information, they build up enough information to steal from another source. I'm thinking of Mat Honan's article in Wired (http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/). My Vanguard account contains links to other accounts (including account numbers) and the DoB for all of my beneficiaries. This information could be aggregated with data from other break-ins to enable a larger break-in somewhere else.
Alex Frakt wrote:Consider your ATM card. It relies on passwords of just 4 numbers. That's just 10,000 possibilities (as opposed to the 26,559,922,791,424 of Vanguard passwords). Why is this acceptable? Because the ATM card is part of a security system that is designed to not let you get through those 10,000 possibilities.
That's not really an apples-to-apples comparison. The ATM card you're using in an example of two-factor authentication. The first factor ("something you know") is the PIN. The second factor ("something you have") is the ATM card itself. Admittedly, ATM cards can be copied rather easily, but however weak it may be, the card is still a second factor.

So what would be wrong with Vanguard offering two-factor authentication (such as VeriSign VIP Access for example) to those customers that want it? My credit union offers it, so it can't be that expensive. Ebay, PayPal, and Fidelity are all using VIP Access. eTrade offers SecureID. There are numerous other two-factor systems (grid, Sesame, etc) if VIP Access isn't acceptable for some reason.

Two-factor authentication adds another layer to the "layered" security system "just in case" there is a hidden flaw in the current system. My experience with security systems has taught me humility. Modern computer systems are very complex. The complexity makes it impossible for anybody to understand them completely.
Lagom är bäst
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How good is vanguard website security?

Post by tadamsmar »

Alskar,

You seem to be worried about someone logging into your account to get your personal information after they have already accessed Vanguard servers to get the information required to crack your login credentials to access your account?

Seems to me that the barn door is already open when they access Vanguard's servers.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: How good is vanguard website security?

Post by ftobin »

tadamsmar wrote:You seem to be worried about someone logging into your account to get your personal information after they have already accessed Vanguard servers to get the information required to crack your login credentials to access your account?
Being able to access trading is different than being able to access logon credentials. The latter does not imply the former, especially if audit trails trigger alarms if a trade isn't initiated from a logged-on web user.

Additionally, it's a fact of life that many people (likely the most vulnerable) use the same password on multiple sites. Access to a password (or security question) on one site can compromise credentials on other sites.
User avatar
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: How good is vanguard website security?

Post by tadamsmar »

ftobin wrote:
tadamsmar wrote:You seem to be worried about someone logging into your account to get your personal information after they have already accessed Vanguard servers to get the information required to crack your login credentials to access your account?
Being able to access trading is different than being able to access logon credentials. The latter does not imply the former, especially if audit trails trigger alarms if a trade isn't initiated from a logged-on web user.
Can you give an example, I have no idea what you are talking about.
Additionally, it's a fact of life that many people (likely the most vulnerable) use the same password on multiple sites. Access to a password (or security question) on one site can compromise credentials on other sites.
Vanguard website security should be the least of the worries of people who do that on their financial sites.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: How good is vanguard website security?

Post by ftobin »

tadamsmar wrote:
Being able to access trading is different than being able to access logon credentials. The latter does not imply the former, especially if audit trails trigger alarms if a trade isn't initiated from a logged-on web user.
Can you give an example, I have no idea what you are talking about.
A security analysis tool should be able to link a trade or funds request back to the origination. That is, if the backend sees "sell shares of a mutual fund", that should be linked to one or more middle-ware application requests, which in the end links to some entry that says the details of the user's web request. Any failure to chain this information all the way through would trigger an alarm. An attacker may have gotten access to the password database and possibly the trading system, but unless they can create all these links, an attempt to actually fraudulently trade may be discovered.

Furthermore, access to the security authentication systems does not mean access to the trading system, by simple network isolation.
Vanguard website security should be the least of the worries of people who do that on their financial sites.
I'm just stating the nature of the passwords as they are currently exist, and explaining the risks with exposure. People often have a "secure" password and an "insecure" password. They use the secure one at Vanguard & Ameritradeetc and a different one at forums. Vulnerabilities at one of these financial sites compromises security at another financial site.
User avatar
stvyreb
Posts: 159
Joined: Sat Nov 05, 2016 8:57 pm

Re: How good is vanguard website security?

Post by stvyreb »

I'd be more worried about pw recovery, I just did "forgot my pw" on my online bank, a simple SSN, BD and the CVV on a credit card and your in.

that is unless I notice a email to me informing my of my change pw, so since SSN and BD seem to be known or buyable by every Cracker nowadays, that leaves 3 digits to guess on the CVV

another new priviledged ID seems to be phone numbers, though not sure it is worth $5 / month for the Apps to spoof your own ......
Post Reply