Vanguard offers login security code

indexfundfan
Posts: 1964
Joined: Tue Feb 20, 2007 11:21 am

Vanguard offers login security code

Post by indexfundfan » Fri Nov 21, 2014 3:48 pm

If your account is enabled, you can find it under Account Maintenance:

Image
My signature has been deleted.

ddunca1944
Posts: 926
Joined: Fri Apr 01, 2011 1:49 pm

Re: Vanguard offers login security code

Post by ddunca1944 » Fri Nov 21, 2014 5:02 pm

Thanks for posting this. I've just activated mine.

FelixTheCat
Posts: 1476
Joined: Sat Sep 24, 2011 12:39 am

Re: Vanguard offers login security code

Post by FelixTheCat » Fri Nov 21, 2014 5:15 pm

ddunca1944 wrote:Thanks for posting this. I've just activated mine.

+1 on thanks!
Felix is a wonderful, wonderful cat.

Phineas J. Whoopee
Posts: 6810
Joined: Sun Dec 18, 2011 6:18 pm

Re: Vanguard offers login security code

Post by Phineas J. Whoopee » Fri Nov 21, 2014 5:24 pm

Enrolled. Thanks for telling us it's become available.
PJW

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: Vanguard offers login security code

Post by lululu » Fri Nov 21, 2014 5:26 pm

Suck eggs, you people with no text capabilities, signed Vanguard.

Rob5TCP
Posts: 2962
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard offers login security code

Post by Rob5TCP » Fri Nov 21, 2014 5:28 pm

Thank you - just signed up.
I have been waiting for this for a long time.
I set mine to send a code every time.

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Fri Nov 21, 2014 5:31 pm

Works great. Thanks for the heads up, indexfundfan!

Incidentally, Google Voice is listed in Vanguard's instructions as an approved carrier. So a cell phone isn't needed to use the service.

toto238
Posts: 1877
Joined: Wed Feb 05, 2014 2:39 am

Re: Vanguard offers login security code

Post by toto238 » Fri Nov 21, 2014 6:00 pm

lululu wrote:Suck eggs, you people with no text capabilities, signed Vanguard.


You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.

GerryL
Posts: 1523
Joined: Fri Sep 20, 2013 11:40 pm

Re: Vanguard offers login security code

Post by GerryL » Fri Nov 21, 2014 6:07 pm

toto238 wrote:
lululu wrote:Suck eggs, you people with no text capabilities, signed Vanguard.


You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.


Some people have plans that cost extra for texting. I not only did not pay to add unlimited texting, I asked them to turn off the texting capability so I would not be paying for spam texts. Anyone I want to "text" with has an iPhone. Now, if Vanguard would offer the iPhone IM option ....

tfb
Posts: 7754
Joined: Mon Feb 19, 2007 5:46 pm

Re: Vanguard offers login security code

Post by tfb » Fri Nov 21, 2014 7:31 pm

GerryL wrote:Some people have plans that cost extra for texting. I not only did not pay to add unlimited texting, I asked them to turn off the texting capability so I would not be paying for spam texts. Anyone I want to "text" with has an iPhone. Now, if Vanguard would offer the iPhone IM option ....

Google Voice delivers incoming text to the Google Voice number as a message in the Google Voice app. No text needed on the phone.
Harry Sit, taking a break from the forums.

siamond
Posts: 3567
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard offers login security code

Post by siamond » Fri Nov 21, 2014 7:36 pm

ddunca1944 wrote:Thanks for posting this. I've just activated mine.

+1. Just did it. I feel a tiny bit safer now.

John151
Posts: 308
Joined: Fri Mar 02, 2007 6:03 pm

Re: Vanguard offers login security code

Post by John151 » Fri Nov 21, 2014 8:05 pm

I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.

ResearchMed
Posts: 5674
Joined: Fri Dec 26, 2008 11:25 pm

Re: Vanguard offers login security code

Post by ResearchMed » Fri Nov 21, 2014 8:11 pm

John151 wrote:I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.


Potential problem there is "someone else has your computer, and is trying to log on to your Vanguard account", and they also have the device (your computer) that has your email loaded.

Some places allow a phone call to a REGULAR phone. That's great, IF one is "at home", but not so much otherwise, although I guess one could arrange to forward the calls to that number temporarily. But that wouldn't work - if it has to be forwarded to a hotel switchboard, since it would probably be a recorded voice with the code.

RM
This signature is a placebo. You are in the control group.

miles monroe
Posts: 1143
Joined: Mon Jan 20, 2014 12:14 pm

Re: Vanguard offers login security code

Post by miles monroe » Fri Nov 21, 2014 8:13 pm

hey vanguard...why am i reading about this on an internet forum and not in an email from you????

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Fri Nov 21, 2014 8:18 pm

John151 wrote:I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.

Google Voice is free, and I remember it being easy to sign up.

tfb
Posts: 7754
Joined: Mon Feb 19, 2007 5:46 pm

Re: Vanguard offers login security code

Post by tfb » Fri Nov 21, 2014 8:22 pm

Ken Schwartz wrote:
John151 wrote:I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.

Google Voice is free, and I remember it being easy to sign up.

And it can deliver the text by email. https://support.google.com/voice/answer/160203?hl=en
Harry Sit, taking a break from the forums.

John151
Posts: 308
Joined: Fri Mar 02, 2007 6:03 pm

Re: Vanguard offers login security code

Post by John151 » Fri Nov 21, 2014 8:53 pm

Many thanks, Ken and tfb. I'll check this out.

indexmeasap
Posts: 137
Joined: Wed Jul 18, 2012 11:20 pm

Re: Vanguard offers login security code

Post by indexmeasap » Fri Nov 21, 2014 9:32 pm

Let's Recap VG security features (feel free to correct/add any features):

1. Username has been updated to 12 characters (still does not recognize upper/lower case)
2. Password has been updated to 20 characters (still does not recognize upper/lower case)
3. 2 factor/step verification is being rolled out
4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
5. Voice recognition verification is offered (instead of security pass phrases)
6. paperless billing/statement option (prevents possible mail theft)

Is there anything else VG can do?

toto238
Posts: 1877
Joined: Wed Feb 05, 2014 2:39 am

Re: Vanguard offers login security code

Post by toto238 » Fri Nov 21, 2014 9:34 pm

indexmeasap wrote:Let's Recap VG security features (feel free to correct/add any features):

1. Username has been updated to 12 characters (still does not recognize upper/lower case)
2. Password has been updated to 20 characters (still does not recognize upper/lower case)
3. 2 factor/step verification is being rolled out
4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
5. Voice recognition verification is offered (instead of security pass phrases)
6. paperless billing/statement option (prevents possible mail theft)

Is there anything else VG can do?


Password IS case sensitive and you can use most symbols. Username is not.

investor1
Posts: 1040
Joined: Thu Mar 15, 2012 8:15 pm

Re: Vanguard offers login security code

Post by investor1 » Fri Nov 21, 2014 10:07 pm

Thanks!

rob
Posts: 2871
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: Vanguard offers login security code

Post by rob » Fri Nov 21, 2014 10:23 pm

indexmeasap wrote:Is there anything else VG can do?

Yeah.... Better 2 factor instead of SMS - via either an app (RSA, ENIX or a million others) or via a hardware token that a lot of us already have for other things.
| Rob | It's a dangerous business going out your front door. - J.R.R.Tolkien

stlutz
Posts: 4080
Joined: Fri Jan 02, 2009 1:08 am

Re: Vanguard offers login security code

Post by stlutz » Fri Nov 21, 2014 10:34 pm

Let's Recap VG security features (feel free to correct/add any features):

1. Username has been updated to 12 characters (still does not recognize upper/lower case)
2. Password has been updated to 20 characters (still does not recognize upper/lower case)
3. 2 factor/step verification is being rolled out
4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
5. Voice recognition verification is offered (instead of security pass phrases)
6. paperless billing/statement option (prevents possible mail theft)


I have to say they are actually ahead of the other financial firms that I do business with on this front.

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: Vanguard offers login security code

Post by lululu » Fri Nov 21, 2014 10:44 pm

ResearchMed wrote:Some places allow a phone call to a REGULAR phone. That's great, IF one is "at home", but not so much otherwise, although I guess one could arrange to forward the calls to that number temporarily. But that wouldn't work - if it has to be forwarded to a hotel switchboard, since it would probably be a recorded voice with the code.

RM


It's fine for people at home, though. Dinky little credit unions can do this, Vanguard should be able to.

toto238 wrote:
lululu wrote:Suck eggs, you people with no text capabilities, signed Vanguard.


You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.


Oh, gosh, 2014 here I come, with my existing cell phone that I don't waste money paying for text on. And I don't waste time installing a package because Vanguard did a half-deleted implementation.

toto238
Posts: 1877
Joined: Wed Feb 05, 2014 2:39 am

Re: Vanguard offers login security code

Post by toto238 » Sat Nov 22, 2014 1:13 am

Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?

Phineas J. Whoopee
Posts: 6810
Joined: Sun Dec 18, 2011 6:18 pm

Re: Vanguard offers login security code

Post by Phineas J. Whoopee » Sat Nov 22, 2014 1:44 am

toto238 wrote:Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?

Therein lies the rub, and a reason one might consider not requiring the code when using a known-to-Vanguard computer. Either way, Vanguard has to have a procedure to use things one knows, or documentation one can obtain (which of course can be counterfeited), rather than strictly what one has or is, including voice verification, because both one's computer and one's phone might be destroyed in a fire or such. If in the same incident one's throat was injured by smoke inhalation, access to assets still should not become impossible.

It ain't pretty, but it has to be allowed for in advance, because in a sufficiently large population it will happen.

In all of computer security, including in our present certificate system, one can't escape the principle that "you have to trust somebody."

On the other hand, outside of emergency circumstances, you can make yourself a difficult target, or mark, to encourage the pickpockets to focus on somebody else. I'm against the practice of picking pockets, but so long as I'm powerless to end it I may as well render myself difficult to rob. As the old joke goes, I don't have to outrun the grizzly bear. I only have to outrun you.

PJW

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Sat Nov 22, 2014 1:46 am

toto238 wrote:Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?

You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.

If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.

toto238
Posts: 1877
Joined: Wed Feb 05, 2014 2:39 am

Re: Vanguard offers login security code

Post by toto238 » Sat Nov 22, 2014 1:53 am

Ken Schwartz wrote:
toto238 wrote:Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?

You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.

If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.


So here's the security issue. Hacker calls Vanguard with my personal info and says "my phone was stolen, change my phone number to this new number." Now the security code is going to the hacker's cell. Security defeated.

It can't be as easy as just calling in. I imagine you'd have to do voice verification or something like that for them to be able to change it over the phone. Maybe sending in a letter of instruction with a signature guarantee or notary may do the trick.

So DEFINITELY make sure you have voice verification set up before doing this. Just in case.

lazyday
Posts: 3033
Joined: Wed Mar 14, 2007 10:27 pm

Re: Vanguard offers login security code

Post by lazyday » Sat Nov 22, 2014 3:56 am

I'd hope that if you lose your phone and didn't choose the "only when we don't recognize your computer" option, then you can't get into the account until you write or call Vanguard, and wait for a reset code to arrive in the mail.

Or toto's security guarantee would be nice.

scooterdog
Posts: 138
Joined: Fri Mar 29, 2013 7:42 am
Location: Potomac MD

Re: Vanguard offers login security code

Post by scooterdog » Sat Nov 22, 2014 5:27 am

Many thanks for this!

For those not aware of Two Factor Authentication (TFA), here's a Gizmodo piece on the sites that offer it from about a month ago. Link

The list includes: Apple, Google, Facebook, Microsoft, Twitter, Dropbox, Yahoo, Evernote and PayPal. (One not listed is LinkedIn.)

One of the most important logins to protect is your email account (in addition to the financial ones) - so if you use online Gmail, Hotmail or Yahoo Mail you should at least have TFA activated on these. (Yes it takes a few extra moments to receive the code via text but is completely worth it.) If you want to read of a person's experience with a hacked email account: How Apple and Amazon Security Flaws Led to My Epic Hacking

For those who want to use something else other than text messages (say you have a limited text message plan), there's a great app called Authy that's a nice alternative to Google Authenticator. (Both do app-based TFA as a program that runs on a smartphone, and you plug in a number generated by the app.) I've found that Authy has a lot more websites compatible with it (namely Microsoft, Facebook, Dropbox, Google, Evernote, Lastpass and Hootsuite). Authy is here.

Lastly if you write a WordPress blog TFA is also available for free. Duo Security is a WordPress plug-in that also has a smartphone counterpart app. (I needed to install this as even though I had other security features to the blog it was getting lots of login attempts from places in Eastern Europe, India, SE Asia etc.)

lazyday
Posts: 3033
Joined: Wed Mar 14, 2007 10:27 pm

Re: Vanguard offers login security code

Post by lazyday » Sat Nov 22, 2014 5:55 am

Here's a post on a site that lists banks, brokers, email, etc with 2FA: viewtopic.php?f=10&t=150266

VirginiaBob
Posts: 94
Joined: Wed Nov 12, 2014 9:04 am

Re: Vanguard offers login security code

Post by VirginiaBob » Sat Nov 22, 2014 6:36 am

No thanks. This will only make it harder to day trade with my Vanguard account while at work. :P

Grasshopper
Posts: 840
Joined: Sat Oct 09, 2010 3:52 pm

Re: Vanguard offers login security code

Post by Grasshopper » Sat Nov 22, 2014 8:06 am

Signed up, but every logon won't work with Quicken only recognised device. :oops:

Bob.Beeman
Posts: 85
Joined: Mon Dec 12, 2011 5:32 pm

Re: Vanguard offers login security code

Post by Bob.Beeman » Sat Nov 22, 2014 8:57 am

What this thread seems to be concentrating on is security against theft or misuse of your password and/or your computer. Secondarily, we need to have some plan in case Vanguard accidentally exposes their half: the hashed (and hopefully salted) passwords and hints. This secondary issue is important. The eHarmony and LinkedIn disasters were due to storing users' login credentials on their servers without salt. "Salting" passwords was old hat in the mid-1970s and makes the hacker's job almost infinitely more difficult. It only takes a few lines of code. Organizations are stupid and dishonest. Even ones like eHarmony and LinkedIn.

Here is what I did to protect myself. Note that while I happen to use a Mac, all of these are possible steps for PCs:

  1. Use a long password that I never write down or record anywhere, even in a key manager like Keychain or LastPass. The password uses lower-case letters and decimal digits, and is really long.
  2. Manage my "Hints" for account recovery. For example, my first girlfriend was someone named "G8XQ9ABZN". It wasn't "Heather", or "Judy", or any normal name. If your financial institution won't accept non-pronounceable things make up a name that appears to be pronounceable. A google search can help you with this.
  3. Buy an external hard drive (1TB cost me $99) and create two partitions: one encrypted and one non-encrypted. Install the latest OSX (Windows/Linux) on the encrypted partition with a really long password different from the Vanguard password. The unencrypted partition is where you move things like financial statements to. Then, after you finish your financial transactions and shut down your computer, you can re-boot from your normal drive and the items you wanted to reference on your normal account are accessible from the non-encrypted partition, provided you leave the disk plugged in. Obviously, don't move sensitive info to the unencrypted partition. Equally obviously you never move any information from the unencrypted disk to the encrypted disk.
  4. The first account on a new encrypted boot partition is, of necessity, an administrative account. Make a non-administrative account for actual use. Never use the administrative account for ANYTHING except to set up the non-administrative account. This means that if you get malware installed, it won't have administrative privileges on your computer. This is a very good idea even if you don't do any of the other things.
  5. Disable all applications that you won't be using. No mail, especially no "Apps". You need a browser. Maybe a text editor. That's about it.
  6. Eliminate ALL bookmarks from the browser. Add one each for Vanguard and any other secure financial institutions you use. You might consider turning on Parental Controls so that you CAN'T go anywhere else, especially if you are absent-minded or weak-willed.
  7. Always reboot your computer from this special encrypted disk/partition when accessing financial transactions.
  8. Never use this disk and login for anything other than your secure financial transactions.
  9. If you MUST write down your passwords, write them on an index card and put it in a book somewhere. Don't label what the passwords are for. If possible encrypt them in some way, like
    reverse pairs of symbols (mypassword -> ymapssowdr)
    or reverse the whole thing (mypassword -> drowssapym)
    or both (mypassword -> rdwosspamy)
    or get creative. You will only use this in the event of a real problem, so it's OK to be complicated.

Yes, this is a real pain, at least at first, but it gets pretty easy to use once you are set up.
You expected that some magic talisman would replace due diligence? Think again.

Security and Convenience are mortal enemies.

-Bob. Beeman.
Last edited by Bob.Beeman on Sat Nov 22, 2014 9:23 am, edited 5 times in total.
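What salting changes on the server side, as an added example that is not part of the post above and not any institution's actual code: with an unsalted hash, every account that shares a password shares a stored value, so one lookup covers all of them, while a per-user random salt makes each record unique. SHA-1 for the unsalted case, PBKDF2-HMAC-SHA256 with the iteration count below, and the user names and passwords are all assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a fast hash of the password and nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None):
    """Salted, deliberately slow hash. Returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_hash_groups(table: dict) -> list:
    """Groups of users whose stored value is identical.

    On a leaked table every such group falls to a single guess, and an
    unsalted value can also be matched against tables computed in advance.
    """
    by_value = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


# Constructed sample accounts: alice and bob happen to pick the same password.
USERS = {
    "alice": "correct horse 42",
    "bob": "correct horse 42",
    "carol": "tr0ub4dor&3",
}


def build_tables(users: dict = USERS):
    """Return (unsalted_table, salted_table) as they would sit in a database."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, identical records:", shared_hash_groups(unsalted))
    print("salted, identical records:  ", shared_hash_groups(salted))
    salt, digest = salted["alice"]
    print("alice logs in:", verify_password("correct horse 42", salt, digest))
```

The salt is stored in the clear next to the digest; its job is to force an attacker to work on each account separately, not to be secret.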

lazyday
Posts: 3033
Joined: Wed Mar 14, 2007 10:27 pm

Re: Vanguard offers login security code

Post by lazyday » Sat Nov 22, 2014 9:11 am

I've started to write up a security plan, like Bob has above, but very different strategies.

Does anyone know of a good electronic security forum where I can post it for critique?

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Sat Nov 22, 2014 9:23 am

toto238 wrote:
Ken Schwartz wrote:
toto238 wrote:Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?

You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.

If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.


So here's the security issue. Hacker calls Vanguard with my personal info and says "my phone was stolen, change my phone number to this new number." Now the security code is going to the hacker's cell. Security defeated.

It can't be as easy as just calling in. I imagine you'd have to do voice verification or something like that for them to be able to change it over the phone. Maybe sending in a letter of instruction with a signature guarantee or notary may do the trick.

So DEFINITELY make sure you have voice verification set up before doing this. Just in case.

You're absolutely right about the security issue here. I didn't mean to imply the rep would change the phone number without authentication. I would hope either voice verification or answers to a bunch of tough questions would be required.

Sidney
Posts: 6648
Joined: Thu Mar 08, 2007 6:06 pm

Re: Vanguard offers login security code

Post by Sidney » Sat Nov 22, 2014 9:30 am

Grasshopper wrote:Signed up, but every log on won't work with Quicken only recognized device. :oops:

I don't like the idea of giving software access to my financial accounts.
I always wanted to be a procrastinator.

lazyday
Posts: 3033
Joined: Wed Mar 14, 2007 10:27 pm

Re: Vanguard offers login security code

Post by lazyday » Sat Nov 22, 2014 9:43 am

Sidney, I'm not sure about Vanguard but some brokers allow you to set up a separate read only ID.

I've never tried this but might if I had a lot of tax data to input.

It would be nice if you could download the data into a format that TaxAct could read, so that you don't need to give the software any password at all.

whadyaknow
Posts: 122
Joined: Sun Mar 10, 2013 11:51 am

Re: Vanguard offers login security code

Post by whadyaknow » Sat Nov 22, 2014 10:16 am

Sweet. This is a great start. Another way to do this is automated voice calls; but that's more expensive than sending texts. In the spirit of keeping costs low, I'll gladly accept this text-only implementation from Vanguard.

@Bob.Beeman, How about using a Virtual Machine instead of what you described? All financial transactions happen in the VM. Will that be as secure?
80/20 Stock/Bond

Silence Dogood
Posts: 699
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard offers login security code

Post by Silence Dogood » Sat Nov 22, 2014 10:20 am

indexmeasap wrote:Let's Recap VG security features (feel free to correct/add any features):

1. Username has been updated to 12 characters (still does not recognize upper/lower case)
2. Password has been updated to 20 characters (still does not recognize upper/lower case)
3. 2 factor/step verification is being rolled out
4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
5. Voice recognition verification is offered (instead of security pass phrases)
6. paperless billing/statement option (prevents possible mail theft)

Is there anything else VG can do?


1. I'm pretty sure the username has always been 12 characters. I don't think that's been updated in a long time. I wish it were because the username I prefer is slightly longer than 12 characters long.

2. I use Lastpass for my password so I feel pretty secure on that front. I would prefer to have an even longer password though.

3. Appreciate the 2 step verification but I would like the ability to use the Google Authenticator app.

4. I really like this feature but it would be much better if I could see (and edit) a list of all the recognized devices. Lastpass does a great job with this. I can see a list of all the devices that are currently recognized and can delete any that I no longer wish to be recognized. Lastpass also allows me to restrict access from other countries (and tor).

5. I really like the voice verification. I wish they would get rid of the security questions altogether. If someone fails the voice verification are they then asked the security questions? If so, that would defeat the purpose.

6. Definitely signed up for this.

Bob.Beeman
Posts: 85
Joined: Mon Dec 12, 2011 5:32 pm

Re: Vanguard offers login security code

Post by Bob.Beeman » Sat Nov 22, 2014 10:33 am

whadyaknow wrote:@Bob.Beeman, How about using a Virtual Machine instead of what you described? All financial transactions happen in the VM. Will that be as secure?

Several of my friends do this. Whether it is as good depends on how much you trust the Virtual Machine software. I would tend to trust that.

The other thing is that if you do it my way and you lose the disk the whole thing is encrypted and probably only some federal agency could recover the data. When you run a virtual machine my understanding is that any files you save and browser cookies are not encrypted once you boot out of the VM.

If the VM encrypts the entire virtual disk, then yes, it is probably just as good. Just don't forget the other items, no mail client, no Apps, no bookmarks for anything other than your financial organizations, etc. Also, I have Java and Flash turned off in the browser. Any financial institution that requires those is run by people who are astoundingly (stupid/inattentive/dishonest). Flash and Java (not JavaScript) browser plugins are famous as security risks. Fonts of Dis-Knowledge.

You have to find your own comfort level. The one in my previous post represents mine. Yours may legitimately differ.

- Bob.Beeman

dcnut
Posts: 159
Joined: Fri Mar 02, 2007 1:00 pm
Location: Illinois

Re: Vanguard offers login security code

Post by dcnut » Sat Nov 22, 2014 10:58 am

I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
Can we use the same cell phone number for 2-factor authorization? Glenn

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Sat Nov 22, 2014 11:21 am

dcnut wrote:I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
Can we use the same cell phone number for 2-factor authorization? Glenn

I don't see why not. Try it.

dcnut
Posts: 159
Joined: Fri Mar 02, 2007 1:00 pm
Location: Illinois

Re: Vanguard offers login security code

Post by dcnut » Sat Nov 22, 2014 4:52 pm

Ken Schwartz wrote:
dcnut wrote:I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
Can we use the same cell phone number for 2-factor authorization? Glenn

I don't see why not. Try it.


Well it turns out that Vanguard's terms and conditions require that the cell phone be registered in your name, and not your spouse's. Since our cell phone is registered to my wife, I cannot use that phone for my Vanguard account.

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Sat Nov 22, 2014 5:26 pm

dcnut wrote:
Ken Schwartz wrote:
dcnut wrote:I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
Can we use the same cell phone number for 2-factor authorization? Glenn

I don't see why not. Try it.


Well it turns out that Vanguard's terms and conditions require that the cell phone be registered in your name, and not your spouse's. Since our cell phone is registered to my wife, I cannot use that phone for my Vanguard account.

Good catch, but I think there's a way around that rule. The 3rd item in "Additional Terms and Conditions" states
The mobile phone number you provide to sign up for the Service is registered in your name, and you will not initiate messages to the phone or other access device of any other person or entity.

Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.

I'm not absolutely sure this approach would really work, nor am I sure it's within the rules, but it is a thought . . .

Edit: This is a bad idea. I think it runs afoul of the "you will not initiate messages to the phone or other access device of any other person or entity" rule.
Last edited by xenial on Sat Nov 22, 2014 5:45 pm, edited 1 time in total.

Sidney
Posts: 6648
Joined: Thu Mar 08, 2007 6:06 pm

Re: Vanguard offers login security code

Post by Sidney » Sat Nov 22, 2014 5:28 pm

Ken Schwartz wrote:Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.

Or you could use Google Voice directly since you will be right there at a computer that you trust enough to log in to VG.
I always wanted to be a procrastinator.

xenial
Posts: 2566
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard offers login security code

Post by xenial » Sat Nov 22, 2014 5:46 pm

I retract my idea from 2 messages above. (See my edit.) Sidney's approach looks good.

dcnut
Posts: 159
Joined: Fri Mar 02, 2007 1:00 pm
Location: Illinois

Re: Vanguard offers login security code

Post by dcnut » Sat Nov 22, 2014 10:18 pm

Sidney wrote:
Ken Schwartz wrote:Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.

Or you could use Google Voice directly since you will be right there at a computer that you trust enough to log in to VG.


This is, in fact, what I will do. I spent this afternoon getting familiar with Google Voice, and then I signed up for a Google account with a Google Voice number. I also verified that I could send a text message to this number which can be read in the Google Voice inbox. Tomorrow, I will use this number to enable 2-factor authorization for my Vanguard account. My daughter, a Google software engineer in CA, would approve.

Glenn

Ninegrams
Posts: 557
Joined: Sun Aug 17, 2014 6:12 pm

Re: Vanguard offers login security code

Post by Ninegrams » Sat Nov 22, 2014 11:02 pm

Bob.Beeman wrote:What this thread seems to be concentrating on is security against theft or misuse of your password and/or your computer. Secondarily, we need to have some plan in case Vanguard accidentally exposes their half: the hashed (and hopefully salted) passwords and hints. This secondary issue is important. The eHarmony and LinkedIn disasters were due to storing users' login credentials on their servers without salt. "Salting" passwords was old hat in the mid-1970s and makes the hacker's job almost infinitely more difficult. It only takes a few lines of code. Organizations are stupid and dishonest. Even ones like eHarmony and LinkedIn.

Here is what I did to protect myself. Note that while I happen to use a Mac, all of these are possible steps for PCs:

  1. Use a long password that I never write down or record anywhere, even in a key manager like Keychain or LastPass. The password uses lower-case letters and decimal digits, and is really long.
  2. Manage my "Hints" for account recovery. For example, my first girlfriend was someone named "G8XQ9ABZN". It wasn't "Heather", or "Judy", or any normal name. If your financial institution won't accept non-pronounceable things, make up a name that appears to be pronounceable. A google search can help you with this.
  3. Buy an external hard drive (1TB cost me $99) and create two partitions: one encrypted and one non-encrypted. Install the latest OSX (Windows/Linux) on the encrypted partition with a really long password different from the Vanguard password. The unencrypted partition is where you move things like financial statements to. Then, after you finish your financial transactions and shut down your computer, you can re-boot from your normal drive and the items you wanted to reference on your normal account are accessible from the non-encrypted partition, provided you leave the disk plugged in. Obviously, don't move sensitive info to the unencrypted partition. Equally obviously you never move any information from the unencrypted disk to the encrypted disk.
  4. The first account on a new encrypted boot partition is, of necessity, an administrative account. Make a non-administrative account for actual use. Never use the administrative account for ANYTHING except to set up the non-administrative account. This means that if you get malware installed, it won't have administrative privileges on your computer. This is a very good idea even if you don't do any of the other things.
  5. Disable all applications that you won't be using. No mail, especially no "Apps". You need a browser. Maybe a text editor. That's about it.
  6. Eliminate ALL bookmarks from the browser. Add one each for Vanguard and any other secure financial institutions you use. You might consider turning on Parental Controls so that you CAN'T go anywhere else, especially if you are absent-minded or weak-willed.
  7. Always reboot your computer from this special encrypted disk/partition when accessing financial transactions.
  8. Never use this disk and login for anything other than your secure financial transactions.
  9. If you MUST write down your passwords, write them on an index card and put it in a book somewhere. Don't label what the passwords are for. If possible encrypt them in some way, like
    reverse pairs of symbols (mypassword -> ymapssowdr)
    or reverse the whole thing (mypassword -> drowssapym)
    or both (mypassword -> rdwosspamy)
    or get creative. You will only use this in the event of a real problem, so it's OK to be complicated.

Yes, this is a real pain, at least at first, but it gets pretty easy to use once you are set up.
You expected that some magic talisman would replace due diligence? Think again.

Security and Convenience are mortal enemies.

-Bob. Beeman.


That's all fine and works well I'm sure, but you could just set up a second system (any older system would work fine for the purpose) and dedicate it for financial use only. I have an ancient desktop (Dell 4700) that fills that role nicely.
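
The salting point in the quoted Bob.Beeman post, as an added example that is not part of any post in this thread: it compares what a leaked table reveals when passwords are stored as an unsalted fast hash versus a per-user salt with a slow key-derivation function. The user names, passwords, SHA-1 as the unsalted hash, and PBKDF2 with 600,000 iterations are all assumptions of this sketch; the thread names no algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: alice and bob happen to pick the same password.
USERS = {"alice": "correct horse 42", "bob": "correct horse 42", "carol": "tr0ub4dor"}
PBKDF2_ITERATIONS = 600_000  # illustrative work factor (assumption)


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def build_tables(users: dict) -> tuple:
    """Return (unsalted_table, salted_table) as a server might store them."""
    unsalted = {name: unsalted_hash(pw) for name, pw in users.items()}
    salted = {name: salted_record(pw) for name, pw in users.items()}
    return unsalted, salted


def distinct_values(values) -> int:
    """Count distinct stored values: fewer than users means reuse is visible."""
    return len(set(values))


if __name__ == "__main__":
    unsalted, salted = build_tables(USERS)
    # Unsalted: one precomputed lookup table serves every account, and
    # alice and bob are visibly sharing a password.
    print("unsalted distinct:", distinct_values(unsalted.values()))
    # Salted: every record differs, so each must be attacked separately.
    print("salted distinct:", distinct_values(r["digest"] for r in salted.values()))
    print("login ok:", verify("correct horse 42", salted["alice"]))
```
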

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: Vanguard offers login security code

Post by lululu » Sat Nov 22, 2014 11:13 pm

whadyaknow wrote:Sweet. This is a great start. Another way to do this is automated voice calls; but that's more expensive than sending texts. In the spirit of keeping costs low, I'll gladly accept this text-only implementation from Vanguard.


How much more expensive can it be, when no humans are involved? And yet financial institutions in my state with 1/1000 the assets of Vanguard can manage to provide this service to all their customers, not just people with text capability.

ccieemeritus
Posts: 509
Joined: Thu Mar 06, 2014 10:43 pm

Re: Vanguard offers login security code

Post by ccieemeritus » Sun Nov 23, 2014 12:52 am

OP: thanks for posting about the login security code. I signed up and set it to always send a text to my phone when accessing my Vanguard account.
+1 financial account protected with 2-factor authentication without adding to my physical token collection. That puts me at about 50%.

I already have a similar "text message code plus static password" feature from BankOfAmerica. I've used it for years without issue (although one advantage there is that BofA has my DW's phone as well, so one lost phone won't lock us out of our Bank).
