lostInFinance wrote: Let's assume the worst case: Vanguard loses a billion dollars in a year. Note that vastly exceeds any documented computer fraud anywhere. Spread over Vanguard's AUM, that adds about 5 basis points to that year's expense ratio, which isn't great news, but most investors wouldn't even notice the difference on their statements. The other question is whether a billion dollars in fraud is even slightly plausible. I bet if Vanguard had anywhere close to a billion dollars in fraud, the FBI and other government agencies would be taking very aggressive actions to unwind the transactions. I doubt anyone could get away with fraud on that scale.
Yeah, that could be true. Although I'm not sure why we should assume the worst case scenario has to be limited to a billion dollar loss. Why couldn't it be a lot more? I assume that we don't really know what the worst case scenario is and that if/when it happens it will potentially be something that no one anticipated.
Here's an interesting article I posted elsewhere about how large U.S. corporations, including financial institutions, are increasingly coming under large-scale cyber attacks that they're not really prepared for:
http://www.nytimes.com/2013/03/29/techn ... -data.html. One interesting element here is that the attackers are not interested in fraud, but rather simply in destruction. The potential for harm there may be even worse than with fraud. And it wouldn't really be relevant if the FBI could "catch" the attackers or not.
But I was thinking after the last post I wrote that the most insidious scenario may not be some huge scandalous fraud, but a certain low but increasing level of relatively minor fraud that financial institutions decide to tolerate in the name of preserving features of convenience for customers (which is basically already how credit cards work--convenience is deliberately chosen over fraud).
In this case, naive customers, who do not assiduously follow all of the security protocols that Vanguard suggests in the fine print and that Vanguard does not enforce as a requirement either, may on a regular basis find themselves defrauded and not getting reimbursed. Because the level of fraud isn't large enough and scandalous enough, institutions like Vanguard won't be forced to change their system to protect these customers.
But in essence, by not requiring better security, Vanguard and other financial institutions have set up the more ignorant and naive amongst us to potentially suffer devastating losses, for which they will not be reimbursed (even though Vanguard knew it was going to happen to some people and could have prevented it with different security protocols). A business decision is essentially made to let some people fall through the cracks, in order not to alienate other customers with more onerous security protocols.
Indeed, I would not be surprised if this is not basically already what happens. I'm sure Vanguard is not going to advertise when customers are defrauded, let alone when it happens and Vanguard refuses to reimburse them. So who really knows what the level of this sort of activity is. All we can know is what Vanguard's website security protocols are and based on their outdated nature guess that this leaves the door open to a certain level of fraud.
In the end, I'm not making any assumptions about what may or may not happen in the future or be happening now. I don't understand the logic of accepting security protocols based on the assumption that everything must be okay the way it is, otherwise it would be different. That is an argument for never changing or improving anything. There are plenty of long-known better security protocols for websites out there. Vanguard is demonstrably way behind the times. They should do better. They should require customers to use better passwords, etc. I don't know why anyone would prefer worse security and unreasonably lenient requirements. We're not talking about our Facebook accounts. We're talking about people's life savings.