New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: New Vanguard Security Code Requirement

Post by pokebowl » Sat Jul 21, 2018 2:01 am

zoneinfo wrote:
Sat Jul 21, 2018 12:41 am

Honestly, reading things like this makes me silently scream in terror as countless people in charge of security likely feel that way too.
There are just as many of us (information security professionals) that would force you all to use hardware 2FA if we could. :beer

That being said, Vanguard does allow a nuclear option if you take the proper safeguards.
There is nothing more expensive than something offered for free.

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 2:49 am

The server isn't relying on TLS to authenticate the client, so I don't see a way for this to be an issue short of breaking the protocol itself. If that happens, we've got bigger problems.
If the TLS handshake uses a forged IP address in the packet header, replies won't be received at the rogue site, and the session key exchange will fail as noted already. The best implementation of "remember my machine" should remember for the duration of any TLS session, the IP address of any client for which it executes a TLS handshake. When login credentials are sent, the remembered IP address is retrieved and if the IP address used for the TLS fails to match it, or fails to match any subsequent IP address in a packet header, the session is terminated immediately.

I have no idea if Vanguard implements it that way, nor whether there may be some clever way to circumvent such a safeguard.
It would actually be beneficial if financial systems did switch to a mutual authentication PKI system, where clients could only access if they possessed the correct private key. Eliminates the need to transmit a password to the server, anyway, and it's probably better to store a private key in a hardware-backed vault on a phone.
This could be implemented as challenge-based authentication that I referred to above. The server generates a challenge consisting of a random string concatenated with a sequence number in a non-repeating numerical sequence. The challenge is encrypted with the user's public key and sent to the user. The user decrypts the challenge, concatenates it to a randomly generated session key, encrypts with the service's public key and returns to the server.

The server decrypts the response with the service's private key and if the correct cleartext challenge was returned, the user authenticates and server and user use the session key to continue the session in encrypted format. No passwords to manage, no TLS, maybe still certificate authorities to manage the distribution of server public keys, as they will change over time. The non-repeating sequence ensures there are no replay attacks: each encrypted challenge and encrypted response will be unique.

This was first published in 1978. That's only 40 years ago. No need to rush here.

I think yubikey now supports a similar protocol (called Fido2?). Financial services ideally would implement this or something comparable without fallback to a weaker standard upon failure. 2FA with yubikey or hard RSA tokens and no fallbacks would also be fine.
Good luck getting customers to live with this level of security though. We can't even get chip+PIN credit cards in this country.
Or in Europe. Apparently self-service payment kiosks like train ticket machines are the only time you will be asked for a pin.
Risk is not a guarantor of return.
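The challenge-response exchange jalbert sketches above, written out as an added example (this is not jalbert's code and not anything Vanguard ships): both sides in Go, using the standard library's RSA-OAEP for the "encrypt with the user's public key" and "encrypt with the service's public key" steps. The 16-byte random string, the 8-byte sequence number, the 32-byte session key, and the in-memory `pending` table the server uses to honour each sequence number exactly once are this example's assumptions; the post fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Cleartext challenge = 16 random bytes || 8-byte big-endian sequence number;
// the 32-byte session key follows it in the response. Lengths are assumptions.
const nonceLen, challengeLen, sessionKeyLen = 16, 24, 32

// Server: service key pair, enrolled user's public key, sequence counter, and
// challenges issued but not yet answered, keyed by sequence number.
type Server struct {
	key     *rsa.PrivateKey
	userPub *rsa.PublicKey
	seq     uint64
	pending map[uint64][]byte
}

// Client: the user's key pair and the service's public key.
type Client struct {
	key       *rsa.PrivateKey
	serverPub *rsa.PublicKey
}

// NewChallenge builds random || seq, remembers it, and encrypts it to the user.
func (s *Server) NewChallenge() ([]byte, error) {
	plain := make([]byte, challengeLen)
	if _, err := rand.Read(plain[:nonceLen]); err != nil {
		return nil, err
	}
	s.seq++ // strictly increasing, so no two challenges are ever identical
	binary.BigEndian.PutUint64(plain[nonceLen:], s.seq)
	s.pending[s.seq] = plain
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.userPub, plain, nil)
}

// Respond decrypts the challenge with the user's private key, appends a fresh
// session key, and encrypts challenge || sessionKey to the service's public key.
func (c *Client) Respond(encChallenge []byte) (response, sessionKey []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, encChallenge, nil)
	if err != nil {
		return nil, nil, err
	}
	sessionKey = make([]byte, sessionKeyLen)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	msg := append(append([]byte{}, plain...), sessionKey...)
	response, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c.serverPub, msg, nil)
	return response, sessionKey, err
}

// Verify decrypts the response with the service's private key and accepts it
// only if it returns an outstanding challenge verbatim. A sequence number is
// honoured once, so a replayed response finds no pending entry and is refused.
func (s *Server) Verify(response []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, response, nil)
	if err != nil || len(plain) != challengeLen+sessionKeyLen {
		return nil, errors.New("response is not a valid challenge || session key")
	}
	challenge, sessionKey := plain[:challengeLen], plain[challengeLen:]
	seq := binary.BigEndian.Uint64(challenge[nonceLen:])
	if expected, ok := s.pending[seq]; !ok || !bytes.Equal(challenge, expected) {
		return nil, errors.New("unknown, already used, or mismatched challenge")
	}
	delete(s.pending, seq)
	return sessionKey, nil
}

// RunProtocol enrols two fresh 2048-bit key pairs, performs one honest login,
// then replays the captured response. It reports whether both sides hold the
// same session key and whether the replay was refused.
func RunProtocol() (keysAgree, replayRejected bool, err error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	ck, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return false, false, errors.New("key generation failed")
	}
	s := &Server{key: sk, userPub: &ck.PublicKey, pending: map[uint64][]byte{}}
	c := &Client{key: ck, serverPub: &sk.PublicKey}
	enc, err := s.NewChallenge()
	if err != nil {
		return false, false, err
	}
	resp, clientKey, err := c.Respond(enc)
	if err != nil {
		return false, false, err
	}
	serverKey, err := s.Verify(resp)
	if err != nil {
		return false, false, err
	}
	_, replayErr := s.Verify(resp) // the same ciphertext, submitted a second time
	return bytes.Equal(clientKey, serverKey), replayErr != nil, nil
}
```

`RunProtocol` completes one login and then resubmits the identical response; the second attempt fails because the server has already consumed that sequence number, which is the replay protection the post relies on. Two points a reviewer would raise: OAEP padding is what keeps the challenge bytes hidden and the response non-malleable (textbook RSA would give neither), and the exchange only authenticates the user if the client already holds the genuine service public key, which is the certificate-distribution problem the post itself says remains.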

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 2:55 am

pokebowl wrote:
Sat Jul 21, 2018 2:01 am
zoneinfo wrote:
Sat Jul 21, 2018 12:41 am

Honestly, reading things like this makes me silently scream in terror as countless people in charge of security likely feel that way too.
There are just as many of us (information security professionals) that would force you all to use hardware 2FA if we could. :beer

That being said, Vanguard does allow a nuclear option if you take the proper safeguards.
Regardless, you need to set up either voice authentication or an enhanced phone security password even if you do everything online as an attacker may still try to call in.
Last edited by jalbert on Sat Jul 21, 2018 5:55 am, edited 1 time in total.
Risk is not a guarantor of return.

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 3:06 am

Developers don't have to be security experts to get the security engineering right. The "remember my machine" feature after 2FA violates a fundamental principle of security, the Principle of Least Privilege, which posits that one should always use or favor configurations with the least privileges or fewest system capabilities needed to enable a solution. Based on this alone, the "remember my machine" feature should have been dismissed promptly without much discussion during the design phase of the authentication mechanism.
Risk is not a guarantor of return.

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: New Vanguard Security Code Requirement

Post by pokebowl » Sat Jul 21, 2018 3:16 am

jalbert wrote:
Sat Jul 21, 2018 2:55 am

Regardless, you need to set up either voice authentication or an enhanced phone security password even if you do everything online as an attacker may still try to call in.
The weakest link will always be the human. Be that the end customer or Vanguard employees. When it's the latter you have legal options. I wouldn't go down the rabbit hole of attempting to obtain 100% security (it doesn't exist). If I were allowed free rein to put on a black hat and given a blank slate, I could probably terrify you all with what is truly possible, both in the realm of online attacks and social engineering humans :twisted: , however at the end of the day most everyone isn't important enough to receive such targeted focus. While it's nice to know what's out there, 99.99% of end users will mostly have to worry about phishing emails and local malware infections, which Vanguard does help mitigate to various degrees.

I've made it clear I am not a fan of Vanguard's default 2FA offerings; that being said, they do allow alternative options for the security conscious, and mandating 2FA overall, regardless of the medium used, is better than no 2FA. :beer
There is nothing more expensive than something offered for free.

GoldStar
Posts: 533
Joined: Wed May 23, 2018 10:59 am

Re: New Vanguard Security Code Requirement

Post by GoldStar » Sat Jul 21, 2018 5:13 am

OP - you are an anomaly - most people that work in IT security like 2FA (in part due to some of the threats that jalbert mentioned).

dknightd
Posts: 849
Joined: Wed Mar 07, 2018 11:57 am

Re: New Vanguard Security Code Requirement

Post by dknightd » Sat Jul 21, 2018 6:05 am

I'm not a vanguard customer. I'm not a fan of 2fa but understand it helps serve a need. It can't hurt to try to make things more secure, even though it is a little less convenient for users.

What I'm curious about is how people prefer to receive their second factor code.
I prefer to have mine emailed to me. Partially because I'm likely already on a computer, and have access to email.
Also then I can just copy and paste.
Do you think having it sent via text, or an actual phone call, is better or worse than using email?
If somebody called me, then I'd need 4 things: computer, telephone, paper, pencil (so I could write down the code and not forget it ;)
A text message is fine, as long as I have my phone handy. But is it more secure than an email?

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.

I really do not want to have a chip inserted in me, but I can see one day that might happen to people.

Chip
Posts: 2203
Joined: Wed Feb 21, 2007 4:57 am

Re: New Vanguard Security Code Requirement

Post by Chip » Sat Jul 21, 2018 6:13 am

dknightd wrote:
Sat Jul 21, 2018 6:05 am
What I'm curious about is how people prefer to receive their second factor code.
I prefer to have mine emailed to me. Partially because I'm likely already on a computer, and have access to email.
I recently enabled 2FA at Fidelity, after procrastinating for quite a while, thinking it would be a hassle. Fidelity uses the Symantec VIP app. I have it installed on my phone.

It's turned out not to be a hassle at all. My phone is always near the computer I use to access Fidelity. By the time the Fido web site loads up I've opened the Symantec app and have the six digit code I need.

I have another account where they send a code by email. It seems to always take too much time to receive the email. That's annoying.

dknightd
Posts: 849
Joined: Wed Mar 07, 2018 11:57 am

Re: New Vanguard Security Code Requirement

Post by dknightd » Sat Jul 21, 2018 6:39 am

Chip wrote:
Sat Jul 21, 2018 6:13 am

I have another account where they send a code by email. It seems to always take too much time to receive the email. That's annoying.
True

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: New Vanguard Security Code Requirement

Post by pokebowl » Sat Jul 21, 2018 6:50 am

dknightd wrote:
Sat Jul 21, 2018 6:05 am

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.

As the crypto exchanges showed us during the mania in late 2017, having those USB dongles for 2FA would have saved many of their customers from heartburn due to time-of-use phishing attacks. Email and phone SMS OTP would not have protected you there.
There is nothing more expensive than something offered for free.

dknightd
Posts: 849
Joined: Wed Mar 07, 2018 11:57 am

Re: New Vanguard Security Code Requirement

Post by dknightd » Sat Jul 21, 2018 11:07 am

pokebowl wrote:
Sat Jul 21, 2018 6:50 am
dknightd wrote:
Sat Jul 21, 2018 6:05 am

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.

As the crypto exchanges showed us during the mania in late 2017, having those USB dongles for 2FA would have saved many of their customers from heartburn due to time-of-use phishing attacks. Email and phone SMS OTP would not have protected you there.
I was just crunching numbers for scientific reasons. I guess they were concerned that some people might have crunched numbers to make bitcoin.

tibbitts
Posts: 8006
Joined: Tue Feb 27, 2007 6:50 pm

Re: New Vanguard Security Code Requirement

Post by tibbitts » Sat Jul 21, 2018 11:18 am

jalbert wrote:
Sat Jul 21, 2018 3:06 am
Developers don't have to be security experts to get the security engineering right. The "remember my machine" feature after 2FA violates a fundamental principle of security, the Principle of Least Privilege, which posits that one should always use or favor configurations with the least privileges or fewest system capabilities needed to enable a solution. Based on this alone, the "remember my machine" feature should have been dismissed promptly without much discussion during the design phase of the authentication mechanism.
But the issue is whether 2FA with remembering is worse than 1FA, not whether it violates a fundamental principle of security. It seems like an improvement to me, no? You can disable online access completely if security is a huge concern.

tibbitts
Posts: 8006
Joined: Tue Feb 27, 2007 6:50 pm

Re: New Vanguard Security Code Requirement

Post by tibbitts » Sat Jul 21, 2018 11:23 am

pokebowl wrote:
Sat Jul 21, 2018 6:50 am
dknightd wrote:
Sat Jul 21, 2018 6:05 am

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.

As the crypto exchanges showed us during the mania in late 2017, having those USB dongles for 2FA would have saved many of their customers from heartburn due to time-of-use phishing attacks. Email and phone SMS OTP would not have protected you there.
Yes but since the dongle idea is obviously unacceptable we need some alternative technology. Dongles seem like the equivalent of the hand-crank era in automobiles.

FactualFran
Posts: 729
Joined: Sat Feb 21, 2015 2:29 pm

Re: New Vanguard Security Code Requirement

Post by FactualFran » Sat Jul 21, 2018 11:45 am

AlphaPilot wrote:
Fri Jul 20, 2018 2:21 pm
Does VG use cookies to see if you're coming from a different machine? Or do they use your external IP address? Will their app use 2FA? I haven't tried their app yet, but just curious. The app using 2FA seems useless considering most people using the app already have the phone (unless logging into the app with a different user.)
According to the "What is a Flash Object?" section of Vanguard's web page on Cookie Policy:
Macromedia Flash objects store data on your computer, similar to cookies. If you deleted all your cookies and you have Macromedia Flash installed, we can use Flash objects to recognize your computer. This allows us to identify you without you having to answer one of your security questions.

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 1:56 pm

What I'm curious about is how people prefer to receive their second factor code.
I prefer to have mine emailed to me. Partially because I'm likely already on a computer, and have access to email.
Also then I can just copy and paste. 
Do you think having it sent via text, or an actual phone call, is better or worse than using email?
If 2FA is implemented to send a code electronically, it is preferable not to receive it on the device with which you are logging in. Thus, a text code on your phone when logging in with a computer is preferable to an email on the computer. Having no other internet connections open when you login to a financial site is also a good idea so not having email connected on the computer is also preferred even if not using it for 2FA.
Risk is not a guarantor of return.

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 2:20 pm

tibbitts wrote:
Sat Jul 21, 2018 11:18 am
jalbert wrote:
Sat Jul 21, 2018 3:06 am
Developers don't have to be security experts to get the security engineering right. The "remember my machine" feature after 2FA violates a fundamental principle of security, the Principle of Least Privilege, which posits that one should always use or favor configurations with the least privileges or fewest system capabilities needed to enable a solution. Based on this alone, the "remember my machine" feature should have been dismissed promptly without much discussion during the design phase of the authentication mechanism.
But the issue is whether 2FA with remembering is worse than 1FA, not whether it violates a fundamental principle of security. It seems like an improvement to me, no? You can disable online access completely if security is a huge concern.
I would agree if Vanguard implemented a cheaper and easier solution of something to improve security relative to the prior status quo but less well than a more expensive solution. But the remember my computer feature involves spending significant engineering resources on extra features that are not trivial to implement and make the implementation less secure.

Any feature becomes an on-going issue requiring ongoing software development resources for maintenance and support, e.g. I doubt the macromedia flash capability described above was in their first release/version of "remember my computer". This is not where Vanguard should be using security engineering resources. It could instead be spent on improving security procedures and training for customer service staff.
Last edited by jalbert on Sat Jul 21, 2018 2:35 pm, edited 2 times in total.
Risk is not a guarantor of return.

jalbert
Posts: 3683
Joined: Fri Apr 10, 2015 12:29 am

Re: New Vanguard Security Code Requirement

Post by jalbert » Sat Jul 21, 2018 2:29 pm

tibbitts wrote:
Sat Jul 21, 2018 11:23 am
pokebowl wrote:
Sat Jul 21, 2018 6:50 am
dknightd wrote:
Sat Jul 21, 2018 6:05 am

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.

As the crypto exchanges showed us during the mania in late 2017, having those USB dongles for 2FA would have saved many of their customers from heartburn due to time-of-use phishing attacks. Email and phone SMS OTP would not have protected you there.
Yes but since the dongle idea is obviously unacceptable we need some alternative technology. Dongles seem like the equivalent of the hand-crank era in automobiles.
Keep the usb dongle for work on the same key ring as the hardware dongles that replaced hand cranks in automobiles. If you have your house key dongle to get into the home in which you will work you will also have the dongle to login to your work machine.
Risk is not a guarantor of return.

mrb55
Posts: 20
Joined: Sun Oct 25, 2015 1:28 pm

Re: New Vanguard Security Code Requirement

Post by mrb55 » Sat Jul 21, 2018 2:33 pm

dknightd wrote:
Sat Jul 21, 2018 6:05 am
What I'm curious about is how people prefer to receive their second factor code.
I prefer to have mine emailed to me. Partially because I'm likely already on a computer, and have access to email.
Also then I can just copy and paste.
Do you think having it sent via text, or an actual phone call, is better or worse than using email?
If somebody called me, then I'd need 4 things: computer, telephone, paper, pencil (so I could write down the code and not forget it ;)
A text message is fine, as long as I have my phone handy. But is it more secure than an email?

I used to do some computing at a site that required a USB dongle. Very inconvenient if you want to get some work done at home, but you left your dongle at work.
Email and sms codes can easily be intercepted (assuming the hacker has already compromised your computer/smartphone with a keylogger for the username/password portion of the login).

https://www.wired.com/story/two-factor- ... icator/amp

I guess if you left your keys at work, you wouldn't be able to get in your house either....or heck, even get into your car to drive home to the house.

Use a physical usb key (acting much like an ATM card does) attached to your other keys and use it as the second factor. That way you won't lose it or forget it and it's only in the computer when you need it.

With FIDO2 on the horizon, that usb key will become the primary factor.
Last edited by mrb55 on Sun Jul 22, 2018 4:06 pm, edited 1 time in total.

TravelGeek
Posts: 2291
Joined: Sat Oct 25, 2014 3:23 pm

Re: New Vanguard Security Code Requirement

Post by TravelGeek » Sat Jul 21, 2018 2:56 pm

FactualFran wrote:
Sat Jul 21, 2018 11:45 am
Macromedia Flash objects store data on your computer, similar to cookies. If you deleted all your cookies and you have Macromedia Flash installed, we can use Flash objects to recognize your computer. This allows us to identify you without you having to answer one of your security questions.
How old is that FAQ? Adobe acquired Macromedia in 2005 :shock:

Doc
Posts: 8605
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: New Vanguard Security Code Requirement

Post by Doc » Sun Jul 22, 2018 9:01 am

TravelGeek wrote:
Sat Jul 21, 2018 2:56 pm
FactualFran wrote:
Sat Jul 21, 2018 11:45 am
Macromedia Flash objects store data on your computer, similar to cookies. If you deleted all your cookies and you have Macromedia Flash installed, we can use Flash objects to recognize your computer. This allows us to identify you without you having to answer one of your security questions.
How old is that FAQ? Adobe acquired Macromedia in 2005 :shock:
Now you tell us. I spent a good ten minutes yesterday trying to find the "settings" screen for macromedia. :D

That said I think I cleared my cookies since starting 2FA and I didn't have to refresh IIRC.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

rBogfFor
Posts: 2
Joined: Sun Jul 22, 2018 10:34 am

Security code [Vanguard website access]

Post by rBogfFor » Sun Jul 22, 2018 10:57 am

[Thread merged into here, see below. --admin LadyGeek]

There is a related topic about this here, but not quite to my point (I think), so here are my questions about Vanguard website access:
1) When will this 2-step Security Code process be mandatory? As of today (7/22/18) it is not yet.
2) Why isn't there an email option included? Why are we being forced to use yet another device and another service provider? Phones are definitely not safer than real computers.
And they can get lost (and hacked) much more easily. TreasuryDirect or other brokers all offer email option.
3) Can I choose/change the phone number to be called on at any time? Asking because I might be abroad where my phone does not work, thus using a local foreign number.

I do like Vanguard's philosophy and investment options and their cost very much, but the administrative framework (website, phone support, lack of physical offices) is just lousy. And the lack of the above-mentioned email option for security codes cannot be excused with cost savings.

HueyLD
Posts: 6067
Joined: Mon Jan 14, 2008 10:30 am

Re: Security code [Vanguard website access]

Post by HueyLD » Sun Jul 22, 2018 11:50 am

According to the very recent Vanguard webinar on data security, Vanguard’s experts consider email to be a poor method for sending security codes. However, many other companies seem to disagree with Vanguard’s assessment.

And if you use the device that you have previously used to access the VG site, it will be recognized even in another country. You need not worry about receiving the security code then. However, you do need to set it so that it only sends a security code when you use an unrecognized device.

You can always call Vanguard to temporarily disable the code sending option if using your own device is not an option in another country.

And yes you can change the linked phone numbers as you wish.

gostars
Posts: 439
Joined: Mon Oct 09, 2017 7:53 pm

Re: New Vanguard Security Code Requirement

Post by gostars » Sun Jul 22, 2018 7:47 pm

Flash is disabled by default in Chrome, Edge, and Safari, and will be disabled by default in Firefox starting next year. I highly doubt that's what they're using at this point, as it just wouldn't work for the majority of users.

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: New Vanguard Security Code Requirement

Post by pokebowl » Mon Jul 23, 2018 10:16 am

Figured this was a great recent article to link to this topic, in particular because it relates to 2FA and Yubikey, which Vanguard supports, and ties into my phishing prevention soap box commentary above:

Source: krebsonsecurity.com
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. “We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
There is nothing more expensive than something offered for free.

FactualFran
Posts: 729
Joined: Sat Feb 21, 2015 2:29 pm

Re: New Vanguard Security Code Requirement

Post by FactualFran » Mon Jul 23, 2018 2:15 pm

TravelGeek wrote:
Sat Jul 21, 2018 2:56 pm
How old is that FAQ? Adobe acquired Macromedia in 2005 :shock:
I don't know how old it is. You should ask Vanguard.

jeffyscott
Posts: 7224
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: New Vanguard Security Code Requirement

Post by jeffyscott » Tue Jul 24, 2018 1:44 pm

Chip wrote:
Sat Jul 21, 2018 6:13 am
dknightd wrote:
Sat Jul 21, 2018 6:05 am
What I'm curious about is how people prefer to receive their second factor code.
I prefer to have mine emailed to me. Partially because I'm likely already on a computer, and have access to email.
I recently enabled 2FA at Fidelity, after procrastinating for quite a while, thinking it would be a hassle. Fidelity uses the Symantec VIP app. I have it installed on my phone.

It's turned out not to be a hassle at all. My phone is always near the computer I use to access Fidelity. By the time the Fido web site loads up I've opened the Symantec app and have the six digit code I need.

I have another account where they send a code by email. It seems to always take too much time to receive the email. That's annoying.
Not Fido, but I recently started using that VIP thing for an account too. I also thought it might be a hassle, but it's great.

I would not want to be dependent on getting a code by email or text every time, but with that app it's no problem. I may ask for a hardware device as an additional option for getting the code, if you can have both that and the app authorized.
press on, regardless - John C. Bogle

rBogfFor
Posts: 2
Joined: Sun Jul 22, 2018 10:34 am

Re: Security code [Vanguard website access]

Post by rBogfFor » Fri Jul 27, 2018 5:20 pm

As a physicist and computer engineer I disagree with Vanguard as well. I asked them for a detailed technical explanation, no luck, of course.

A registered device is registered only as long as internet history, cache and cookies etc. are in place. If one wipes all that out, as every halfway intelligent user should do frequently, FOR SECURITY REASONS, then the device becomes a 'new' device again.

Today Vanguard actually told me that they would work on an email option. Maybe just to calm me down, but they better really do if they like my business (and that of my wife).

Vanguard also blessed me with the information that they do not have regular non-800 phone numbers, meaning they are unreachable from abroad. They had the guts to recommend that I sign up for some AT&T International Traveler service, or Skype (very secure!), i.e. yet another entity in the game, at my cost of course.

No other broker does all that, including the US Treasury of all people, which of course has an email option. The Social Security Administration tried the same nonsense Vanguard tries here, and they got ripped a new one, et voila, there was an email option soon after.

So, I urge Vanguard users to do the same, to force them to an email option.

jebmke
Posts: 8365
Joined: Thu Apr 05, 2007 2:44 pm

Re: Security code [Vanguard website access]

Post by jebmke » Fri Jul 27, 2018 5:28 pm

When I lived in Europe (2003-6) I had no problem dialing into the US 800 numbers. It was a long time ago so I don't recall how I did it. I think there are some equivalent codes to "800" that make the connection -- unless they have eliminated all that.
When you discover that you are riding a dead horse, the best strategy is to dismount.

Engineer250
Posts: 1045
Joined: Wed Jun 22, 2016 1:41 pm

Re: Security code [Vanguard website access]

Post by Engineer250 » Fri Jul 27, 2018 6:00 pm

I thought I remembered seeing an email option when I signed up. However, I'm perfectly okay with a text only system. It's more secure. If my email is compromised, they could easily compromise all my financial accounts. At least now that won't include VG. Using your phone is far more secure.

I don’t need to bank from abroad. If I did, I’d probably go with a different broker that has offices and banking for travelers. That’s not what VG’s business model is. I thought I remembered reading on here that Schwab has stuff for travelers that a lot of members utilize? I wouldn’t have any qualms about switching to Schwab or Fidelity if I thought they offered specific services I wanted.
Where the tides of fortune take us, no man can know.

Doc
Posts: 8605
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Security code [Vanguard website access]

Post by Doc » Fri Jul 27, 2018 6:40 pm

rBogfFor wrote:
Fri Jul 27, 2018 5:20 pm
A registered device is registered only as long as internet history, cache and cookies etc. are in place. If one wipes all that out, as every halfway intelligent user should do frequently, FOR SECURITY REASONS, then the device becomes a 'new' device again.
Yesterday I wiped the cookies and maybe the rest. Could still log on without getting new code. :?:
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

2015
Posts: 1992
Joined: Mon Feb 10, 2014 2:32 pm

Re: Security code [Vanguard website access]

Post by 2015 » Fri Jul 27, 2018 6:42 pm

They do provide another option. It's called Yubikey. I use it all the time.

I would never access anything even remotely financial on any device other than a single laptop using a dedicated browser in Bank Mode whose session vanishes after being wiped and closed out, and certainly wouldn't access any sensitive information in another country.

I disagree VG's administrative systems are "lousy", but I do love all the bash VG threads. If so unhappy, why not choose another vendor? Complaining is an activity, not to be confused with an outcome (switching vendors).

JBTX
Posts: 4043
Joined: Wed Jul 26, 2017 12:46 pm

Re: Security code [Vanguard website access]

Post by JBTX » Fri Jul 27, 2018 7:50 pm

An email seems more hackable to me.

As to sms code pitfalls:

- some phone companies like ATT have at least now required you to have a PIN that you have to recite before making changes (like stealing your phone number to intercept sms 2fa codes)

- the big weakness I saw with sms is the sequence of changing forgotten passwords. My recollection is a combination of security questions is asked and then an sms 2fa code is sent. To the extent you change the security questions to unique, secure, nonsensical answers, that greatly remedies that entry point.

tibbitts
Posts: 8006
Joined: Tue Feb 27, 2007 6:50 pm

Re: Security code [Vanguard website access]

Post by tibbitts » Fri Jul 27, 2018 7:56 pm

Unlike many 2-factor solutions, Vanguard doesn't disallow Google Voice numbers, so you don't need a second device (besides your computer.) It would be nice to have a direct email option, however.

HueyLD
Posts: 6067
Joined: Mon Jan 14, 2008 10:30 am

Re: Security code [Vanguard website access]

Post by HueyLD » Fri Jul 27, 2018 8:31 pm

Doc wrote:
Fri Jul 27, 2018 6:40 pm
rBogfFor wrote:
Fri Jul 27, 2018 5:20 pm
A registered device is registered only as long as internet history, cache and cookies etc. are in place. If one wipes all that out, as every halfway intelligent user should do frequently, FOR SECURITY REASONS, then the device becomes a 'new' device again.
Yesterday I wiped the cookies and maybe the rest. Could still log on without getting new code. :?:
Same here. Apparently, clearing cookies does not eliminate Vanguard's sign-in memory.

Jim Beaux
Posts: 37
Joined: Sun Jul 23, 2017 4:29 pm

Re: Security code [Vanguard website access]

Post by Jim Beaux » Fri Jul 27, 2018 8:34 pm

As some above have mentioned, Vanguard offers the option of using a security key & I am probably going to go that route. Seems our cell phones can be hacked.
Port out scam—an expression derived from the concept of porting a number from one carrier to another—and is also known as SIM swapping or hijacking.
DON’T LINK YOUR NUMBER TO YOUR ONLINE ACCOUNTS

Once hackers steal your phone number, they leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication. That’s why having control of a phone number is so powerful.
https://motherboard.vice.com/en_us/arti ... ping-hacks
The ultimate goal was to hijack or "swap" the victim's SIM cards. This gives the criminals a chance to take over their phone number and then move onto targeting other online accounts that might have been linked to the number, such as email and banking accounts,
https://motherboard.vice.com/en_us/arti ... -card-hack

Yubi Keys start at $20.
https://www.yubico.com/product/security-key-by-yubico/

Dead Man Walking
Posts: 698
Joined: Wed Nov 07, 2007 6:51 pm

Re: Security code [Vanguard website access]

Post by Dead Man Walking » Fri Jul 27, 2018 10:01 pm

I prefer the voice option for the 2 factor authentication requirement. My phone rings immediately after I log on with my computer.

DMW

pokebowl
Posts: 205
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Security code [Vanguard website access]

Post by pokebowl » Sat Jul 28, 2018 1:44 am

JBTX wrote:
Fri Jul 27, 2018 7:50 pm
An email seems more hackable to me.

As to sms code pitfalls:

- some phone companies like ATT have at least now required you to have a PIN that you have to recite before making changes (like stealing your phone number to intercept sms 2fa codes).

- the big weakness I saw with sms is the sequence of changing forgotten passwords. My recollection is that a combination of security questions is asked and then an sms 2fa code is sent. Changing the security questions to unique, secure, nonsensical answers greatly remedies that entry point.

From my own professional experience (Infosec guy here), email, SMS, and any other One-time-password device (OTP) is not secure from phishing techniques, as we observed during the crypto mania last year. Users were getting their accounts compromised even with two-factor enabled due to what we call "time of use" phishing attacks. These are attacks that do a very good job of spoofing the login pages of their target websites. By allowing the user to enter their user name, password and the Two-factor (2FA) token provided via the above methods, the attacker site on the backend forwards the information to say Vanguard on the user's behalf and gains access (and in the case of crypto exchanges, drains the account).

While email, SMS and OTP will protect you against a compromised user account password, it will not protect you from common financial phishing techniques already out there in the wild. This is why even Google has mandated their employees stop OTP 2FA and have moved to hardware based tokens.

The best means to protect yourself is to acquire a hardware token that supports Universal 2nd Factor (U2F) and FIDO2 protocols. Vanguard supports one vendor that provides this, Yubikey. :beer Now if only they would allow options to limit the amount of fall back access methods...
There is nothing more expensive than something offered for free.
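Why the real-time relay described in the post above defeats one-time codes but not U2F, as an added illustration (not code from the thread, Vanguard or Yubico): the relying-party checks below bind a U2F assertion to the origin the browser actually talked to, so one produced on a lookalike page fails verification, while a one-time code carries no such binding. All secrets, origins and challenges are constructed, and the key's ECDSA signature is stood in by an HMAC with a shared key so the script runs on the standard library alone.

```python
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://rp.example"        # constructed: the real relying party
LOOKALIKE = "https://rp-login.example"  # constructed: a spoofed login page


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. Inputs are secret and time only: nothing in
    the code records where it was typed, which is what a real-time relay exploits."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret, code, unix_time):
    """Relying-party check: a code the user read off a phone and typed into a
    lookalike page is indistinguishable from one typed into the real page."""
    return hmac.compare_digest(totp(secret, unix_time), code)


class Authenticator:
    """Stand-in for a U2F key. Real keys sign with a per-site ECDSA key and the RP
    holds only the public key; an HMAC with a shared key is used here to run offline."""

    def __init__(self, device_key):
        self.device_key = device_key
        self.counter = 0

    def sign(self, browser_origin, challenge):
        # The browser, not the user, supplies the origin it is actually connected to,
        # so a key used on a lookalike page signs the lookalike's origin.
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": browser_origin},
                                 sort_keys=True).encode()
        self.counter += 1
        signed = (hashlib.sha256(browser_origin.encode()).digest()  # application parameter
                  + struct.pack(">I", self.counter) + hashlib.sha256(client_data).digest())
        return client_data, self.counter, hmac.new(self.device_key, signed, hashlib.sha256).digest()


def rp_verify_u2f(device_key, challenge, last_counter, client_data, counter, signature):
    """Relying-party check: origin and challenge must match, the counter must advance,
    and the signature must cover the RP's own application parameter."""
    fields = json.loads(client_data)
    if fields.get("origin") != RP_ORIGIN or fields.get("challenge") != challenge:
        return False  # assertion was minted for some other site: reject
    if counter <= last_counter:
        return False  # replay, or a cloned key has been used elsewhere
    signed = (hashlib.sha256(RP_ORIGIN.encode()).digest()
              + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Returns (relayed OTP accepted, relayed U2F accepted, direct U2F accepted)."""
    otp_secret, now = b"constructed-otp-seed", 1_533_000_000
    code_typed_on_lookalike = totp(otp_secret, now)  # same code whichever page receives it
    otp_relayed = rp_verify_totp(otp_secret, code_typed_on_lookalike, now)

    key = Authenticator(b"constructed-device-key")
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; the RP issues a fresh one per login
    cd, ctr, sig = key.sign(LOOKALIKE, challenge)  # signed while on the spoofed page
    u2f_relayed = rp_verify_u2f(key.device_key, challenge, 0, cd, ctr, sig)
    cd, ctr, sig = key.sign(RP_ORIGIN, challenge)  # signed while on the real page
    u2f_direct = rp_verify_u2f(key.device_key, challenge, 0, cd, ctr, sig)
    return otp_relayed, u2f_relayed, u2f_direct  # (True, False, True)
```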

PCOwner
Posts: 5
Joined: Thu Aug 09, 2018 6:38 pm

Vanguard req. Two Factor Authentication, pros and cons

Post by PCOwner » Thu Aug 09, 2018 7:11 pm

Hello,

I recently logged in to my Vanguard account and it seems Vanguard forces one to use his/her phone to get a token. The reason for this post is to help people be more aware that a secure key, such as yubikey, is a much more secure way to implement 2FA, but to my surprise as of 8/9/18 reps do not know about the key method.

I was not aware of the deadline that in a few days you MUST have it. Tried to reason w/ a supervisor, but not successful (it is a forced implementation in a few days to a phone token), she needed to also: "drive into it more deeply." It seems that Vanguard has not thought it through. She didn't know if yubikey can be used instead of a phone token and needs to research. She did suggest recording my voice, but I opted out of this too and would not want to expand on yet another topic of discussion.

Here are some considerable downsides of using a phone method.

1) The phone can be lost, cell reception can be down (a rep confirmed that he got a number of calls about this issue), your OS is stuck updating itself, but more importantly,
2) Your sim card can be switched pretty easily, especially if you use a third-party cell provider. I personally had done so, just call in and sound like you're in a rush. I switched a sim card just by providing my phone number.
3) "Through over-the-air (OTA) updates deployed via SMS, the cards are even extensible through custom Java software. While this extensibility is rarely used so far, its existence already poses a critical hacking risk.
Cracking SIM update keys/ Deploying SIM malware" https://srlabs.de/bites/rooting-sim-cards/, "SIM swap" attacks
4) Fake cell phone towers known as IMSI catchers or "stingrays" can intercept text messages, too. And the security community has recently been calling attention to weaknesses in SS7, the protocol that allows telecom networks to communicate with each other. Hackers can exploit SS7 to spoof a change to a user's phone number, intercepting their calls or text messages. https://www.wired.com/2016/06/hey-stop- ... ntication/
5) National Institute of Standards and Technology (NIST) recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-based one-time passwords generated by mobile apps — over text messaging. https://krebsonsecurity.com/2017/08/is- ... kest-link/

Looking forward to hearing if any of you have experienced this issue and what steps you took.

LadyGeek
Site Admin
Posts: 48040
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: New Vanguard Security Code Requirement

Post by LadyGeek » Thu Aug 09, 2018 7:38 pm

I merged rBogfFor's thread into here.

PCOwner, Welcome! I have also moved your post into the on-going discussion.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

matt1882
Posts: 54
Joined: Sun Jun 03, 2007 6:24 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by matt1882 » Thu Aug 09, 2018 8:33 pm

I am troubled by the fact that in order to sign on to the two-factor authentication thing--and thus to use Vanguard's website--you are forced to agree to indemnify Vanguard (including by paying its attorneys) not only for your own "improper use of the Service," but also for any damages caused by any "individual using your phone, password, computer, or other access device." If someone misappropriates my computer and manages to sign onto my Vanguard account and cause Vanguard to expend money or incur damages, Vanguard will be able to sue me for unlimited damages. Here is the provision that Vanguard wants me to agree to:


"You hereby agree to indemnify and hold harmless Vanguard and its affiliates, subsidiaries, directors, officers, employees, agents, licensors, and any third-party information providers and vendors upon demand from and against any and all claims, losses, expenses, demands or liabilities, including attorneys' fees and costs, demanded of or incurred by such Vanguard parties in connection with any claim by a third party (including any intellectual property claim) arising out of (i) your improper use of the Service, (ii) your violation of these Terms of Use or of any applicable law, or (ii) the infringement, misappropriation, or violation by you, or other individual using your phone, password, computer, or other access device, of any intellectual property, privacy or other right of any person. You further agree that you will cooperate fully in the defense of any such claims. Vanguard reserves the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, and you shall not in any event settle any such claim or matter without the written consent of Vanguard."

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: Vanguard req. Two Factor Authentication, pros and cons

Post by SpaethCo » Fri Aug 10, 2018 10:16 am

SMS wouldn't be entirely terrible if it was only the 2nd authentication factor, at least the attacker would still need to know your (hopefully) complex password to even get to the 2FA prompt. So many news articles are so quick to point out the weakness of SMS for 2FA that they skip over the most vulnerable place it gets used: password reset.

Go to the Vanguard site, click "Need logon help?"

Given the quantity of widely leaked data from various breaches, how much effort do you think a potential attacker would need to invest to be able to tie together name, DOB, last 4 of SSN, ZIP, and email address? (hint: not much)

Then there's this:
For your password, we can either email you a temporary one or send a security code to your phone (if you're enrolled in that service).
So all an attacker needs to do is run this simple scheme:
PCOwner wrote:
Thu Aug 09, 2018 7:11 pm
2) Your sim card can be switched pretty easily, especially if you use a third-party cell provider. I personally had done so, just call in and sound like you're in a rush. I switched a sim card just by providing my phone number.
.. and now they can take over your Vanguard account. No knowledge of your original password required! Vanguard will text them the code to get into your account and change your password.

gmaynardkrebs
Posts: 889
Joined: Sun Feb 10, 2008 11:48 am

Re: Vanguard req. Two Factor Authentication, pros and cons

Post by gmaynardkrebs » Fri Aug 10, 2018 10:22 am

SpaethCo wrote:
Fri Aug 10, 2018 10:16 am
SMS wouldn't be entirely terrible if it was only the 2nd authentication factor, at least the attacker would still need to know your (hopefully) complex password to even get to the 2FA prompt. So many news articles are so quick to point out the weakness of SMS for 2FA that they skip over the most vulnerable place it gets used: password reset.

Go to the Vanguard site, click "Need logon help?"

Given the quantity of widely leaked data from various breaches, how much effort do you think a potential attacker would need to invest to be able to tie together name, DOB, last 4 of SSN, ZIP, and email address? (hint: not much)

Then there's this:
For your password, we can either email you a temporary one or send a security code to your phone (if you're enrolled in that service).
So all an attacker needs to do is run this simple scheme:
PCOwner wrote:
Thu Aug 09, 2018 7:11 pm
2) Your sim card can be switched pretty easily, especially if you use a third-party cell provider. I personally had done so, just call in and sound like you're in a rush. I switched a sim card just by providing my phone number.
.. and now they can take over your Vanguard account. No knowledge of your original password required! Vanguard will text them the code to get into your account and change your password.
So, should I remove my cell phone as the secondary security code/temporary password?
Doesn't Vanguard also require the answers to some secret questions on a pw reset?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: Vanguard req. Two Factor Authentication, pros and cons

Post by SpaethCo » Fri Aug 10, 2018 11:00 am

gmaynardkrebs wrote:
Fri Aug 10, 2018 10:22 am
So, should I remove my cell phone as the secondary security code/temporary password?
Probably. There are numerous potential ways to gain access to that endpoint with varying degrees of difficulty (SS7 intercept, SIM swap, number port).

You could use a service like Google Voice (free) which gives you a number that can receive SMS, and is locked for porting. Since it's not tied to a device you don't have to worry about the SIM swap problem, but you're still vulnerable for things like SS7 intercept. Of course, that still comes down to the security of your Google account as well, so in some ways you maybe just moved the problem around a bit.
gmaynardkrebs wrote:
Fri Aug 10, 2018 10:22 am
Doesn't Vanguard also require the answers to some secret questions on a pw reset?
Fire up incognito/private mode in your favorite browser and try it out. I wasn't prompted for any questions, but it might be a function of my account. You should also consider how "secret" your security questions really are -- for simple things like "What is your mother's maiden name?" it doesn't provide much security if you answered the question honestly. Facebook users who participate in quizzes supply all kinds of great information like the name of their first pet, first job, high school, etc.

PCOwner
Posts: 5
Joined: Thu Aug 09, 2018 6:38 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by PCOwner » Fri Aug 10, 2018 5:10 pm

I also use Google voice. For some reason, DCU (Digital Credit Union) codes don't get forwarded to my physical flip phone, but they do show up in my online portal. I like google voice, used it for 10 yrs. , no telemarketers (and if they call, I easily can block them.) Just DO NOT tell banks that you're using this service. They do not allow it.

I'm off the phone, just now, with Vanguard. Pleasantly surprised, a supervisor brought in an IT staff member and they went through my feedback. They do not allow you to implement the key method before the code method. You must have a working cell phone to send codes, then set up a key. Also, there is no way to create a 2nd back-up key if you lose the original. We came to a win-win resolution: they allowed me to opt out of the phone code method, but in turn I agreed to restrict some functions on the site (not really restrictions), like adding a bank or changing my address. All I care about is that I can access my trades and execute (not a day trader, but still).

I pointed out that lastpass.com has a number of creative ways to beef up your cloud account, like Grid Multifactor Authentication, one-time passwords, and Sesame, a file that you download to any flash drive and it generates codes, so you don't have to buy a yubikey. I have used lastpass for 10 yrs to store my passwords, but not all; my brokerage credentials stay w/ me, offline, off the cloud. Here is a link to a number of ways a LP user can beef up his/her account. It does list a number of apps to complement your authentication, but what if you lose your phone, can a person who finds it launch the apps? I don't know. https://www.lastpass.com/multifactor-authentication
Last edited by PCOwner on Fri Aug 10, 2018 5:55 pm, edited 5 times in total.

Elbukari
Posts: 24
Joined: Fri Mar 09, 2018 6:01 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Elbukari » Fri Aug 10, 2018 5:34 pm

Does Vanguard offer 2FA via token? If not, you guys can perhaps petition for it. I personally use Fidelity and log in through Symantec VIP Access. Wherever I can, I've called and set up voice recognition (can't change your SIM card now). For apps, fingerprints, if available. Token log in over SMS. But 2FA over no 2FA. In any case, nothing substitutes for common sense. And make sure you've set up alerts. The point is to make it as hard as possible for someone to exploit you.

Good passwords with entropy (i.e. DoG..... over xyz7458Trymg). Surprising to find that some websites do not allow entropy considering it's harder during brute force.

PCOwner
Posts: 5
Joined: Thu Aug 09, 2018 6:38 pm

Re: Vanguard req. Two Factor Authentication, pros and cons

Post by PCOwner » Fri Aug 10, 2018 6:03 pm

SpaethCo wrote:
Fri Aug 10, 2018 11:00 am
gmaynardkrebs wrote:
Fri Aug 10, 2018 10:22 am
Doesn't Vanguard also require the answers to some secret questions on a pw reset?
Fire up incognito/private mode in your favorite browser and try it out. I wasn't prompted for any questions, but it might be a function of my account. You should also consider how "secret" your security questions really are -- for simple things like "What is your mother's maiden name?" it doesn't provide much security if you answered the question honestly. Facebook users who participate in quizzes supply all kinds of great information like the name of their first pet, first job, high school, etc.
If incognito doesn't prompt for additional questions, it might be because a cookie is stored from a non-incognito access. I had this happen. I accessed Vanguard from a library or a brand new browser (I have Brave, just in case) and the system prompted me for an additional question.

As far as online users' security etiquette, yeah that is something... I remember when I opened my first Blockbuster account (way back when I was at MS/HS) and they asked for my SSN !?

gmaynardkrebs
Posts: 889
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Fri Aug 10, 2018 6:05 pm

Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
Does Vanguard offer 2FA via token? If not, you guys can perhaps petition for it. I personally use Fidelity and log in through Symantec VIP Access. Wherever I can, I've called and set up voice recognition (can't change your SIM card now). For apps, fingerprints, if available. Token log in over SMS. But 2FA over no 2FA. In any case, nothing substitutes for common sense. And make sure you've set up alerts. The point is to make it as hard as possible for someone to exploit you.

Good passwords with entropy (i.e. DoG..... over xyz7458Trymg). Surprising to find that some websites do not allow entropy considering it's harder during brute force.
What if you lose your token at LAX, and before you even realize it is gone, some bad guy finds it, and plugs it into his laptop. Can he then log in to your Fidelity or Vanguard account?

thx1138
Posts: 777
Joined: Fri Jul 12, 2013 2:14 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by thx1138 » Fri Aug 10, 2018 6:06 pm

gmaynardkrebs wrote:
Fri Aug 10, 2018 6:05 pm
Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
Does Vanguard offer 2FA via token? If not, you guys can perhaps petition for it. I personally use Fidelity and log in through Symantec VIP Access. Wherever I can, I've called and set up voice recognition (can't change your SIM card now). For apps, fingerprints, if available. Token log in over SMS. But 2FA over no 2FA. In any case, nothing substitutes for common sense. And make sure you've set up alerts. The point is to make it as hard as possible for someone to exploit you.

Good passwords with entropy (i.e. DoG..... over xyz7458Trymg). Surprising to find that some websites do not allow entropy considering it's harder during brute force.
What if you lose your token at LAX, and before you even realize it is gone, some bad guy finds it, and plugs it into his laptop. Can he then log in to your Fidelity or Vanguard account?
Not unless you drop your password on the ground at the same time.

That's why it's called TWO factor after all...

EDIT: Some sites stupidly allow password reset with only the token which means they are actually implementing one factor security based on the token. Of course the person that picked up your token would still need to know your account name and such in order to even do that.

Elbukari
Posts: 24
Joined: Fri Mar 09, 2018 6:01 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Elbukari » Fri Aug 10, 2018 6:15 pm

gmaynardkrebs wrote:
Fri Aug 10, 2018 6:05 pm
Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
Does Vanguard offer 2FA via token? If not, you guys can perhaps petition for it. I personally use Fidelity and log in through Symantec VIP Access. Wherever I can, I've called and set up voice recognition (can't change your SIM card now). For apps, fingerprints, if available. Token log in over SMS. But 2FA over no 2FA. In any case, nothing substitutes for common sense. And make sure you've set up alerts. The point is to make it as hard as possible for someone to exploit you.

Good passwords with entropy (i.e. DoG..... over xyz7458Trymg). Surprising to find that some websites do not allow entropy considering it's harder during brute force.
What if you lose your token at LAX, and before you even realize it is gone, some bad guy finds it, and plugs it into his laptop. Can he then log in to your Fidelity or Vanguard account?
A physical token is another great option (I use this on some of the bank accounts that offer it). The token I was referring to is a one-time code generated by an app (like Google Authenticator) that generates a new code every 30 sec. Based on what I have heard these codes are more secure and more difficult to intercept than one-time codes sent via SMS. Recently some Reddit accounts were hacked; one-time codes sent via SMS were intercepted. Reddit recommended people switch over to tokens (not all websites offer physical tokens that you carry with you, and if they do you'd have to buy one), but many more offer 2FA via an app code that resets every 30 seconds (I call them tokens as well).

PCOwner
Posts: 5
Joined: Thu Aug 09, 2018 6:38 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by PCOwner » Fri Aug 10, 2018 6:22 pm

thx1138 wrote:
Fri Aug 10, 2018 6:06 pm
gmaynardkrebs wrote:
Fri Aug 10, 2018 6:05 pm
What if you lose your token at LAX, and before you even realize it is gone, some bad guy finds it, and plugs it into his laptop. Can he then log in to your Fidelity or Vanguard account?
Not unless you drop your password on the ground at the same time.

That's why it's called TWO factor after all...

Agreed. That is THE reason I have a flip phone. We sacrifice convenience for security. All those smartphones are walking treasure troves of ALL YOUR INFO. All the browser history and (maybe) saved passwords. If someone finds your phone, he/she gains knowledge of what accounts you have through which sites you visit. We may pledge not to access banks from a mobile device, but it's like a forbidden apple: you have the means, you'll access the sites. Oh, yes, and the tokens that Vanguard sent you. It clearly shows that you are a Vanguard customer.

W/ the key, no one knows what accounts you have and where you bank. My former supervisor used to disconnect his Internet at night to his computer, you did hear about "magic packet wake on lan" !?
Last edited by PCOwner on Fri Aug 10, 2018 6:34 pm, edited 2 times in total.
