New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Fri Aug 10, 2018 6:33 pm

Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
EDIT: Some sites stupidly allow password reset with only the token which means they are actually implementing one factor security based on the token. Of course the person that picked up your token would still need to know your account name and such in order to even do that.
I believe that is exactly the concern with Vanguard, according to one poster. Personally, I have no idea about that, but I have no doubt I could lose my physical token at LAX. Vanguard recommends a physical token called Yubikey. Amazingly, the Vanguard website does not include this seemingly obvious question in their FAQs, which suggests to me they can't be trusted.

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Fri Aug 10, 2018 6:35 pm

Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
Does Vanguard offer 2FA via token? ... The point is to make it as hard as possible for someone to exploit you.
Even offline token or authenticator app code generators don't really offer much in the way of real world protection.

The most likely way your credentials are going to be stolen is phishing. According to research conducted by Google, the account takeover instances resulting from phishing were a full order of magnitude more common than credentials gained through data breaches or malware/keyloggers. (Reference: https://ai.google/research/pubs/pub46437 )

This works because there are always ways to make phishing sites look real. Earlier this year people were exploiting browser unicode character representation to take letters from non-english languages that look like english letters when rendered in a browser: https://www.thesslstore.com/blog/unicod ... -phishing/ So you go to a site that looks like apple.com, but isn't really apple.com.

As I type this message right now, semi-plausible domains like vanguardsecuritycheck.com are still unregistered and available for someone to grab. Chances are, with a properly crafted campaign you could probably get at least 20-30% of people to click through that domain and login, maybe more.

"But I have 2FA!" you say. The problem is that your password and short-term code are exchanged for a longer-lived session cookie. Attackers don't really care about the codes, they care about account access, so having a valid session gets them what they need. Once you're directed to a phishing site, your attacker can just proxy the authentication to the real site, get a valid session, and present the unsuspecting user a "temporary login error, please try again" and direct them back to the real site. In most cases, the person never knew that something nefarious just took place.

This site describes the rather simple proxy authentication attack: https://www.wandera.com/bypassing-2fa/

There's been a lot of discussion over the pages of this thread about theoretical benefits of 2FA, but I feel like it misses the point of how accounts are actually being compromised in the real world. If you're manually typing your passwords and codes into websites, you're going to lose the war at some point.
  1. Phishing represents your biggest risk. Browser-integrated password managers help because they match URLs and won't fill in credentials on sites that don't have expected URLs. (unless people are copying/pasting passwords into login pages anyway....)
  2. When it comes to 2FA, unless you're using mutually authenticated methods like U2F the additional security you gain is thinner than index fund ERs.
  3. Password recovery mechanisms are a weakness that far too many services overlook.
So why does everyone say to enable 2FA?
Because almost everyone is terrible at picking passwords: https://www.troyhunt.com/86-of-password ... tatistics/
When new data breaches are finding an 80+% overlap of existing leaked passwords, it shows how dire the situation is out there. 2FA isn't great in and of itself, it just becomes the only thing that prevents a super majority of users from having the same password on multiple sites.
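The URL-matching behaviour described above (a manager will not fill credentials on a host it has never seen, which also defeats the look-alike and unicode homograph domains mentioned earlier in the post) can be shown in a few lines. This is an added, constructed example, not code from any password manager or from this thread; the vault contents, hosts and page URLs are made up, and the host normalization uses only the Python standard library.

```python
"""Why URL-matching autofill resists phishing.

Constructed example (not code from any password manager or from this thread):
a credential is offered only for the exact host it was saved on, after the host
is normalized to its ASCII (punycode) form, so neither a typo-squat like
vanguardsecuritycheck.com nor an IDN homograph of apple.com ever matches.
Standard library only.
"""
import unicodedata
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Credential = Dict[str, str]

# Constructed vault: entries keyed by the exact host on which they were learned.
VAULT: Dict[str, Credential] = {
    "investor.vanguard.com": {"user": "alice", "password": "constructed-pw-1"},
    "www.apple.com": {"user": "alice@example.com", "password": "constructed-pw-2"},
}


def normalize_host(url: str) -> str:
    """Lowercase the host and convert it to its IDNA/punycode form.

    A homograph such as 'аpple.com' (leading Cyrillic a, U+0430) becomes
    'xn--pple-43d.com', which can never compare equal to the saved Latin host,
    however identical the two look in the address bar."""
    host = urlsplit(url).hostname or ""
    host = unicodedata.normalize("NFKC", host).lower()
    return host.encode("idna").decode("ascii")


def autofill_decision(vault: Dict[str, Credential],
                      page_url: str) -> Tuple[Optional[Credential], str]:
    """Decide whether to fill on `page_url`; return (credential or None, reason).

    Deliberately no substring, prefix or 'looks similar' matching: refusing to
    fill on an unknown host is the signal to the user that something is wrong."""
    parts = urlsplit(page_url)
    host = normalize_host(page_url)
    if parts.scheme != "https":
        return None, f"refused: {host!r} is not served over https"
    entry = vault.get(host)
    if entry is None:
        return None, f"refused: no credential saved for host {host!r}"
    return entry, f"filled: exact host match on {host!r}"


def demo() -> Dict[str, bool]:
    """Constructed page URLs: the genuine login page, a plausible look-alike
    domain, an IDN homograph, and the genuine host over plain http.
    Returns, per label, whether the manager would have filled."""
    pages = {
        "genuine": "https://investor.vanguard.com/login",
        "lookalike": "https://vanguardsecuritycheck.com/login",
        "homograph": "https://\u0430pple.com/login",
        "plain_http": "http://investor.vanguard.com/login",
    }
    outcome = {}
    for label, url in pages.items():
        entry, reason = autofill_decision(VAULT, url)
        print(f"{label:>10}: {reason}")
        outcome[label] = entry is not None
    return outcome


if __name__ == "__main__":
    demo()
```

Only the genuine page gets filled; the look-alike, the homograph and the plain-http copy of the real host are all refused, and the refusal itself is the warning a person typing passwords by hand never receives.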

Elbukari
Posts: 24
Joined: Fri Mar 09, 2018 6:01 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Elbukari » Fri Aug 10, 2018 7:01 pm

PCOwner wrote:
Fri Aug 10, 2018 6:22 pm
thx1138 wrote:
Fri Aug 10, 2018 6:06 pm
gmaynardkrebs wrote:
Fri Aug 10, 2018 6:05 pm
What if you lose your token at LAX, and before you even realize it is gone, some bad guy finds it, and plugs it into his laptop. Can he then log in to your fidelity or Vanguard account?
Not unless you drop your password on the ground at the same time.

That's why it's called TWO factor after all...
Agreed. That is THE reason I have a flip phone. We sacrifice convenience for security. All those smartphones are walking treasure troves of ALL YOUR INFO. All the browser history and (maybe) saved passwords. If someone finds your phone, he/she gains knowledge of what accounts you have through which sites you visit. We may pledge not to access banks from a mobile device, but it's like a forbidden apple: you have the means, you'll access the sites. Oh, yes, and the tokens that Vanguard sent you. It clearly shows that you are a Vanguard customer.

W/ the key, no one knows what accounts you have and where you bank. My former supervisor used to disconnect his computer from the Internet at night; you did hear about "magic packet wake on LAN"!?

Paranoid much? I mean, lock your phone as soon as you lose it. That will give you some time at least, and most people on this planet won't have a clue how to get into your phone after you've locked it. Besides, what's the chance that the person who finds your phone is also a professional black hat whose intention was to get into YOUR phone? Do you have someone following you and waiting for you to drop your phone?
SpaethCo wrote:
Fri Aug 10, 2018 6:35 pm
Elbukari wrote:
Fri Aug 10, 2018 5:34 pm
Does Vanguard offer 2FA via token? ... The point is to make it as hard as possible for someone to exploit you.
Even offline token or authenticator app code generators don't really offer much in the way of real world protection.

The most likely way your credentials are going to be stolen is phishing. According to research conducted by Google, the account takeover instances resulting from phishing were a full order of magnitude more common than credentials gained through data breaches or malware/keyloggers. (Reference: https://ai.google/research/pubs/pub46437 )

This works because there are always ways to make phishing sites look real. Earlier this year people were exploiting browser unicode character representation to take letters from non-english languages that look like english letters when rendered in a browser: https://www.thesslstore.com/blog/unicod ... -phishing/ So you go to a site that looks like apple.com, but isn't really apple.com.

As I type this message right now, semi-plausible domains like vanguardsecuritycheck.com are still unregistered and available for someone to grab. Chances are, with a properly crafted campaign you could probably get at least 20-30% of people to click through that domain and login, maybe more.

"But I have 2FA!" you say. The problem is that your password and short-term code are exchanged for a longer-lived session cookie. Attackers don't really care about the codes, they care about account access, so having a valid session gets them what they need. Once you're directed to a phishing site, your attacker can just proxy the authentication to the real site, get a valid session, and present the unsuspecting user a "temporary login error, please try again" and direct them back to the real site. In most cases, the person never knew that something nefarious just took place.

This site describes the rather simple proxy authentication attack: https://www.wandera.com/bypassing-2fa/

There's been a lot of discussion over the pages of this thread about theoretical benefits of 2FA, but I feel like it misses the point of how accounts are actually being compromised in the real world. If you're manually typing your passwords and codes into websites, you're going to lose the war at some point.
  1. Phishing represents your biggest risk. Browser-integrated password managers help because they match URLs and won't fill in credentials on sites that don't have expected URLs. (unless people are copying/pasting passwords into login pages anyway....)
  2. When it comes to 2FA, unless you're using mutually authenticated methods like U2F the additional security you gain is thinner than index fund ERs.
  3. Password recovery mechanisms are a weakness that far too many services overlook.
So why does everyone say to enable 2FA?
Because almost everyone is terrible at picking passwords: https://www.troyhunt.com/86-of-password ... tatistics/
When new data breaches are finding an 80+% overlap of existing leaked passwords, it shows how dire the situation is out there. 2FA isn't great in and of itself, it just becomes the only thing that prevents a super majority of users from having the same password on multiple sites.
I don't disagree necessarily with any of what you said. But I don't think you should be brushing off 2FA as if it provides no additional benefit. The website you've mentioned, Wandera, clearly states that they agree 2FA adds further security.

I do agree that many people pick shitty passwords, which is why it's a good idea to get a password manager. Personally, my google account password is many many characters long, so is my Amazon password. But intercepting SMS codes is not something every black hat concerns themselves with, so you are effectively removing a portion of potential threats by having 2FA.

Malware bytes will effectively screen out many phishing websites.
Looking for the HTTPS (or downloading the extensions) will further reduce your risk
Changing your passwords every several months is a good idea too
Going through your security settings and setting up alerts.

Even in the event that you get hacked, you wanna be able to maximize your chance of detecting that something is wrong and knowing who to call and how to put a hold on it. My impression is that most people simply do not have the knowledge, for whatever reason, perhaps they don't think it's a big deal, and therefore do not concern themselves with this.

I am much less concerned with dropping my offline token at LAX however. I mean, can it happen? Sure. But as you've said, it's more likely that the person will click on a phishing website.

And again, common sense when browsing the internet. Be mindful of what you are doing. If you don't know anything, maybe it's time to do some learning, just like we've all learned about indexing.

Cheers!
We'll be fine.

superhawk
Posts: 13
Joined: Thu Jan 16, 2014 2:32 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by superhawk » Sat Aug 11, 2018 11:05 am

What happens if you tell Vanguard to "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts" and you have to get a new computer to replace the one that just died?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sat Aug 11, 2018 1:14 pm

Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Malware bytes will effectively screen out many phishing websites.
Malware bytes will only help with wide-net "spray and pray" phishing campaigns -- you need enough people to see it, know it's false, and report it for it to end up being listed. That's only somewhat useful, especially as more targeted schemes are becoming far more common. Since the data from breaches of entities like Equifax has now been widely distributed, it's not hard to put together campaigns based on vulnerabilities.

Take another financial institution that uses SMS 2FA: Wells Fargo. When you registered your mobile phone number with the bank for 2FA (or even just for text alerts), it also enabled that number to be used for password resets. Around the end of last year, it was also discovered that T-mobile's SIM-swap or number port security was basically nonexistent. So it appears some enterprising hackers sorted through some of the leaked information that's now widely available, figured out who had T-mobile cell phones, and proceeded to take over accounts and drain them out using Zelle payments.

Mapping numbers to cell companies isn't hard -- you can bulk process requests and get nicely formatted return information. A freely available demo of this type of service is available here: https://apeiron.io/lrn

A reddit link that includes some of the news stories about the WF/T-mobile hack is here: https://www.reddit.com/r/tmobile/commen ... rself_now/

WellsFargo appears to have made improvements to their password recovery process now, but it shows that huge financial companies with substantial security teams are getting this wrong.

The more we participate online, the more information we're producing to help someone create a targeted attack. Just by being on this forum, we're informing potential attackers that a Vanguard, Fidelity, or Schwab phishing campaign has a fair chance to work on anyone reading this sentence.

One of the security engineers from Stripe (online payment processor) presented at BlackHat last summer and gave a great overview of modern phishing campaigns and how she was able to successfully phish other security engineers within the company (let that one sink in for a sec).
https://www.youtube.com/watch?v=Z20XNp-luNA

This is why Google reporting that U2F cut phishing account compromises to ZERO was such big news: https://www.engadget.com/2018/07/24/sec ... -phishing/
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Looking for the HTTPS (or downloading the extensions) will further reduce your risk
As was pointed out in the Blackhat talk, HTTPS isn't really an indicator of much anymore. Anyone can instantly get an SSL cert for free using https://letsencrypt.org/ There's a "build-a-phishing-site" toolkit on Github that shows just how easy this is -- it even automatically gets the SSL certificate for you as part of the initial setup: https://github.com/ustayready/CredSniper

The hardest part of this process is picking domain names that people will find plausible enough to click on. Building believable login page phishing sites is within the capability of anyone who loosely understands programming and can use Google to help with syntax.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Changing your passwords every several months is a good idea too
NIST has actually changed their mind about this. https://nvlpubs.nist.gov/nistpubs/Speci ... 00-63b.pdf
If people are remembering passwords, having them change the password regularly just encourages them to use much less complex passwords. It also has the problem of encouraging a common password rotation set across sites, rather than remembering a new set of passwords across multiple sites every x days.

The best practice is still to use a unique password on every single site. That way a compromise of "Site A" can never lead to access on any other sites.

Password rotation (outside of a known compromise event) ends up being something that "feels" secure while actually providing a minimal amount of actual security benefit.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Going through your security settings and setting up alerts.
This I agree with 100%.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
And again, common sense when browsing the internet. Be mindful of what you are doing.
What makes it really hard is that things change, but security "best practices" live on beyond the problems that inspired them.

For instance: antivirus software. It would be reckless to even think about operating a computer without it 10 years ago. Now? It's a piece of legacy software that runs with full system privileges, and actually gives your computer a bigger attack surface than relying on operating system protections alone. Operating systems got better, but our security recommendations were never re-evaluated. https://arstechnica.com/information-tec ... us-is-bad/

Same thing with password managers that fill in credentials, including browser built-in password managers. These have had a checkered past of exploits and vulnerabilities, but year by year they keep getting better. It used to be that filling in your password was billed as being a "convenience" feature to prevent you from having to type passwords, but now it's actually a security feature because it will only fill in your password for the site on which it was originally learned. 10 years ago people who manually typed their passwords were thought to be the most secure, now the people who manually type their passwords are actually the most vulnerable.

jeffyscott
Posts: 7208
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by jeffyscott » Sat Aug 11, 2018 4:28 pm

SpaethCo wrote:
Sat Aug 11, 2018 1:14 pm
Take another financial institution that uses SMS 2FA: Wells Fargo. When you registered your mobile phone number with the bank for 2FA (or even just for text alerts), it also enabled that number to be used for password resets. Around the end of last year, it was also discovered that T-mobile's SIM-swap or number port security was basically nonexistent. So it appears some enterprising hackers sorted through some of the leaked information that's now widely available, figured out who had T-mobile cell phones, and proceeded to takeover accounts and drain them out using Zelle payments.
This example would seem most feasible only for money that is actually in a bank account right now? Invested assets would first have to be liquidated and moved to a bank account before someone could do this. I think doing that would take at least a day or two and I would be getting notifications of the account activities.
press on, regardless - John C. Bogle

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sat Aug 11, 2018 5:51 pm

jeffyscott wrote:
Sat Aug 11, 2018 4:28 pm
This example would seem most feasible only for money that is actually in a bank account right now? Invested assets would first have to be liquidated and moved to a bank account before someone could do this. I think doing that would take at least a day or two and I would be getting notifications of the account activities.
I think it would depend on your investments — money market funds in particular could be the most vulnerable. Some of the notices of account changes are sent via USPS letter, and depending on the scam that is being run that timeline might not be acceptable.

No matter what, having someone take over your account is going to be a headache to deal with.

Jim Beaux
Posts: 37
Joined: Sun Jul 23, 2017 4:29 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Jim Beaux » Sat Aug 11, 2018 10:10 pm

I spoke with a VG IT/Security tech earlier in the week regarding the YubiKey. He said I could use it if I wanted, but since I was enrolled in VPA services any transactions would be via phone using voice authentication.

He also said that a request to transfer funds to a bank or mailing address not on record would be flagged.

Currently I use voice authentication, an encrypted password generator/vault and (will continue to use) 2FA via SMS.

Comments/suggestions?

Elbukari
Posts: 24
Joined: Fri Mar 09, 2018 6:01 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Elbukari » Sat Aug 11, 2018 11:36 pm

SpaethCo wrote:
Sat Aug 11, 2018 1:14 pm
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Malware bytes will effectively screen out many phishing websites.
Malware bytes will only help with wide-net "spray and pray" phishing campaigns -- you need enough people to see it, know it's false, and report it for it to end up being listed. That's only somewhat useful, especially as more targeted schemes are becoming far more common. Since the data from breaches of entities like Equifax has now been widely distributed, it's not hard to put together campaigns based on vulnerabilities.

Take another financial institution that uses SMS 2FA: Wells Fargo. When you registered your mobile phone number with the bank for 2FA (or even just for text alerts), it also enabled that number to be used for password resets. Around the end of last year, it was also discovered that T-mobile's SIM-swap or number port security was basically nonexistent. So it appears some enterprising hackers sorted through some of the leaked information that's now widely available, figured out who had T-mobile cell phones, and proceeded to take over accounts and drain them out using Zelle payments.

Mapping numbers to cell companies isn't hard -- you can bulk process requests and get nicely formatted return information. A freely available demo of this type of service is available here: https://apeiron.io/lrn

A reddit link that includes some of the news stories about the WF/T-mobile hack is here: https://www.reddit.com/r/tmobile/commen ... rself_now/

WellsFargo appears to have made improvements to their password recovery process now, but it shows that huge financial companies with substantial security teams are getting this wrong.

The more we participate online, the more information we're producing to help someone create a targeted attack. Just by being on this forum, we're informing potential attackers that a Vanguard, Fidelity, or Schwab phishing campaign has a fair chance to work on anyone reading this sentence.

One of the security engineers from Stripe (online payment processor) presented at BlackHat last summer and gave a great overview of modern phishing campaigns and how she was able to successfully phish other security engineers within the company (let that one sink in for a sec).
https://www.youtube.com/watch?v=Z20XNp-luNA

This is why Google reporting that U2F cut phishing account compromises to ZERO was such big news: https://www.engadget.com/2018/07/24/sec ... -phishing/
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Looking for the HTTPS (or downloading the extensions) will further reduce your risk
As was pointed out in the Blackhat talk, HTTPS isn't really an indicator of much anymore. Anyone can instantly get an SSL cert for free using https://letsencrypt.org/ There's a "build-a-phishing-site" toolkit on Github that shows just how easy this is -- it even automatically gets the SSL certificate for you as part of the initial setup: https://github.com/ustayready/CredSniper

The hardest part of this process is picking domain names that people will find plausible enough to click on. Building believable login page phishing sites is within the capability of anyone who loosely understands programming and can use Google to help with syntax.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Changing your passwords every several months is a good idea too
NIST has actually changed their mind about this. https://nvlpubs.nist.gov/nistpubs/Speci ... 00-63b.pdf
If people are remembering passwords, having them change the password regularly just encourages them to use much less complex passwords. It also has the problem of encouraging a common password rotation set across sites, rather than remembering a new set of passwords across multiple sites every x days.

The best practice is still to use a unique password on every single site. That way a compromise of "Site A" can never lead to access on any other sites.

Password rotation (outside of a known compromise event) ends up being something that "feels" secure while actually providing a minimal amount of actual security benefit.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
Going through your security settings and setting up alerts.
This I agree with 100%.
Elbukari wrote:
Fri Aug 10, 2018 7:01 pm
And again, common sense when browsing the internet. Be mindful of what you are doing.
What makes it really hard is that things change, but security "best practices" live on beyond the problems that inspired them.

For instance: antivirus software. It would be reckless to even think about operating a computer without it 10 years ago. Now? It's a piece of legacy software that runs with full system privileges, and actually gives your computer a bigger attack surface than relying on operating system protections alone. Operating systems got better, but our security recommendations were never re-evaluated. https://arstechnica.com/information-tec ... us-is-bad/

Same thing with password managers that fill in credentials, including browser built-in password managers. These have had a checkered past of exploits and vulnerabilities, but year by year they keep getting better. It used to be that filling in your password was billed as being a "convenience" feature to prevent you from having to type passwords, but now it's actually a security feature because it will only fill in your password for the site on which it was originally learned. 10 years ago people who manually typed their passwords were thought to be the most secure, now the people who manually type their passwords are actually the most vulnerable.
I think you misunderstood the point here. Nothing we do will ever be 100% secure and we will always be vulnerable online, that is an undeniable fact. But the impression I get from you is that because all security is vulnerable to some extent, don't use it?

You've advocated just now that we should get rid of antivirus, while presenting a half-asinine source. How many websites do you think I could present in favor of antivirus? You did the same thing with Malware bytes.

Here is the point that I am making, in case it wasn't clear. While nothing is 100% secure, there are steps that we can take, such as 2FA, antivirus, malwarebytes, only going on HTTPS websites, using password managers for more complex passwords, etc. IN ORDER to reduce the risk of being hacked.

Why are you continuing to tell me the vulnerabilities that exist with these securities? I am not telling people that if they do the aforementioned steps that they will be 100% protected from all the threats out there, but I am telling them, as many would agree, that such steps will reduce their chance of being a victim of hacking.

Which part of this do you not agree with? And what do you suggest the average person does?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sun Aug 12, 2018 2:23 am

Elbukari wrote:
Sat Aug 11, 2018 11:36 pm
While nothing is 100% secure, there are steps that we can take, such as 2FA, antivirus, malwarebytes, only going on HTTPS websites, using password managers for more complex passwords, etc. IN ORDER to reduce the risk of being hacked.

Which part of this do you not agree with?
It's not that these are bad things to recommend individually, but I think it's important to understand what attacks you are facing so you can make a good informed decision on how to defend against them. 2FA stands out on that list; by definition it is the second authentication factor. The big question is what method caused the first factor to be compromised, and does that second factor provide a different type of defense?

I know I buried this link in the middle of my overzealous block of text, but I'm going to post this youtube link again because I think she does a great job explaining the threat landscape in a very consumable way:

https://www.youtube.com/watch?v=Z20XNp-luNA

The problem we're trying to solve: unauthorized account access by malicious actors

The most likely pathway for compromise: Phishing

The problem is that SMS or time-based one-time passwords (TOTP) offer no explicit phishing protection.

Things that actually add significantly to security:
  • Using the longest unique password each site will allow
  • Using a password manager that fills in credentials based on URL matching (phishing protection)
  • Non-phishable second factors like the voiceprint validation that was mentioned above, or U2F tokens that tie authentication to specific URLs
Things that have a perception of adding more security than they actually provide:
  • Code or push notification 2FA. (Google Prompt, SMS codes, Google authenticator, RSA FOB)
  • Regular password rotation
Several people in this thread have already pointed out why SMS is problematic as an identification mechanism, but I see frustratingly few news articles point out all the problems associated with password recovery mechanisms. I'm particularly surprised at just how bad both Vanguard and Fidelity are with the password reset process: neither requires any piece of information not trivially available to a hacker, in addition to an SMS or email, to gain account access. At least my credit union asks for a couple of things not openly found in public records, like a membership number.

On the antivirus front, I didn't expect that comment to be so controversial. Last year DoubleAgent and AVGator were major exploit vectors that were only possible because of 3rd party anti-virus software. The number of high severity CVEs against common AV software products is staggering. I'll throw out a few more relevant links:
https://www.digitaltrends.com/computing ... to-spread/
https://www.wired.com/2017/03/clever-do ... s-malware/
http://www.slate.com/articles/technolog ... ymore.html
https://www.darkreading.com/endpoint/le ... id/1332309

At best, AV isn't doing much for you. At worst, it's adding attack vectors to your system. Personally, for Windows 10 I'd stick with Windows Defender and call it a day. At least Microsoft has figured out how important it is to sandbox the AV inspection process.
Elbukari wrote:
Sat Aug 11, 2018 11:36 pm
And what do you suggest the average person does?
  1. Stay up to date on software patching, particularly your operating system and web browser.
  2. Use a password manager, have unique random passwords for every site, never type your passwords into sites by hand. (Let your password manager alert you by not filling in your credentials if you do end up on a phishing page)
  3. Check password recovery methods for critical services. Find ways to disable password reset via SMS, and if security questions are used, make sure answers aren't easily discoverable.
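The distinction drawn above between code-based second factors (SMS, TOTP, RSA fob) and U2F tokens "that tie authentication to specific URLs", and the earlier point that a proxied login hands the attacker a valid session, comes down to what gets signed. The following is an added, constructed example and not code from Vanguard, Google, or any token vendor: it implements real RFC 6238 TOTP generation, then a simplified U2F-style assertion in which the browser includes the origin it is actually on in the signed data. An HMAC stands in for the ECDSA signature a real token produces, the strict origin-equals-app-id rule is a simplification of U2F's facet rules, and the origins, secret and timestamp are made up.

```python
"""TOTP codes are origin-blind; U2F-style assertions are origin-bound.

Constructed example, not vendor or site code. The HMAC below stands in for the
ECDSA signature a hardware token would produce; the binding argument is the same.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# ---------- TOTP: RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at `unix_time`.
    Nothing about the site or URL enters the computation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def site_verifies_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site recomputes the code; it cannot tell where it was typed."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---------- U2F-style origin-bound assertion (simplified) ----------

class Token:
    """Stand-in for a hardware token: one key per registered app id (origin).
    A real token keeps an ECDSA private key per registration and hands the site
    the public key; here an HMAC key shared with the site plays that role."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, app_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[app_id] = key
        return key  # what the site stores at registration time

    def sign(self, app_id: str, client_data: bytes) -> Optional[bytes]:
        key = self._keys.get(app_id)
        if key is None:
            return None  # never registered for this app id: nothing to sign
        return hmac.new(key, client_data, hashlib.sha256).digest()


def browser_sign(token: Token, requested_app_id: str, actual_origin: str,
                 challenge: bytes) -> Optional[Tuple[bytes, bytes]]:
    """What the browser does on a page's behalf: it uses the origin it is
    actually displaying, not what the page claims, so a page on one origin
    cannot obtain a signature for another. (Real U2F permits related facets
    of one app id; strict equality here is a simplification.)"""
    if requested_app_id != actual_origin:
        return None
    client_data = actual_origin.encode() + b"|" + challenge
    sig = token.sign(actual_origin, client_data)
    return None if sig is None else (client_data, sig)


def site_verifies_assertion(site_origin: str, registered_key: bytes, challenge: bytes,
                            assertion: Optional[Tuple[bytes, bytes]]) -> bool:
    """The real site checks that the origin baked into the signed data is its
    own, that the challenge is the one it issued, and that the signature holds."""
    if assertion is None:
        return False
    client_data, sig = assertion
    origin, _, chal = client_data.partition(b"|")
    if origin != site_origin.encode() or chal != challenge:
        return False
    expected = hmac.new(registered_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenario: the genuine site and a look-alike origin that relays
    whatever the victim submits straight through to the genuine site."""
    real = "https://investor.vanguard.com"
    phish = "https://vanguardsecuritycheck.com"
    results: Dict[str, bool] = {}

    # TOTP: the victim reads the code off the app and types it into the
    # look-alike page; relayed unchanged, the genuine site accepts it.
    totp_secret = b"constructed-totp-seed-0123456789"
    now = 1_533_945_600  # fixed constructed timestamp for reproducibility
    code_typed_into_phish = totp(totp_secret, now)
    results["totp_direct"] = site_verifies_totp(totp_secret, totp(totp_secret, now), now)
    results["totp_proxied"] = site_verifies_totp(totp_secret, code_typed_into_phish, now)

    # U2F-style: registration happened on the genuine origin.
    token = Token()
    stored_key = token.register(real)
    challenge = os.urandom(16)  # issued by the genuine site, relayed by the look-alike

    direct = browser_sign(token, real, real, challenge)
    results["u2f_direct"] = site_verifies_assertion(real, stored_key, challenge, direct)

    # The relayed challenge is genuine, but the browser is on the wrong origin:
    # whether the page asks for the real app id or its own, no usable assertion results.
    proxied = browser_sign(token, real, phish, challenge)
    proxied_own = browser_sign(token, phish, phish, challenge)
    results["u2f_proxied"] = (site_verifies_assertion(real, stored_key, challenge, proxied)
                              or site_verifies_assertion(real, stored_key, challenge, proxied_own))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The TOTP code verifies whether it was typed into the genuine page or relayed through the look-alike, which is the whole proxy problem; the origin-bound assertion verifies only when the browser was really on the registered origin, so the relayed session never materialises.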

passiveTiger
Posts: 72
Joined: Tue Apr 17, 2018 9:22 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by passiveTiger » Sun Aug 12, 2018 2:33 am

Elbukari wrote:
Sat Aug 11, 2018 11:36 pm
And what do you suggest the average person does?
A better DNS. Nothing to install. Type in a few numbers for the access point.

I use a configured openDNS that blocks known hijacked, compromised, and bad actor domains. Emphasis on “known.” Even a basic unconfigured openDNS will block many known bad sites.

There are other similar providers.

It’s not nearly enough, but it’s a zero dollar cost, low maintenance, and relatively permanent implementation even if connecting devices change (and the access point doesn’t).

For more:

https://www.dni.gov/files/NCSC/document ... Secure.pdf

linenfort
Posts: 2094
Joined: Sat Sep 22, 2007 9:22 am
Location: #96151D

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by linenfort » Sun Aug 12, 2018 5:42 am

passiveTiger wrote:
Sun Aug 12, 2018 2:33 am
Elbukari wrote:
Sat Aug 11, 2018 11:36 pm
And what do you suggest the average person does?
A better DNS. Nothing to install. Type in a few numbers for the access point.
...
For more:

https://www.dni.gov/files/NCSC/document ... Secure.pdf
I looked at the pdf and it has good advice, but could not find a single mention of “DNS.” This thread has grown large. Can you tell me where I should be looking if I want to understand what “a better DNS” means?
bogleheads, don't knock state lotteries. They helped defund the mafia.

linenfort
Posts: 2094
Joined: Sat Sep 22, 2007 9:22 am
Location: #96151D

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by linenfort » Sun Aug 12, 2018 6:07 am

Elbukari wrote: That is THE reason I have a flip phone.

May I know which model?
Is texting limited to the primitive means of input we had in the 90s like T9?
bogleheads, don't knock state lotteries. They helped defund the mafia.

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Sun Aug 12, 2018 8:47 am

Vanguard says that if I choose the option "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts,"... if you change browsers or delete cookies or offline content, your computer may become unrecognized. To access your accounts using an unrecognized device, you'll need to disable this feature from a recognized device."

Normally, I do use just one computer, so this seems good. But what happens if my hard disk crashes, or for some reason the cookies get deleted by mistake? (I've done that in the past.) I really don't want to register another device for the sole purpose of guarding against this, since that seems to increase my risk if that gets stolen. Can you call them up and get your new device registered if your original device fails?

jeffyscott
Posts: 7208
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by jeffyscott » Sun Aug 12, 2018 9:18 am

gmaynardkrebs wrote:
Sun Aug 12, 2018 8:47 am
... if you change browsers or delete cookies or offline content, your computer may become unrecognized.
I don't know the answer to your actual question, but even without changing computers I think your device can become unrecognized just due to updates (along with those other things Vanguard lists)?

I don't have that restriction, just 2FA, but it seems to me that periodically my computer has become unrecognized and I have to get a code by text message to log on. I don't know if it becomes unrecognized due to browser and/or OS updates but it has happened without having deleted cookies. Unless, perhaps, they just randomly periodically require the extra 2FA step even for recognized devices?
press on, regardless - John C. Bogle

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Sun Aug 12, 2018 10:26 am

jeffyscott wrote:
Sun Aug 12, 2018 9:18 am
gmaynardkrebs wrote:
Sun Aug 12, 2018 8:47 am
... if you change browsers or delete cookies or offline content, your computer may become unrecognized.
I don't know the answer to your actual question, but even without changing computers I think your device can become unrecognized just due to updates (along with those other things Vanguard lists)?

I don't have that restriction, just 2FA, but it seems to me that periodically my computer has become unrecognized and I have to get a code by text message to log on. I don't know if it becomes unrecognized due to browser and/or OS updates but it has happened without having deleted cookies. Unless, perhaps, they just randomly periodically require the extra 2FA step even for recognized devices?
Yes, that happens to me too, every once in a while, and I have no idea why. So, that's a negative if it's a big deal restoring access.

Jim Beaux
Posts: 37
Joined: Sun Jul 23, 2017 4:29 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Jim Beaux » Sun Aug 12, 2018 1:01 pm

I agree we will never be 100% secure, but the bad guys generally focus on low hanging fruit. Why would they spend a lot of time & effort trying to break through 5 doors when there are so many having but 1?

Remember the old joke about the hungry bear charging up a mountain after 2 hikers. One says to the other, why are you putting on your running shoes? You can't outrun a bear! And the buddy says, I don't have to outrun the bear, I only have to outrun you. :mrgreen:

Locking as many doors as we can gives us a better chance.

Jim Beaux
Posts: 37
Joined: Sun Jul 23, 2017 4:29 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Jim Beaux » Sun Aug 12, 2018 1:25 pm

gmaynardkrebs wrote:
Sun Aug 12, 2018 8:47 am
Vanguard says that if I choose the option "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts,"... if you change browsers or delete cookies or offline content, your computer may become unrecognized. To access your accounts using an unrecognized device, you'll need to disable this feature from a recognized device."

Normally, I do use just one computer, so this seems good. But what happens if my hard disk crashes, or for some reason the cookies get deleted by mistake? (I've done that in the past.) I really don't want to register another device for the sole purpose of guarding against this, since that seems to increase my risk if that gets stolen. Can you call them up and get your new device registered if your original device fails?
I have voice authentication with VG. When calling I don't have to answer security questions, I only have to repeat, "At Vanguard, my voice is my password" and then I am able to discuss business.

A while back a VG advisor called in regards to balancing my holdings. At first he asked one of my security questions and I told him I was concerned about a phish attempt and would call him back through the VG number. He agreed. I called, authenticated via my voice, and we discussed the purpose of his call.

Contact VG about this.

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sun Aug 12, 2018 1:42 pm

Jim Beaux wrote:
Sun Aug 12, 2018 1:01 pm
I agree we will never be 100% secure, but the bad guys generally focus on low hanging fruit. Why would they spend a lot of time & effort trying to break through 5 doors when there are so many having but 1?
2FA isn't really a "second door."

I know my earlier posts had a lot of text, so if you take away nothing else, I just want to distill it down to 2 points:
  1. 2FA offers a significant security gain only when you use the same password on every site. The 2FA code becomes the key thing that prevents a leak of passwords from "Site A" to allow people to gain access to "Site B" once your password is discovered.
  2. The changing code of TOTP/SMS 2FA has one somewhat beneficial attribute: it will limit someone to a single login session when it is stolen. That's it. That's the only protection it really gives you.
Outside of those benefits, for almost all likely scenarios where an attacker is able to obtain your password, they are also going to be able to obtain at least 1 working 2FA code as well. Once your attacker is into your account, it's trivial to do things like disable 2FA or even register a 2nd 2FA method that they control from the security settings of that account so they can continue to get access.

Bruce Schneier (famed security expert) pointed out the problems with 2FA for online authentication over a decade ago: https://www.schneier.com/blog/archives/ ... re_of.html

Bottom line: The most likely way your account is going to be compromised is if you click the wrong link. If you click the wrong link and type in your credentials, you're cooked even if your account has SMS / authenticator app 2FA. In that scenario you get almost zero extra protection.

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Sun Aug 12, 2018 2:02 pm

SpaethCo wrote:
Sun Aug 12, 2018 1:42 pm
Outside of those benefits, for almost all likely scenarios where an attacker is able to obtain your password, they are also going to be able to obtain at least 1 working 2FA code as well.
I don't follow. Suppose my password is qwerty, which I only use for Vanguard, and they get that somehow. They then try to log in from their own device using my username and qwerty. Vanguard tells them they need a security code. Vanguard will then call the number registered on my account, my home telephone (111) 222-3333, which rings only in my house. How do they get that code?

Jim Beaux
Posts: 37
Joined: Sun Jul 23, 2017 4:29 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Jim Beaux » Sun Aug 12, 2018 2:05 pm

SpaethCo wrote:
Sun Aug 12, 2018 1:42 pm
Jim Beaux wrote:
Sun Aug 12, 2018 1:01 pm
I agree we will never be 100% secure, but the bad guys generally focus on low hanging fruit. Why would they spend a lot of time & effort trying to break through 5 doors when there are so many having but 1?
2FA isn't really a "second door."

I know my earlier posts had a lot of text, so if you take away nothing else, I just want to distill it down to 2 points:
  1. 2FA offers a significant security gain only when you use the same password on every site. The 2FA code becomes the key thing that prevents a leak of passwords from "Site A" to allow people to gain access to "Site B" once your password is discovered.
  2. The changing code of TOTP/SMS 2FA has one somewhat beneficial attribute: it will limit someone to a single login session when it is stolen. That's it. That's the only protection it really gives you.
Outside of those benefits, for almost all likely scenarios where an attacker is able to obtain your password, they are also going to be able to obtain at least 1 working 2FA code as well. Once your attacker is into your account, it's trivial to do things like disable 2FA or even register a 2nd 2FA method that they control from the security settings of that account so they can continue to get access.

Bruce Schneier (famed security expert) pointed out the problems with 2FA for online authentication over a decade ago: https://www.schneier.com/blog/archives/ ... re_of.html

Bottom line: The most likely way your account is going to be compromised is if you click the wrong link. If you click the wrong link and type in your credentials, you're cooked even if your account has SMS / authenticator app 2FA. In that scenario you get almost zero extra protection.
I used the term 'doors' hypothetically, i.e., a burglar breaking into a building.

thx1138
Posts: 777
Joined: Fri Jul 12, 2013 2:14 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by thx1138 » Sun Aug 12, 2018 2:30 pm

SpaethCo wrote:
Sun Aug 12, 2018 1:42 pm
Bottom line: The most likely way your account is going to be compromised is if you click the wrong link.
No, that’s the most likely way the *average* user is going to be compromised. You need to be a victim of social engineering and phishing to have that happen. It is extremely effective against most users. But it is something that can be avoided through proper education and behavior.
If you click the wrong link and type in your credentials, you're cooked even if your account has SMS / authenticator app 2FA. In that scenario you get almost zero extra protection.
Absolutely true. Which is why behavior modification is the very first step to security.

jeffyscott
Posts: 7208
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by jeffyscott » Sun Aug 12, 2018 2:40 pm

thx1138 wrote:
Sun Aug 12, 2018 2:30 pm
SpaethCo wrote:
Sun Aug 12, 2018 1:42 pm
Bottom line: The most likely way your account is going to be compromised is if you click the wrong link.
No, that’s the most likely way the *average* user is going to be compromised. You need to be a victim of social engineering and phishing to have that happen. It is extremely effective against most users. But it is something that can be avoided through proper education and behavior.
If you click the wrong link and type in your credentials, you're cooked even if your account has SMS / authenticator app 2FA. In that scenario you get almost zero extra protection.
Absolutely true. Which is why behavior modification is the very first step to security.
Why am I clicking a random link to go to the website?

If I want to log on to vanguard, I type "v" or "p" and maybe a few additional letters in my browser, then pick the site from the list that drops down.
press on, regardless - John C. Bogle

passiveTiger
Posts: 72
Joined: Tue Apr 17, 2018 9:22 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by passiveTiger » Sun Aug 12, 2018 2:40 pm

linenfort wrote:
Sun Aug 12, 2018 5:42 am
passiveTiger wrote:
Sun Aug 12, 2018 2:33 am
Elbukari wrote:
Sat Aug 11, 2018 11:36 pm
And what do you suggest the average person does?
A better DNS. Nothing to install. Type in a few numbers for the access point.
...
For more:

https://www.dni.gov/files/NCSC/document ... Secure.pdf
I looked at the pdf and it has good advice, but could not find a single mention of “DNS.” This thread has grown large. Can you tell me where I should be looking if I want to understand what “a better DNS” means?
I use openDNS. It blocks many KNOWN problem sites.

https://www.opendns.com

It is not a replacement for antivirus and other protective measures. It’s just an easy layer of depth to defense. There are others.

An earlier guide for users mentioned it, but I guess people didn’t understand it so they removed that one. After all, you don’t know what it even is, and so that may indicate it’s too much for most users even though it’s arguably the easiest to implement.

https://dodcio.defense.gov/Portals/0/Do ... update.pdf

Keep in mind that with the CLAIMED exception of one DNS provider, whoever does the resolving will have a record of where you go. For most people, it’s their ISP DNS and it provides no protection.

So, openDNS or a similar provider will know your site visits and provide you some protection in exchange.

Want DNS privacy over bad site blocking? Try https://blog.cloudflare.com/dns-resolver-1-1-1-1/

jeffyscott
Posts: 7208
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by jeffyscott » Sun Aug 12, 2018 2:44 pm

gmaynardkrebs wrote:
Sun Aug 12, 2018 2:02 pm
SpaethCo wrote:
Sun Aug 12, 2018 1:42 pm
Outside of those benefits, for almost all likely scenarios where an attacker is able to obtain your password, they are also going to be able to obtain at least 1 working 2FA code as well.
I don't follow. Suppose my password is qwerty, which I only use for Vanguard, and they get that somehow. They then try to log in from their own device using my username and qwerty. Vanguard tells them they need a security code. Vanguard will then call the number registered on my account, my home telephone (111) 222-3333, which rings only in my house. How do they get that code?
I don't understand either, 2FA may not be everything but it's not nothing either.

Also regarding this: "Once your attacker is in to your account, it's trivial to do things like disable 2FA or even register a 2nd 2FA method that they control from the security settings of that account so they can continue get access."

Okay, but I believe that I would also get emails telling me that these things have been changed.
press on, regardless - John C. Bogle

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sun Aug 12, 2018 2:47 pm

gmaynardkrebs wrote:
Sun Aug 12, 2018 2:02 pm
I don't follow. Suppose my password is qwerty, which I only use for Vanguard, and they get that somehow. They then try to log in from their own device using my username and qwerty. Vanguard tells them they need a security code. Vanguard will then call the number registered on my account, my home telephone (111) 222-3333, which rings only in my house. How do they get that code?
The important thing to keep in mind is that there are almost always systems in place to keep people from randomly trying passwords until they find one that works. People who are getting into accounts have the password on the first try, which means they most likely got your password through one of 3 ways:
  1. You use the same password everywhere, and so a password leak from another site revealed your password.
  2. You have a malware/keylogger infection on your system
  3. You clicked a phishing link, and directly gave your attacker your credentials
On the malware front, there have been a couple variants we've seen that cause the browser to crash immediately when you click "submit" after typing the 2FA code. This works if the malware is coded to look for logins to a specific site, and submits the credentials to a controller so they can attempt the login and get a session before you can re-launch your browser. This is pretty rare though.

On the magnitude of something like 500:1, the most likely way the password is obtained is through phishing.

Here's how this usually plays out:

You get a text message or email that says "We detected potential unusual activity on your account, please click this link to review this transaction" with a link that looks like it could be authentic -- say "https://vanguardfraudalerts.com/verify=laskdhjf7829lalf" This works particularly well when the alert messages are formatted exactly the same as the real service account alerts. (worth noting: at the time of this posting, vanguardfraudalerts.com is unregistered and available for any attacker to grab for this purpose)

You click the link, you're presented with a login page that is cloned from the real Vanguard page, so there are no visual cues to make you think this isn't authentic. Your browser will have a green lock indicating a valid SSL certificate, because anyone can get a free domain-validated SSL certificate instantly through the automatic systems of services like Let's Encrypt. You enter your user and password, and in real time that site takes that user and password and logs into Vanguard's site. This causes Vanguard's system to call/text you with the code (this is a real call or text from the real Vanguard) -- you enter that code into the site. The phishing site then submits the code to Vanguard's site and the takeover script now has an authenticated web session to work with. The phishing site sends you a message that says something like "Temporary authentication error. Please try logging in again" and directs you to the real Vanguard site.

That last part isn't altogether unexpected -- lots of sites hit points where they dump you back out to a password prompt if the system loses your session somehow. That's why this method is so effective - from your perspective it looks just like the typical portal glitch that everyone runs into from time to time, but in reality your credentials were just swiped.

The plausible website problem is extremely pervasive and hard to address through any kind of security training. Heck, following the Equifax breach even Equifax's own social media team was convinced to send out a plausible link to a non-Equifax controlled site: https://www.nytimes.com/2017/09/20/busi ... bsite.html
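The walk-through above, and the two distilled points earlier in the thread (a relayed code gives the attacker one session), come down to one property: a code carries no information about which page the user typed it into, whereas an origin-bound authenticator assertion does. The following is an added example, not code from the thread or from Vanguard: it models the real site's two checks, with a genuine RFC 6238 TOTP accepted no matter where it was entered, and an assertion bound to the page origin (an HMAC stands in for the FIDO/WebAuthn signature) rejected when produced on a look-alike page. The secrets, origins, challenge and timestamp are constructed.

```python
"""Why the relay described above beats a TOTP/SMS code but not an origin-bound
authenticator. Added example, not code from the thread or from Vanguard; the
secrets, origins, challenge and clock values are constructed. An HMAC over
(challenge, origin) stands in for the public-key signature a FIDO/WebAuthn
authenticator would produce; the verification logic is the same shape."""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://investor.vanguard.com"             # where the account lives
LOOKALIKE_ORIGIN = "https://vanguardfraudalerts.example"  # the page the user was lured to
TOTP_SECRET = b"constructed-shared-secret"                # shared with the user's app/phone
AUTHENTICATOR_KEY = b"constructed-device-key"             # never leaves the user's device


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def site_accepts_totp(code: str, unix_time: int) -> bool:
    """The real site checks only that the code is right for now (+/- one step).
    Nothing in the six digits says which page the user typed them into."""
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, unix_time + d))
               for d in (-30, 0, 30))


def authenticator_sign(challenge: bytes, page_origin: str) -> bytes:
    """The browser tells the authenticator the origin of the page asking;
    the assertion binds the challenge AND that origin."""
    return hmac.new(AUTHENTICATOR_KEY, challenge + page_origin.encode(),
                    hashlib.sha256).digest()


def site_accepts_assertion(challenge: bytes, assertion: bytes) -> bool:
    """The real site verifies over ITS OWN origin, so an assertion produced for
    any other page fails even if it is relayed instantly and unmodified."""
    expected = hmac.new(AUTHENTICATOR_KEY, challenge + REAL_ORIGIN.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion, expected)


def relayed_code_is_accepted(unix_time: int) -> bool:
    """User, on the look-alike page, types the genuine code the real site just
    triggered. The page forwards it unchanged. Does the real site accept it?"""
    code_typed_by_user = totp(TOTP_SECRET, unix_time)   # genuine code from the real app
    forwarded = code_typed_by_user                       # nothing to alter, nothing to detect
    return site_accepts_totp(forwarded, unix_time)


def relayed_assertion_is_accepted() -> bool:
    """Same relay, second factor is an origin-bound authenticator. The real site
    issued the challenge and the look-alike page forwards it, but the browser on
    that page reports the look-alike origin to the authenticator."""
    challenge = b"constructed-random-challenge"          # issued by the real site
    assertion = authenticator_sign(challenge, LOOKALIKE_ORIGIN)
    return site_accepts_assertion(challenge, assertion)


def legitimate_assertion_is_accepted() -> bool:
    """Control case: the same authenticator on the real site's own page."""
    challenge = b"constructed-random-challenge"
    return site_accepts_assertion(challenge, authenticator_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    now = 1_534_100_000  # constructed timestamp (Aug 2018)
    print("RFC 6238 vector (secret '12345678901234567890', t=59):",
          totp(b"12345678901234567890", 59, digits=8))        # 94287082
    print("relayed TOTP accepted by real site:", relayed_code_is_accepted(now))
    print("relayed origin-bound assertion accepted:", relayed_assertion_is_accepted())
    print("assertion from the real page accepted:", legitimate_assertion_is_accepted())
```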

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Sun Aug 12, 2018 2:52 pm

You click the link, you're presented with a login page that is cloned from the real Vanguard page, so there are no visual cues to make you think this isn't authentic. Your browser will have a green lock indicating a valid SSL certificate, because anyone can get a free domain-validated SSL certificate instantly through the automatic systems of services like Let's Encrypt. You enter your user and password, and in real time that site takes that user and password and logs into Vanguard's site. This causes Vanguard's system to call/text you with the code (this is a real call or text from the real Vanguard) -- you enter that code into the site. The phishing site then submits the code to Vanguard's site and the takeover script now has an authenticated web session to work with.
Would checking the box that permits me to only log in from my laptop prevent this?

SpaethCo
Posts: 115
Joined: Thu Jan 14, 2016 12:58 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by SpaethCo » Sun Aug 12, 2018 3:22 pm

gmaynardkrebs wrote:
Sun Aug 12, 2018 2:52 pm
Would checking the box that permits me to only log in from my laptop prevent this?
Most likely, yes.

It would probably be worth validating with Vanguard that they can disable that setting if you call in and authenticate with voiceprint authentication, just to eliminate the single point of failure.

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Mon Aug 13, 2018 12:31 pm

SpaethCo wrote:
Sun Aug 12, 2018 3:22 pm
gmaynardkrebs wrote:
Sun Aug 12, 2018 2:52 pm
Would checking the box that permits me to only log in from my laptop prevent this?
Most likely, yes.

It would probably be worth validating with Vanguard that they can disable that setting if you call in and authenticate with voiceprint authentication, just to eliminate the single point of failure.
I checked with Vanguard. They say that if you call in, they can change that setting. If you can answer the security questions or use voiceprint, they will change it for you. However, he pointed out that when the crook goes back and tries to log in, he will still need the 2FA security code, which is only sent to my home landline phone. So, I think it's safe, and if your cookies get cleared or you change browsers or computers, it's not a problem. Of course, you can also change the setting if you have another registered device, such as a second laptop.

Doc
Posts: 8578
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Doc » Mon Aug 13, 2018 6:48 pm

gmaynardkrebs wrote:
Mon Aug 13, 2018 12:31 pm
So, I think it's safe, and if your cookies get cleared or you change browsers or computers, it's not a problem.
I keep seeing this cookies clear thing. I periodically clear cookies but have not had a 2FA problem. Either cookies are not an issue or I have screwed up somewhere.

Help me.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by gmaynardkrebs » Mon Aug 13, 2018 6:59 pm

Doc wrote:
Mon Aug 13, 2018 6:48 pm
gmaynardkrebs wrote:
Mon Aug 13, 2018 12:31 pm
So, I think it's safe, and if your cookies get cleared or you change browsers or computers, it's not a problem.
I keep seeing this cookies clear thing. I periodically clear cookies but have not had a 2FA problem. Either cookies are not an issue or I have screwed up somewhere.

Help me.
It's only a "problem" if you check the box to not allow access from unrecognized computers. Even with 2FA, you cannot log in from a "new" computer. BTW, I set it all up today, it worked fine the first time, and then I was locked out with the computer not recognized. I had to call them to regain access. Quite annoying.

rkhusky
Posts: 5514
Joined: Thu Aug 18, 2011 8:09 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by rkhusky » Tue Aug 14, 2018 10:34 am

Doc wrote:
Mon Aug 13, 2018 6:48 pm
gmaynardkrebs wrote:
Mon Aug 13, 2018 12:31 pm
So, I think it's safe, and if your cookies get cleared or you change browsers or computers, it's not a problem.
I keep seeing this cookies clear thing. I periodically clear cookies but have not had a 2FA problem. Either cookies are not an issue or I have screwed up somewhere.

Help me.
My browser deletes cookies whenever I quit and I quit the browser before and after logging in to any financial web site. Vanguard must use something else besides cookies to identify the computer. Perhaps a browser fingerprint?

Doc
Posts: 8578
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Doc » Tue Aug 14, 2018 10:41 am

rkhusky wrote:
Tue Aug 14, 2018 10:34 am
My browser deletes cookies whenever I quit. Vanguard must use something else besides cookies to identify the computer. Perhaps a browser fingerprint?
Yes. I investigated and also asked. Forget the asked. He wasn't sure. With Internet Explorer resetting cookies triggers a new code requirement. Chrome does not. Quicken doesn't care about cookies.

I don't know if this matters.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

rkhusky
Posts: 5514
Joined: Thu Aug 18, 2011 8:09 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by rkhusky » Tue Aug 14, 2018 10:45 am

Doc wrote:
Tue Aug 14, 2018 10:41 am
rkhusky wrote:
Tue Aug 14, 2018 10:34 am
My browser deletes cookies whenever I quit. Vanguard must use something else besides cookies to identify the computer. Perhaps a browser fingerprint?
Yes. I investigated and also asked. Forget the asked. He wasn't sure. With Internet Explorer resetting cookies triggers a new code requirement. Chrome does not. Quicken doesn't care about cookies.

I don't know if this matters.
I use Firefox. I will see if upgrading to a new version causes a new code or adding a new extension.

Silence Dogood
Posts: 710
Joined: Tue Feb 01, 2011 9:22 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Silence Dogood » Tue Aug 14, 2018 11:27 am

rkhusky wrote:
Tue Aug 14, 2018 10:34 am
Doc wrote:
Mon Aug 13, 2018 6:48 pm
gmaynardkrebs wrote:
Mon Aug 13, 2018 12:31 pm
So, I think it's safe, and if your cookies get cleared or you change browsers or computers, it's not a problem.
I keep seeing this cookies clear thing. I periodically clear cookies but have not had a 2FA problem. Either cookies are not an issue or I have screwed up somewhere.

Help me.
My browser deletes cookies whenever I quit and I quit the browser before and after logging in to any financial web site. Vanguard must use something else besides cookies to identify the computer. Perhaps a browser fingerprint?
This thread may be helpful to you:

viewtopic.php?t=205031&start=50#p3534585

rkhusky
Posts: 5514
Joined: Thu Aug 18, 2011 8:09 pm

Re: New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by rkhusky » Wed Aug 15, 2018 9:00 pm

rkhusky wrote:
Tue Aug 14, 2018 10:45 am
Doc wrote:
Tue Aug 14, 2018 10:41 am
rkhusky wrote:
Tue Aug 14, 2018 10:34 am
My browser deletes cookies whenever I quit. Vanguard must use something else besides cookies to identify the computer. Perhaps a browser fingerprint?
Yes. I investigated and also asked. Forget the asked. He wasn't sure. With Internet Explorer resetting cookies triggers a new code requirement. Chrome does not. Quicken doesn't care about cookies.

I don't know if this matters.
I use Firefox. I will see if upgrading to a new version causes a new code or adding a new extension.
I upgraded Firefox and also deleted one of my extensions and was not asked for a new code.
