Receiving 2FA codes from Vanguard while overseas

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Post Reply
Jive Turkey
Posts: 34
Joined: Tue Jun 17, 2008 9:35 pm

Receiving 2FA codes from Vanguard while overseas

Post by Jive Turkey » Wed Jul 18, 2018 3:45 am

It seems that Vanguard will soon be pushing everyone to activate the 2-factor authentication security feature soon:

viewtopic.php?f=10&t=254183&newpost=402 ... ead#unread

I just received a message from Vanguard saying that I will "soon be required to sign up for security codes." No deadline was given, but I figure they'll give one in the next year or so.

I like the idea of added security, but Vanguard's 2FA is something I've avoided activating since I spend most of the year outside the US and I don't keep a US phone number. Vanguard's 2FA either sends codes by SMS , or through an automated voice call. The system will only work for US numbers. I figure one could use a US SIM and pay roaming charges to receive codes, but that looks like a pretty expensive solution.

There are plenty of Bogleheads who spend lots of time overseas. Has anyone found a reliable way to use 2FA while outside the US?

Based on a quick search, I see two potential methods:

1. Use an Anveo US number to receive SMS shortcodes.

2. Get a Skype US phone number, and receive the 2FA code by automated voice call. It seems that Skype cannot receive SMS shortcodes.

Has anyone tried these or other methods to receive 2FA codes outside the US?

tivattom
Posts: 70
Joined: Sat Apr 07, 2007 1:51 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tivattom » Wed Jul 18, 2018 3:47 am

Yes I currently receive SMS codes in Europe while travelling.

I use a google voice number registered with Vanguard and have any SMS messages received by google voice forwarded to my email. As long as I have Email access I can get the codes.

User avatar
JoMoney
Posts: 6116
Joined: Tue Jul 23, 2013 5:31 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by JoMoney » Wed Jul 18, 2018 3:50 am

Yes. Get a U.S. VOIP number that accepts SMS.
Google Voice is free, but you have to set it up in the U.S. (from US IP) with a U.S. number that is active at the time you establish it. After you've established a Google voice number and linked it to a U.S. phone you can disable forwarding to the phone and use the Google Voice number standalone while outside the U.S.
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham

jminv
Posts: 577
Joined: Tue Jan 02, 2018 10:58 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by jminv » Wed Jul 18, 2018 3:55 am

Google voice. If you’re outside the us when setting it up use a us vpn up when doing so. You’ll also need someone in USA to use their number to get a validation code. Then you can switch it after validated. I looked at the other providers and they’re not a great value.

I prefer when companies use two factor identification through email. It’s irritating when it’s sms only option.

Jive Turkey
Posts: 34
Joined: Tue Jun 17, 2008 9:35 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by Jive Turkey » Wed Jul 18, 2018 11:57 pm

Thanks to all for the helpful advice. Sounds easy to sort out on my next visit to the US.

bobolink
Posts: 9
Joined: Sun Sep 20, 2015 8:16 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by bobolink » Thu Jul 19, 2018 12:45 pm

Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin

gtd98765
Posts: 104
Joined: Sun Jan 08, 2017 4:15 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by gtd98765 » Thu Jul 19, 2018 3:19 pm

bobolink wrote:
Thu Jul 19, 2018 12:45 pm
Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin
I disagree that it is "relatively easy for sometime to intercept your text messages". It may be relatively easy for the NSA or the GRU, but unless there is some reason these expensive specialized agencies should be after you personally, I think it is non-trivial, and there is certainly not an epidemic of such attacks going around. I would worry more about pfishing and trojans stealing passwords. Certainly for 99% of the population any 2FA is better than no 2FA, and we should not be discouraging people from taking advantage of any 2FA measures that are available, or make them think "it's really no safer." It is, even if it's not perfect.

Thesaints
Posts: 1619
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Wed Sep 12, 2018 8:22 pm

"2FA is safer than no 2FA", the risk being... ?

User avatar
tuningfork
Posts: 399
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Wed Sep 12, 2018 9:33 pm

gtd98765 wrote:
Thu Jul 19, 2018 3:19 pm
bobolink wrote:
Thu Jul 19, 2018 12:45 pm
Another option would be to buy a YubiKey or similar hardware token. I use this one: https://www.amazon.com/Yubico-Security- ... B07BYSB7FK

They are easy to setup, and much more secure than SMS or email-based 2FA because it is relatively easy for someone to intercept your text messages or break into your email account: https://www.theverge.com/2017/9/18/1632 ... rd-bitcoin
I disagree that it is "relatively easy for sometime to intercept your text messages". It may be relatively easy for the NSA or the GRU, but unless there is some reason these expensive specialized agencies should be after you personally, I think it is non-trivial, and there is certainly not an epidemic of such attacks going around.
Someone does not need NSA hacking skills if they want to target you specifically. It can be done by simply calling or visiting your carrier and impersonating you, convincing them to issue a new SIM. The hard part is getting enough personal details about you to make a plausible social engineering attack. With those details and the right call center agent it could be relatively easy.

Examples here https://www.wired.com/2016/06/hey-stop- ... ntication/

User avatar
tuningfork
Posts: 399
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Wed Sep 12, 2018 9:40 pm

Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.

Thesaints
Posts: 1619
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Wed Sep 12, 2018 10:53 pm

tuningfork wrote:
Wed Sep 12, 2018 9:40 pm
Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.
So, hackers log on my Vanguard account. And then ? The only possible negative consequence I can see is that they start exchanging shares of fund A for Fund B, triggering CG. They still don't make a dime, so it would be purely out of spite.

User avatar
tuningfork
Posts: 399
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Thu Sep 13, 2018 10:52 am

Thesaints wrote:
Wed Sep 12, 2018 10:53 pm
tuningfork wrote:
Wed Sep 12, 2018 9:40 pm
Thesaints wrote:
Wed Sep 12, 2018 8:22 pm
"2FA is safer than no 2FA", the risk being... ?
Hackers who get hold of a cracked password database will go after the low-hanging fruit. If they have 10,000 account passwords and try logging in to one that has 2FA, they'll move on to the next account rather than go to the effort of hacking the 2FA.
So, hackers log on my Vanguard account. And then ? The only possible negative consequence I can see is that they start exchanging shares of fund A for Fund B, triggering CG. They still don't make a dime, so it would be purely out of spite.
The assumption being Vanguard hasn't left any openings in their website or procedures that a determined hacker could exploit. Once they have your password and access to your account, can they change your security questions? See or update beneficiaries? Gain enough info about your account to social engineer a phone rep? Maybe it's impossible, maybe not. There's risk, and like the other poster said, 2FA is safer than no 2FA.

Thesaints
Posts: 1619
Joined: Tue Jun 20, 2017 12:25 am

Re: Receiving 2FA codes from Vanguard while overseas

Post by Thesaints » Thu Sep 13, 2018 1:53 pm

tuningfork wrote:
Thu Sep 13, 2018 10:52 am
The assumption being Vanguard hasn't left any openings in their website or procedures that a determined hacker could exploit. Once they have your password and access to your account, can they change your security questions? See or update beneficiaries? Gain enough info about your account to social engineer a phone rep? Maybe it's impossible, maybe not. There's risk, and like the other poster said, 2FA is safer than no 2FA.
In the same order as your questions:

- Yes. But I'll get notified at my email address of record. Contact Vanguard, establish my identity and have the change reversed.
By doing this hackers don't make a cent, so I'm questioning why "real" hackers would bother doing it.

- Yes. But... same as above.

- Maybe. So a fake phone rep calls me and then what ?

My overall point is that banks don't have 2FA and in the case of those accounts it is certainly possible to transfer funds to a third party. Why would Vanguard bother if it is virtually impossible to subtract funds by gaining unauthorized access ?

annielouise
Posts: 344
Joined: Wed May 14, 2008 4:11 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by annielouise » Thu Sep 13, 2018 2:18 pm

T-Mobile has free text messages in most countries. I think they have a plan or two that doesn't include this, but most plans do. Also free data, although it is slow.

User avatar
tuningfork
Posts: 399
Joined: Wed Oct 30, 2013 8:30 pm

Re: Receiving 2FA codes from Vanguard while overseas

Post by tuningfork » Thu Sep 13, 2018 6:29 pm

Thesaints wrote:
Thu Sep 13, 2018 1:53 pm
My overall point is that banks don't have 2FA and in the case of those accounts it is certainly possible to transfer funds to a third party. Why would Vanguard bother if it is virtually impossible to subtract funds by gaining unauthorized access ?
I can't speak for Vanguard's or any particular bank's decisions on their security infrastructure, but here's an interesting article about why most banks do not offer 2FA for login. Basically it's a risk assessment, and they're doing the minimum necessary. Vanguard must think the risk is higher than the bank does.

https://gizmodo.com/heres-why-your-bank ... 1683777281
In other words, the banks aren’t doing more because they don’t have to. And so as long as they maintain zero-loss guarantees against fraud, and the amount lost to fraud remains relatively small compared to their deep pockets, the banks won’t do anything more to protect you.

Post Reply