What is the risk of using Vanguard's 4-hour log-in option?

Topic Author
CenTexan
Posts: 368
Joined: Wed Jun 07, 2017 8:02 pm

What is the risk of using Vanguard's 4-hour log-in option?

Post by CenTexan »

Vanguard offers the option to choose whether your log in automatically times out after 15 minutes (of inactivity) or 4 hours (regardless of activity).

For a desktop user (Windows/Chrome) in one's home, what are the security risks of choosing the 4 hour time-out?

Is the risk only on my interfacing end of the connection (ie, someone gets access to the browser I left open and signed in to Vanguard)? Or is there some extra vulnerability from leaving the "connection" to Vanguard open (not on my end, but somewhere along the internet route and the Vanguard access port)?

Thanks.
Topic Author
CenTexan
Posts: 368
Joined: Wed Jun 07, 2017 8:02 pm

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by CenTexan »

(bump - in hope that someone has an answer!)
joe-kr
Posts: 87
Joined: Mon Sep 10, 2018 11:16 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by joe-kr »

I think the only danger is that the connection is open on your browser, and someone could come along, sit down and use that logged-in connection.

The connection is encrypted end to end using https - so anyone in the “middle” of the connection (like your ISP) cannot see your data.
edge
Posts: 3701
Joined: Mon Feb 19, 2007 6:44 pm
Location: NY

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by edge »

Increased risk of cross site scripting if you don’t log out and browse around to other sites.
hoofaman
Posts: 796
Joined: Tue Jul 14, 2020 3:39 pm

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by hoofaman »

Typically, when you log in to a website, the website gives you (your browser) an access token that your browser sends with all its requests to that website. That token will allow you to access resources from the website; the website knows who the requester is based on that token. It will work for some pre-determined amount of time, then you need to log in again to get a new token when it expires. It sounds like Vanguard is giving you the option to allow that token to work for either 15 minutes or 4 hours.

If someone had access to your local computer, or they somehow managed to intercept the token (you're sending it each time you make a request to their website, although your requests should be encrypted as it's an HTTPS website), it's theoretically possible they could take that access token and then use it to access the website using your session. Personally that's not something I worry about myself, but to each their own.
Topic Author
CenTexan
Posts: 368
Joined: Wed Jun 07, 2017 8:02 pm

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by CenTexan »

edge wrote: Sat Sep 16, 2023 1:02 pm Increased risk of cross site scripting if you don’t log out and browse around to other sites.
I had to look up cross site scripting:

Cross-site scripting (XSS) is a type of cyber attack where a threat actor inserts malicious code into content from trusted websites. The malicious code is then included with dynamic content delivered to a victim's browser. The victim's browser has no way of knowing that the malicious scripts can't be trusted and therefore executes them.

Are you saying that malicious code can be inserted into my Vanguard session while it is active? If so, then you're saying the less time I spend on a website the more secure? Hence, don't stay connected longer than my immediate need?
Topic Author
CenTexan
Posts: 368
Joined: Wed Jun 07, 2017 8:02 pm

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by CenTexan »

hoofaman wrote: Sat Sep 16, 2023 2:09 pm Typically, when you log in to a website, the website gives you (your browser) an access token that your browser sends with all its requests to that website. That token will allow you to access resources from the website; the website knows who the requester is based on that token. It will work for some pre-determined amount of time, then you need to log in again to get a new token when it expires. It sounds like Vanguard is giving you the option to allow that token to work for either 15 minutes or 4 hours.

If someone had access to your local computer, or they somehow managed to intercept the token (you're sending it each time you make a request to their website, although your requests should be encrypted as it's an HTTPS website), it's theoretically possible they could take that access token and then use it to access the website using your session. Personally that's not something I worry about myself, but to each their own.
Thanks for the explanation. In theory, then, one long session (say 4 hours) might be more secure than multiple short sessions (say 15 minutes), since there is less of a chance of the token being intercepted - correct? Or does the long session give them more time to get the token and use it?
Mike Scott
Posts: 3361
Joined: Fri Jul 19, 2013 2:45 pm

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by Mike Scott »

If you are concerned about risk, just log out when you are finished with whatever you are doing. There is no need to leave it open for 15 minutes or 4 hours.
typical.investor
Posts: 4848
Joined: Mon Jun 11, 2018 3:17 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by typical.investor »

CenTexan wrote: Fri Sep 15, 2023 9:29 am Vanguard offers the option to choose whether your log in automatically times out after 15 minutes (of inactivity) or 4 hours (regardless of activity).

For a desktop user (Windows/Chrome) in one's home, what are the security risks of choosing the 4 hour time-out?
I don't know.

I do know that Vanguard has a guarantee against unauthorized online transactions on vanguard.com provided you take certain precautions.

I presume the 4 hour time out period doesn't violate their guarantee.

I presume Vanguard wouldn't implement that policy if they believed it would result in real losses to them.
gavinsiu
Posts: 3064
Joined: Sun Nov 14, 2021 11:42 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by gavinsiu »

The risk is that if you leave your computer unlocked, someone could access your account before you log out. You can mitigate this if you just lock your computer.

I usually favor keeping the timeout short and use a password manager to login.
Northern Flicker
Posts: 14150
Joined: Fri Apr 10, 2015 12:29 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by Northern Flicker »

CenTexan wrote: Sat Sep 16, 2023 2:14 pm
edge wrote: Sat Sep 16, 2023 1:02 pm Increased risk of cross site scripting if you don’t log out and browse around to other sites.
I had to look up cross site scripting:

Cross-site scripting (XSS) is a type of cyber attack where a threat actor inserts malicious code into content from trusted websites. The malicious code is then included with dynamic content delivered to a victim's browser. The victim's browser has no way of knowing that the malicious scripts can't be trusted and therefore executes them.

Are you saying that malicious code can be inserted into my Vanguard session while it is active? If so, then you're saying the less time I spend on a website the more secure? Hence, don't stay connected longer than my immediate need?
It is not possible to enumerate all possible risks. Instead, invoke the well established principle of least privilege and only stay logged in while you are using the service.

The post I replied to is subtly different from your original question, which concerned the timeout to set. The main risks of a long timeout are forgetting to logout when you are done using the service and inadvertently leaving your session unattended.
Northern Flicker
Posts: 14150
Joined: Fri Apr 10, 2015 12:29 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by Northern Flicker »

1. You should close all browser sessions before logging in to a financial site.

2. Open a browser session only for the financial site.

3. Login and take care of what you need.

4. Log out when done.

5. Close browser session.

It is not a bad idea to configure your browser to clear cookies when it is closed. It also is not a bad idea to ensure that your daily antivirus software virus signature update completed before logging in.
edge
Posts: 3701
Joined: Mon Feb 19, 2007 6:44 pm
Location: NY

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by edge »

No, the longer session is riskier. You should log out when you are done with whatever you were doing.

I think your understanding of XSS isn’t quite right. Keep in mind that when your browser sees a request for the vanguard.com domain it will automatically include the (live, in the case of four hours) session cookie. So an attacker can take advantage of this if you land on their website which has links back to VG which execute commands using the live cookie.
CenTexan wrote: Sat Sep 16, 2023 2:19 pm
hoofaman wrote: Sat Sep 16, 2023 2:09 pm Typically, when you log in to a website, the website gives you (your browser) an access token that your browser sends with all its requests to that website. That token will allow you to access resources from the website; the website knows who the requester is based on that token. It will work for some pre-determined amount of time, then you need to log in again to get a new token when it expires. It sounds like Vanguard is giving you the option to allow that token to work for either 15 minutes or 4 hours.

If someone had access to your local computer, or they somehow managed to intercept the token (you're sending it each time you make a request to their website, although your requests should be encrypted as it's an HTTPS website), it's theoretically possible they could take that access token and then use it to access the website using your session. Personally that's not something I worry about myself, but to each their own.
Thanks for the explanation. In theory, then, one long session (say 4 hours) might be more secure than multiple short sessions (say 15 minutes), since there is less of a chance of the token being intercepted - correct? Or does the long session give them more time to get the token and use it?
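An added example (not code from this thread, from Vanguard, or from any poster) that models the two ideas above from the server's and browser's side: hoofaman's point that a session token is only honoured for a pre-determined lifetime (15 minutes of inactivity vs. 4 hours regardless of activity), and edge's point that the browser attaches a live vanguard.com cookie to requests for that domain even when another site triggers them, which the cookie's SameSite attribute controls. Site names and time limits are constructed placeholders, not Vanguard's actual settings.

```python
import secrets

INF = float("inf")


class SessionStore:
    """Server-side session table enforcing an idle and/or an absolute lifetime."""

    def __init__(self, idle_limit=INF, absolute_limit=INF):
        self.idle_limit = idle_limit            # seconds of inactivity allowed
        self.absolute_limit = absolute_limit    # seconds since login allowed
        self._sessions = {}                     # token -> (created_at, last_seen)

    def login(self, now):
        token = secrets.token_urlsafe(32)       # unguessable session identifier
        self._sessions[token] = (now, now)
        return token

    def validate(self, token, now):
        """True if the token is still live; refreshes last_seen on success."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        created, last_seen = entry
        if now - created > self.absolute_limit or now - last_seen > self.idle_limit:
            del self._sessions[token]           # expire on the server, not only in the browser
            return False
        self._sessions[token] = (created, now)
        return True

    def logout(self, token):
        self._sessions.pop(token, None)         # explicit logout ends the session at once


def cookie_sent(same_site, request_site, cookie_site, top_level_get):
    """Would the browser attach the session cookie to this request?

    Same-site requests always carry it. For a cross-site request (a page on
    another site linking or posting back to the bank) the SameSite attribute
    decides: Strict never, Lax only on top-level GET navigations, None always.
    """
    if request_site == cookie_site:
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        return top_level_get
    return True   # SameSite=None (requires Secure; cookie goes cross-site)
```

The 15-minute policy is `SessionStore(idle_limit=15 * 60)` and the 4-hour policy is `SessionStore(absolute_limit=4 * 3600)`; calling `logout` closes the window for either one immediately.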
AspirationalBH
Posts: 24
Joined: Sat Oct 01, 2022 12:08 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by AspirationalBH »

The risk is that you navigate knowingly or unknowingly to a malicious website which then re-uses the session to the Vanguard site. You may unknowingly be directed to a malicious website via malvertising (malware via advertising).

By using an ad-blocker like "uBlock Origin" and a dedicated browser, you can mitigate the risk of session hijacking. When I say dedicated browser I mean a browser which you only use for financial transactions.

Your computer comes with one browser by default, so download Firefox from mozilla.org and install uBlock Origin from addons.mozilla.org. By using a dedicated browser you will mitigate browser session hijacking since you'll only visit a limited number of websites.

If you download pirated software or videos with your main browser, this strategy will not help as you'll likely be downloading malware which may include keyloggers or intercepting proxies which are installed at the operating system level.
vnatale
Posts: 1361
Joined: Sat Jul 31, 2010 8:50 pm
Location: Montague, MA

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by vnatale »

typical.investor wrote: Sat Sep 16, 2023 6:37 pm
CenTexan wrote: Fri Sep 15, 2023 9:29 am Vanguard offers the option to choose whether your log in automatically times out after 15 minutes (of inactivity) or 4 hours (regardless of activity).

For a desktop user (Windows/Chrome) in one's home, what are the security risks of choosing the 4 hour time-out?
I don't know.

I do know that Vanguard has a guarantee against unauthorized online transactions on vanguard.com provided you take certain precautions.

I presume the 4 hour time out period doesn't violate their guarantee.

I presume Vanguard wouldn't implement that policy if they believed it would result in real losses to them.
What are these "certain precautions"?
Above provided by: Vinny, who always says: "I only regret that I have but one lap to give to my cats." AND "I'm a more-is-more person."
typical.investor
Posts: 4848
Joined: Mon Jun 11, 2018 3:17 am

Re: What is the risk of using Vanguard's 4-hour log-in option?

Post by typical.investor »

vnatale wrote: Thu Sep 21, 2023 8:49 pm
typical.investor wrote: Sat Sep 16, 2023 6:37 pm
CenTexan wrote: Fri Sep 15, 2023 9:29 am Vanguard offers the option to choose whether your log in automatically times out after 15 minutes (of inactivity) or 4 hours (regardless of activity).

For a desktop user (Windows/Chrome) in one's home, what are the security risks of choosing the 4 hour time-out?
I don't know.

I do know that Vanguard has a guarantee against unauthorized online transactions on vanguard.com provided you take certain precautions.

I presume the 4 hour time out period doesn't violate their guarantee.

I presume Vanguard wouldn't implement that policy if they believed it would result in real losses to them.
What are these "certain precautions"?
Read their policies … it’s different for each firm.

Generally it’s don’t share the password and watch for account notifications and inform them in a timely manner (EFT protections give you 60 days after statement issuance).

Vanguard might require keeping your computer up-to-date.