Old 08-23-2014, 12:37 PM   #21
Thinks s/he gets paid by the post
 
Join Date: May 2008
Posts: 2,250
One thing I've noticed is that whenever I call Vanguard, they toggle two of my security questions as 2nd level of verification. I should probably change the security questions occasionally.
tmm99 is offline   Reply With Quote

Old 08-23-2014, 01:09 PM   #22
Thinks s/he gets paid by the post
Onward's Avatar
 
Join Date: Jul 2009
Posts: 1,663
Quote:
Originally Posted by mpeirce View Post
I'd never answer a security question truthfully. There are just too many ways to figure out the real answer to many of these "security" questions.
How do you keep track of the fictional answers you gave?
__________________
And if I claim to be a wise man, it surely means that I don't know.
Onward is offline   Reply With Quote
Old 08-23-2014, 01:17 PM   #23
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,582
Quote:
Originally Posted by Onward View Post
How do you keep track of the fictional answers you gave?
That's just one of the reasons why password manager software is so valuable.

Personally, I use 1Password and I'm very heavily reliant on it.
__________________
braumeister is offline   Reply With Quote
Old 08-23-2014, 01:53 PM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,255
Quote:
Originally Posted by TromboneAl View Post
A key logger is unlikely. Note that I don't type the user name for the VG site. It is entered via my password system.

...
I don't know - do these password systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this?

Quote:
My current hypotheses are:

1. A dictionary attack. Boris tried a succession of user names. My user name was only eight characters long.
OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight char could be a brute force attack.

-ERD50
__________________
ERD50 is offline   Reply With Quote
Old 08-23-2014, 03:33 PM   #25
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Columbus area
Posts: 1,589
Quote:
Originally Posted by Onward View Post
How do you keep track of the fictional answers you gave?
braumeister mentioned 1Password which is good. I keep my account info in an encrypted note inside the Keychain on my Mac (built into OS X).

I change all these about once a year and after doing so I update the note and print it out, putting a copy into my safe deposit box.
__________________
mpeirce is offline   Reply With Quote
Old 08-23-2014, 04:24 PM   #26
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,194
Quote:
Originally Posted by ERD50 View Post
I don't know - do these password systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this?

OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight char could be a brute force attack.

-ERD50
I read that keyloggers can't read the apps entries.

VG allows up to 12 chars for a user name, and now I use all 12 and include numbers. I found it's easy to change: just do it before you log in. Choose to register and it will understand that you are reregistering. Nothing is lost.

Sent from my Nexus 7 using Early Retirement Forum mobile app
__________________
Al
TromboneAl is offline   Reply With Quote
Old 08-23-2014, 05:19 PM   #27
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
Quote:
Originally Posted by TromboneAl View Post

I read that keyloggers can't read the apps entries.

VG allows up to 12 chars for a user name, and now I use all 12 and include numbers. I found it's easy to change: just do it before you log in. Choose to register and it will understand that you are reregistering. Nothing is lost.
When I first signed up I picked 12 random characters. There could be an attacker that gets it right, but not likely.

Is it possible your browser or even pass program had a momentary glitch?

I would ask Vanguard to verify whether the attempt came from my IP address or not.

Might something like quicken or mint be downloading data for you? Maybe a hiccup there.
__________________
target2019 is offline   Reply With Quote
Old 08-25-2014, 01:54 PM   #28
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,194
Quote:
Originally Posted by target2019 View Post
Is it possible your browser or even pass program had a momentary glitch?

I would ask Vanguard to verify whether the attempt came from my IP address or not.

Might something like quicken or mint be downloading data for you? Maybe a hiccup there.
1. I would have noticed if that had happened.
2. Great idea. I just called and asked, and he's going to have someone look into it. I think the answer has to be "another IP address" because otherwise it wouldn't have asked the questions. If they can tell me where the IP address came from, it will really help.
3. No, I don't do that, and anyway I would have noticed.
__________________
Al
TromboneAl is offline   Reply With Quote
Old 08-25-2014, 01:58 PM   #29
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,194
Quote:
Originally Posted by easysurfer View Post
While I was at Vanguard, I noticed they have a voice verification system:

https://personal.vanguard.com/us/XHT...JumpPage.xhtml
The rep mentioned that, but here's the story:

I have a password ("enhanced security") for when I call VG.

If the voice thing fails, they use the password. So, that makes the voice thing pretty useless. OTOH, if the caller fails the voice test, it could make the rep suspicious.
__________________
Al
TromboneAl is offline   Reply With Quote
Old 08-25-2014, 03:07 PM   #30
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
Quote:
Originally Posted by TromboneAl View Post
1. I would have noticed if that had happened.
2. Great idea. I just called and asked, and he's going to have someone look into it. I think the answer has to be "another IP address" because otherwise it wouldn't have asked the questions. If they can tell me where the IP address came from, it will really help.
3. No, I don't do that, and anyway I would have noticed.
Trying to think if I've ever gotten the challenge questions with Vanguard. Probably not. But I do get them with other companies when Firefox browser updates itself, which is a frequent occurrence.

It sounds like you're on a safer path, so just a question of knowing how it might have happened.
__________________
target2019 is offline   Reply With Quote
Old 08-25-2014, 03:41 PM   #31
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by braumeister View Post
That's just one of the reasons why password manager software is so valuable.
+1

After Heartbleed virus, began using KeePass, and absolutely love it. Generates very secure encrypted passwords, which I used to change passwords on all my sites. Now logging in to all financial sites is so much faster/easier, and safer. I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers.

Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.
__________________
Options is offline   Reply With Quote
Old 08-27-2014, 06:53 PM   #32
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,194
Vanguard called me back with the answer. They found that someone with a similar user name had typed in my user name by mistake, and therefore had trouble with the security questions.

I still find it a little surprising, because my user name at the time was something like this:

UOTTGERO

So, if they are telling the truth, then everything is OK, and my new user name with 12 characters and digits should prevent this happening again.

I say "telling the truth," because if Russia mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.
__________________
Al
TromboneAl is offline   Reply With Quote
Old 08-28-2014, 12:20 PM   #33
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,883
What does UOTTGERO mean in Russian?

At least the challenge question worked as planned which is much better than the alternative.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 08-28-2014, 12:41 PM   #34
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,560
Quote:
Originally Posted by TromboneAl View Post
I say "telling the truth," because if Russia mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.
Agree they wouldn't tell you, individually, of an attack. They probably wouldn't have given any answer.

The fact they called you back and gave a plausible explanation would suggest you got the truth(IMHO). Web servers or application servers log invalid authentication requests(given proper configuration). Those logs are generally available for research for weeks or longer, just for incidents like yours.

The next to last thing Vanguard or any financial services provider wants is for you not to trust their security. The last thing they want is their name on the front page of WSJ saying a breach occurred.
__________________
MRG is offline   Reply With Quote
Old 08-28-2014, 01:29 PM   #35
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,315
Most likely Vanguard could tell where the phone call came from if Boris was trying to sneak into your account. "Why is Trombone Al calling from Babushba in Siberia?"
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-28-2014, 03:13 PM   #36
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
Quote:
Originally Posted by ERD50 View Post

which reminds me, Vanguards security sucks. You enter username and password on separate pages, so a bad guy gets confirmation of the username, and can then try the password. When they are on one page, they need to get BOTH right at the same attempt. And their PW are too short, I had to use a simpler system than my usual one for secure sites.

-ERD50
Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short? Mix up upper and lower case, numbers and symbols and you have a safe user id and password. They use an icon on the password page so you know you are really on their site. Then there are the security questions that should be nonsense answers that only you would know not the correct answers to the questions. It seems to me Vanguard is doing a good job.

Quote:
Originally Posted by Options View Post
+1

I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers.

Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.
Yep, I copy and drop userids and passwords from the safe. Like you I didn't care for keeping this in the cloud. I've used KeePass for 2 or 3 years now. And like you I deleted the database off the c drive and put it on 2 flash drives. I'd like to keep a 3rd in my safe deposit box but I'd have to have a 4th to bring and return with the one that was in the SDB, maybe all that is overkill. I have a print out of the entire database in the SDB and that is always up to date.
__________________
veremchuka is offline   Reply With Quote
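Two points in this thread lend themselves to a small demonstration: ERD50 and veremchuka's exchange about username and password being on separate pages (a wrong username is answered differently from a wrong password, so the username's validity is confirmed), and MRG's remark that the server logs invalid authentication requests so a support desk can later check which address an attempt came from. The Python below is an added example written for this page, not Vanguard's code; the account "UOTTGERO", the salt, the password and the IP addresses are all constructed.

```python
"""Added example (not the site's code): two login flows and the failed-login
record a support desk could consult afterwards. All data is constructed."""
import hashlib
import hmac

# Fixed salt and one constructed account so the example is deterministic.
_SALT = b"constructed-fixed-salt"
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"UOTTGERO": _hash_password("correct horse battery")}  # constructed account
# Hash of a value nobody uses; verified against when the username is unknown so
# the unknown-user path does the same hashing work as the known-user path.
_DUMMY_HASH = _hash_password("\x00placeholder-not-a-real-password\x00")

AUDIT_LOG = []  # stands in for the web/application server's auth log


def _record(username: str, source_ip: str, outcome: str) -> None:
    AUDIT_LOG.append({"user": username, "ip": source_ip, "outcome": outcome})


def two_step_login(username: str, password: str, source_ip: str = "203.0.113.5") -> str:
    """Username on one page, password on the next: the reply tells the caller
    which of the two was wrong, so a real username is confirmed as real."""
    if username not in USERS:
        _record(username, source_ip, "unknown-user")
        return "unknown user"
    if not hmac.compare_digest(_hash_password(password), USERS[username]):
        _record(username, source_ip, "bad-password")
        return "wrong password"
    _record(username, source_ip, "ok")
    return "ok"


def single_page_login(username: str, password: str, source_ip: str = "203.0.113.5") -> str:
    """Both fields on one page, one generic failure message, and the same
    hashing work whether or not the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash_password(password), stored)
    if matches and username in USERS:
        _record(username, source_ip, "ok")
        return "ok"
    _record(username, source_ip, "failed")
    return "invalid username or password"


def leaks_username_validity(login) -> bool:
    """True if a wrong password on a real account is answered differently from
    a wrong password on a nonexistent one (i.e. the flow confirms usernames)."""
    return login("NOSUCHUSER", "x") != login("UOTTGERO", "x")


def failures_from_other_addresses(username: str, home_ip: str) -> list:
    """What support can look up after an 'I never did that' report: failed
    attempts on this account that did not come from the customer's usual IP."""
    return [e for e in AUDIT_LOG
            if e["user"] == username and e["outcome"] != "ok" and e["ip"] != home_ip]


if __name__ == "__main__":
    print("two-step flow confirms usernames:", leaks_username_validity(two_step_login))
    print("single-page flow confirms usernames:", leaks_username_validity(single_page_login))
    single_page_login("UOTTGERO", "guess", source_ip="198.51.100.7")  # constructed stray attempt
    print(failures_from_other_addresses("UOTTGERO", "203.0.113.5"))
```

The single-page variant always hashes the supplied password (against a dummy hash when the account does not exist) so the unknown-user and wrong-password paths take the same code path and the same time; the generic message is only half of the fix if the timing still differs.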
Old 08-28-2014, 03:34 PM   #37
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,255
Quote:
Originally Posted by veremchuka View Post
Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? ...
For one, the reason you just mentioned.


Quote:
I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short?
Unless they changed it, or I screwed up, I could not get it to take a long password, and by 'long', I still mean less than 20.

-ERD50
__________________
ERD50 is offline   Reply With Quote
Old 08-28-2014, 07:57 PM   #38
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
I changed mine from whatever the max was, maybe 10 positions?, to the full 20 a few months ago. If you can't I'd call Vanguard.
__________________
veremchuka is offline   Reply With Quote
Old 08-28-2014, 08:44 PM   #39
Recycles dryer sheets
 
Join Date: Feb 2014
Location: SF Bay Area
Posts: 252
+1 on keepass. I've been using it forever. It's FREE. It's safe. It's secure. From years of using it and in my previous life in technology...I used to research just how secure it might be. While nothing I suppose can be guaranteed at 100%, the general consensus from those "in the know" has always been, "you lose or forget your entry password into the program, you are toast" (=secure).

I have no concerns storing my Database in the cloud. I drop it in my OneDrive folder so I have it locally and also the MS site.

Versions: 1.x (older version, still supported, perfectly fine)
2.x newer and meant primarily for Win Machines as it requires .Net framework..I use 2.x

Finally, a tip... if you want to store a backup copy of your database in the cloud (or any other file for that matter), consider renaming the file extension to something different. Keepass uses .kbx (as Word would use a .doc or Excel .xsl). I rename my file something like "myword.aaa"; the 'my word' part reminds me that it has password info. Someone would have zero clue as to what program can open it. If I need it, I just rename back to .kbx.
__________________
"The only function of economic forecasting is to make astrology look respectable"
- J.K. Galbraith
FireBug is offline   Reply With Quote
Old 08-28-2014, 08:58 PM   #40
Dryer sheet aficionado
 
Join Date: Jun 2014
Posts: 30
Just a note on LastPass, it is cloud based but it keeps everything in an encrypted blob. Nothing is in the clear beyond your own machine. I use it and am very happy with it.
ernow is offline   Reply With Quote