Vanguard Security Questions Reset

[tmm99]

One thing I've noticed is that whenever I call Vanguard, they toggle two of my security questions as 2nd level of verification. I should probably change the security questions occasionally.

[Onward]

Quote:

Originally Posted by mpeirce I'd never answer a security question truthfully. There are just too many ways to figure out the real answer to many of these "security" questions.

How do you keep track of the fictional answers you gave?

[braumeister]

Quote:

Originally Posted by Onward How do you keep track of the fictional answers you gave?

That's just one of the reasons why password manager software is so valuable.

Personally, I use 1Password and I'm very heavily reliant on it.

[ERD50]

Quote:

Originally Posted by TromboneAl A key logger is unlikely. Note that I don't type the user name for the VG site. It is entered via my password system. ...

I don't know - do these passwiod systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this?

Quote:

My current hypotheses are: 1. A dictionary attack. Boris tried a succession of user names. My user name was only eight characters long.

OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight char could be a brute force attack.

-ERD50

[mpeirce]

Quote:

Originally Posted by Onward How do you keep track of the fictional answers you gave?

braumeister mentioned 1Password which is good. I keep my account info in an encrypted note inside the Keychain on my Mac (built into OS X).

I change all these about once a year and after doing so I update the note and print it out, putting a copy into my safe deposit box.

[TromboneAl]

Quote:

Originally Posted by ERD50 I don't know - do these passwiod systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this? OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight char could be a brute force attack. -ERD50

I read that keyloggers can't read the apps entries.

VG allows up to 12 chars for a user name, and now I use all 12 and include numbers. I found it's easy to change: just do it before you log in. Choose to register and it will understand that you are reregistering. Nothing is lost.

Sent from my Nexus 7 using Early Retirement Forum mobile app

[target2019]

Quote:

Originally Posted by TromboneAl I read that keyloggers can't read the apps entries. VG allows up to 12 chars for a user name, and now I use all 12 and include numbers. I found it's easy to change: just do it before you log in. Choose to register and it will understand that you are reregistering. Nothing is lost.

When I first signed up I picked 12 random characters. There could be an attacker that gets it right, but not likely.

Is it possible your browser or even pass program had a momentary glitch?

I would ask Vanguard to verify whether the attempt came from my IP address or not.

Might something like quicken or mint be downloading data for you? Maybe a hiccup there.

[TromboneAl]

Quote:

Originally Posted by target2019 Is it possible your browser or even pass program had a momentary glitch? I would ask Vanguard to verify whether the attempt came from my IP address or not. Might something like quicken or mint be downloading data for you? Maybe a hiccup there.

1. I would have noticed if that had happened.
2. Great idea. I just called and asked, and he's going to have someone look into it. I think the answer has to be "another IP address" because otherwise it wouldn't have asked the questions. If they can tell me where the IP address came from, it will really help.
3. No, I don't do that, and anyway I would have noticed.

[TromboneAl]

Quote:

Originally Posted by easysurfer While I was at Vanguard, I noticed they have a voice verification system: https://personal.vanguard.com/us/XHT...JumpPage.xhtml

The rep mentioned that, but here's the story:

I have a password ("enhanced security") for when I call VG.

If the voice thing fails, they use the password. So, that makes the voice thing pretty useless. OTOH, if the caller fails the voice test, it could make the rep suspicious.

[target2019]

Quote:

Originally Posted by TromboneAl 1. I would have noticed if that had happened. 2. Great idea. I just called and asked, and he's going to have someone look into it. I think the answer has to be "another IP address" because otherwise it wouldn't have asked the questions. If they can tell me where the IP address came from, it will really help. 3. No, I don't do that, and anyway I would have noticed.

Trying to think if I've ever gotten the challenge questions with Vanguard. Probably not. But I do get them with other companies when Firefox browser updates itself, which is a frequent occurrence.

It sounds like you're on a safer path, so just a question of knowing how it might have happened.

[Options]

Quote:

Originally Posted by braumeister That's just one of the reasons why password manager software is so valuable.

+1

After Heartbleed virus, began using KeePass, and absolutely love it. Generates very secure encrypted passwords, which I used to change passwords on all my sites. Now logging in to all financial sites is so much faster/easier, and safer. I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers.

Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.

[TromboneAl]

Vanguard called me back with the answer. They found that someone with a similar user name had typed in my user name by mistake, and therefore had trouble with the security questions.

I still find it a little surprising, because my user name at the time was something like this:

UOTTGERO

So, if they are telling the truth, then everything is OK, and my new user name with 12 characters and digits should prevent this happening again.

I say "telling the truth," because if Russia mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.

[easysurfer]

What does UOTTGERO mean in Russian?

At least the challenge question worked as planned which is much better than the alternative.

[MRG]

Quote:

Originally Posted by TromboneAl l I say "telling the truth," because if Russia mobsters were doing dictionary attacks on Vanguard, they wouldn't want to admit that. I guess I'm cynical.

Agree they wouldn't tell you, individually, of an attack. They probably wouldn't have given any answer.

The fact they called you back and gave a plausible explanation would suggest you got the truth(IMHO). Web servers or application servers log invalid authentication requests(given proper configuration). Those logs are generally available for research for weeks or longer, just for incidents like yours.

The next to last thing Vanguard or any financial services provider wants is for you not to trust their security. The last thing they want is their name on the front page of WSJ saying a breach occurred.

[Chuckanut]

Most likely Vanguard could tell from where the phone call came from if Boris was trying sneak into your account. "Why is Trombone Al calling from Babushba in Siberia?"

[veremchuka]

Quote:

Originally Posted by ERD50 which reminds me, Vanguards security sucks. You enter username and password on separate pages, so a bad guy gets confirmation of the username, and can then try the password. When they are on one page, they need to get BOTH right at the same attempt. And their PW are too short, I had to use a simpler system than my usual one for secure sights. -ERD50

Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short? Mix up upper and lower case, numbers and symbols and you have a safe user id and password. They use an icon on the password page so you know you are really on their site. Then there are the security questions that should be nonsense answers that only you would know not the correct answers to the questions. It seems to me Vanguard is doing a good job.

Quote:

Originally Posted by Options +1 I copy encrypted passwords into each of my sites when logging in, and there's a setting to vary how long the entry stays in the clipboard to defeat keyloggers. Was originally going to use LastPass, but didn't like that it's cloud based. I keep KeePass on two thumb drives (one for backup) which I only plug into the computer when accessing sites. All my data is vastly safer now.

Yep I copy and drop userids and passwords from the safe. Like you I didn't care for keeping this in the cloud. I've used KeePass for 2 or 3 years now. And like you I deleted the database off the c drive and put it on 2 flash drives. I'd like to keep a 3rd in my safe deposit box but I'd have to have a 4th to bring and return with the one that was in the SDB, maybe all that is over kill. I have a print out of the entire database in the SDB and that is always up to date.

[ERD50]

Quote:

Originally Posted by veremchuka Having both on the same page would be better as the hacker wouldn't know which was incorrect. But why say their security sucks? ...

For one, the reason you just mentioned.

Quote:

I think it is very good. The userid can be 12 positions so maybe 16 or 20 is better but 12 is good. The password can be 20, since when is 20 positions for a password too short?

Unless they changed it, or I screwed up, I could not get it to take a long password, and by 'long', I still mean less than 20.

-ERD50

[veremchuka]

I changed mine from whatever the max was, maybe 10 positions?, to the full 20 a few months ago. If you can't I'd call Vanguard.

[FireBug]

+1 on keepass. I've been using it forever. It's FREE. It's safe. It's secure. From years of using it and in my previous life in technology...I used to research just how secure it might be. While nothing I suppose can be guaranteed at 100%, the general consensus from those "in the know" has always been, "you lose or forget your entry password into the program, you are toast (=secure)

I have no concerns storing my Database in the cloud. I drop it in my OneDrive folder so I have it locally and also the MS site.

Versions: 1.x (older version, still supported, perfectly fine)
2.x newer and meant primarily for Win Machines as it requires .Net framework..I use 2.x

Finally, a tip... if you want to store a backup copy of your database in the cloud (or any other file for that matter. Consider renaming the file extension to something different. Keepass uses .kbx (as word would use a.doc or excel .xsl). I rename my file something like "myword.aaa" the 'my word' part reminds me that it has password info. Someone would have zero clue as to what program can open it. If I need it, I Just rename back to .kbx

[ernow]

Just a note on LastPass, it is cloud based but it keeps everything in an encrypted blob. Nothing is in the clear beyond your own machine. I use it and am very happy with it.