Vanguard Security Questions Reset

[TromboneAl]

[FONT=Arial, Helvetica, sans-serif]I got this email the other day from Vanguard. [/FONT]I'm pretty sure I haven't answered the questions incorrectly. It isn't possible that someone entered my user name by mistake, because it is a random series of letters.

Have you ever gotten this email? What do you think is going on?

[FONT=Arial, Helvetica, sans-serif]We've disabled your access to certain areas of Vanguard.com because your security questions were answered incorrectly multiple times on .[/FONT]

[FONT=Arial, Helvetica, sans-serif]It's possible another user mistakenly entered your user name and locked your security questions. However, if you believe someone attempted to access your account information, contact us immediately.[/FONT]

[FONT=Arial, Helvetica, sans-serif] To access your account, follow the directions below.[/FONT]

[FONT=Arial, Helvetica, sans-serif]From a computer that you use frequently to access your Vanguard account: [/FONT]​

[FONT=Arial, Helvetica, sans-serif]Log on to Vanguard.com.[/FONT]

[FONT=Arial, Helvetica, sans-serif]Choose new security questions and answers.[/FONT]​

 

[braumeister]

It sounds legitimate, since they don't ask you to click a link in the email. I've had similar things happen. Someone tried to get access to your account and failed. Good idea to reset your security settings.

 

[ERD50]

I'd contact Vanguard direct, and if your username is really too complex to think someone got in accidentally mistyping their own, or by an actual 'brute-force' attempt, then I'd be very concerned that there is a keylogger on your computer. How else would they get a complex username?

And for some systems, I think they will ask the security questions if a new computer is trying to get access - either no cookies or a different IP?

I'd be worried. (edit/add): And I wouldn't just change the security questions, I'd change to a strong PW - which reminds me, Vanguards security sucks. You enter username and password on separate pages, so a bad guy gets confirmation of the username, and can then try the password. When they are on one page, they need to get BOTH right at the same attempt. And their PW are too short, I had to use a simpler system than my usual one for secure sights.

-ERD50

 

[MRG]

It sounds legit. If you're really suspicious give them a call to make double dog sure.

Sent from my SAMSUNG-SGH-I337 using Early Retirement Forum mobile app

 

[martyb]

Yes, Vanguard sends out letters like that. I've received them several times for my & my wife's accounts whenever I screw up with the passwords.

 

[W2R]

Wow! Al, I have never received a communication like that from Vanguard.

I am no expert on computer security, but for what it's worth (very little) here's what I'd do:

1) Do a full sweep with Malwarebytes and Norton (or whatever internet security suite you use), and fix any issues found.
2) Change my password to a different, longer, strong password
3) Change my security questions
4) Write down (and hide) the new password and security questions, and be extremely careful not to type in the wrong thing.
5) Log in daily for at least a month or two to check and make sure everything is OK. Frequently repeat steps 1-4 above.

 

[easysurfer]

Would be nice if Vanguard had the feature to change user names like some banks do to be sure the user name won't work in case that got into the wrong hands.

 

[Chuckanut]

After you contact Vanguard, change the answers to your security questions to silly things.

If they want to know the mascot of your High School don't give the real answer - "porcupines". Instead come up with something really off the wall like "dragonducks". In this way even if somebody knows what high school you attended they still won't know your answer.

Also, the thought of you sending fire breathing ducks to avenge yourself, will scare them.

 

[martyb]

Hey, wait...just went back & re-read your OP. Since you say you know you haven't incorrectly answered the questions, I withdraw my previous reply and suggest you definitely contact Vanguard & report what you think is a security breach attempt on your account. Sorry I answered so quickly without reading your question thoroughly enough!

 

[ERD50]

Hey, wait...just went back & re-read your OP. Since you say you know you haven't incorrectly answered the questions, I withdraw my previous reply and suggest you definitely contact Vanguard & report what you think is a security breach attempt on your account. Sorry I answered so quickly without reading your question thoroughly enough!

+1000 - A lot of people are missing this.

1) He said he has not entered wrong answers.

2) He said his username is very complex.

Put those together, and that means someone knows his complex username. How could that be? A keylogger is one explanation, and that is BAD.

I would take this very seriously, make sure my computer was clean, or better yet, do this from a known clean computer like a chromebook or something (boot linux from a flash drive, etc), and update all my important passwords and security questions - but not until I knew I was clean, or you might just be giving bad guys the new keys.

-ERD50

 

[mpeirce]

After you contact Vanguard, change the answers to your security questions to silly things.

If they want to know the mascot of your High School don't give the real answer - "porcupines". Instead come up with something really off the wall like "dragonducks". In this way even if somebody knows what high school you attended they still won't know your answer.

+1

I'd never answer a security question truthfully. There are just too many ways to figure out the real answer to many of these "security" questions.

 

[TromboneAl]

I just talked with a Vanguard rep. They showed that someone tried to log on with my user name yesterday, and failed to answer the security questions.

I've set things up so that my VG account can only be accessed from my computer in the future.

 

[ERD50]

I just talked with a Vanguard rep. They showed that someone tried to log on with my user name yesterday, and failed to answer the security questions.

I've set things up so that my VG account can only be accessed from my computer in the future.

But how do you explain this:

It isn't possible that someone entered my user name by mistake, because it is a random series of letters.

Aren't you concerned that they got your username through a keylogger on your system? How else can you explain this?

And if it is a keylogger, doesn't that mean everything you've entered passwords for is at risk? Not just Vanguard? Maybe all your data as well?

-ERD50

 

[Chuckanut]

I would also do a quick check of my credit reports. Then freeze your accounts at the three credit bureaus along with getting copies of your credit reports.

I think you have to assume somebody has managed to get some information about you, and it may be a deliberate attack on your personal ID.

 

[easysurfer]

I just talked with a Vanguard rep. They showed that someone tried to log on with my user name yesterday, and failed to answer the security questions.

I've set things up so that my VG account can only be accessed from my computer in the future.

That's pretty scary stuff about someone trying to log on with your user name, especially since it was one that someone couldn't just guess.

I went ahead and updated my Vanguard challenge questions to make them harder to guess randomly. While I was at Vanguard, I noticed they have a voice verification system:

https://personal.vanguard.com/us/XH...d/xhtml/VoiceBioSelfProvisionedJumpPage.xhtml

 

[TromboneAl]

Aren't you concerned that they got your username through a keylogger on your system? How else can you explain this?

A key logger is unlikely. Note that I don't type the user name for the VG site. It is entered via my password system.

I've done complete scans without finding anything suspicious. I have realtime protection enabled. No one has access to my computer. Even if someone broke into our home, it is fingerprint/password protected.

My current hypotheses are:

1. A dictionary attack. Boris tried a succession of user names. My user name was only eight characters long.

2. The alert was actually a glitch on VG's end. There was no attempt.

3. I flaked out and did try to log on and got a security question wrong. Not likely, since this just happened yesterday.

I called VG back to see if they had a record of the answer attempts, but they did not. That information would have been useful.

 

[Chuckanut]

Easysurfer, I looked at the Vanguard Voice Verification. As I read it is is a substitute for answering security questions when you phone. But, unless I am wrong, it is not a second form of verification. Still, it could be very useful especially for people who don't remember their answers.

 

[easysurfer]

Easysurfer, I looked at the Vanguard Voice Verification. As I read it is is a substitute for answering security questions when you phone. But, unless I am wrong, it is not a second form of verification. Still, it could be very useful especially for people who don't remember their answers.

After reading, I stuck with the regular security questions. Especially after reading about having to use the phone where I regularly call.

 

[Chuckanut]

I may be wrong, but most financial institutions usually will require one to answer a security question when they try to logon from a new and/or unfamiliar computer. Even if the logon ID and password are correct.

Doesn't Vanguard offer this feature? That and truly unknowable answers to security question would go far in keeping Boris from Babushkin out of one's account.

 

[Chuckanut]

If nothing else this thread will help keep us all on our toes:

Financial firms not offering two factor authentication | Computerworld Blogs

This guy is big on using a Chromebook for security

http://blogs.computerworld.com/data...-firms-not-offering-two-factor-authentication

Perhaps the biggest safety factor that Chrome OS offers is that the end user can't screw things up. Software updates can't be ignored or postponed. Malicious software can't be installed. This is H-U-G-E. Really huge. And, it's above and beyond the advantages that Linux already brings to the table such as kissing antivirus software goodbye.

On top of that, Google has beefed up the Defensive Computing in Chrome OS with features such as sandboxing, verified boot and a recovery mode. In addition, all files stored locally are encrypted and accessible to only one user.

 

[tmm99]

One thing I've noticed is that whenever I call Vanguard, they toggle two of my security questions as 2nd level of verification. I should probably change the security questions occasionally.

 

[Onward]

I'd never answer a security question truthfully. There are just too many ways to figure out the real answer to many of these "security" questions.

How do you keep track of the fictional answers you gave?

 

[braumeister]

How do you keep track of the fictional answers you gave?

That's just one of the reasons why password manager software is so valuable.

Personally, I use 1Password and I'm very heavily reliant on it.

 

[ERD50]

A key logger is unlikely. Note that I don't type the user name for the VG site. It is entered via my password system.

...

I don't know - do these passwiod systems actually bypass keyloggers, or do they simulate keypresses that would look the same to a system like this?

My current hypotheses are:

1. A dictionary attack. Boris tried a succession of user names. My user name was only eight characters long.

OK, when I read 'It isn't possible that someone entered my user name by mistake', I took that to mean it was a very long and complex one. Eight char could be a brute force attack.

-ERD50

 

[mpeirce]

How do you keep track of the fictional answers you gave?

braumeister mentioned 1Password which is good. I keep my account info in an encrypted note inside the Keychain on my Mac (built into OS X).

I change all these about once a year and after doing so I update the note and print it out, putting a copy into my safe deposit box.