New Vanguard login security


Thinks s/he gets paid by the post
Mar 11, 2004
Just got my turn upgrading to the new Vanguard login security level. Kinda cool -- you pick a picture that shows up every time you login. If you don't see your picture, then you are being phished.

Also a battery of questions and answers will need to be correctly answered to login from anything besides your 'home' computer.

This is the most advanced one I've used yet. I have a Canadian bank account with something advanced too (you answer a challenge question, and also put in randomized digits of your password, not the whole thing), but Vanguard's seems to be the new gold standard.

Advantage: good guys
Hmmm...I didn't get that yet. All I got so far is the username and password are on different pages...

Maybe because I'm using Firefox and they seem to do different stuff for IE and FF? Maybe they haven't gotten around to doing the new implementation for us minority browser users.

As long as they don't start doing crap like DCU did, forcing password changes every few months and making you close the browser completely after using it or suffer an annoying pop-up every couple of minutes... :p
Thanks for the heads-up ESRBob. I had received notification via US mail that there were going to be changes made (security image etc) however all that I have noticed was that the sign on takes you to two pages rather than one in order to sign in. Not sure how this makes it more secure as the input data is the same.

I just tried again and got on my account without any more fancy sign in. Somewhere along the way, all of a sudden a screen pops up (after I am already into my accounts) and asks me for my favorite color. I'm not a big color guy so I picked one out of the air and it tells me that that is incorrect so I typed in another color and got the same message.  I do not recall ever telling Vanguard or anyone else what my fav color is. I still do not have one, I guess I need to get one soon as this seems to be a new issue in logins. I logged out and logged back in with no problem. I don't get it.

I got this from a security place on the VG site:

Now, we've begun introducing the new logon to our clients in stages. If you're a Web-registered client, you may have experienced the new logon already. If not, you'll see it during the next several months, as clients are gradually phased in. (We'll notify you by e-mail when you can begin using the new logon.)

When the new logon becomes available to you, not only will Vanguard be able to confirm your identity, but you'll also be able to verify that you're on the authentic Vanguard website. And you'll know that, as always, Vanguard is committed to providing a safe and secure online investing experience.

Evidently they are doing it in stages and I have not been selected yet, but the pop-up Q about my favorite color really has me stumped.

Has anyone had a similar situation occur on Vanguard web site?
I'm getting the same as CFB. Separate handle then password page.
I still have the training wheels one (two separate pages). I'll bet they're doing it gradually so they don't have to work out the bugs with thousands of people at once.

Actually the two page system is a step down in security. You can determine whether the user name is correct. If a scammer enters both at once and fails, he doesn't know whether the name or the password is wrong.

BTW, if you use your real name as your User name, you might consider resetting things, and choosing something random. That way, a scammer has one more thing he has to guess.

As long as they don't start doing crap like DCU did, forcing password changes every few months and making you close the browser completely after using it or suffer an annoying pop-up every couple of minutes...

Right, there's a big trade-off between security and convenience.  I hope this is going to be compatible with my password management system.   I'll be bummed if I can't make a transfer or exchange because I can't remember my favorite color.

For Monty Python fans:

What'ssssssssss your favorite color?

Red -- no Blue -- Zap!
Bank of America has had the same login picture idea for quite a while ... and they are the scum of the earth as far as banks go (in my experience), so good guys and bad guys have this software.

Anyways, these online sites just get their security software from another vendor (veritas?)
I got an email from Vanguard today that security was changing. I clicked on the link and was taken to the login page. As mentioned, user ID is entered on one page and password is entered on another. I was asked to identify a security picture. I was asked a series of security questions like where were you married, what town were you born in etc. I then got to my account. I logged off and a few hours later went back to the site. User ID is entered on one page. The next page shows my security picture and I entered my password. Not much to it. I do like the security picture idea.

None of the security questions were asked. Nothing about favorite color.
Maybe they're doing it for some 'grades' and not others, i.e. putting this in for the regular customers and not yet for voyager or flagship customers...?

Better answer that favorite color question correctly or you'll get launched into the air...
I am not programmed to respond in that area... ::)

Logged in today; user id and password are on different pages, and it asked me to verify my email address, but no color question.
As far as Vanguard is concerned, my favorite color is green; lots and lots of green.
I would be worried that email I got was an attempt to phish.
I wouldn't be surprised if they try to take advantage during the switch.
I'd call Vanguard and ask about the color popup thing... it doesn't sound right to me, and even (especially) if they are the perpetrators, they should know it doesn't jibe with any of their info about the security upgrade.

Since you were already in your accounts when it popped up, it doesn't sound like phishing, but stranger things have happened.
I just logged on this morning from a different computer than I used yesterday. It asked one of my security questions before prompting me for my password. I like it.
tomz said:
I just logged on this morning from a different computer than I used yesterday. It asked one of my security questions before prompting me for my password. I like it.

I wonder how Vanguard detects that you are logging on from a different computer? Do they collect a signature of the computer and tie it to your user ID? It is much better than just checking cookies.
Spanky said:
I wonder how Vanguard detects that you are logging on from a different computer? Do they collect a signature of the computer and tie it to your user ID? It is much better than just checking cookies.

You can track IP addresses on any decent web server. It's not perfect, but is another layer you can look at.
Rich_in_Tampa said:
You can track IP addresses on any decent web server. It's not perfect, but is another layer you can look at.

I think they can also track computer ID and the Internet Service Provider.
Cute Fuzzy Bunny said:
They can also put a cookie on the machine. No cookie, ask another question...
This would be faster but not as secure.
Would be if they put in some kind of encrypted hash that only they could adequately decrypt, combining it with a bunch of other machine specific 'observations'.
Cute Fuzzy Bunny said:
Would be if they put in some kind of encrypted hash that only they could adequately decrypt, combining it with a bunch of other machine specific 'observations'.
You may be right. I often do a 'Clear Private Data' from the Firefox browser. This will also clear all the cookies. I guess most people would not do this.
According to the FAQ that you linked to, they use encrypted cookies or Flash Objects. Checking IP address is probably not a good idea because many of us don't have static IPs.
John Tuttle said:
Checking IP address is probably not a good idea because many of us don't have static IPs.
Maybe not, but many ISPs use a pool of IPAs that are pretty close together.

This board's software will track a registered poster's IPAs and helpfully provide the names/IPAs of other posters in the vicinity. It sure helps cut down on the multiple personalities.
I went thru the same routine as ESRbob a few days ago. Picked a picture and answered a few security questions. I regularly use Firefox and log in without a problem. Today I attempted to log in using Internet Explorer :eek: from the same computer... Vanguard didn't like that. I had to answer 1 of the security questions to log in.

So they don't look only at the PC but which browser you are using. Each browser must have their own cookie jar.
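
The device-recognition cookie the posters speculate about above, sketched as an added example (not from the thread and not Vanguard's implementation). It signs the token with an HMAC instead of encrypting it; the key, function names and user IDs are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed server-side secret (assumption): kept on the server, never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def _tag(user_id: str, device_id: str, key: bytes) -> bytes:
    # Bind the random device id to one user so the cookie cannot be reused across accounts.
    return hmac.new(key, f"{user_id}|{device_id}".encode(), hashlib.sha256).digest()


def issue_device_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Issued after the challenge questions are answered; stored in this browser's cookie jar."""
    device_id = secrets.token_hex(16)
    tag = base64.urlsafe_b64encode(_tag(user_id, device_id, key)).decode()
    return f"{device_id}.{tag}"


def cookie_is_valid(user_id: str, cookie: Optional[str], key: bytes = SERVER_KEY) -> bool:
    if not cookie or cookie.count(".") != 1:
        return False  # cleared cookies or a different browser: nothing to check
    device_id, tag_b64 = cookie.split(".")
    # Only accept the exact format we issue, so "|" cannot be smuggled into the signed string.
    if not re.fullmatch(r"[0-9a-f]{32}", device_id):
        return False
    try:
        presented = base64.urlsafe_b64decode(tag_b64.encode())
    except ValueError:
        return False
    # Constant-time comparison against the tag only the server can compute.
    return hmac.compare_digest(presented, _tag(user_id, device_id, key))


def next_login_step(user_id: str, cookie: Optional[str]) -> str:
    """Recognised browser goes straight to the password page; anything else gets a question."""
    return "password" if cookie_is_valid(user_id, cookie) else "challenge_question"
```

Because the token lives in one browser's cookie jar, a second browser on the same PC presents no cookie and gets the challenge question, which matches what the last poster saw.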

