Security Lapses at Vanguard, Schwab

These days it seems that no "computer system" connected to the internet is 100% secure (e.g. OMB, HD, Target, IRS... the list seems almost infinite these days).

I have no idea how I would react if I logged into my Vanguard account and saw that all my accounts were at $0.00.
 
Agree especially with the part of the companies needing to balance security vs ease of access.
 
Sounds like they allow spelling errors in security questions.
With the 2-factor authentication, I don't see this as a problem.
I would like to see a little more focus on their site though.
 
In the interview (thanks for sharing that link) I heard where they say your password should not be used elsewhere, but they didn't say anything about having the same username at multiple sites. That is also probably not a good idea.

My (old) company used Vanguard for the 401-k and I had a specific username to access it. Then my company changed the 401-k to Fidelity, and the access to the Fidelity 401-k had the same username. Today I went to the Vanguard web site to see if I could change my username, and in my initial checking I could not see how to change my username. I will probably call Vanguard in a day or two to check about this, unless somebody here reports they have done this.
 
From Vanguard:
What if I forgot my user name?

If you don't remember your user name, go to the Forgot user name screen. After you verify your identity, we'll send your user name to the registered e-mail address on file.

If you need to change your user name, you'll need to re-register. After you've re-registered, you'll have immediate access to your accounts; however, we'll place a seven-day hold on terminations, withdrawals, electronic bank transfers, and dividend elections processed online. We'll still process all other transactions, including loans via check, during this seven-day hold.

Whatever.

1. Rotate your password frequently.
2. Use two-factor authentication (security code sent to your phone).
 
These days it seems that no "computer system" connected to the internet is 100% secure (e.g. OMB, HD, Target, IRS... the list seems almost infinite these days).

I have no idea how I would react if I logged into my Vanguard account and saw that all my accounts were at $0.00.

Truth... although in my case, the crook would add insult to injury... the balance would be $0.01.
 
Thinking some more about the "security lapses" mentioned in the opening article...

What is in play is a fuzzy matching function, where the authentication service is allowing some "fuzziness" about your answers to challenge questions. It is not really a security lapse, but an example of a defense mechanism that has options to allow for the common errors we make.
 
I agree. My mother's maiden name is very common; I've never worried about it as it's an unusual spelling. I've never been asked how to spell her maiden name. That false sense of security is gone.
 
I agree. My mother's maiden name is very common; I've never worried about it as it's an unusual spelling. I've never been asked how to spell her maiden name. That false sense of security is gone.

The problem with using the mother's maiden name as an authentication mechanism comes if your mother has passed on and her maiden name is in the obituary. Obituaries also contain the names of children and typically the city where the children live. Thus, with sites like Find a Grave that post obits for folks, it is possible to get this information. It always was in some sense findable at libraries, but you would have had to go to the newspaper for the city where your mother died, hence the likely need to go to the library for the town in question.
 
The only way I answer security questions is with answers that have nothing to do with the question.

Mother's maiden name? Blue
The name of your first pet? Box
What was your high school mascot? Roof

My only rule is to use words that are easy to spell.

Of course, I need to keep a list. The list is encrypted and kept in an obvious place...
 
I want extremely high security. With all my eggs in one mutual fund basket, I don't want to leave that basket out for rats to get into. Thirteen random letters/numbers/symbols in my password and call-back verification to foil any keyloggers.
With my keyboard, that gives 100+ possibilities to the 13th power. According to security blogs, that should take a thousand years of running computers to brute force through. Any hijacking would have to come from inside a mutual fund company.

I like the idea of resetting my name to randomness and random security answers.

Call me a random dude El Dan dee born on the 40th of July.

Any other good ideas?
 
I use a random login and random password.
Added two-factor authentication.

Watch your in-home devices, router, and passwords.

Encrypt your password file or use an app for that storage.

There's usually an insider involved. So your insider could be a keylogger, "trusted" neighbor, relative...
 
Wondering how fuzzy the answers can be. I tried one missing letter and it worked. I'll have to test that more.

For those of you who want more security in your Vanguard account:
Turn on "Restrict account access from unrecognized devices"
Use 2-factor authentication (security codes)
Use a long unique username
Use a long unique password
Use long unique security question answers (not your actual info)
Set up SMS alerts and make sure they are on for transactions
Make sure your phone has a PIN lock on it

Some ideas for Vanguard to make it even more secure:
Have account login history with IP
Show which devices are authorized and allow deauthorization
Improve verbal authentication on outbound calls
Biometric identification in the app
Bounty program for reporting security flaws
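The fuzzy answer matching discussed earlier in the thread (including the "one missing letter" test above), as an added example that is not from the thread or from any brokerage's real implementation: a tolerance-of-one-edit check after normalization, plus a count of how many distinct strings such a check treats as correct. The normalization rule, the edit tolerance and the alphabet are assumptions.

```python
# Added illustration of a "fuzzy" challenge-answer check; the normalization
# rule and tolerance of one edit are assumptions, not a vendor's actual logic.
import re
import string


def normalize(answer: str) -> str:
    """Lower-case and drop everything except letters and digits before comparing."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_match(stored: str, given: str, tolerance: int = 1) -> bool:
    """Accept the answer if it is within `tolerance` edits of the stored one."""
    return edit_distance(normalize(stored), normalize(given)) <= tolerance


def accepted_neighbourhood(stored: str,
                           alphabet: str = string.ascii_lowercase + string.digits) -> int:
    """Count the distinct normalized strings a tolerance-1 check accepts for
    `stored`: the exact answer plus every single deletion, substitution and
    insertion. An exact-match check would accept exactly one string."""
    s = normalize(stored)
    seen = {s}
    for i in range(len(s)):
        seen.add(s[:i] + s[i + 1:])                 # one deletion
        for c in alphabet:
            seen.add(s[:i] + c + s[i + 1:])         # one substitution
    for i in range(len(s) + 1):
        for c in alphabet:
            seen.add(s[:i] + c + s[i:])             # one insertion
    return len(seen)


if __name__ == "__main__":
    # Constructed sample answers, not anyone's real data.
    print(fuzzy_match("Anderson", "Andersn"))       # missing letter: accepted
    print(fuzzy_match("Smith", "Jones"))            # different name: rejected
    print(accepted_neighbourhood("blue"))           # strings treated as correct
```

Comparing `accepted_neighbourhood` with the single string an exact-match check accepts shows how much a one-edit tolerance widens the set of "correct" answers, which is the risk side of the convenience the earlier post describes.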
 
I moved some money out of a Schwab account recently using a wire transfer (they're free at Schwab) and I was pleased to see that they called me to verify that I was actually making the transfer.

The only problem was DD's bank charged her to receive it :-(
 
So Vanguard needs to update their iOS apps to support login with Finger ID. All other banks have done it.

Not saying Finger ID would be more secure than 2-factor. Indeed, you should have to authenticate on device with Finger ID and then still input the code in.
 
I have no idea how I would react if I logged into my Vanguard account and saw that all my accounts were at $0.00.

Some years ago, I read about a hacker who did not transfer money out of a victim's account, but used it for shill trading a penny stock. And that was how he got caught.

So, if you log in and find yourself a sudden owner of a million shares of some unknown mom-and-pop Canadian gold mining companies, you know what happened. :LOL:
 
The last thing I want is hardware tokens for every account that I have to keep up with. Two-factor auth using your phone is good enough, methinks.

+1 We use the VIP Access app for our Fidelity account login. I see no need for an additional piece of hardware. We also use an encrypted password database to generate random user IDs and passwords that conform to the maximum strength allowed by each financial institution, and these are changed every 90 days. We also use random words as answers to each security question. We don't use the correct answers, which often can be easily discovered, and then used to change or reset the login credentials.
 
The last thing I want is hardware tokens for every account that I have to keep up with. Two-factor auth using your phone is good enough, methinks.

You just need a single hardware token, my friend :)

For example, from E*Trade. Then you call Fidelity/Schwab and configure your Fidelity or Schwab account to use the same hardware key.

I don't trust the iPhone. I'd rather have a hardware key hanging on my keychain that nobody can hack into.
 
+1 We use the VIP Access app for our Fidelity account login. I see no need for an additional piece of hardware. We also use an encrypted password database to generate random user IDs and passwords that conform to the maximum strength allowed by each financial institution, and these are changed every 90 days. We also use random words as answers to each security question. We don't use the correct answers, which often can be easily discovered, and then used to change or reset the login credentials.

Well, it just is easier to have a single hardware key than a bunch of apps (one per account) running on your mobile device.

(Looks more secure to me as well, since I cannot see how you can hack an RSA key.) This is my opinion as a software engineer :)
 
Well, it just is easier to have a single hardware key than a bunch of apps (one per account) running on your mobile device.

(Looks more secure to me as well, since I cannot see how you can hack an RSA key.) This is my opinion as a software engineer :)

We only have one app for all our accounts.
 