I ran into that with a credit card company recently. They called and left a message about suspicious activity on an account and a callback number. I couldn't find that number anywhere on their website or the web in general. I ended up calling the main # and connecting to the security department. It was a legitimate message they left. I mentioned the phone number thing and they agreed that was an issue but who knows if they acted on it.
The number isn't published because it's outsourced; your bank is not the one handling the call. The agents will speak as if they're from your card issuer, but you will notice all the automated systems will say "cardmember services" or another ambiguous name.
I got called about suspicious activity on my card and the woman asked for the last 4 of my SSN to verify my identity. I asked "how do I verify your identity" and she told me to hang up and call the phone number printed on my credit card.
You could argue that there should be no limit or maybe the limit should be higher, but I'd have a hard time arguing that a 10 character password composed of upper, lower, specials and digits is absurd.
You _should_ argue that there ought to be no limit. There is absolutely no reason why there should be a limit below maybe 4k (and even then, I'm not sure. Perhaps some limit if DoS is a concern...).
The only reason why there are limits now is that there is code running on their servers specifically stopping passwords that are longer - which is insane, if you think about it - they are actively preventing people from creating stronger passwords. I'd rather create a 20-30 character password with no specials (which is still massively harder to crack than a 10 char with all possible specials), because it is easier to type in on mobile, but with this system, I couldn't - which is dumb.
Ouch. I didn't know their passwords were case insensitive.
I thought they didn't accept all special characters either, but I just successfully changed my password with special characters that I don't remember them accepting last time I changed my password. I was successfully able to log in using a version of my new password with the case changed for some letters.
Absolutely! It baffles me that Vanguard is putting people in the position of trusting millions of dollars of their portfolios to username/password and a 'security image'.
If I were a black hat, targeting a place like Vanguard would make so much more sense than going after a bank.
Color me skeptical here or perhaps this is just an aberration. I've been with Vanguard financial services for more than 30 years and I've never received any phone calls. All recent communication has been via email with a non-clickable link telling me to log into my account and check my messages.
I most definitely have had this occur, and Vanguard is hardly the only offender. Basically, every single financial institution that I have dealt with has done this. Prior to leaving HSBC when their checking rates plummeted, I had a lengthy discussion with one of their reps about the issue.
The solution? I never answer the questions. I ask for their name and a number/extension that I can call back from. I then either confirm that it matches the ones I know, or call their mainline and request to be transferred.
I've had this happen when I submit a text request and my account manager decides to call instead of responding via their (horrible) internal messaging system.
I know my account manager's name, so it is less of a concern, but that's only because she's helped me out on some thorny issues. I could imagine this being more problematic if there isn't a pre-existing relationship.
Why did they call? You focus much of the post on security best practices, which is indeed very important, but I think it would also be very helpful to know the reason they called to begin with. There's a huge difference between someone calling in the way you described to say "it looks like based on your account activity you might want to buy our XYZ service" and someone calling to say "this is to confirm that $10MM bank transfer to that offshore account, now what's your account number again?".
Of course, they're not going to tell you the specific details until you've correctly answered the security questions anyways. A phisher would use this to their advantage:
"Hi, I'm calling about some suspicious transactions on your account which I'm fairly sure aren't authorized, but I need to confirm with you just to make sure."
"Can you tell me what those are?"
"Sorry, I can't reveal specifics unless I can confirm I'm talking to the authorized account holder. [Ask security questions.] Thank you. Did you make a transfer of $500 to Pharma Laboratories in Albania?"
"No."
"That's what I thought, we'll go ahead and cancel the transfer. Your account will remain unaffected. Thank you for your time."
The only defense against this (other than initiating the call yourself) is to casually give obviously wrong answers, and see if the rep accepts them blindly. If your first pet's name was Buddy and you say Ninja, a real rep shouldn't accept that. That should work until a really sophisticated operation tries to do a live man-in-the-middle attack.
Most corporations don't behave particularly responsibly in terms of your data security, and the financial industry is one of the worst when it isn't an issue that they are statutorily liable for. So you end up with odd extremes where credit card fraud is treated with extreme care (statutorily liable > $50) and business banking is usually secured quite poorly (no liability, typically). It's up to you to provide or ask for any extra security measures you find appropriate, like asking to call them back.
Anyone using common security questions is already balancing a risky behavior with ease of use.
They might also know that risk is low - if they don't allow any difficult to reverse transactions like outbound fedwire there may not be a lot they can't easily undo.
Yep. I've had Lloyds phone me and tell me my own goddamned password over the phone. Which means, apart from anything else, that they store them plaintext.
Phishing for this kind of info is stupidly easy though, and while call-centres quite definitely do condition people to be phished, there's not much that can be done when people are so willing to be fast and loose with their personal information.
Go tweet/facebook the following, and prepare to be astounded by how naïve most are:
"Want to know your porn star name? Just take your first pet's name, your first school's name, and your mother's maiden name! Mine's Muffy Grove Schlitz!"
It's more a failure of services/companies that require silly things like pet, school or maiden names as shared secrets. By now, everyone should get a PGP key at birth.
I agree. I never answer the security questions with a truthful answer, because things like "first company you worked for" are too easy to look up. I treat security questions almost the same as passwords. I generate random answers per question and store them in 1Password, just like my passwords.
A side-benefit of this is that if someone calls me and asks me to answer a security question, I won't know it. I'll be forced to call them back after I've opened 1Password and pulled up the record with the security questions.
At the very least, they should call you and direct you to vanguard.com, where there would be a link at the bottom that says "call us back", at which point if you call back you'd be promptly put back in touch with your rep. Another factor that helps broker trust in a conversation.
I follow this protocol with American Express and it's always effective. I'm also a high dollar monthly spend (corporate account) and so I get answered within a couple rings and they can pull up my account and notes immediately.
I received an email from Vanguard regarding $20 for taking a survey. It seemed phishy, as the domain that it was sent from wasn't @vanguard.com (or similar) and because of the enticement of a monetary award.
I contacted Vanguard regarding this and forwarded them the email. The representative thought it was a phishing attempt as well. I was later contacted by Vanguard and they told me it was legitimate. I was even able to contact the person that wrote the email through a Vanguard number.
Hackers and technical folks and just the kind of people who hang out here on HN tend to be very inflexible and on the side of being "technically correct" over being "right".
From a security perspective, this should never happen. The author is absolutely, positively, without a doubt correct in his stance on this. Being called in such a way and having very little and/or weak security protocols as described is not only a security breach waiting to happen but it really is, as the author points out, training people to get phished.
But there's a bigger picture here. And that's the picture of Vanguard as a company having years of experience in talking to, working with, dealing with, and learning about their customers. Just like the manager says in the post, they need to balance security with service (no they're not mutually exclusive but they're not one and the same either).
In the end I think this is okay. It's not technically correct but it seems like it's the right thing to do. Now the reason for this call is never described (which gives some credence to the theories here that this actually never happened, along with a lack of other details), but assuming here for the sake of argument that the call was just to talk about something that isn't of super high significance (let's say it was a sales call to upsell something), then a couple of security questions should suffice. If it's to talk about a 10 million dollar bank transfer to some off-shore account, then maybe we should be in an uproar here.
Another point to consider is: who is responsible for security? Obviously the company that holds your data should be responsible for the safety of that data and should have measures in place to prevent fraudulent access to it. But then there's also the responsibility of the customer, who needs to take care of their account credentials and make sure that if someone accesses one of their private accounts somewhere there isn't a domino effect. I don't think it's Vanguard's responsibility to make sure that all of their customers use different, long, and random passwords on their Gmail and Facebook and what have you, so that one day someone can't access one of those and get into their Vanguard account. I mean, that's certainly a nice-to-have, but customers have a responsibility to secure their data just the same as companies do. We want to be educating regular folks about security all the time, but the moment it comes time for them to apply what we're teaching them we turn around and act like they're off the hook for being ignorant of security best practices. It's a double standard if you ask me.
I know we all like some good old fashioned manufactured outrage but before we get the pitchforks out let's look at the big picture, and not just one aspect of the issue here.
The purpose of the original call was to get a change of address (for sending forms). I probably should have clarified that but it seems like a pretty generic request.
No need to believe me about the "truthfulness of the claims". Just call Vanguard yourself and ask if they handle cases this way. They will confirm.
You ask about security responsibility. I absolutely agree with you that customers have to take on a lot of it (Vanguard is not responsible for creating a 20 char password on your behalf).
I do think, though, that you have to draw the line before training your users to accept phishing attempts. That is what is happening here.
My biggest reason for pitchforking Vanguard here is that, for many people, they hold more assets than commercial banks. Their security protocols should have HIGHER standards.
I'm with you on this one and it has bothered me tremendously for years, but this is hardly limited to Vanguard. I know for a fact that many, many other institutions do this and will immediately ask for your secret password, or divulge too much information if I wasn't actually the intended recipient.
Thanks for bringing more attention to this. Personally, I think it is a fairly big deal and a responsibility that Vanguard should shoulder more of. They aren't providing free checking, or free email, or anything of that nature. They are taking money (pretty good money) for a financial service. Their web presence has improved by leaps and bounds and I'm surprised that this hasn't changed.
I agree with both of you that Vanguard has a responsibility to keep their customers' money secure. Vanguard holds a large chunk of my money (much more than any single bank), and I'd like to know that it's secure.
bpatrianakos is also right. Security has to be balanced with service. I think Vanguard's call would be okay if the security questions they ask are compartmentalized. What I mean by that is that they have separate security questions that they ask in a low-security environment (like an outgoing phone call) that they will never trust for high-security actions, such as withdrawals or password resets. Those actions should require a further level of authentication and should never be done via outgoing correspondence.
We should at least confirm that the security questions aren't compartmentalized before we break out the pitchforks. However, given that Vanguard limits passwords to 10 characters with limited support for punctuation, I don't have much faith that they have any sort of compartmentalized security.
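The compartmentalisation the comment above describes, written out as an authorization policy. This is an added example and not Vanguard's code or policy; the channel names, action names and the `step_up_passed` check are hypothetical placeholders for whatever further authentication a real institution would use.

```python
from enum import IntEnum


class Assurance(IntEnum):
    """How much confidence a session has in the caller's identity."""
    NONE = 0
    LOW = 1   # shared secrets answered in a low-security context
    HIGH = 2  # customer-initiated channel plus a further authentication step


# Constructed policy table (assumption, not Vanguard's): the minimum
# assurance each action requires. Withdrawals and password resets are the
# high-security actions named in the thread.
REQUIRED = {
    "read_balance": Assurance.LOW,
    "withdrawal": Assurance.HIGH,
    "password_reset": Assurance.HIGH,
}


def assurance_for(channel: str, questions_passed: bool,
                  step_up_passed: bool = False) -> Assurance:
    """Compartmentalisation rule: security questions answered during an
    outbound call are capped at LOW no matter what else happens on that
    call, so they can never unlock a HIGH action. Only a session the
    customer initiated (an inbound call) can be stepped up to HIGH."""
    if not questions_passed:
        return Assurance.NONE
    if channel == "outbound_call":
        return Assurance.LOW
    if channel == "inbound_call" and step_up_passed:
        return Assurance.HIGH
    return Assurance.LOW


def authorize(action: str, channel: str, questions_passed: bool,
              step_up_passed: bool = False) -> bool:
    """Return True only if the session's assurance meets the action's bar."""
    level = assurance_for(channel, questions_passed, step_up_passed)
    return level >= REQUIRED[action]
```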
Do you happen to remember the phone number that the call originated from? If it's a phone number that's published on Vanguard's site, at least one could add that phone number to their address book so that your phone says "Vanguard" when receiving the incoming call. That would offer some protection from phishing attacks in this case. (But you're right that this still trains people to be vulnerable to phishing attacks.)
I thought it was the Vanguard Communist Party. They should really be concerned with their security or risk having the Tsarist police ship them off to Siberia.