

Vanguard conditioning users for phone phishing attempts - bjpless
http://benplesser.com/2013/03/15/vanguard-conditioning-users-for-phone-phishing-atttempts/

======
bpatrianakos
Hackers and technical folks and just the kind of people who hang out here on
HN tend to be very inflexible and on the side of being "technically correct"
over being "right".

From a security perspective, this should never happen. The author is
absolutely, positively, without a doubt correct in his stance on this. Being
called in such a way and having very little and/or weak security protocols as
described is not only a security breach waiting to happen but it really is, as
the author points out, training people to get phished.

But there's a bigger picture here. And that's the picture of Vanguard as a
company having years of experience in talking to, working with, dealing with,
and learning about their customers. Just like the manager says in the post,
they need to balance security with service (no they're not mutually exclusive
but they're not one and the same either).

In the end I think this is okay. It's not technically correct but it seems like
it's the right thing to do. Now the reason for this call is never described
(which gives some credence to the theories here that this actually never
happened along with a lack of other details) but assuming here for the sake of
argument that the call was just to talk about something that isn't of super
high significance (let's say it was a sales call to upsell something) then a
couple of security questions should suffice. If it's to talk about a 10
million dollar bank transfer to some off-shore account then maybe we should be
in an uproar here.

Another point to consider is who is responsible for security? Obviously the
company that holds your data should be responsible for the safety of that data
and should have measures in place to prevent fraudulent access to it. But then
there's also the responsibility of the customer who needs to take care of
their account credentials and make sure that if someone accesses one of their
private accounts somewhere that there isn't a domino effect. I don't think
it's Vanguard's responsibility to make sure that all of their customers use
different, long, and random passwords on their Gmail and Facebook and what
have you so that one day someone can access one of those and get into their
Vanguard account. I mean, that's certainly a nice-to-have but customers have a
responsibility to secure their data just the same as companies do. We want to
be educating regular folks about security all the time but the moment it comes
time for them to apply what we're teaching them we turn around and act like
they're off the hook for being ignorant of security best practices. It's a
double standard if you ask me.

I know we all like some good old fashioned manufactured outrage but before we
get the pitchforks out let's look at the big picture, and not _just_ one
aspect of the issue here.

~~~
bjpless
The purpose of the original call was to get a change of address (for sending
forms). I probably should have clarified that but it seems like a pretty
generic request.

No need to believe me about the "truthfulness of the claims". Just call
Vanguard yourself and ask if they handle cases this way. They will confirm.

You ask about security responsibility. I absolutely agree with you that
customers have to take on a lot of it (Vanguard is not responsible for
creating a 20 char password on your behalf).

I do think, though, that you have to draw the line before training your users
to accept phishing attempts. That is what is happening here.

My biggest reason for pitchforking Vanguard here is that, for many people,
they hold more assets than commercial Banks. Their security protocols should
have HIGHER standards.

~~~
atwebb
I'm with you on this one and it has bothered me tremendously for years, but
this is hardly limited to Vanguard, I know for a fact that many, many other
institutions do this and will immediately ask for your secret password, or
divulge too much information if I wasn't actually the intended recipient.

Thanks for bringing more attention to this. Personally, I think it is a fairly
big deal and a responsibility that Vanguard should shoulder more of. They
aren't providing free checking, or free email, or anything of that nature.
They are taking money (pretty good money) for a financial service. Their web
presence has improved by leaps and bounds and I'm surprised that this hasn't
changed.

~~~
davidcuddeback
I agree with both of you that Vanguard has a responsibility to keep their
customers' money secure. Vanguard holds a large chunk of my money (much more
than any single bank), and I'd like to know that it's secure.

bpatrianakos is also right. Security has to be balanced with service. I think
Vanguard's call would be okay _if_ the security questions they ask are
compartmentalized. What I mean by that is that they have separate security
questions that they ask in a low-security environment (like an outgoing phone
call) that they will _never_ trust for high-security actions, such as
withdrawals or password resets. Those actions should require a further level
of authentication and should never be done via outgoing correspondence.

We should at least confirm that the security questions aren't
compartmentalized before we break out the pitchforks. However, given that
Vanguard limits passwords to 10 characters with limited support for
punctuation, I don't have much faith that they have any sort of
compartmentalized security.

------
dp1234
I ran into that with a credit card company recently. They called and left a
message about suspicious activity on an account and a callback number. I
couldn't find that number anywhere on their website or the web in general. I
ended up calling the main # and connecting to the security department. It was
a legitimate message they left. I mentioned the phone number thing and they
agreed that was an issue but who knows if they acted on it.

~~~
teej
The number isn't published because it's outsourced; your bank is not the one
handling the call. The agents will speak as if they're from your card issuer,
but you will notice all the automated systems will say "cardmember services"
or some other ambiguous name.

~~~
philwelch
"Cardmember services" is also a notorious phone scam.

------
prestonbriggs
I also noticed (and complained) that their passwords were limited to such an
absurdly short sequence. Not sure if it's still true. Hope not.

~~~
jbuzbee
I just checked. Vanguard passwords can be up to 10 characters long.

~~~
kibwen
For perspective, this is an absurdly short sequence.

~~~
jbuzbee
You could argue that there should be no limit or maybe the limit should be
higher, but I'd have a hard time arguing that a 10 character password composed
of upper, lower, specials and digits is absurd.

~~~
pheleven
They don't accept lower case; if you have capslock on you'll still be logged
in. I don't think they accept all special characters either.

~~~
davidcuddeback
Ouch. I didn't know their passwords were case insensitive.

I thought they didn't accept all special characters either, but I just
successfully changed my password with special characters that I don't remember
them accepting last time I changed my password. I was successfully able to log
in using a version of my new password with the case changed for some letters.

------
jbuzbee
Color me skeptical here or perhaps this is just an aberration. I've been with
Vanguard financial services for more than 30 years and I've never received any
phone calls. All recent communication has been via email with a non-clickable
link telling me to log into my account and check my messages.

~~~
bjpless
I am OP. I can assure you that this happened. You can call them and ask if
these calls are standard. They will confirm.

~~~
bpatrianakos
Why did they call? You focus much of the post on security best practices which
is indeed very important but I think it would also be very helpful to know the
reason they called to begin with. There's a huge difference between someone
calling in the way you described to say "it looks like based on your account
activity you might want to buy our XYZ service" and someone calling to say
"this is to confirm that $10MM bank transfer to that offshore account, now
what's your account number again?".

~~~
biot
Of course, they're not going to tell you the specific details until you've
correctly answered the security questions anyways. A phisher would use this to
their advantage:

      "Hi, I'm calling about some suspicious transactions on
       your account which I'm fairly sure aren't authorized, but
       I need to confirm with you just to make sure."

      "Can you tell me what those are?"

      "Sorry, I can't reveal specifics unless I can confirm I'm
       talking to the authorized account holder. [Ask security
       questions.] Thank you. Did you make a transfer of $500 to
       Pharma Laboratories in Albania?"

      "No."

      "That's what I thought, we'll go ahead and cancel the
       transfer. Your account will remain unaffected. Thank you
       for your time."

The only defense against this (other than initiating the call yourself) is to
casually give obviously wrong answers, and see if the rep accepts them
blindly. If your first pet's name was Buddy and you say Ninja, a real rep
shouldn't accept that. That should work until a really sophisticated operation
tries to do a live man-in-the-middle attack.

------
trotsky
Most corporations don't behave particularly responsibly in terms of your data
security, and the financial industry is one of the worst when it isn't an
issue that they are statutorily liable for. So you end up with odd extremes
where credit card fraud is treated with extreme care (statutorily liable >
$50) and business banking is usually secured quite poorly (no liability,
typically). It's up to you to provide or ask for any extra security measures
you find appropriate, like asking to call them back.

Anyone using common security questions is already balancing a risky behavior
with ease of use.

They might also know that risk is low - if they don't allow any difficult to
reverse transactions like outbound fedwire there may not be a lot they can't
easily undo.

------
lucian1900
Apparently it's common practice. Lloyds TSB (UK bank) and 3 (UK mobile
network) do something similar.

~~~
madaxe
Yep. I've had Lloyds phone me and _tell me my own goddamned password over the
phone_. Which means, apart from anything else, that they store them plaintext.

Phishing for this kind of info is stupidly easy though, and while call-centres
quite definitely do condition people to be phished, there's not much that can
be done when people are so willing to be fast and loose with their personal
information.

Go tweet/facebook the following, and prepare to be astounded by how naïve most
are:

"Want to know your porn star name? Just take your first pet's name, your first
school's name, and your mother's maiden name! Mine's Muffy Grove Schlitz!"

~~~
lucian1900
It's more a failure of services/companies that require silly things like pet,
school or maiden names as shared secrets. By now, everyone should get a PGP
key at birth.

~~~
davidcuddeback
I agree. I never answer the security questions with a truthful answer, because
things like "first company you worked for" are too easy to look up. I treat
security questions almost the same as passwords. I generate random answers per
question and store them in 1Password, just like my passwords.

A side-benefit of this is that if someone calls me and asks me to answer a
security question, I won't know it. I'll be forced to call them back after
I've opened 1Password and pulled up the record with the security questions.

------
davidu
At the very least, they should call you and direct you to vanguard.com where
there would be a link at the bottom that says "call us back", at which point if
you call back you'd be promptly put back in touch with your rep. Another
factor that helps broker trust in a conversation.

I follow this protocol with American Express and it's always effective. I'm
also a high dollar monthly spend (corporate account) and so I get answered
within a couple rings and they can pull up my account and notes immediately.

-David

------
otto
I received an email from Vanguard regarding $20 for taking a survey. It seemed
phishy as the domain that it was sent from wasn't @vanguard.com (or similar)
and the enticement of a monetary award.

I contacted Vanguard regarding this and forwarded them the email. The
representative thought it was a phishing attempt as well. I was later
contacted by Vanguard and they told me it was legitimate. I was even able to
contact the person that wrote the email through a Vanguard number.

------
miles
Here is Vanguard's email contact form:

https://personal.vanguard.com/us/ContactUsSecureEmail?isContact=p

------
c0nsumer
Any idea which Vanguard this is talking about? Financial services? The
university? The furniture company...?

~~~
bjpless
Vanguard the financial services. I'm less concerned about the furniture
company's security...

