This week I enabled two-step authentication on my @Vanguard_Group account. Once per day, someone tries to hack my password.
— Aaron Welsh (@heywelshie) December 12, 2014
In December, the firm rolled out an optional security feature, two-factor authentication. Clients who opt in receive a text message on their phone with a code to be entered into the login portal.
It has received mixed feedback on Twitter.
I'm looking at you, @Vanguard_Group. https://t.co/btD8IdH6c1
— Code Fairy (@zigdon) May 18, 2015
@vanguard_group You're supposed to send the text *after* the password is entered. Every 2 factor site I've ever seen works that way
— jared (@jaredmoody) January 30, 2015
Also, @Vanguard_Group asks way too much information to reset a password, then sends the temp password as plain text over e-mail. #facepalm
— Greg (@NemesisVex) December 21, 2014
Sid Yenamandra, the co-founder and chief executive of Entreda, a financial services cybersecurity consulting firm, said that this is a classic balance of sacrificing security for convenience, or vice versa.
"Do you force customers to enter two passwords and still let them enter [even if they make a typo] because it's more convenient?" Mr. Yenamandra said. "That was the mistake Vanguard made."
Vanguard is certainly not the only firm to grapple with this issue — other firms have also gotten heat for their allegedly lax sign-on requirements.
For example, Schwab and Fidelity were both called out on Twitter for having weak login systems.
seriously schwab - password must b 6-8 char, no symbls and you don't check the case? Moving to vanguard w/2factor auth.
— Jim Siegl (@jsiegl) March 5, 2015
Schwab financial services has messed up 2FA. http://t.co/eom4lCHNsT Vanguard and Fidelity have had horrid security for all the years I'...
— John Gordon (@jgordonshare) December 25, 2014
Fidelity spokesman Adam Banker said that the firm offers multi-factor authentication as part of its ongoing effort to protect customer accounts and information.
Sarah Bulgatz, director of public relations at Charles Schwab & Co., which has also received criticism for its allegedly weak password requirements, said that the firm is rolling out enhancements to its password protocols, which will make login and identity-verification processes much more complex.
Both Schwab and Vanguard offer a guarantee that they will reimburse any losses in compromised online accounts that stemmed from incidents of fraud.
Mr. Yenamandra suggested advisers take note of the types of security measures that the firms they work with are taking and alert management if they seem weak.
"If you're using Schwab or Fidelity and custodying assets and find really weak cybersecurity practices, inform management teams — this is a cause of concern for your clients," Mr. Yenamandra said. "The second thing is they need to audit all of the different vendors."
That's because any third-party service providers, especially those that are integrated with one another and share sensitive data, could be a backdoor way for hackers to enter a system.
Chris Pogue, senior vice president of cyber threat analysis at Nuix, a cybersecurity service provider specializing in financial services firms, said it's usually a question of what the data and the security measures both cost, and which outweighs the other.
"If it costs me more to protect the data than the actual data, what am I doing this for?" he said. "Then there's the concept of usability, as in, if I make it so difficult for my users to use this thing that it defeats the purpose."
Orion Advisor Services also has the two-factor authentication feature. Joe Leyboldt, director of technology support at Orion, said that it provides an extra layer of safety.
"I don't think that's common in the industry," Mr. Leyboldt said. "The chances of potential harm to your account, to have access to all three entry points, is very slim."
There are many other options advisers can take to improve their cybersecurity measures, including knowing their firm's policies and procedures, getting security measures in writing, hiring staff specifically tasked with ensuring firm-wide security and protecting websites, apps and networks with added security features.
But logging in always comes down to a password, which was the crux of Vanguard's issue. Mr. Pogue said that passwords should not be made or kept simply for convenience. He said that they should meet basic requirements, with capitalization, special characters and numbers, and should be rotated every 90 days. They also shouldn't be recycled or duplicated across platforms.
"This is a $3 trillion industry for organized crime. It is not going anywhere any time soon," Mr. Pogue said. "They all say the same thing: 'I never thought it would happen to me.'
"Not only is it going to happen to you, more than likely, it already has and you may not know it," he added.