Sunday, February 23, 2020

Someone is hacking at my Vanguard account and Vanguard can't stop them locking me out

So this has been happening.

Every few days for the past few weeks I have received an email from Vanguard like this:

Of course it's not me. Someone (some bot most like) is running passwords against my Vanguard user name. When they fail I'm locked out.

It's not supposed to work this way. This was a common problem in the 1990s, but then security teams learned to use timeouts to reduce the risk of password attacks. The chance that anyone will guess my quite long and random unique password is infinitesimally low.

I don't know the motivation. It might be harassment or it might be someone locking out the password so they can then do a social engineering attack. Given Vanguard's approach to lockout security I think there's a good chance they'll succeed.

I've written Vanguard about the problem but the representative tells me there's nothing they can do. Their security is working as it should.

I've gone through their password reset several times. It's the usual - last 4, birthdate, name of first boss, then text a code. The usual poor quality reset process that's been routinely broken. (Of course the answers to my secret questions are also unique strings unrelated to the question.)

Since Vanguard can't fix the lockout problem I'll have to try changing my username to a random string. That will take a phone call with Vanguard and a bit of hassle but I really don't have a choice.

Although the account rep didn't know this, there's an option to restrict logon to only recognized computers. This is a bad long term solution, but I've enabled it for now.

There's no relationship between the wealth of a corporation and the quality of their security.

Update 3/1/2020: Vanguard responded:
Our Fraud Team has reviewed your profile and the incidents you described.
They have determined that your account was locked multiple times by another client with a similar user name. Fraud has recommend you re-register for account access to change your user name to avoid this situation  going forward.
In other words, not a malevolent hacker, just someone who is not very good with credential management (maybe a bit further ahead on the dementia curve than I am). Based on my username it's probably a distant relative (it's a County Leitrim Ireland name, small cohort). Vanguard should be using time delay management of password attacks, instead they're locking me out. The re-register option is a real nuisance.

For now I've configured Vanguard to only allow access from my Mac (presumably a cookie). Maybe after a few weeks of getting a different error message my confused relative will figure out they're using the wrong damned username. Then I can try returning to standard access.

Update 3/13/2020: Locked out again, so the restricted access trick didn't help. I'll undo that. I really hate to have to change my username just because Vanguard can't implement 10 yo security technology.

Update 3/28/2020: Finally logged back in again doing the usual reset. Except now I discover the "restrict logon" is implemented by a cookie -- and I cleared my Safari cookies a week or two ago. So even with the reset I can't log in. It didn't work to stop my nemesis, but it sure stopped me.

I had a chance to review Vanguard's troubleshooting pages and looks like they haven't been updated for 5-10 years. So now I have to phone them some time during their limited service hours.

Update 11/7/2021: About 6 months ago I finally quit Intuit's Quicken software. After I did that I didn't have any more Vanguard lockouts. Despite my disabling Intuit's online account feature I think they were polling and storing my Vanguard financial records. They weren't logging in successfully, but they did lockout my account.

Monday, February 17, 2020

Apple can beat Google Maps -- by investing in bike route maps

Google Maps seems unbeatable. Every time Apple does an upgrade Google does three. It seems Apple can't win.

But Google has weaknesses. Google maps are increasingly hard to read, particularly in sunlight. Google has no options for scenic routes; even when I choose an alternate route for the pleasure of the trip Google aggressively reroutes me to the fastest option. Apple maps at least have a "no highway" trip option.

These are small weaknesses though. Apple still gets big things wrong even with their latest revisions. Apple hasn't learned much from Google's Local Guides program. My Local Guide score lets me relocate a business in seconds -- something that's made me quite popular with CrossFit gyms and medical clinics that have moved (sometimes they've suffered wrong location listings for months).

Most of all Google has bicycle routes and Apple doesn't. That gap means I can't consider Apple Maps for everyday use. Bike routes are a map moat and Apple hasn't tried to cross it.

But ... Google's bike map moat is silting over. They aren't updating them any more. Google once accepted bike route suggestions from Local Guides -- but now they direct us to treat omissions as road errors and even those are ignored. For example, here's Google's current map of bicycle trails around Hastings Minnesota:

That map makes it seem there's no route from the urban core to Hastings. In fact there's a lovely trail from Hastings to the blue dot on the left, then a brief gravel road, then a trail to St Paul and thus Minneapolis.

Google's neglect is Apple's opportunity. This is an area where Apple could actually beat Google Maps. I think they'd like that.

And, of course, if Apple did make a move maybe Google would accept some improvements ...