Sunday, February 23, 2020

Someone is hacking at my Vanguard account and Vanguard can't stop them locking me out

So this has been happening.

Every few days for the past few weeks I have received an email from Vanguard like this:

Of course it's not me. Someone (some bot most like) is running passwords against my Vanguard user name. When they fail I'm locked out.

It's not supposed to work this way. This was a common problem in the 1990s, but then security teams learned to use timeouts to reduce the risk of password attacks. The chance that anyone will guess my quite long and random unique password is infinitesimally low.

I don't know the motivation. It might be harassment or it might be someone locking out the password so they can then do a social engineering attack. Given Vanguard's approach to lockout security I think there's a good chance they'll succeed.

I've written Vanguard about the problem but the representative tells me there's nothing they can do. Their security is working as it should.

I've gone through their password reset several times. It's the usual - last 4, birthdate, name of first boss, then text a code. The usual poor quality reset process that's been routinely broken. (Of course the answers to my secret questions are also unique strings unrelated to the question.)

Since Vanguard can't fix the lockout problem I'll have to try changing my username to a random string. That will take a phone call with Vanguard and a bit of hassle but I really don't have a choice.

Although the account rep didn't know this, there's an option to restrict logon to only recognized computers. This is a bad long term solution, but I've enabled it for now.

There's no relationship between the wealth of a corporation and the quality of their security.

Update 3/1/2020: Vanguard responded:
Our Fraud Team has reviewed your profile and the incidents you described.
They have determined that your account was locked multiple times by another client with a similar user name. Fraud has recommended you re-register for account access to change your user name to avoid this situation going forward.
In other words, not a malevolent hacker, just someone who is not very good with credential management (maybe a bit further ahead on the dementia curve than I am). Based on my username it's probably a distant relative (it's a County Leitrim Ireland name, small cohort). Vanguard should be using time delay management of password attacks, instead they're locking me out. The re-register option is a real nuisance.
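
The distinction drawn here and in the opening paragraphs, hard lockout versus time delays on failed attempts, as an added example that is not code from this post or from Vanguard. The class names `HardLockout` and `EscalatingDelay`, the username `jsmith` and the source labels are constructed for illustration; the clock is injectable so the scenario runs instantly and deterministically.

```python
"""Two policies for repeated failed logins: a hard per-username lockout (the
behaviour the post describes) versus an escalating per-source delay.
Example code written for this post, not Vanguard's implementation."""
import time
from collections import defaultdict


class FakeClock:
    """Deterministic stand-in for time.monotonic() so delays need no sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class HardLockout:
    """Lock the username after N consecutive failures from anyone, anywhere.
    A third party who keeps mistyping someone else's username locks the owner out."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # username -> consecutive failures

    def allowed(self, username, source):
        return self.failures[username] < self.max_failures

    def record(self, username, source, success):
        if success:
            self.failures[username] = 0
        else:
            self.failures[username] += 1


class EscalatingDelay:
    """Throttle per (username, source) pair with an exponentially growing delay.
    Failures from one source never block the owner logging in from another,
    while the growing delay makes online guessing from that source impractical."""

    def __init__(self, base=1.0, cap=300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.failures = defaultdict(int)      # (username, source) -> failures
        self.not_before = defaultdict(float)  # (username, source) -> earliest next try

    def wait_seconds(self, username, source):
        """0.0 if an attempt may proceed now, otherwise seconds still to wait."""
        return max(0.0, self.not_before[(username, source)] - self.clock())

    def allowed(self, username, source):
        return self.wait_seconds(username, source) == 0.0

    def record(self, username, source, success):
        key = (username, source)
        if success:
            self.failures.pop(key, None)
            self.not_before.pop(key, None)
            return
        self.failures[key] += 1
        # 1 s, 2 s, 4 s, 8 s ... capped at self.cap; the account itself is never locked.
        delay = min(self.cap, self.base * 2 ** (self.failures[key] - 1))
        self.not_before[key] = self.clock() + delay


def scenario(policy):
    """Constructed scenario: a stranger fails four times from one machine, then the
    real owner tries from another. Returns True if the owner's attempt may proceed."""
    owner, stranger = "owner-laptop", "stranger-pc"
    for _ in range(4):
        if policy.allowed("jsmith", stranger):
            policy.record("jsmith", stranger, success=False)
    return policy.allowed("jsmith", owner)


if __name__ == "__main__":
    print("hard lockout lets the owner in:", scenario(HardLockout()))
    print("escalating delay lets the owner in:", scenario(EscalatingDelay(clock=FakeClock())))
```

Keying the delay on the source as well as the username is what keeps a confused third party's mistakes from affecting the account owner; the delay still applies to anyone who keeps guessing from one place, and a successful login resets the counter for that pair only.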

For now I've configured Vanguard to only allow access from my Mac (presumably a cookie). Maybe after a few weeks of getting a different error message my confused relative will figure out they're using the wrong damned username. Then I can try returning to standard access.

Update 3/13/2020: Locked out again, so the restricted access trick didn't help. I'll undo that. I really hate to have to change my username just because Vanguard can't implement 10 yo security technology.

Update 3/28/2020: Finally logged back in again doing the usual reset. Except now I discover the "restrict logon" is implemented by a cookie -- and I cleared my Safari cookies a week or two ago. So even with the reset I can't log in. It didn't work to stop my nemesis, but it sure stopped me.

I had a chance to review Vanguard's troubleshooting pages and it looks like they haven't been updated for 5-10 years. So now I have to phone them some time during their limited service hours.
