Tuesday, January 18, 2022

Bad Computer Security at Financial Firms

You would think that financial firms would have good login security, but read this from several years ago:
An angry Vanguard customer had called her to say he was able to log into his account, even though he'd deliberately provided a misspelled security answer, Brock explained to her tech colleague, named Mike, who took her call on May 7, 2013.
The company is weird. It put a security image in the login process, telling customers to refuse to login if the right image was not shown. Then it just dropped the feature, without telling anyone. So if you followed its own security instructions, you would never login.
On a dozen occasions in recent months, I have logged into my own Vanguard account despite dropping letters and introducing other typographical errors to my security answers. On several occasions, I was able to reset my password after entering typos of between one and two characters into three separate security answers. The process did require that I provide my date of birth, zip code, the last four digits of my Social Security number and email address. But security experts say such information is easily stolen or found online, making accurate security answers critical.
So what is it doing? This is fairly standard:
During an hour-long interview with Sherlock and three other Vanguard officials in late July, the company stressed that it has made strides in customer safety that include the launch in December of an enhanced security option to make customers' login process safer. Its so-called "two-factor authentication" service requires not only that a customer enter a user name and password, but that they also submit a 6-digit code that Vanguard sends by text message to the customer's cellphone.
Okay, but here is the message that Vanguard sent me:
Vanguard won't contact you for this code: 894581. Don't share it with anyone. Reply HELP for help, STOP to cancel, Msg&Data Rates May Apply
Why would it say that? The whole purpose of the code is to submit it when Vanguard contacts me and asks for it. I am unable to login unless I share the code with Vanguard. Or maybe I should say logon, as that is what Vanguard calls it.

Currently, I cannot even login to Vanguard with my Firefox or Chrome browsers. They used to work fine.
