I am not a security expert, by any means, but my experience with Vanguard this morning left me with concerns about their security practices.

This Morning

My girlfriend received a call from someone claiming to be an employee of Vanguard. Without providing any verification, this person then proceeded to ask for the answer to one of her security questions.

If a username and password are ever compromised, the security questions are the next (and possibly last?) line of defense against hacking an account.

My girlfriend immediately hung up and called Vanguard back to confirm their identity. Eventually, we were able to verify that they had, in fact, phoned.

Recipe for phishing?

Maybe I’m just being paranoid, but it seems to me that Vanguard is actively conditioning its customers to expose themselves to phishing attempts in the future. If Vanguard is willing to call and ask for this info, why not ask for more credentials down the road?

I called Vanguard back to discuss this phone protocol. Unfortunately, they do not publish a direct number to their security department. Even after speaking to several levels of management, I was never connected with a security expert.

Vanguard’s Response

At the top of the management chain with whom I did speak, I received two important pieces of information. First, this manager claimed that issues like these would become less meaningful in the future when they roll out voice-recognition-based security protocols. There was no timeline given for an official release (she did mention a beta coming soon, but wide adoption seems far out). Second, the manager acknowledged that this is probably a security hole, but that it’s a tradeoff that they are willing to accept for smoother customer operations.

It seems it would be too clunky for Vanguard to call a customer and ask that customer to call back on a secure, publicly verified phone line (or log in through the secure website).

I found all of this deeply troubling. Vanguard should have the highest possible standards for security. Am I off base here, or is this a really bad security practice?
