Originally published Aug. 10, 2015.
At first, the technology-support expert on the other end of the line didn't believe what Vanguard Group's client relationship administrator, Karen Brock, was telling him.
An angry Vanguard customer had called her to say he was able to log into his account, even though he'd deliberately provided a misspelled security answer, Brock explained to her tech colleague, named Mike, who took her call on May 7, 2013.
Mike, who identified himself on the recorded line only by his first name, initially insisted that the security system of the world's largest mutual fund company "wouldn't allow" something like that. But when he checked to see if he could access his own account after misspelling a personal security answer, his tone changed.
"This is messed up," he said in the recording, a copy of which Brock supplied to TheStreet.
Despite repeated efforts over the past two years to flag that and other issues she considers potential threats to the security of Vanguard's 20 million customers, Brock says management has never offered her a formal response. Another security issue with the company's voice verification system has been addressed, she said, but the security answer glitch remains. For the most part, Brock says her bosses either have ignored her or have told her to stop complaining.
Although Brock's allegations -- outlined in whistleblower tips she filed with the Securities and Exchange Commission and Finra -- do not cast Malvern, Pa.-based Vanguard in a favorable light, they in some cases mirror a challenge all financial firms face: Investment clients seeking online convenience don't always want what's in their best interest from a security point of view.
"I hear over and over when I'm onsite with financial firms that customers don't want additional security," because it slows down their ability to do transactions, said John Reed Stark, a consultant who is former chief of the SEC's Office of Internet Enforcement. "Maybe enhanced security requirements should be like seat belt laws, where everyone is required to be inconvenienced to protect them from themselves."
Even as some customers complain they don't want to jump through hoops to access their own money, others protest loudly on social media about weak security policies. That leaves companies like Vanguard and its competitors caught in the middle -- struggling to make their sites easy to use while doing their best to make sure accounts are secure.
From Brock's point of view, Vanguard leans too far in the direction of accommodating convenience. Customers who can't access their accounts wind up making more calls to customer service, she says, and that costs the firm more money. Brock says that comports with the firm's low-expense credo -- a corporate goal she thinks the firm pursues at the expense of security.
Vanguard spokeswoman Arianna Stefanoni Sherlock said in an email that the firm investigated Brock's claims "and we remain confident in our security practices and our efforts to keep our clients' confidential information and their assets safe."
Vanguard, which ranked 48th on ComputerWorld's "Best Places to Work in IT" list released in June, has "one of the strongest programs in the investment management industry in place to protect our clients," according to Sherlock.
Brock, a 56-year-old telephone representative in Vanguard's Scottsdale, Ariz. office, says that after speaking to her colleague in technology that day in 2013, the problem with misspelled security answers was immediately fixed. She checked periodically to be sure it was still working after that, only to discover 18 months later that Vanguard was again allowing access to accounts despite answers infected with typos.
On a dozen occasions in recent months, I have logged into my own Vanguard account despite dropping letters and introducing other typographical errors to my security answers. On several occasions, I was able to reset my password after entering typos of between one and two characters into three separate security answers. The process did require that I provide my date of birth, zip code, the last four digits of my Social Security number and email address. But security experts say such information is easily stolen or found online, making accurate security answers critical.
"I don't have enough words to express what a stupid decision that would be" to allow variations in the spelling of a security answer, said Fred H. Cate, a senior fellow at the Center for Applied Cybersecurity Research at Indiana University in Bloomington. For the cybercriminal using a computer program to randomly guess security answers, "it dramatically increases the number of right answers," he said.
Cate added that many customers don't even bother to memorize or look up their passwords, opting instead to reset passwords over and over. So the answers to those challenge questions that ask for the name of your favorite pet or the street you grew up on become "the critical thing," he says.
At a time when data breaches of health care records, customer information at financial firms and targets of government background checks are at the top of the public's mind, Brock says Vanguard, the darling of the small investor that pioneered low-cost investing, is leaving doors open for intruders to come in.
Last fall, the company saw a spike in fraudulent activity that generated a series of memos alerting employees to be particularly vigilant, she says. Vanguard says that it was among many companies experiencing a surge in phishing attacks during that period and that no customers lost money.
Brock, who serves 640 of Vanguard's affluent, $1 million-plus "Flagship" accounts, says she has alerted her managers and technology support staff in person, in writing and over recorded lines about shortcomings in the firm's procedures for customer security.
She said in an interview that, on one occasion, she reported an incident in 2013 where Vanguard's voice verification system allowed a customer's son to mimic his father's voice and get full access to his father's account. The father had asked the son to do that, so he could assure himself the feature couldn't be hacked.
On another occasion, she had to interrupt the instructor at a training session at the firm's Scottsdale, Ariz. offices last fall to point out that names, email addresses, phone numbers and account numbers of several current or prospective clients had evaded the redaction process and wound up being published in a 97-page hard-copy training manual. The document, which Brock says also had been used in previous training sessions, had no markings that designated it for "Internal Use Only." Brock says new manuals were produced for subsequent sessions.
Vanguard didn't respond to written questions about the voice verification and training manual glitches. The company said that it would have to decline to answer some questions about online security and fraud safeguards in order to protect its clients and its security measures.
Management hasn't taken kindly to her badgering, says Brock, who joined Vanguard in its Scottsdale office in 2011. "I've been told 'You need to stop talking about these things because it really upsets people,'" she said.
In May of 2014, frustrated that Vanguard had not corrected the security answer deficiency, Brock filed whistleblower complaints with the SEC and Finra, Wall Street's self-regulatory group. Several officials in the SEC's whistleblower office interviewed her for nearly two hours in January, according to Brock.
The SEC declined to comment about Brock's complaint. Finra told Vanguard in a May 29, 2015 letter that it had closed its examination of the case. Asked to comment, a Finra spokeswoman said, "Regulatory tips are confidential."
During an hour-long interview with Sherlock and three other Vanguard officials in late July, the company stressed that it has made strides in customer safety that include the launch in December of an enhanced security option to make customers' login process safer. Its so-called "two-factor authentication" service requires not only that a customer enter a user name and password, but that they also submit a 6-digit code that Vanguard sends by text message to the customer's cellphone.
The firm doesn't require that customers use the service, because there may be clients who don't want the cost sometimes attached to receiving texts, said Jeffrey Lampinski, who runs Vanguard's information security team.
Vanguard also beefed up its login requirements in late 2013, said Lampinski, adding the options of longer and more complex passwords.
Customers commenting online in late 2012 had engaged in an extended conversation about Vanguard's policies after the firm was criticized for being in the "Password Hall of Shame."
Image courtesy of Bogleheads.org
In October 2014, customers of the mutual fund giant received a detailed educational article about online "phishing" scams that appeared on Vanguard's site. Authored by Lampinski, the piece walked clients through the red flags they should look for -- phony Web addresses and unsolicited emails seeking social security numbers among them -- to steer clear of crooks who seduce investors to compromise their online credentials.
The firm itself had been grappling with phishing attacks that it had first become aware of two months earlier. In phishing scams of financial companies, cybercriminals blanket the public with emails that trick them into thinking they're clicking on a link of a company they do business with. Once customers are fooled into clicking on a link, criminals steal credentials and attempt to enter their accounts.
Every company that does business online faces regular attacks by cybercriminals and other fraudsters, and customers typically get wind of only the most alarming among them. A series of memos shared by Brock gives an idea of how companies mobilize when fraud is on the increase.
Last August, a Vanguard manager sent out an internal memo warning of a "huge increase" in fraud activity, noting that rogues were attempting to impersonate clients on the phone. A week later, another missive told of a fraudster who had successfully orchestrated an $80,000 wire transfer after imitating a 79-year-old Vanguard client on the phone. The man's identity had been stolen. Asked if his money had been retrieved or reimbursed, Sherlock said in an email that the firm doesn't discuss specific clients and their assets.
"Flagship is up to 100 fraud cases this year," the second memo noted, referring to its blue-chip clientele with accounts of $1 million and more. That was up from a total of 38 the previous year, the memo said. Sherlock noted that while the increase is "huge" by Vanguard's standards, it is relative to a small base the previous year and is "modest" relative to the firm's 20 million accounts.
Then, on Oct. 21, Brock says Vanguard's Web site was down nearly three hours.
Sherlock says the Web site outage was not related to the phishing incidents and was "the result of an error during a technology update." She initially told me the site was down for "three hours during the night when the markets were closed," but corrected that to "about two hours in the late afternoon," after I pointed out that customers online were talking about the site being down during trading hours.
It was early afternoon when customers on Facebook (FB - Get Report) first said the site was down, posting comments beginning at 12:25 p.m. Complaints about the site being down were still being posted just before 6 p.m. that day on Twitter (TWTR - Get Report) . No client accounts or data were compromised as a result of the outage, according to Sherlock.
Images courtesy of isitdown.com
A week after the outage, a manager sent Brock a memo asking her to help the Fraud department make calls to clients whose account credentials "may have recently been compromised." In a separate email that day, the same manager referred to "malicious account access" in the account of one of Brock's clients. Those memos were related to the phishing attacks, according to Vanguard.
With $3 trillion under management at Vanguard, where 90% of its 20 million clients access their accounts online, much is at stake. During the months-long phishing attacks last year, Vanguard spokesman John Woerth told me that no customers lost money; Lampinski added that the phishing sites were shut down. Vanguard would not tell me whether there were customers who lost money but were later made whole by the firm.
Sherlock said in an email that when Vanguard detects a fraud attempt, it immediately freezes the account to protect the client from unauthorized activity. In most cases, the firm is able to shut down attempted fraud, she said. "In other cases, we are able to recover the assets," she added. "And in a still smaller subset of cases, we are not able to recover the assets and we will reimburse those clients -- depending on the circumstances -- on a case-by-case basis."
To receive reimbursement, customers must meet certain requirements. Vanguard has an online fraud policy that promises customers that if assets are lost in an unauthorized online transaction, they will be reimbursed. For the guarantee to kick in, customers must regularly check their accounts; be sure they have up-to-date anti-spyware and firewall software; and use passwords that are different from their passwords on other sites, among other requirements. And they mustn't click on links in suspicious emails.
Brian Donadio, senior counsel at Vanguard, said it is still possible for customers who do not meet the criteria to get a reimbursement, but that Vanguard makes those decisions on a case-by-case basis. Given Vanguard's ownership structure, if it does reimburse a client, the cost "is gonna work its way back across the entire client base," he said. He would not say how often Vanguard denies a reimbursement. Unlike publicly owned brokerages such as Charles Schwab & Co. and T. Rowe Price, or Fidelity, which is owned by private shareholders, Vanguard is owned by the same people who invest in its funds. Vanguard says it keeps costs low for clients because it doesn't need to generate profits for outside owners.
Vanguard's competitors have their own security shortcomings. I decided to test the integrity of the security questions at Schwab (SCHW - Get Report) . I was able to enter an inaccurate answer and access my account, sans password, just as I did with Vanguard. Schwab emailed me a temporary password, and I was in.
Schwab spokeswoman Sarah Bulgatz said that's because Schwab doesn't consider the answer to your security question after the eighth character, which is a head-scratcher considering the question I was being asked required a 10-digit telephone number. She said on July 8 that Schwab had "recently discovered" the problem and plans to fix it by the end of the year.
In January, Schwab posted a memo on its Web site saying it had taken "to heart" that clients were complaining about its password protocol, and that it would offer the option of more complex passwords by year-end. On July 15, the firm announced it would introduce the new standards this month.
Images courtesy of Twitter.com
For Vanguard's part, the ability of customers -- or anyone else -- to access accounts despite typos is a sensitive topic. Woerth at first wouldn't comment when I asked if he was aware that Vanguard allowed typos in its security answers. But when I followed up to ask if there was anything he could say on the topic, he offered this: "I think that goes back to that boundary of convenience versus prevention, or, you know, inconvenience."
Tolerance of typos results in fewer phone calls to the humans who work Vanguard's call centers, says Brock. But the pros say there are times when convenience shouldn't be a consideration.
"It should not be up to the firm to decide what's acceptable," said Anand Mohabir, principal consultant at ACA Compliance, a regulatory compliance and cybersecurity-risk company. "They should not accept any variation" in the information that customers provide.
Vanguard gets deserved kudos for running a low-cost operation that focuses on the interest of its owners, who are the investors who buy shares of its funds. That unusual structure for years has been a plus for its customers.
But it also may shape the company's decisions when it comes to spending.
Woerth says, "I don't think we would scrimp a dime in ensuring" that clients' assets were safe. But he also concedes that Vanguard's client-ownership structure "certainly makes us more judicious in how we spend the clients' money."Every financial firm faces challenges on the difficult questions of security vs. convenience. In Vanguard's case, investor ownership may make those decisions even tougher.