Originally published Aug. 10, 2015.
At first, the technology-support expert on the other end of the line didn't believe what Vanguard Group's client relationship administrator, Karen Brock, was telling him.
An angry Vanguard customer had called her to say he was able to log into his account, even though he'd deliberately provided a misspelled security answer, Brock explained to her tech colleague, named Mike, who took her call on May 7, 2013.
Mike, who identified himself on the recorded line only by his first name, initially insisted that the security system of the world's largest mutual fund company "wouldn't allow" something like that. But when he checked to see if he could access his own account after misspelling a personal security answer, his tone changed.
"This is messed up," he said in the recording, a copy of which Brock supplied to TheStreet.
Despite repeated efforts over the past two years to flag that and other issues she considers potential threats to the security of Vanguard's 20 million customers, Brock says management has never offered her a formal response. Another security issue with the company's voice verification system has been addressed, she said, but the security answer glitch remains. For the most part, Brock says her bosses either have ignored her or have told her to stop complaining.
Although Brock's allegations -- outlined in whistleblower tips she filed with the Securities and Exchange Commission and Finra -- do not cast Malvern, Pa.-based Vanguard in a favorable light, they in some cases mirror a challenge all financial firms face: Investment clients seeking online convenience don't always want what's in their best interest from a security point of view.
"I hear over and over when I'm onsite with financial firms that customers don't want additional security," because it slows down their ability to do transactions, said John Reed Stark, a consultant who is former chief of the SEC's Office of Internet Enforcement. "Maybe enhanced security requirements should be like seat belt laws, where everyone is required to be inconvenienced to protect them from themselves."