Vanguard login flap showcases battle of cybersecurity vs. convenience

Advisers, this is why it's better to err on the side of caution — even if your firm's login and password-recovery processes are annoying

Aug 13, 2015 @ 11:50 am

By Alessandra Malito

The Vanguard Group has recently come under fire for what one whistleblower says is an insecure online log-on system for its 20 million-plus customers.

The alleged issue with the asset management giant's sign-on system was that customers could get into their accounts even if they entered their password or security-question answer slightly incorrectly, for example, typing in “passwort” instead of “password,” as first reported by The Street. One customer reportedly called a Vanguard client relationship manager in May 2013 to tell her that he deliberately misspelled a security answer and still gained access.
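The check described above, as an added example that is not Vanguard's code (which is not public): a typo-tolerant password comparison of the kind the report alleges, next to an exact salted-hash comparison, plus a count of how many distinct strings a one-edit tolerance accepts for a single password. The password "password", the 94-character alphabet and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
"""Added example: typo-tolerant vs. exact password verification.

Not Vanguard's code; the tolerant check is a reconstruction of the behaviour
described in the article, the exact check is the conventional alternative.
"""
import hashlib
import hmac
import os
import string

# Assumption: a printable-ASCII password alphabet (94 symbols, no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions, each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def tolerant_check(stored_plaintext: str, attempt: str, tolerance: int = 1) -> bool:
    """WEAK: accepts any attempt within `tolerance` edits ("passwort" for "password").

    Note what this forces on the server side: computing an edit distance needs the
    original password in recoverable form (or hashing every neighbour of the
    attempt), so the weakness is not only in the comparison.
    """
    return edit_distance(stored_plaintext, attempt) <= tolerance


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store a random per-user salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def exact_check(record: tuple[bytes, bytes], attempt: str) -> bool:
    """HARDENED: exact match only, compared in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def neighbours(password: str, alphabet: str = ALPHABET) -> set[str]:
    """Every distinct string within Levenshtein distance 1 of `password`.

    This is exactly the set a tolerance-1 check accepts for that password,
    i.e. how many candidates a single login attempt effectively covers.
    """
    out = {password}
    n = len(password)
    for i in range(n):
        out.add(password[:i] + password[i + 1:])            # one deletion
        for c in alphabet:
            out.add(password[:i] + c + password[i + 1:])    # one substitution
    for i in range(n + 1):
        for c in alphabet:
            out.add(password[:i] + c + password[i:])        # one insertion
    return out


if __name__ == "__main__":
    secret = "password"  # assumed demo password
    record = make_record(secret)
    print("tolerant accepts 'passwort':", tolerant_check(secret, "passwort"))
    print("exact accepts 'passwort':   ", exact_check(record, "passwort"))
    print("exact accepts 'password':   ", exact_check(record, "password"))
    print("strings a 1-edit check accepts for this password:", len(neighbours(secret)))
```

For the eight-character demo password the tolerant check accepts 1,590 distinct strings, so each guess an attacker submits covers up to that many candidates rather than one; the exact check accepts a single string and can be run against a salted hash, so the server never needs to hold the password itself.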

Vanguard spokeswoman Emily White said that, due to privacy policies, she could not further discuss the situation referred to in the article. However, she did say that the firm updated its security measures in 2013, and executives have been consistently reevaluating and revising them. She added that elements of The Street's story were inaccurate and misleading, but she would not go into detail about which aspects the firm disagreed with specifically.

"We want to emphasize that Vanguard places the utmost importance on the security of client accounts," Ms. White said. "We follow industry best practices, employing state-of-the-art technology and rigorous online security standards."

Further, she did acknowledge that online phishing scams — attempts to acquire sensitive information such as usernames, passwords and account numbers by masquerading as a trustworthy entity, typically in an email — are prevalent.

In December, the firm rolled out an optional security feature, two-factor authentication. Clients who opt in receive a text message on their phone with a code to be entered into the login portal.

It has received mixed feedback on Twitter.

Sid Yenamandra, the co-founder and chief executive of Entreda, a financial services cybersecurity consulting firm, said that this is a classic balance of sacrificing security for convenience, or vice versa.

"Do you force customers to enter two passwords and still let them enter [even if they make a typo] because it's more convenient?" Mr. Yenamandra said. "That was the mistake Vanguard made."

Vanguard is certainly not the only firm to grapple with this issue — other firms have also gotten heat for their allegedly lax sign-on requirements.

For example, Schwab and Fidelity were both called out on Twitter for having a weak login system.

Fidelity spokesman Adam Banker said that the firm offers multi-factor authentication as part of its ongoing effort to protect customer accounts and information.

Sarah Bulgatz, director of public relations at Charles Schwab & Co., which has also received criticism for its allegedly weak password requirements, said that the firm is rolling out enhancements to its password protocols that will make the login and identity-verification processes much more complex.

Both Schwab and Vanguard offer a guarantee that they will reimburse any losses in compromised online accounts that stemmed from incidents of fraud.

Mr. Yenamandra suggested advisers take note of the types of security measures that the firms they work with are taking and alert management if they seem weak.

"If you're using Schwab or Fidelity and custodying assets and find really weak cybersecurity practices, inform management teams — this is a cause of concern for your clients," Mr. Yenamandra said. "The second thing is they need to audit all of the different vendors."

That's because any third-party service providers, especially those that are integrated with one another and share sensitive data, could be a back door through which attackers enter a system.

Chris Pogue, senior vice president of cyber threat analysis at Nuix, a cybersecurity service provider specializing in financial services firms, said it's usually a question of what the data and the security measures both cost, and which outweighs the other.

"If it costs me more to protect the data than the actual data, what am I doing this for?" he said. "Then there's the concept of usability, as in, if I make it so difficult for my users to use this thing that it defeats the purpose."

Orion Advisor Services also has the two-factor authentication feature. Joe Leyboldt, director of technology support at Orion, said that it provides an extra layer of safety.

"I don't think that's common in the industry," Mr. Leyboldt said. "The chances of potential harm to your account, to have access to all three entry points, is very slim."

There are many other options advisers can take to improve their cybersecurity measures, including knowing their firm's policies and procedures, getting security measures in writing, hiring staff specifically tasked with ensuring firm-wide security and protecting websites, apps and networks with added security features.

But logging in always comes down to a password, which was the crux of Vanguard's issue. Mr. Pogue said that passwords should not be made or kept simply for convenience. He said that they should meet basic requirements, with capitalization, special characters and numbers, and should be rotated every 90 days. They also shouldn't be recycled or duplicated across platforms.

"This is a $3 trillion industry for organized crime. It is not going anywhere any time soon," Mr. Pogue said. "They all say the same thing: 'I never thought it would happen to me.'

"Not only is it going to happen to you, more than likely, it already has and you may not know it," he added.
