Online risk: What Vanguard does, and what you can do
August 06, 2014
You can think of risk as similar to the Hydra, the multiheaded monster in Greek mythology. Risk, in other words, has one name but many faces.
In the myth, Hercules was sent to dispatch the Hydra—not easy, because it grew two new heads for every one that got cut off. (Spoiler alert: Hercules wins.) In real life, risk can be even harder to battle. Online risk, in particular, is always morphing, and new threats constantly emerge. That's why risk control is a major part of Vanguard's operations and investment practices.
Online risk can mean both fraud—such as when an unauthorized person (often a family member) takes advantage of a poorly protected password to access an account—and, on a potentially much broader scale, cyber attacks.
Guarding your information
Vanguard has a variety of systems in place to counter cyber criminals, including a state-of-the-art Security Operations Center. "In a world that revolves around data, we can never forget that it's not our data—it's our clients' data," said Jeffrey A. Lampinski, a Vanguard principal in charge of information security.
Like other financial institutions, Vanguard is regularly targeted—hundreds of thousands of times a day—by cyber criminals who want that data. Our security center identifies and responds both to outright attacks and to probes that seek to remain unnoticed while they attempt to sniff out any weaknesses in Vanguard's systems.
We also employ "ethical hackers" and "threat scientists"—people who try to think like the bad guys in order to thwart them. These experts "take the attack models that are out there and manipulate them to see if they'll work inside of Vanguard," said Grant Pate, who manages the security center. Anything that looks like a potential threat triggers countermeasures.
Mr. Pate and his staff constantly review threat intelligence from a variety of sources, including private intelligence companies, government agencies such as the FBI and the Department of Homeland Security, and a collaborative group of financial companies. (Other industries have similar arrangements.) "We do not compete with each other when it comes to security," said Mr. Lampinski.
Vigilance is crucial. "It's an ongoing battle. As the bad guys change their methods, we change ours," said Owen Barton, a Vanguard data-protection manager. "There's no plateau."
Be wary of e-mail—even if it says 'Vanguard'
Another form of cyber attack could be called the wolf-in-sheep's-clothing ploy. Criminals devise e-mails that appear to be from legitimate sources, hoping you'll respond with personal information or follow a link to a spurious website and enter the information there. This practice is known as "phishing."
The safest practice is simply not to click links in e-mails—if it's a legitimate website, you can get there another way. At the minimum, be deeply suspicious of any e-mail that asks you to enter sensitive data—perhaps for an "update" or to deal with a "security issue"—even if it appears to come from a well-known organization like the IRS or Vanguard. "Vanguard will never ask you to provide personal data in an unsolicited e-mail or urge you to click a link to update or correct your website credentials," said Mr. Lampinski.
If Vanguard's name is used and you suspect you're being phished, "please forward the suspect e-mail to us right away at firstname.lastname@example.org," said Mr. Lampinski.
Defensive actions you can take
One key defense against online risk starts with each client's computer. In a process known as two-step authentication, the shareholder logs on with his or her password; then Vanguard's system searches for a "cookie"—in essence, an identification tag—that was previously placed on the shareholder's machine. (You can remove such cookies at any time.) "It's like fingerprinting the device," says Mr. Lampinski.
Don't use these passwords!
Here are some of the least secure passwords used in 2013, according to Splashdata, a password management application company. Splashdata compiles an annual list from files containing millions of stolen passwords posted online.
*Also to avoid: 1234, 12345, 1234567, and . . . well, you get it.
Clients can go further if they choose. For example, you can mandate that only a specific computer be recognized by Vanguard—a safeguard that blocks a thief who's trying to get at your account from his or her own machine. On vanguard.com, you can easily restrict the use of your credentials to your computer alone: After logging on to the website, go to the My Accounts tab, scroll down to select Account maintenance, then select Computer access restrictions in the Security profile section.
Clients who prefer to do business over the phone can require that they be identified through an oral password. You may also be able to sign up for the Vanguard Voice Verification™ service. This allows your voiceprint to act as your password. (Learn more at vanguard.com/VoiceVerification. Note that the capital letters are necessary.)
More ways to protect yourself
Obviously, it's best if thieves can't get near your personal data in the first place.
You shouldn't post your passwords on your refrigerator door, for example, or store them in your computer or smartphone unless they are encrypted and password-protected. Use different passwords for different websites, and make sure each one will be difficult for a thief to guess but easy for you to remember—and never chose a password that can be found in a dictionary or is a proper noun. Shred documents that contain personal information and regularly run antivirus software on your computer before changing any sensitive data.
Vanguard's security pros suggest that you open even junk mail to see if you're being thanked for opening a "new" account that you've never heard of. You can put a freeze on your credit reports at the Equifax, Experian, and TransUnion agencies to prevent a thief from opening an unauthorized line of credit in your name. (There may be a small fee.) You can also obtain one free credit report annually from each agency to do so, go to annualcreditreport.com.