Hackers and technical folks and just the kind of people who hang out here on HN tend to be very inflexible and on the side of being "technically correct" over being "right".

From a security perspective, this should never happen. The author is absolutely, positively, without a doubt correct in his stance on this. Being called in such a way and having very little and/or weak security protocols as described is not only a security breach waiting to happen but it really is, as the author points out, training people to get phished.

But there's a bigger picture here. And that's the picture of Vanguard as a company having years of experience in talking to, working with, dealing with, and learning about their customers. Just like the manager says in the post, they need to balance security with service (no, they're not mutually exclusive, but they're not one and the same either).

In the end I think this is okay. It's not technically correct but it seems like it's the right thing to do. Now the reason for this call is never described (which gives some credence to the theories here that this actually never happened, along with a lack of other details), but assuming here for the sake of argument that the call was just to talk about something that isn't of super high significance (let's say it was a sales call to upsell something), then a couple of security questions should suffice. If it's to talk about a 10 million dollar bank transfer to some off-shore account then maybe we should be in an uproar here.

Another point to consider is: who is responsible for security? Obviously the company that holds your data should be responsible for the safety of that data and should have measures in place to prevent fraudulent access to it. But then there's also the responsibility of the customer, who needs to take care of their account credentials and make sure that if someone accesses one of their private accounts somewhere there isn't a domino effect.

I don't think it's Vanguard's responsibility to make sure that all of their customers use different, long, and random passwords on their Gmail and Facebook and what have you so that one day someone can't access one of those and get into their Vanguard account. I mean, that's certainly a nice-to-have, but customers have a responsibility to secure their data just the same as companies do. We want to be educating regular folks about security all the time, but the moment it comes time for them to apply what we're teaching them we turn around and act like they're off the hook for being ignorant of security best practices. It's a double standard if you ask me.

I know we all like some good old fashioned manufactured outrage, but before we get the pitchforks out let's look at the big picture, and not just one aspect of the issue here.
I ran into that with a credit card company recently. They called and left a message about suspicious activity on an account and a callback number. I couldn't find that number anywhere on their website or the web in general. I ended up calling the main # and connecting to the security department. It was a legitimate message they left. I mentioned the phone number thing and they agreed that was an issue but who knows if they acted on it.
Color me skeptical here or perhaps this is just an aberration. I've been with Vanguard financial services for more than 30 years and I've never received any phone calls. All recent communication has been via email with a non-clickable link telling me to log into my account and check my messages.
Most corporations don't behave particularly responsibly in terms of your data security, and the financial industry is one of the worst when it isn't an issue that they are statutorily liable for. So you end up with odd extremes where credit card fraud is treated with extreme care (statutorily liable > $50) and business banking is usually secured quite poorly (no liability, typically). It's up to you to provide or ask for any extra security measures you find appropriate, like asking to call them back.

Anyone using common security questions is already balancing a risky behavior with ease of use.

They might also know that risk is low - if they don't allow any difficult-to-reverse transactions like outbound fedwire, there may not be a lot they can't easily undo.
At the very least, they should call you and direct you to vanguard.com, where there would be a link at the bottom that says "call us back", at which point if you call back you'd be promptly put back in touch with your rep, another factor that helps broker trust in a conversation.

I follow this protocol with American Express and it's always effective. I'm also a high dollar monthly spend (corporate account) and so I get answered within a couple of rings and they can pull up my account and notes immediately.

-David
I received an email from Vanguard regarding $20 for taking a survey. It seemed phishy because the domain it was sent from wasn't @vanguard.com (or similar) and because of the enticement of a monetary award.

I contacted Vanguard regarding this and forwarded them the email. The representative thought it was a phishing attempt as well. I was later contacted by Vanguard and they told me it was legitimate. I was even able to contact the person that wrote the email through a Vanguard number.
Here is Vanguard's email contact form:

https://personal.vanguard.com/us/ContactUsSecureEmail?isContact=p