Web Security by Hiding Information – aka Vanguard’s Security Model Exposed

So, Vanguard locks me out of my money the other night. I didn’t know this because they didn’t tell me through the website or email or phone call or text message. Instead, they generated a letter that would reach me within 14 days to tell me that my account was locked. Why was it locked? I mistyped my password 3 times.

Did they tell me there is a 3 try limit? No.

Did they tell me that I had exceeded the limit? No.

Why?

After waiting for business hours to begin, I called them. They told me that they don’t want a hacker to know that there is a 3 try limit on the account. That’s why they won’t contact me by any other means than a written snail mail letter when my account is locked out.

Awesome. Best security job I’ve ever seen. Bullet proof. Especially since everyone on the Internet can now read Vanguard’s security policy on this blog. There you go, Vanguard. Boom. I just blew up your clever, clever security model.

Hiding information as a means of security works so damn well. Vanguard must have hired Microsoft’s Security advisor.

Crackers dissuaded? No.

Customers pissed off that they lost control of their account? Yes.
Awesome.

So, I guess anyone could write a script that would start locking all of Vanguard’s customers out of their site. 3 tries and done. Move on to the next one. It would be a Denial of Service on all their customers. The great thing is, not one customer would know what had happened. They would go to their account, put in the correct password, and be blocked on the first attempt. Of course, the website would not tell them why the password was no good. Then, they would get angry, and with good reason. Now multiply that by 100,000 customers. Hmmm, just a thought.
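The failure mode above is a lockout that is permanent, silent, and tied only to the account name, so a stranger can lock the owner out at will. Below is an added, hypothetical counter-design (example code written for this post, not Vanguard’s system): failures are counted in a sliding window, the lock is temporary and only escalates on repeat lockouts, it expires on its own, and the owner is told immediately through a caller-supplied `notify` hook.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # failed attempts in the current window
    window_start: float = 0.0  # when the current failure window opened
    locked_until: float = 0.0  # 0 means not locked
    lockouts: int = 0          # consecutive lockouts, drives escalation


class LoginGuard:
    """Temporary, escalating lockout that tells the account owner right away.

    Hypothetical policy for illustration: after max_failures bad passwords the
    account is locked for base_lock_seconds * 2**lockouts, the lock expires by
    itself, and notify(user, message) is called at the moment it is applied.
    """

    def __init__(self, notify, max_failures=3, window_seconds=900,
                 base_lock_seconds=60, clock=time.time):
        self.notify = notify
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.base_lock_seconds = base_lock_seconds
        self.clock = clock            # injectable for testing
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def seconds_locked(self, user):
        """Remaining lock time; 0 when a login attempt may be processed."""
        return max(0.0, self._state(user).locked_until - self.clock())

    def record_failure(self, user):
        """Count a bad password. Returns the lock duration applied (0 if none)."""
        st, now = self._state(user), self.clock()
        if now - st.window_start > self.window_seconds:
            st.failures, st.window_start = 0, now   # stale window: start fresh
        st.failures += 1
        if st.failures < self.max_failures:
            return 0
        duration = self.base_lock_seconds * 2 ** st.lockouts
        st.locked_until, st.lockouts, st.failures = now + duration, st.lockouts + 1, 0
        self.notify(user, f"account locked for {duration}s after "
                          f"{self.max_failures} failed logins")
        return duration

    def record_success(self, user):
        """A correct password (while not locked) clears counters and escalation."""
        self.accounts[user] = AccountState()
```

The caller checks `seconds_locked` before verifying a password, so a locked account is never silently rejected as "wrong password"; the escalation keeps a repeat-failure pattern slow without ever handing an outsider a permanent lock on someone else’s account.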

Now, I just need to generate some more traffic to this blog.

This entry was posted in Rants. Bookmark the permalink.
